2023 is turning out to be a testing year for those involved in protecting companies, their employees, and stakeholders from the consequences of poor compliance or unethical conduct.
In the face of macroeconomic headwinds, compliance and investigations teams face an uphill battle to ensure individuals comply with company policy and call out wrongdoing.
Regulation – often backed by civil or criminal enforcement – is growing as policy makers confront wider threats, such as cyber-crime, illicit money flows, ESG concerns or the impact of AI.
While challenging, these factors also create opportunities e.g., to garner senior level attention on efforts to prevent and weed out wrongdoing.
Here we outline three recent trends that may be used to drive the investigations and compliance conversation within companies. We will explore these and other trends in more detail in further posts, looking at the practical implications for those working in this space.
Unprecedented attention on sanctions helps reinforce broader compliance messaging
The expanded sanctions on Russia following the war in Ukraine has been a catalyst for heightened attention on sanctions compliance and associated risks such as money-laundering. As a result, unprecedented resources are being funneled into sanctions and trade controls enforcement in several jurisdictions. It has also shone a light on the extensive and far-reaching counter-terrorist legislation in place in some jurisdictions, which may have been overlooked until now.
Now that Russia related measures are more embedded and stable, a key trend upcoming is an expected increase in investigations in this space. Because of the speed, breadth and complexity of the Russia-related sanctions put into place, some violations may have occurred in the early days of implementation, presenting a new type of challenge for companies.
In addition, although the agencies are currently focused largely on Russia, the increase in resources and enforcement tools recently made available will also be used to target sanctions and trade controls violations across a range of jurisdictions and activities. As such, it is more important than ever that internal investigations teams are primed to spot and investigate sanctions and export control related issues, and related money-laundering or terrorist-financing risks.
Expectations for sanctions compliance – for example, as to the standard of diligence to be conducted or the extent of sanctions screening to be run – are continuing to evolve upwards. Companies should consider what specific, risk-based sanctions and trade controls procedures and other compliance measures are needed and consider relevant risk factors and red flags (for example those listed in the US Department of Commerce, Department of the Treasury, and Department of Justice Tri-Seal Compliance Note of March 2023).
In addition to sanctions-specific measures, the attention on sanctions also creates an opportunity for compliance and investigations teams to reinforce some existing messages that can help mitigate broader white-collar risks. For example, ensuring heightened awareness when operating in high-risk jurisdictions, the importance of third-party due diligence, understanding the rationale for payment structures, and encouraging speaking up and the use of proper escalation procedures.
Many in-house teams may have already increased their engagement with regulators on this issue, a trend accelerated by broad sanctions reporting requirements in the financial sector, in particular, and the need to apply for licenses, e.g., to clean up historical exposure to sanctioned persons or territories. Companies may also receive inquiries from law enforcement conducting sensitive investigations in this space, and having robust investigations processes and protocols in place, in advance, can help make those interactions as productive as possible.
Increased criminal and reputational risks underpin the need for robust investigations
Criminal liability laws continue to evolve, and enforcement agencies remain focused on tackling misconduct in the corporate sphere across the full landscape of risk.
We continue to see cooperation across agencies (within the same jurisdiction and internationally). For example, tax authorities are increasingly alleging criminal behavior by corporate taxpayers. In some jurisdictions this is not a new tactic. But other jurisdictions (e.g., France) are now recognizing that the threat of criminal prosecution is a highly effective tool in the tax enforcement arsenal, leading to greater cooperation between tax authorities and public prosecutors. This has led to cross-border cooperation on dawn raids, with receiving assistance from criminal law enforcement in other jurisdictions to conduct raids on companies.
One clear example of the strengthening of corporate criminal laws is the UK Government’s plan to introduce a new offence to make it easier to prosecute companies that are involved in fraud, unless they had reasonable prevention measures in place. This new failure to prevent fraud offence, which is now making its way through Parliament with the UK Government’s backing, creates an opportunity (and, once in force, an imperative) for companies falling within scope to review their prevention procedures and adapt as necessary. This development will have important consequences on how businesses operating in the UK manage fraud risk and markedly increases the threat of criminal prosecution. For a summary of the proposals see our post here.
Cyber-crime is also a major concern for companies. For good governance or sometimes regulatory reasons, more companies are now conducting post-incident investigations into the potential wider route causes of such incidents. These offer important lessons learned that can inform governance and prevention measures going forward – although, they must be conducted in close coordination with legal advisors to ensure they do not inadvertently prejudice the company’s position in any enforcement investigation or litigation.
US Department of Justice policy updates focus on specific compliance mechanisms
In March this year, the DOJ launched a three-year pilot program on compensation incentives and claw backs. It (1) requires corporate criminal resolutions to direct companies to implement a compensation system that promotes compliance, and (2) will potentially allow companies that attempt, in good faith, to claw back payments to law-breaking executives and employees to obtain reduced penalties—even if those efforts are unsuccessful.
This approach is reinforced in the DOJ’s revised Criminal Division guidance on the Evaluation of Corporate Compliance Programs (updated in March), which sets out further detail on how prosecutors should assess whether a company’s compensation structures promote a culture of compliance.
The updates in the revised guidance also lend weight to another issue internal compliance and investigation teams have been grappling with for some time—the use of personal devices and messaging services. The guidance, again, goes into further detail than before on this issue. It instructs prosecutors to consider what guardrails are in place to ensure effective compliance when using such messaging systems, including ensuring they can be preserved and collected, if needed.
These updates are part of a continuing drumbeat from enforcement agencies to incentivize companies to focus on effective measures to mitigate the risk of white-collar crime. For companies already focused on remuneration policy and claw backs as a compliance tool, and those who have clear controls around the use of personal devices and messaging platforms, the updates lend weight to existing measures. For those that have not yet highlighted these issues in their compliance programs, this may be an opportunity for legal and compliance teams to engage with a range of business functions (including HR, IT, and finance) on how they can work together to consider these points, which can be complex to implement across large organisations.
As is often the case in this area of the law, where the US leads others follow, and companies should expect other agencies to also focus on these issues. For example, the UK Serious Fraud Office’s compliance guidance specifically recognizes the DOJ’s Evaluation of Corporate Compliance Programs guidance as an example of best practice.
Looking at these issues in more detail
Across our global practice, our experts will continue to examine how these, and other trends are impacting enforcement risk, the conduct of investigations, and practical risk mitigation efforts.
As new posts in the Global Enforcement & Compliance series are published, we will update this post with the links, drawing together the trends and issues to consider in response in one place.