Wachtell: White-Collar and Regulatory Enforcement: What Mattered in 2023; What to Expect in 2024

Introduction

This past year was yet another notable and intensely active one across the entire range of white-collar criminal and regulatory enforcement areas. We heard continued tough talk from law enforcement authorities, especially concerning the government’s desire to bring more enforcement actions against individuals and on the need to keep ramping up corporate fines and penalties. The government largely lived up to its talking points about increasing the numbers of individual prosecutions and proceedings, particularly with respect to senior executives in the cryptoasset industry. But there were some notable stumbles. The most striking example of this was DOJ’s failure to secure convictions in cases where it attempted to extend criminal antitrust enforcement in unprecedented areas, such as no-poach employment agreements and against certain vertical arrangements—neither of which has historically been viewed as involving per se violations of the federal antitrust laws. And, as in years past, many state attorneys general remained active throughout 2023, using broad state consumer-protection statutes to bring blockbuster cases across a wide array of industries, from ridesharing and vaping to opioids and consumer technology offerings.

Law enforcement authorities also largely made good on another set of important promises and policy changes, as reflected principally in the still relatively new DOJ Corporate Enforcement Policy. In particular, both DOJ and the SEC sought during 2023 to make more clear the corporate conduct they will reward when settling cases and to be more transparent about exactly what those rewards include. This is consistent with our observation in last year’s wrap-up memo that government investigators are becoming more adept at gauging whether a corporation’s commitment to ethics and compliance is both genuine and commensurate with the risks its businesses entail, as well as more concrete and specific about the credit they will grant for having in place an effective compliance culture, taking prompt remedial action, and self- reporting and cooperating.

This emerging change in the government’s approach is an important signal that all well-managed companies should heed. Last year’s record of major corporate settlements demonstrates that maintaining strong internal accounting controls, providing effective training, instilling an ethics-focused tone at the top, and reacting swiftly when problems arise through self-remediation and self-reporting (when appropriate) remain critical to reducing the adverse consequences when legal issues surface. In short, internal controls matter; director oversight matters; and the talent (and internal culture) of the legal, compliance, accounting, and finance personnel who carry out the day-to-day tasks of ensuring compliance with applicable regulatory requirements also matters.

DOJ Developments

In 2023, DOJ continued to expand the scope of its corporate criminal enforcement efforts and its programs designed to encourage self-reporting, remediation, and cooperation.
This included continued emphasis on anti-money laundering, Foreign Corrupt Practices Act (FCPA), and fraud prosecutions, with a particular focus on digital asset and alternative currency- related fraud.

DOJ reiterated throughout the year, in both words and actions, its priority of bringing criminal cases against individual corporate actors, as well as their institutions. All of this continues what Principal Associate Deputy Attorney General (PDAG) Marshall Miller promised near the end of 2022—namely, that criminal charges and guilty pleas are now “on the main, everyday menu.” More recently, in a September 2023 speech, PDAG Miller used the same language to explain that the “Department will not hesitate to hold accountable companies that do not honor their obligations under deferred prosecution agreements (DPAs) and non- prosecution agreements (NPAs), or under the terms of corporate probation following convictions.” Miller also noted that this would no longer be a “special for certain customers,” but rather that DOJ’s “main, everyday menu” would include “[r]equiring a guilty plea after a company violates a DPA or NPA.”

In January 2023, DOJ updated its Corporate Enforcement and Voluntary Self- Disclosure Policy in several significant respects. First, corporations are now eligible for a declination, even if there are aggravating factors, if they can demonstrate: (a) the “voluntary self-disclosure was made immediately upon the company becoming aware of the allegation of misconduct”; (b) at “the time of the misconduct and disclosure, the company had an effective compliance program and system of internal accounting controls, which enabled the identification of the misconduct and led to the company’s voluntary self-disclosure”; and (c) the “company provided extraordinary cooperation with the Department’s investigation and undertook extraordinary remediation.” Second, DOJ made it clear that, generally, “[i]f a criminal resolution is warranted for a company that has voluntarily self-disclosed, fully cooperated, and timely and appropriately remediated,” the Criminal Division will recommend at least a 50% and up to a 75% reduction off of the low end of the otherwise applicable fine range under the U.S. Sentencing Guidelines. Finally, the new policy establishes that, as a general matter, DOJ will not require a corporate guilty plea or a corporate monitor—the latter concession being available if an effective compliance system and remediation are in place.

In March 2023, DOJ announced a Pilot Program Regarding Compensation Incentives and Clawbacks, which Deputy Attorney General (DAG) Lisa Monaco described as an attempt to further DOJ’s goal of “shift[ing] the burden of corporate wrongdoing away from shareholders, who frequently play no role in the misconduct, onto those directly responsible.” The program provides that “when entering into criminal resolutions, companies will be required to implement compliance-related criteria in their compensation and bonus system and to report to the Division about such implementation during the term of such resolutions.” It also provides that companies must “report to the Division annually during the term of the resolution about [their] implementation of such criteria. These criteria may include, but are not limited to: (1) a prohibition on bonuses for employees who do not satisfy compliance performance requirements; (2) disciplinary measures for employees who violate applicable law and others who both (a) had supervisory authority over the employee(s) or business area engaged in the misconduct and (b) knew of, or were willfully blind to, the misconduct; and (3) incentives for employees who demonstrate full commitment to compliance processes.” The program also provides for fine reductions for cooperating companies that have a program to “recoup compensation” from wrongdoers at the company and their negligent or willfully blind supervisors—up to 100% of the amounts successfully withheld or recouped or 25% of the amounts sought in good faith, but without success.

Another major DOJ focus last year was on so-called “off-channel communications”—essentially the entire universe of personal devices and platforms on which corporate officers and employees communicate about business outside of the company’s official email and other established corporate communications systems. A March 2023 update to DOJ’s Evaluation of Corporate Compliance Programs policy, stated that in “evaluating a corporation’s policies and mechanisms for identifying, reporting, investigating, and remediating potential misconduct and violations of law, prosecutors should consider a corporation’s policies and procedures governing the use of personal devices, communications platforms, and messaging applications, including ephemeral messaging applications.” The policy now instructs prosecutors to consider how well such policies have been communicated to employees, and whether the corporation has enforced the policies on a regular and consistent basis, including consideration of what channels employees actually use to conduct business, what steps the company has put in place to preserve information on these channels, and what policies and procedures the company has put in place to police compliance.

In October 2023, DOJ announced a new Safe Harbor Policy for Voluntary Self- Disclosures Made in Connection with Mergers and Acquisitions. DAG Monaco explained that going forward, acquiring companies that promptly and voluntarily disclose criminal misconduct; cooperate with the ensuing investigation; and engage in timely and appropriate remediation, restitution, and disgorgement will be presumed to be eligible for an outright declination as to the disclosed misconduct. DAG Monaco also stressed that to qualify for the safe harbor, companies must disclose misconduct discovered at the acquired entity within six months from the date of closing, and must fully remediate within one year of closing.

As we look ahead to 2024, companies can expect that the priorities announced at a high level within DOJ over the past year will trickle down into the policies of individual U.S. Attorney’s Offices. For example, in January 2024, SDNY U.S. Attorney Damian Williams announced a new whistleblower pilot program to encourage individuals involved in criminal activity to come forward in exchange for extraordinary leniency. U.S. Attorney Williams stated specifically that NPAs would now be available as a matter of policy for certain individuals who come forward and voluntarily cooperate.

All of this, particularly the increasingly complex interplay between the incentives and punishments for individuals working at corporations and the institutions themselves, means that corporations seeking to responsibly address criminal conduct by officers and employees will have a clearer sense of the inducements government is extending to individual corporate actors to report wrongdoing, as well as an improved ability to read the strategic landscape and determine a path that advances the company’s best interests. DOJ’s enforcement tools continue to expand, as have the “carrots and sticks” available to the Department to shape corporate conduct. Every company facing these kinds of risks of potential criminal liability must be alert to evolving DOJ policy and must invest appropriate time and energy to put in place the compliance culture, policies, and systems that will best position the company to respond effectively if problems do surface and to achieve the best possible outcome

SEC Developments

The Commission brought a total of 501 standalone enforcement actions in its fiscal year ended September 30, 2023. This was an 8% increase over the prior year, though it was still somewhat below the 526 cases brought in 2019, the last year before the pandemic. The case mix was broadly in line with historical patterns. Public company disclosure and accounting cases were 17% of the total, nearly identical with the 16% share in 2022. Insider trading cases were 6% of this year’s docket, consistent with historical experience. Securities offerings comprised a whopping 33% of the cases brought, but this category always includes a large number of unregistered offerings, Ponzi schemes and similar matters—and relatively few cases involving offerings by public companies. Cases against investment advisers and investment companies accounted for 17% of the total; 12% of the docket involved broker-dealers. The SEC brings its most serious cases as injunctive actions in federal court, but nearly 80% of the cases in 2023 were administrative proceedings. The question of the constitutional status of the administrative enforcement mechanism is pending before the Supreme Court in SEC v. Jarkesy. The Court heard oral argument on November 29, 2023. A decision adverse to the SEC would have far-reaching implications for the enforcement program.

SEC officials continue to talk publicly about their desire to ratchet up civil penalty amounts, which they believe will affect corporate behavior. While penalty amounts shot up by a historic degree in 2022, the numbers returned to a more normal range in 2023, totaling $1.58 billion. This was the second-highest amount ever achieved, but paled by comparison to the record of $4.194 billion set in 2022. That year, however, seems to have been aberrational, as penalties totaled between $1.091 billion and $1.456 billion from 2018 through 2021.

The SEC continued to make limited use of its controversial practice of requiring admissions of wrongdoing in selected settlements. Corporate respondents made admissions in 19 settlements arising out of the SEC’s ongoing campaign against failures by financial services firms to preserve employees’ off-channel electronic communications. The SEC obtained a total of $400 million in penalties in these cases in 2023. The off-channel cases entail regulatory recordkeeping violations that do not require a finding of wrongful intent. At the same time, the SEC regards the failure to preserve required records as impeding its ability to carry out enforcement investigations. The SEC also obtained admissions in one case against a broker- dealer involving failure to provide complete and accurate securities trading information to the SEC and violations of related recordkeeping requirements. The SEC has touted admissions as an enforcement tool, but did not deploy it in any of the cases brought in 2023 involving fraud by corporate respondents.

The SEC’s whistleblower program shattered records in 2023. The SEC received an all-time high of 18,354 whistleblower reports in 2023—exceeding the previous record set in 2022 by nearly 50%. The SEC made a total of nearly $600 million in whistleblower awards in 2023, which was the highest total since the inception of the program in 2011. This included a single award for almost $279 million—the largest ever granted by the SEC. The SEC also continued to promote the program by taking enforcement action against companies seen as impeding whistleblowing activity, including by utilizing employment and severance agreements that include terms that could be read to restrict whistleblowing. In one such case against D.E. Shaw, the SEC obtained a $10 million penalty, the largest ever for a standalone violation of Rule 21F-17, the whistleblower protection rule. That record was then broken early in 2024, when J.P. Morgan paid an $18 million penalty in settling Rule 21F-17 charges based on provisions in agreements with retail customers who received credits or entered into settlements, whereby the customers agreed not to voluntarily contact the SEC regarding those matters.

The SEC continues to emphasize the importance of corporate cooperation in its investigations. Self-reporting continues to be the single most potent factor in a company’s favor, though companies miss the opportunity to score that point if they do not learn of potential misconduct internally before the SEC comes calling. Robust internal reporting mechanisms and a strong compliance culture are the most effective ways to maximize the chances of hearing about potential wrongdoing before the SEC does. In its year-end enforcement summary, the SEC highlighted three cases in which it found cooperation to be noteworthy. In two of the cases, the SEC recognized the cooperation by imposing no civil money penalty; in the third settlement (which was one of the off-channel communications cases), the SEC imposed a penalty “substantially” lower than those paid by other similarly situated firms. In all three of the spotlighted cases, the company self-reported.

Reinforcing another familiar theme, the SEC continues to aggressively pursue charges against individuals. In fiscal 2023, the SEC brought charges against one or more individuals in two-thirds of its enforcement actions. The SEC also obtained 133 orders barring individuals from serving as officers or directors of public companies, the highest number in 10 years. Barred individuals included a Wells Fargo executive, who settled fraud charges arising from statements about the company’s core business operations; the former CEO of McDonald’s, who was charged with false and misleading statements about the circumstances leading to his termination from the company; and a former controller at Pareteum Corp., who was sanctioned for his role in a fraudulent revenue recognition scheme.

Finally, we have seen occasional evidence of an overly zealous pursuit of enforcement actions in order to live up to tough rhetoric or in service of programmatic goals. A noteworthy example is a settlement reached with Charter Communications last November, which involved two hot-button topics for the SEC: Rule 10b5-1 trading plans and issuer stock repurchases. Charter adopted a 10b5-1 plan that allowed management to affect the amount of stock the company would buy back in the market by choosing to carry out certain debt offerings. This ability to affect the terms of the buyback ran afoul of the basic requirements of Rule 10b5-1. But failing to satisfy the elements of Rule 10b5-1 is not a violation—it is merely a failure to qualify for an affirmative defense to insider trading charges. The SEC’s order did not charge Charter with buying stock while it was in possession of material nonpublic information, indicating there was no basis for an insider trading charge (and thus nothing to assert an affirmative defense against). The SEC nonetheless charged Charter with violating the internal controls provisions of the Exchange Act. The theory of the case was that the failure to adhere to the elements of the 10b5-1 affirmative defense violated the requirement to maintain internal accounting controls reasonably designed to assure that transactions are carried out only in accordance with management’s authorization (and the board had authorized adopting a plan only in conformity with Rule 10b5-1). Reaching this outcome required the Commission to engage in what we (and other observers) saw as pretzel-like contortions to turn a failure to qualify for an affirmative defense—to substantive charges the SEC did not bring—into a violation of a provision intended to assure that financial statements are accurate. On the basis of this attenuated theory, the SEC also imposed a $25 million civil penalty, an eye-catching amount for a standalone internal controls charge. It is hard to see how the public interest is served when the SEC goes to such lengths to generate an enforcement headline about stock buybacks, particularly where it appears there was nothing wrong with the buybacks.

Cybersecurity

In 2021, the Biden Administration declared that combatting cyber threats was a “top priority and essential to national and economic security.” Last year saw the administration following through with a comprehensive National Cybersecurity Strategy and accompanying implementation plan. Described by Assistant Attorney General Kenneth Polite as a “huge, but necessary, undertaking,” the plan comprises 65 initiatives spanning a host of government agencies. Among the many initiatives assigned to or involving DOJ are developing plans to disrupt and investigate ransomware crimes, proposing new legislation to deter cybercrime and cyber-enabled crime, and leveraging the False Claims Act to improve vendor cybersecurity. To bolster its cybercrime-fighting capacity and ability to effectively address ransomware attacks in particular, DOJ has now merged the National Cryptocurrency Enforcement Team into the Department’s Computer Crime and Intellectual Property Section.

One initiative included in the National Cybersecurity Strategy is issuance by the Cybersecurity and Infrastructure Security Agency (CISA) of final rules implementing the reporting requirements contained in the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). CIRCIA requires critical infrastructure companies—defined broadly—to report cyber incidents and ransomware payments to CISA. CISA issued a Request for Information and held listening sessions in connection with this project in 2022 and 2023, and its draft Notice of Proposed Rulemaking is expected before the end of March 2024. The final rules will make clear which types of companies are required to make reports pursuant to CIRCIA; the types of cyber incidents that must be reported; the manner, form, content of, and deadlines for such reports; data preservation requirements; and enforcement mechanisms.

Meanwhile, in July 2023, the SEC finalized sweeping new cybersecurity disclosure rules for public companies. The final rules require registrants to disclose on the new Item 1.05 of Form 8-K any cybersecurity incident within four business days after the registrant determines the incident to be material. Registrants are also required to disclose in their annual report on Form 10-K, pursuant to the new Regulation S-K Item 106, their processes for assessing, identifying, and managing material risks from cybersecurity threats, the material impacts of cybersecurity threats and previous cybersecurity incidents, the board’s oversight of risks posed by cybersecurity threats, and management’s role and expertise in assessing and managing material risks posed by cybersecurity threats. Similar rules for registered investment advisers and funds and for broker-dealers have yet to be finalized.

Last year also saw the SEC pursuing enforcement actions focused on cyber- related disclosures. In March, the Commission brought an action against Blackbaud, Inc. for falsely assuring the public that a ransomware attacker had not accessed bank account or other sensitive information, when, in fact, information known within the company (but not communicated to senior executives) demonstrated otherwise. Then, in October, the SEC filed a complaint against SolarWinds and its chief information security officer for fraud and internal control failures relating to the company’s cybersecurity risk and incident disclosures. The case arose from a massive Russia-linked breach in 2020 that precipitated a broad campaign by the SEC to gather information about and from companies affected by the breach. The SEC’s complaint alleges that SolarWinds repeatedly overstated in its public documents the strength of its cybersecurity risk management practices and knowingly concealed critical vulnerabilities affecting its key product and business. SolarWinds has moved to dismiss the case, in part, for lack of legislative authority. Reflecting the breadth of the SolarWinds breach, the parties to the case recently made a joint submission to the court overseeing the matter identifying more than a dozen law firms with clients who may possess discoverable material related to the case.

Cryptoassets

The cryptoasset industry remained a focus for multiple enforcement agencies in 2023. The high-profile criminal action against Sam Bankman-Fried ended in a November conviction on multiple fraud counts, all stemming from the implosion of the FTX cryptoasset exchange and associated hedge fund Alameda Research. Bankman-Fried was only one of several prominent individuals associated with centralized crypto-focused institutions to face criminal charges in 2023. In November, Binance—the world’s largest cryptoasset exchange— pled guilty (and agreed to a total financial penalty of $4.3 billion) to resolve federal charges relating to violations of the Bank Secrecy Act and money transmittal licensure; and at the same time, Binance’s founder and CEO pled guilty to charges concerning anti-money laundering program failures.

Among other notable prosecutions, two of the co-founders of Tornado Cash, a virtual currency mixer that facilitated anonymous transactions and had processed over $7 billion of virtual currency transfers, were indicted in August 2023. The charges included conspiracy to commit money laundering, to commit sanctions violations, and to operate an unlicensed money transmitting business. The indictment, following on the heels of a sanction by the Treasury Department a year earlier, underscores both the potential legal risk associated with developing and sponsoring decentralized software protocols potentially susceptible to misuse and, as with the Binance case, regulators’ resolute focus on AML compliance. In July, the DOJ also indicted former executives of the now-bankrupt lending platform Celsius on fraud charges. And, in March, the DOJ indicted Do Kwon, founder of Terraform Labs, which created cryptoassets Luna and the so-called stablecoin UST, each of which collapsed in May 2022.

It is hard to think of any year in any industry that saw as many high-ranking executives charged as happened last year in the cryptoasset space. And this extraordinary spate of criminal cases was not the whole story. The SEC, CFTC, and State Attorneys General also brought notable civil enforcement actions in 2023, some in tandem with the criminal actions described above. For example, the SEC, CFTC, and the Civil Division of the SDNY U.S. Attorney’s Office brought parallel civil actions against Bankman-Fried. In December, the U.S. District Court for the SDNY granted the SEC summary judgment on part of its enforcement action against Do Kwon, finding that he had illegally offered and sold unregistered securities. The SEC also brought a claim for market manipulation against a trader who drained $116 million from a decentralized cryptoasset platform based on a software flaw he identified.

Of particular significance, as we have previously noted, the SEC has continued to use enforcement actions to assert that most cryptoassets constitute securities, while simultaneously maintaining that the U.S. securities laws are clear in this respect and declining to engage in prescriptive rulemaking. Consistent with that position, the SEC is pursuing claims against each of Coinbase, Binance, and Kraken for purportedly operating as unregistered securities exchanges, brokers, and clearing agencies. The SEC’s reach even extended to nonfungible tokens (NFTs), with the Commission entering into two settlements on the basis that NFT sales constituted unregistered securities offerings.

Still, some market observers concerned about potential SEC overreach and “regulation by enforcement” were heartened by developments in the long-running litigation against Ripple. The U.S. District Court for the SDNY granted, in part, Ripple’s motion for summary judgment, based on its finding that sales of cryptoasset XRP on exchanges did not constitute sales of securities (though certain primary market sales to institutional purchasers were found to constitute securities). And in another widely observed case before the SDNY involving a decentralized cryptoasset exchange, Uniswap Labs won a significant motion to dismiss private federal securities claims. But in a countervailing series of enforcement actions, and underscoring the continued murkiness of the regulatory status of some decentralized finance (DeFi) protocols, the CFTC issued orders against, and entered into settlements with, the operators of three DeFi protocols for offering illegal digital asset derivatives trading.

Courts and regulators at all levels of government are continuing to grapple with the legal treatment of cryptoassets and the events of past market cycles, even as the technology and its applications continue to evolve rapidly and cryptoassets increasingly find mainstream acceptance.

Antitrust Developments

Much has been written about the FTC and DOJ’s aggressive enforcement stance, which has influenced all areas of antitrust enforcement. DOJ’s campaign to bring criminal antitrust cases alleging anticompetitive labor market agreements is the clearest example of this aggressive approach. DOJ’s track record across all of its antitrust enforcement activities has been mixed at best, but its results in criminal prosecutions have been decidedly worse. Most significantly, DOJ’s frequent failures to secure criminal convictions in cases involving so-called no-poach agreements and vertical bid-rigging suggests to us (and many other observers) that DOJ should consider a pause in these areas and thoughtfully reconsider its approach. The consistent rejection by courts and juries of the government’s theories of prosecution certainly merits careful attention and reflection.

We have previously highlighted several reasons why DOJ’s criminal prosecutions of no-poach agreements are problematic. Most concerning has been DOJ’s seeming expansion of what constitutes a per se antitrust law violation. DOJ has long limited its pursuit of criminal charges to per se illegal conduct, such as price-fixing, horizontal bid-rigging, and market allocation schemes, because they are so “manifestly anticompetitive” that they lack “any redeeming virtue.” However, as part of an enforcement initiative jointly announced with the FTC in 2016, DOJ has attempted to extend per se treatment to conduct not previously criminally prosecuted, such as no-poach agreements. To us, DOJ’s decision to bring criminal charges using an untested theory raises constitutional concerns of fair notice and due process. And, fundamentally, there are procompetitive reasons to enter these types of agreements. For instance, companies regularly enter into labor-related agreements for procompetitive reasons, such as facilitating negotiation of a business combination, protecting confidential information, or fostering employee development.

Still, DOJ has not lost a motion to dismiss in this space. DOJ’s ability to plead these charges so as to survive dismissal makes the adverse results at trial worthy of study. Based on the decisions reached by trial courts in United States v. Jindal and United States v. Manahe, there arguably might be some case that could lead to a successful prosecution. But, after eight years of searching, DOJ has not yet found one. The string of acquittals shows that, in practice, it is difficult to find a no-poach agreement that is actually intended to achieve anti-competitive restraints in labor markets, instead of serving legitimate business goals.

In considering the recent string of acquittals following these aggressive antitrust prosecutions, it is worth remembering that DOJ is not an ordinary litigant. DOJ rarely loses criminal cases. Per the Federal Judiciary’s statistics, approximately 91% of criminal defendants are convicted, whether by plea of guilty or conviction at trial. In fiscal year 2023, only 263 of 72,255 defendants in federal criminal cases—approximately 0.4%—went to trial and were acquitted. In light of those statistics, this one should resonate: in fiscal year 2023, DOJ either lost at trial or simply dismissed 18 of its 47 antitrust prosecutions, one of which included its criminal charges against Surgical Care Affiliates. Given these highly unusual results, some reevaluation of DOJ’s stance in this area would seem to be in order.

DOJ has similarly expanded its reach in a traditional and well-established area of antitrust enforcement—bid-rigging. Historically, DOJ only brought criminal bid-rigging cases where there were alleged horizontal market restrictions—that is, where the conduct was alleged to restrain behavior between and among competitors. By contrast, vertical agreements between manufacturers and distributors historically have not been viewed as per se violations of the antitrust laws. Despite that settled history, DOJ has sought to pursue criminal prosecutions by aggressively applying the per se standard to alleged vertical restraints. As with the failed no- poach cases, this initiative has also been met with pushback from courts. Just last month, the Fourth Circuit in United States v. Brewbaker overturned an antitrust conviction for bid-rigging because the alleged restraint had occurred between two companies in a vertical relationship and thus no per se antitrust offense had occurred.

As the Biden Administration settled in, it repeatedly announced that there would be dramatic changes in antitrust enforcement priorities and tactics. Prosecutors made good on those promises by pursuing more aggressive theories, but their failure to make those charges stick in court is an important reminder that, in the right kinds of cases, corporate defendants can successfully resist government pressure to resolve cases. Resistance can be particularly appropriate where the government is advancing unprecedented legal theories, and where the defense can develop a record at trial showing that the underlying behavior serves legitimate business interests.

FCPA

FCPA enforcement activity in 2023 was in line with 2022 levels, with DOJ and the SEC resolving a combined total of 15 corporate investigations (two of which were joint resolutions). On the DOJ side, corporate resolutions involved four DPAs and one NPA, all with three-year terms, and one plea agreement (which, as described below, represented a re-opening of Ericsson’s 2019 DPA). Financial penalties were down significantly from 2022 levels and continued a multi-year downward trend, with DOJ and the SEC imposing a total of approximately $910 million in FCPA-related criminal and civil penalties, disgorgement, and prejudgment interest (about $704 million excluding Ericsson), which, after offsets for amounts paid to foreign and U.S. enforcement authorities, yielded a total recovery of about $726 million (about $519 million excluding Ericsson). DOJ also issued two FCPA-related declinations under its Corporate Enforcement and Voluntary Self-Disclosure Policy (“CEP”). As for FCPA prosecutions against individuals, DOJ in 2023 filed charges against nine different individuals, also continuing the recent downward trend.

As is often true, statistics tell only part of the story. The details of last year’s resolutions offer important insights into the areas of greatest FCPA risk, as well as lessons regarding how law enforcement authorities will apply new policies in the future:

• Significant Risks from Using Third-Party Consultants, Agents and Other Intermediaries. FCPA resolutions in 2023 involved a variety of bribery schemes—e.g., corrupt payments to help obtain or retain government contracts, secure competitive pricing and other inside information to assist in bidding for government business, or facilitate the passage of legislation—and arose in many different countries—e.g., Brazil, China, Colombia, Ecuador, India, Indonesia, Russia, and Vietnam. But a unifying principle across all of 2023’s FCPA resolutions, and indeed, across FCPA resolutions generally, is the central role third-party consultants, distributors, agents, and other intermediaries play in executing corrupt schemes. This underscores that effectively implementing compliance controls concerning the vetting, onboarding, managing, and monitoring of third-party intermediaries is one of the most critical aspects of a robust anti-corruption compliance program.

• Independent Compliance Monitors. None of the DOJ DPA and NPA resolutions last year involved an independent compliance monitor. At this point, it seems clear that there is no presumption either for or against the imposition of a monitor. Rather, in making the monitor determination, DOJ assesses all relevant facts and circumstances, including, importantly, the remedial actions taken and the state of the company’s compliance program at the time of resolution. Even absent imposition of a monitor, the standard terms and conditions for DOJ FCPA resolutions include an array of weighty compliance obligations, including continuing commitments to compliance assessments, periodic reporting, and certification upon the conclusion of the DPA or NPA that the company maintains an effective anti-corruption compliance program.

• Strict Compliance with DPA/NPA Obligations. In a 2021 policy pronouncement, DOJ emphasized that it would focus on ensuring strict compliance with DPA/NPA obligations. In 2022, the Swedish telecommunications company Ericsson was found to have breached its 2019 DPA that resolved a long-running FCPA investigation—both by failing to fully disclose the scope of misconduct addressed in the DPA and by failing to timely disclose information related to possibly additional FCPA violations in a different country. In March 2023, Ericsson pleaded guilty to the original charges that had been deferred under the 2019 DPA and agreed to additional criminal penalties of $206.7 million (which included elimination of the cooperation credit that had previously been granted as part of its 2019 DPA) and to extend the term of the compliance monitor by one year.

• Application of the Requirements Under DOJ’s CEP. The lone 2023 NPA resolution, involving specialty chemical manufacturer Albermarle, is instructive, as it underscores the critical importance of moving expeditiously if one hopes to be treated with leniency. While Albermarle had voluntarily disclosed the conduct underlying the ultimate criminal resolution, and apparently sought an outright declination under the CEP, DOJ concluded that the company’s disclosure was not “reasonably prompt” as required under the CEP. Nonetheless, given the company’s (i) exemplary cooperation with DOJ’s investigation, (ii) pre-resolution remediation, and (iii) ongoing compliance and other commitments, DOJ determined that an NPA, not a DPA, was the appropriate resolution.

• Cooperation with International Enforcement Partners. DOJ and the SEC have long emphasized the importance of “partnering” with enforcement authorities in foreign countries to enhance the effectiveness of global anti-corruption enforcement efforts. In connection with the Biden Administration’s 2021 designation of anti-corruption enforcement as a national security priority (see U.S. Strategy on Countering Corruption), the United States has sought to build upon existing relationships and develop new ones. Consistent with that pledge, FCPA resolutions last year involved cooperation from at least 20 different countries, including the first-ever coordinated resolution of an anti-corruption case between DOJ/SEC and Colombian authorities in the Corficolombiana/Grupo Aval investigations.

• DOJ M&A Safe Harbor Policy. Last year saw an instructive application of DOJ’s new M&A safe harbor policy in the Lifecore Biomedical declination. The company, which uncovered misconduct during post-acquisition integration of a target company operating in Mexico, self-reported “within three months of first discovering the possibility of misconduct and hours after an internal investigation confirmed the misconduct had occurred,” and otherwise met the cooperation and remediation requirements of the CEP. This resolution underscores the critical importance of not only pre-acquisition due diligence, but post-acquisition integration and related diligence where more information is generally available to the acquiror.

• Pilot Program Regarding Compensation Incentives and Clawbacks. 2023 FCPA resolutions reflected early application of the DOJ’s Pilot Program on bonuses and clawbacks. The Albermarle NPA included an additional credit reducing the criminal penalty pursuant to the Pilot Program, because the company withheld bonuses during its investigation from employees suspected of wrongdoing and supervisors who failed to spot or otherwise deter the wrongdoing. More generally, the compliance remediation requirements set forth in FCPA DPA and NPA resolutions include implementation of compliance- related criteria into the company’s compensation and bonus system and reporting on such efforts to DOJ.

At the close of 2022, in a dramatic step underscoring the U.S. commitment to anti-corruption enforcement, Congress enacted the Foreign Extortion Prevention Act (“FEPA”) as part of the National Defense Authorization Act. FEPA criminalizes for the first time what is often referred to as “demand-side” of foreign bribery—i.e., the demand for or receipt of a corrupt payment by a foreign government official in return for favorable action in connection with obtaining or retaining business. FEPA is intended to have broad extraterritorial effect, criminalizing corrupt demands for anything of value made by foreign officials to a U.S. issuer, U.S. domestic concern (which includes U.S. citizens, domestic companies, and non-issuer entities), or any person within the territory of the United States. FEPA’s definition of foreign official is similarly broad, covering those acting in an official or unofficial capacity on behalf of a foreign government or any department, agency or instrumentality thereof, or a public international organization. It remains to be seen whether this new statutory authority will ultimately result in a significant uptick in cases against foreign governmental officials or what, if any, impact it will have on corporate FCPA enforcement.

State AG Developments

As we predicted last year, state AGs have remained aggressive in their regulatory oversight and have focused on consumer protection issues. Large settlements resulting from vigorous prosecutions by state AGs have occurred in the ridesharing, opioid, vaping, and education industries. Some noteworthy settlements in 2023 included the significant ridesharing settlements with Uber ($290 million) and Lyft ($38 million), as well as opioid settlements with CVS, Walgreens, and Walmart. These striking resolutions will likely incentivize state AGs to continue pursuing these kinds of consumer protection cases.

Antitrust is another area of significant state AG activity. State AGs are often most aggressive in areas where there is little or no enforcement activity by federal authorities. Antitrust, of course, is an area of federal/state enforcement, but, despite that fact, state AGs have aggressively carved out their own areas for antitrust enforcement, particularly against large health and technology companies. For example, just last month, a bipartisan group of 53 AGs announced a $700 million settlement with Google over alleged anticompetitive conduct with the Google Play Store.

Investigations by state AGs are particularly challenging because they often involve multiple jurisdictions, competing priorities, and partisan considerations. The political winds that often shape state AG cases and the impact that these investigations can have on a company’s reputation also make state AG prosecutions difficult to navigate. Companies need a coherent strategy to deal with multistate enforcement, especially when state AGs continue to expand their enforcement activity across new areas.

Conclusion

As we noted last year, and as remains the case this year, we are currently in a period of increased and more aggressive white-collar criminal and regulatory enforcement activity. We remain convinced that, despite the burdens and frustrations that arise in such periods, well-governed companies can and should use the government’s heightened attention to compliance effectiveness and tone at the top to thoughtfully evaluate their current systems, assess whether new policies and/or added resources might be appropriate, and consider the examples presented by enforcement actions taken against other companies, especially those in one’s own industry or sector, as offering potential insights into further enhancements that may be appropriate to adopt.

And, as the examples we discussed above about the successes many companies had in 2023 in defending against the government’s effort to extend criminal antitrust enforcement into unprecedented areas illustrate, these periods of amped-up government white- collar initiatives can also, in the right circumstances, present opportunities to fight back. In particular, where the government is pursuing an untested or questionable legal theory, is misapprehending key underlying facts, or is failing to consider crucial, mitigating context, a more combative strategy may well be called for.

John F. Savarese
Ralph M. Levene
Wayne M. Carlin
David B. Anders
Sarah K. Eddy
Randall W. Jackson
Kevin S. Schwartz