by Jonny Frank, Laura Greenman, Chris Hoyle, Michele Edwards, and Ksenia Ioffe 

No Longer Just a Matter of Paying the Fine and Moving On

Corporate settlement agreements used to be straightforward—pay the penalty and move on.

Now, these resolutions rival complex business transactions, including months of negotiations and multi-year post-resolution obligations. Satisfying post-settlement commitments is a business imperative, not just a legal obligation. Meeting, if not exceeding obligations, helps restore brand value and improves employee and investor stakeholder confidence.

DOJ policy requires prosecutors to consider the effectiveness of the company’s compliance program in determining whether to bring charges and in negotiating plea and other agreements.[1] Companies may secure leniency by having an independent third-party or senior management certify the compliance program and control’s effectiveness or, if not ready for certification, report on the company’s progress.

The government estimates that between 10% and 20% of large corporate criminal resolutions have involved recidivist companies.[2]

The consequences of violating post-resolution obligations are severe. One party (the government) decides whether a breach occurred. Under DOJ settlement agreements, the government can prosecute the organization for the underlying conduct and use any information the company provided at trial. And breaches are not academic. DOJ has committed to “hold accountable any company that breaches the terms of its Deferred Prosecution Agreement (“DPA”) or Non-Prosecution Agreement (“NPA”) and impose “serious consequences for violating their terms.”[3] DOJ rescinded Ericsson’s DPA, forced the company to plead guilty and imposed a $200 million+ penalty for breaching its DPA.[4] Deutsche Bank incurred a one-year extension of its corporate monitorship for violating its DPA.[5]

Post-Settlement Guide

We developed our guidance, Meeting DOJ and SEC Post-Settlement Obligations: A Practical Guide, to help companies and their external counsel prepare for and manage post-resolution obligations. Our suggestions draw from StoneTurn’s cross-disciplinary and industry expertise; past experience as regulators, auditors and prosecutors; our team’s many risks and controls engagements; and years of experience serving as government-imposed and voluntary compliance monitors and consultants.

The Post-Settlement Guide includes four sections organized around requirements for DOJ (NPAs, deferred DPAs, and plea agreements. The SEC and other agencies impose similar obligations (e.g., HHS Corporate Integrity Agreements). The Guide also includes tools and templates counsel can tailor.

We summarize the four sections below. To read the full guide, click here.

Commitments & Breaches. DOJ settlement agreements often include the corporate defendant’s agreement “to commit no further crime.”[6] And, even if not explicit in the settlement agreement, the DOJ’s updated criminal enforcement policy is tough on corporate recidivists, requiring prosecutors to “consider the full criminal, civil, and regulatory record of any company when deciding the appropriate resolution.”[7] The Guide begins with basic steps companies should take to meet obligations and tips to avoid breaches. These include:

• addressing all potential criminal conduct, not just the specific violations leading to the settlement;
• engaging in scenario-based risk identification to identify the underlying risk giving rise to a violation;
• assessing the adequacy of its internal controls framework and testing program;
• starting now—use recent settlement agreements as a roadmap of what to expect and don’t wait for the company and government to finalize settlement terms;
• creating an obligations register;
• conducting a root cause analysis to identify items requiring remediation;
• engaging the three lines of defense in meeting the obligations;
• creating a governance structure and forming a multi-disciplinary project team;
• developing assessment criteria, expected evidence and validation procedures;
• performing a “check and challenge” of the executability of corrective action plans and monitor completion;
• conducting “real-time” testing to keep the project on track;
• identifying and mitigating breach risks and scenarios; and
• keeping a “Good Deeds” scrapbook to record activities and accomplishments contemporaneously.

Certifying Compliance Program Effectiveness. In 2022, the DOJ instituted a policy requiring Chief Executive Officers (“CEOs”) and Chief Compliance Officers (“CCOs”) to certify the effectiveness of the ethics and compliance program as part of NPAs, DPAs and plea agreements.[8] The SEC enforcement orders often carry a similar requirement, albeit limited to the CEO, not the CCO.[9]

Our guide identifies steps to meet DOJ and SEC requirements for senior management to certify compliance programs and controls effectiveness and how public companies can leverage their Sarbanes-Oxley processes to avoid duplication of efforts. Key steps include:

• leveraging prior DOJ and SEC settlement agreements to anticipate terms;
• selecting a framework and criteria;
• identifying and assessing significant ethics and compliance risks and scenarios;
• evaluating the design and operating effectiveness of the risk response;
• executing a corrective action plan to cure deficiencies;
• implementing an evidence-based sub-certification waterfall; and
• arranging for an independent third party or internal audit to validate that the program meets the framework and criteria.

Compliance program certifications also provide benefits beyond satisfying regulator and prosecutor expectations. If performed effectively, the certification process should identify opportunities to save costs, maximize revenues, safeguard tangible and intangible assets and enhance the CCO’s power and prestige.

Reporting Misconduct Allegations. DOJ corporate settlement agreements require companies to “promptly report” to DOJ “any evidence or allegation of misconduct that may constitute a violation of the criminal laws that gave rise to the settlement, including foreign conduct that would have been illegal if it had occurred in the U.S.”[10] The government regards this obligation so seriously that DOJ requires the CEO and Chief Financial Officer (“CFO”) to certify personally that (1) they are aware of the company’s disclosure obligations and (2) the company reported all disclosable information.[11] Our guide presents critical steps companies should take to meet and avoid breaches of disclosure obligations and to protect CEOs and CFOs before they certify personally that the company has completed its disclosure obligations. These steps include:

• ensuring that all employees understand the obligation;
• developing an inventory of potential sources, recipients, reporters, and escalation systems;
• identifying reasonably likely breach scenarios and evaluating the effectiveness of the company’s risk response;
• establishing a process to escalate misconduct allegations to the right decision-makers; and
• protecting the CEO and CFO with evidence-based sub-certifications and independent testing.

Making the Best of a Government Monitor. The Post-Settlement Guide concludes with practical steps to prepare, liaise and maximize the value of a government-imposed monitor or independent consultant, starting with behaving like a client, not a criminal defendant and avoiding an adversarial relationship.

Our guide suggests actions for companies to reduce costs, save time and minimize management distraction based on our experience as a government-imposed and voluntary monitor, independent auditor, and independent consultant to over 25 companies. We suggest:

• identifying the objectives and benefits of the monitorship;
• developing proposed assessment criteria;
• selecting candidates wisely;
• investing in an effective project management office;
• collaborating on the Monitor’s work plans and recommendations; and
• demonstrating its commitment to maintaining a culture of integrity and enhanced ethics and compliance policies, processes and controls.

This guide is a resource for companies seeking to navigate the complex landscape of DOJ and SEC corporate settlement agreements. We recommended the steps outlined above to help companies fulfill their post-resolution obligations, mitigate the risk of future violations and rebuild trust with stakeholders and the public. Our guide acknowledges that every organization’s post-resolution journey is unique, and flexibility in implementing these steps is important. StoneTurn encourages companies to tailor their strategies to their specific circumstances, industry, and risk profile while maintaining regulatory compliance and ethical standards at the forefront.

Footnotes 

[1] DOJ, Principles of Federal Prosecution of Business Organization, §9-28.300 (2023). https://www.justice.gov/jm/title-9-criminal; DOJ Criminal Division, Evaluation of Corporate Compliance Programs (March 2023). www.justice.gov/criminal-fraud/page/file/937501/download

[2] DOJ Office of Public Affairs, Deputy Attorney General Lisa O Monaco Delivers Remarks on Corporate Criminal Enforcement, September 2022 https://www.justice.gov/opa/speech/deputy-attorney-general-lisa-o-monaco-delivers-remarks-corporate-criminal-enforcement.

[3] DOJ Office of Public Affairs, Deputy Attorney General Lisa O Monaco Gives Keynote Address at ABA’s 36th National Institute on White Collar Crime, October 28, 2021. https://www.justice.gov/opa/speech/deputy-attorney-general-lisa-o-monaco-gives-keynote-address-abas-36th-national-institute.

[4] DOJ Office of Public Affairs, Ericsson to Plead Guilty and Pay Over $206M Following Breach of 2019 FCPA Deferred Prosecution Agreement, March 2, 2023. https://www.justice.gov/opa/pr/ericsson-plead-guilty-and-pay-over-206m-following-breach-2019-fcpa-deferred-prosecution.

[5] Deutsche Bank Aktiengesellschaft, Annual Report Pursuant to Section 13 or 15(d) of the Securities Exchange Act of 1935 for the Fiscal Year Ended December 31, 2022, p.13 (March 2022). https://investor-relations.db.com/files/documents/sec-filings-for-financial-results/Form-20-F-2022.pdf.

[6] See, e.g., U.S. v. Danske Bank, Plea Agreement, 22 Cr. 679 (SDNY), December 12, 2022. www.justice.gov/opa/press-release/file/1557611/download.

[7] DOJ, Office of Public Affairs, Deputy Attorney General Lisa O. Monaco Delivers Remarks on Corporate Criminal Enforcement, September 15, 2022. www.justice.gov/opa/speech/deputy-attorney-general-lisa-o-monaco-delivers-remarks-corporate-criminal-enforcement.

[8] Kenneth Polite, Assistant Attorney General Kenneth A. Polite Jr. Delivers Remarks at NYU Law’s Program on Corporate Compliance and Enforcement, March 25, 2022, New York, NY, remarks as prepared for delivery, https://www.justice.gov/opa/speech/assistant-attorney-general-kenneth-polite-jr-delivers-remarks-nyu-law-s-program-corporate.

[9] See, e.g., In the Matter of KPMG, Exchange Act Release No. 4051 ¶80 (June 17, 2019) (requiring the CEO to certify that KPMG policies, processes and controls are “adequate and sufficient to provide reasonable assurance of compliance with all professional standards relating to ethics and integrity”). www.sec.gov/litigation/admin/2019/34-86118.pdf

[10] See, e.g., U S v Danske Bank, Plea Agreement, 22 Cr. 679 (SDNY) ), ¶13, December 12, 2022. www.justice.gov/opa/press-release/file/1557611/download.

[11] See, e.g., Plea Agreement, United States v. Glencore International A.G., (S.D. N.Y.) (May 2022). https://www.justice.gov/criminal/file/1508266/download.

Jonny Frank, Chris Hoyle, and Michele Edwards are Partners and Laura Greenman and Ksenia Ioffe are Managing Directors at StoneTurn. A shorter version of this post first appeared on the firm’s blog.

The views, opinions and positions expressed within all posts are those of the author(s) alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of the New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity or any statements made on this site and will not be liable any errors, omissions or representations. The copyright or this content belongs to the author(s) and any liability with regards to infringement of intellectual property rights remains with the author(s).