2014 Mid-Year Update on Corporate Non-Prosecution and Deferred Prosecution Agreements

Joseph Warin is partner and chair of the litigation department at the Washington D.C. office of Gibson, Dunn & Crutcher. The following post is based on a Gibson Dunn client alert; the full publication, including footnotes and appendix, is available here.

As the debate continues over whether and how to punish companies for unlawful conduct, U.S. federal prosecutors continue to rely significantly on Non-Prosecution Agreements (“NPAs”) and Deferred Prosecution Agreements (“DPAs”) (collectively, “agreements”). Such agreements have emerged as a flexible alternative to prosecutorial declination, on the one hand, and trials or guilty pleas, on the other. Companies and prosecutors alike rely on NPAs and DPAs to resolve allegations of corporate misconduct while mitigating the collateral consequences that guilty pleas or verdicts can inflict on companies, employees, communities, or the economy. NPAs and DPAs allow prosecutors, without obtaining a criminal conviction, to ensure that corporate wrongdoers receive punishment, including often eye-popping financial penalties, deep reforms to corporate culture through compliance requirements, and independent monitoring or self-reporting arrangements. Although the trend has been robust for more than a decade, Attorney General Eric Holder’s statements in connection with recent prosecutions of financial institutions underscore the dynamic environment in which NPAs and DPAs have evolved.

Since 2000, NPAs and DPAs have become a mainstay in the federal playbook for corporate criminal justice matters. The steady rise in their use by the U.S. Department of Justice (“DOJ”) began in the middle of the last decade and has since reached a baseline pace of at least 20 agreements per year, with some years spiking to nearly double that figure. The year 2004, for example, saw eight agreements. A decade later, the first half of 2014 alone has seen 11 agreements from DOJ, with an additional agreement from the SEC, for a total of 12 agreements. Since 2000, DOJ has entered into 283 publicly disclosed NPAs and DPAs. The U.S. Securities and Exchange Commission (“SEC”) also has adopted NPAs and DPAs in its corporate enforcement regime, entering into seven such agreements since 2010. Of the 290 agreements DOJ and the SEC have entered into since 2000, more than half (152) have come since January 1, 2010. NPAs and DPAs have led to monetary penalties totaling more than $42 billion, equivalent to the annual GDP of Latvia.

This post, the twelfth in our series of semiannual updates on NPAs and DPAs (available here), (1) analyzes the metrics of NPAs and DPAs announced in 2014; (2) examines issues raised by recently introduced congressional legislation that, if enacted, would require greater regulation of these agreements; (3) discusses the entry into force of DPA legislation in the United Kingdom; (4) considers state-court collateral civil litigation related to NPAs and DPAs; and (5) scrutinizes the evolution of compliance program requirements that often accompany NPAs and DPAs. As in previous updates in this series, the appendix lists all agreements announced in the first half of 2014.

NPAs and DPAs to Date in 2014

During the first half of 2014, DOJ entered into 11 agreements to resolve a variety of alleged conduct spanning multiple DOJ divisions and sections. The SEC entered into one agreement. Of the 12 agreements total, 5 were NPAs and 7 were DPAs. This figure is in line with the 12 agreements reached in the first half of 2013. In past years, we observed the phenomenon of an uptick in NPAs and DPAs during the second half of the year, so we anticipate that this year’s tallies could match or exceed the 2013 figure of 27 agreements.

As Chart 1 below demonstrates, the use of corporate NPAs and DPAs has increased steadily since 2000, generally exceeding 20 agreements per year since 2006, which was the first year that recorded a total of more than 20 agreements. The agreements continue to be a valuable mechanism for resolving allegations of corporate misconduct, and 2014 is staying on pace to match the normal range of the past decade. The charts and figures below are derived from Gibson Dunn’s database, which contains details of 290 NPAs and DPAs entered into by federal enforcers between January 1, 2000 and July 7, 2014.


Due to several extraordinarily large settlements, this year’s monetary penalties already exceed the 2013 total. In the first half of 2014, NPAs and DPAs have resulted in monetary penalties of nearly $3.6 billion, as shown in Chart 2 below. The total for 2013, on the other hand, was approximately $2.9 billion. The 2014 figure will no doubt increase significantly in the second half of the year. Regardless of the degree of that increase, this year will be the ninth of the last ten years in which total monetary penalties associated with NPAs and DPAs have exceeded $1 billion. This year will also be the sixth of the last ten years in which the total for the year breaks $3 billion. The numbers to date in 2014 continue to signal DOJ’s focus on negotiating large monetary settlements. Of course, this analysis does not include the recent BNP Paribas $8.9 billion guilty plea. The first half of the year saw two resolutions with monetary components exceeding $1 billion, and together they account for approximately 90% of the total monetary penalties to date in 2014.


The 12 agreements announced so far in 2014 resolved various types of allegations. They cover categories of conduct that have become typical for resolutions through NPAs and DPAs over the years. Chart 3 below shows the agreements in 2014 to date, broken down by the primary legal allegations they resolved.

Chart 3: 2014 DPAs/NPAs by Primary Allegation (through July 7, 2014)
Primary Legal Allegation Number
Bank Secrecy Act 1
Drug Misbranding 1
False Statements 1
Foreign Corrupt Practices Act 2
Fraud (various types) 4
Securities Fraud 1
Tax Evasion 1
Trade Sanctions 1

The use of NPAs and DPAs continues to evolve, as they are deployed in an increasing variety of circumstances. Following on the heels of its first DPA with an individual in late 2013, discussed in our 2013 Year-End Update, the SEC entered into its first NPA with an individual in April 2014. As we have noted in previous updates, a variety of different DOJ divisions and sections use NPAs and DPAs, and that pattern has continued so far in 2014. In addition to the Fraud Section of DOJ’s Criminal Division, other DOJ headquarters units have been involved in agreements this year, including the Consumer Protection Branch of DOJ’s Civil Division and the DOJ Tax Division. The DOJ Fraud Section and the U.S. Attorney’s Office for the Southern District of New York (“SDNY”) each entered into three agreements during the first half of 2014. The SDNY ranks among the DOJ units that have entered into the greatest number of these agreements over the years. The SDNY has been party to 35 of 290 agreements since January 1, 2000, or approximately 12% of the total.

Five other U.S. Attorneys’ Offices have also entered into NPAs or DPAs so far this year. The U.S. Attorney’s Office for the Eastern District of Wisconsin entered into what appears to be its first publicly reported agreement this year, with Miron Construction Company, Inc., an industrial construction company in Neenah, Wisconsin. Two other districts entered into what appear to be their second rounds of agreements. The U.S. Attorney’s Office for the District of Connecticut, which announced its first DPA in 2006, entered into its first NPA in January 2014. Similarly, the U.S. Attorney’s Office for the Northern District of New York entered into its first corporate DPA in February 2014, after inking two NPAs in 2008. Additionally, media reports indicate that the U.S. Attorney’s Office for the District of Colorado also entered into an NPA with the Grand Junction Regional Airport Authority, but there has apparently not yet been a formal DOJ announcement or release of the agreement. We therefore have excluded it from our tally of agreements.

While some of the agreements this year have required independent compliance monitors, continuing to include what has long been a bedrock requirement of many NPAs and DPAs, the use of self-reporting provisions also continues. Three agreements required an independent compliance monitor or consultant. Each involved allegedly fraudulent conduct. Six other agreements included a self-reporting requirement. As we noted in our 2013 Year-End Update, the use of either self-reporting or hybrid monitorships—in which the agreement provides for an independent monitor to serve for the first half of the agreement period (18 months in a three-year deferral period, for example), with the possibility of the company self-reporting on its compliance program for the remainder of the agreement’s term—has replaced traditional monitorship arrangements in a number of agreements. After first appearing in one agreement in 2004 and a second in 2008, some form of self-reporting has been required in 41 of 166 DOJ agreements entered into since 2009, approximately 25% of the agreements during that time period.

Agreements thus far in 2014 also generally fit the mold for duration. Among the 267 agreements since 2000 that include a duration provision, the average term is approximately 29 months. The duration of this year’s agreements is roughly the same. This figure is in line with the typical pattern; the duration of many agreements over the years has ranged between two and three years. Over 65% of the agreements since 2000, or 189 agreements out of 290, fall in that range: 95 agreements have two-year durations, 89 agreements have three-year durations, and the remaining 5 agreements have durations between two and three years.

Prospect of Federal Legislation Indicates Continued Push for Accountability and Transparency Concerning NPAs and DPAs

As we noted in our 2013 Mid-Year Update and 2013 Year-End Update, some recent agreements have received increased judicial oversight. Similarly, DPA legislation that took effect in the United Kingdom in February 2014 (discussed below) emphasizes the role of the courts in overseeing deferred prosecutions. Several factors, including the prospect of increased judicial scrutiny of DPAs, the recent Second Circuit decision addressing Judge Rakoff’s rejection of a civil settlement between Citigroup and the SEC, and the new, more regimented DPA system in the United Kingdom, have fueled further dialogue about the processes underlying NPAs and DPAs in the United States. A recent legislative proposal pending in Congress sets the stage for further discussion of those issues, though its prospects for becoming law seem slim.

On May 1, 2014, U.S. Rep. Bill Pascrell (D-N.J.) introduced H.R. 4540, the Accountability in Deferred Prosecution Act of 2014 (“ADPA” or “H.R. 4540”), which was referred to the House Judiciary Committee the same day. The ADPA would regulate the process by which federal prosecutors enter into NPAs and DPAs and select outside monitors. Specifically, the ADPA would require DOJ rules and regulations regarding the use of NPAs and DPAs, including the selection of independent monitors, online publication of the agreements, filing in federal district court, and court review and approval of the agreements.

Its sponsors tout H.R. 4540 as legislation that will establish greater consistency and predictability in NPAs and DPAs. The sponsors further argue that such a measure would ensure that if an NPA or DPA requires an independent monitor, the monitor is selected in an objective manner. However, the bill has yet to receive much attention, and similar legislation has failed in recent Congresses. Although it may be unlikely to gain meaningful traction during this mid-term election year in a Congress that has passed few bills, the introduction of the bill shines a spotlight on the current state of NPAs and DPAs, their terms, and the processes by which companies and the government enter into them.

The proposed law would require DOJ to: (1) issue public written guidelines for NPAs and DPAs; (2) establish rules for the selection of independent monitors; and (3) publish the agreements on the DOJ website. Under the first requirement, DOJ would need to issue “public written guidelines” for NPAs and DPAs within 90 days of enactment “to promote uniformity and to assist prosecutors” and companies in negotiations and implementation of NPAs and DPAs. Those guidelines would address a range of issues, including the appointment and duties of independent compliance monitors, the appropriate terms and conditions to include in such agreements (such as monetary penalties, restitution, and civil settlements), whether to include provisions within the agreements for effective compliance and ethics programs as set forth in the U.S. Sentencing Guidelines, how DOJ determines whether a company has satisfied the terms of an agreement or has breached an agreement, the duration of agreements, and what “cooperation” means and requires from a company and its employees in connection with an agreement. The guidelines also would cover “[w]hen and why it would be appropriate for Federal prosecutors to enter into a nonprosecution agreement rather than a deferred prosecution agreement.” These guidelines could bring an additional measure of consistency to NPAs and DPAs and could limit prosecutorial discretion in drafting and enforcing such agreements. The legislation, on balance, could help standardize NPA and DPA terms further, leading to more consistent terms across agreements. Such standardization, however, is already underway—albeit in a less regimented manner than the legislation would require, as discussed below in our analysis of standard compliance terms included in NPAs and DPAs.

Second, the legislation would seek to ensure objectivity in the selection of independent monitors. The bill calls for the creation and publication of a list of organizations and individuals “who have the expertise and specialized skills necessary to serve as independent monitors.” The challenge in creating such a list is that the wide range of conduct covered by NPAs and DPAs in recent years precludes a tidy categorization of monitors’ work. Experts in anti-money laundering compliance, for example, may be less well-equipped to monitor a company that entered into an agreement to resolve allegations of food mislabeling. Effective monitor selection demands flexibility to choose a monitor based on the facts and circumstances of a case, a company’s needs, and the prospective monitor’s skills and experience. Further, the process of being placed on an official government list opens itself up to the sort of allegations of cronyism that underlie this particular reform in the first place.

The legislation’s monitor selection process also differs from established DOJ policy. In 2008, DOJ issued the Morford Memorandum, which addresses the monitor selection process. The memorandum contemplates a two-step monitor selection process: first, a committee of prosecutors at the relevant DOJ component considers monitorship candidates; second, the Office of the Deputy Attorney General approves the committee’s selection. To encourage objectivity, the memorandum prohibits individual U.S. Attorneys and Assistant Attorneys General from unilaterally selecting or vetoing a candidate, prohibits the selection of a monitor with an interest in the defendant corporation, and prohibits the defendant corporation from employing the monitor for at least one year after the termination of the monitorship. In contrast, some SDNY agreements contemplate more discretion for prosecutors. For example, a 2008 DPA with ESI Entertainment Systems (“ESI”) provides that within ten days of entering into the agreement, the company must retain “the services of a [monitor] approved by this Office to monitor ESI’s compliance.” Although some SDNY agreements empower the U.S. Attorney’s Office in the selection process, they nonetheless require approval of the Office of the Deputy Attorney General.

The monitorship provisions in H.R. 4540 also call for selection of monitors using “an open, public, and competitive process” and for the establishment of a publicly accessible fee schedule for the compensation of monitors and their staffs. One of the arguments for a fee schedule is to enhance the predictability of the expenses associated with monitorships, ameliorating concerns that independent monitors are extremely costly and that their costs are unpredictable. Setting a fee schedule could allow companies to calculate more easily the anticipated costs of monitorships before they agree to NPAs or DPAs and could also make monitorship costs more consistent. If this predictability enabled companies to budget more effectively, there might be more agreements containing monitorship provisions. Such an approach could, however, limit the pool of available monitors to those for whom the government’s pay schedule is in concert with their normal fee arrangements, narrowing the monitor options for companies.

The monitor trend also exists in state prosecutions. For example, in resolutions with the New York State Department of Financial Services (“DFS”), including those involving BNP Paribas and Standard Chartered Bank, New York State Superintendent of Financial Services Benjamin M. Lawsky imposed two-year monitorships. The DFS monitor selection process can vary from case to case, with language in the DFS agreements setting forth the selection mechanism. For example, the Standard Chartered order provides that DFS will appoint an “on-premises monitor of the Department’s selection.” Another DFS order provides that within 20 days of executing the order, the company itself must “identify an independent on-site monitor acceptable to the Department … who will report directly to the Department.”

Third, H.R. 4540 seeks greater transparency through the disclosure of NPAs and DPAs. The bill would require DOJ to publicly disclose, on its website, each NPA and DPA into which it enters, “together with all the terms and conditions of any agreement or understanding between an independent monitor appointed pursuant to that agreement and the organization monitored.” Hewing closely to the Freedom of Information Act (“FOIA”) exception for trade secrets and confidential business information, the legislation would allow courts to approve exceptions from disclosure “for good cause shown” by “any interested party,” allowing the withholding of information that is “proprietary, confidential, or a trade secret.” At a minimum, DOJ must disclose that an agreement has been filed in court, the name of the organization subject to the agreement, and the identity of the independent monitor appointed, if any, along with the financial terms for the monitor. Such a provision seems unlikely to change the NPA-DPA landscape significantly. Undisclosed agreements are likely to be the exception.

For example, a recent FOIA lawsuit resulted in the disclosure of a previously unreleased agreement between ABC Professional Tree Services, Inc., and the U.S. Attorney’s Office for the Southern District of Texas. As we noted in our 2013 Year-End Update, in November 2013, University of Virginia School of Law (“UVA Law”) research librarian Jon Ashley sued DOJ under FOIA seeking access to the 2012 NPA. DOJ had previously announced the agreement only in a press release; the agreement itself was not available. Ashley, conducting research with UVA Law professor Brandon Garrett, sought the agreement as part of Garrett’s work to make NPAs and DPAs available online, through a UVA Law website. The complaint called for a court order requiring disclosure of the agreement and argued the researcher was “statutorily entitled to the disclosure” of the agreement and that DOJ had “improperly withheld the requested records in violation of the law and in opposition to the strong public interest in understanding the judicial system and why admitted wrongdoers are not criminally prosecuted.” The litigation was resolved in March 2014 when DOJ released the agreement, which Garrett has described as “a totally unremarkable non-prosecution agreement, raising the question why it was ever sealed in the first place.”

In addition to imposing greater controls around DOJ’s process for negotiating and disclosing NPAs and DPAs, H.R. 4540 would require that NPAs and DPAs be filed in a federal district court and obtain judicial approval based on the court’s determination that the agreement “is consistent with the guidelines for such agreements and is in the interests of justice.” Courts also would have ongoing review powers for agreements under their purview, with the requirement that all parties and the independent monitor, if any, submit quarterly reports to the court addressing “the progress made toward the completion of the agreement, and describing any concern the filer has about the implementation of the agreement.”

These provisions, if enacted, would give the courts a more substantive and clearly defined role in the process for entering into and administering these agreements, along with greater direct authority to scrutinize the agreements. Although some courts have already assumed a more active role in analyzing and overseeing DPAs, as we discussed in our 2013 Mid-Year Update, this measure would standardize that practice. It would universalize quarterly reports, which Judge Gleason of the U.S. District Court of the Eastern District of New York required in connection with the HSBC DPA, but which have not been mandated in connection with other agreements. It also would give district courts authority to examine NPAs, which otherwise are not filed in court.

Moreover, the legislation would give courts broad powers to assess and intervene in agreements, if a party or the monitor moves the court to do so. Courts could review “the implementation or termination of the agreement, and take any appropriate action, to assure that the implementation or termination is consistent with the interests of justice.” These measures would greatly expand the role of courts in the deferred- and non-prosecution process—a role that some judges have begun to claim under existing authority and that may become more common, regardless of new legislation. This provision conflicts with the standard provision that DOJ is the sole arbiter of the breach of an agreement. A recent DPA, for example, provided: “… the Department shall determine, in its sole discretion, whether the Company has breached the agreement … .”

U.K. DPA Legislation Takes Effect

On February 24, 2014, corporate DPAs became available in the United Kingdom, after the Serious Fraud Office (“SFO”) and the Crown Prosecution Service finalized the Deferred Prosecution Agreements Code of Practice. As discussed in our 2013 Mid-Year Update, the draft Code of Practice was released in June 2013. A public consultation period followed, closing in September 2013. The entry into force of the U.K. DPA legislation affords an opportunity to consider the similarities and differences between the U.K. and U.S. approaches to such agreements, including certain aspects that may be especially relevant for those familiar with U.S. practices.

The U.K. DPA regime as implemented by the Code of Practice is broader than the U.S. approach in some respects, yet narrower in other ways. Unlike their American cousins, U.K. DPAs will only resolve the crimes “particularised in the counts of the draft indictment.” U.S. DPAs, on the other hand, typically grant deferral for crimes other than those specifically identified in the information. Accordingly, companies entering into U.K. DPAs might need to include more counts of wrongdoing and more factual detail in a draft indictment, as compared to a U.S. criminal information, to obtain the finality they seek from the DPA process.

But companies should be wary of the risk that including additional counts or factual detail in the draft indictment could present in collateral civil litigation, as discussed below with regard to collateral civil litigation in U.S. state courts and as we discussed in our 2013 Year-End Update with regard to such litigation in U.S. federal courts. U.S.-listed companies entering into a U.K. DPA should seek counsel on how to address the possibility of finding themselves engaged in litigation based on the facts and allegations contained in the draft indictment. Moreover, the SFO has signaled that corporations should certainly not expect the office to look out for their interests in this regard. Alun Milford, General Counsel of the SFO, put it bluntly in a March 26, 2014 speech: “It is unhelpful of your clients to put their interest in civil proceedings ahead of assisting our criminal investigation.” The ongoing civil claim in the English courts against Innospec Limited by one of its competitors arising from Innospec’s guilty plea to corruption charges shows this risk to be quite real.

The more limited, count-specific protection offered by the U.K. DPA regime could be mitigated somewhat by U.K. laws—excepting the U.K. Bribery Act—that impose corporate criminal liability only when behavior meets the “controlling mind” test. This test is more difficult for prosecutors to meet than U.S. respondeat superior liability, which often results in conduct of low-level employees being imputed to a company as long as it was within the scope of their employment. Satisfying the controlling mind and will test, however, usually requires prosecutors to find a senior corporate executive or board member “controlling” the illegal behavior. As Serious Fraud Office Director David Green commented in an April 23, 2014 speech, email conversations often “run[] out” in the middle management ranks and rarely implicate senior corporate officials. Director Green has suggested amending the new DPA law to create an offense for “failing to prevent” financial or economic crime along the lines of Section 7 of the U.K. Bribery Act’s offense for failure to prevent corruption.

Companies considering self-reporting under the new U.K. DPA regime as implemented should note that prosecutors believe such a report “carries with it an acceptance of wrong-doing” on the part of the corporate entity and not solely on the part of individuals. General Counsel Milford struck a strong tone against delayed disclosure and broad assertions of privilege: “The assertion of privilege over witness first accounts is unhelpful and, frankly, impossible to reconcile with an assertion of a willingness to cooperate.” According to General Counsel Milford, early disclosure allows improved collaboration with the government and reduces the risk of sloppy data collection or internal investigations practices. He warned that “[i]f a company decides not to involve us at the outset but decides to plough its own furrow in gathering accounts of witnesses and suspects, then we will view adversely any prejudice caused thereby to our criminal investigation when evaluating the level of a corporate’s cooperation.” The draft Code of Practice consultation response echoed this concern, stating that “if an internal investigation … prejudiced criminal proceedings,” the self-reporting company may receive an “unfavourable assessment” when seeking a DPA instead of outright prosecution.

It remains to be seen how the new U.K. DPA statute will affect the volume and outcomes of future U.K. corporate investigations. The SFO and the Crown Prosecution Service broadcasted their expectations loud and clear in their draft Code of Practice consultation response: “Stimulating official investigations into corporations is … at the heart of the DPA regime.” As a potential tool in expanding investigations, Director Green recently emphasized the forthcoming use of “intrusive surveillance” in corruption investigations, including undercover operations, phone tapping, and the planting of “probes” in homes and businesses. Coinciding with the entry into force of its DPA legislation, the United Kingdom may be on the verge of an increase in corporate prosecutions and resolutions, including DPAs.

Collateral Use of NPAs and DPAs in State Civil Litigation

As NPAs and DPAs become more prevalent, parties have increasingly attempted to use these settlements in collateral state court litigation. This practice is comparable to the practice in collateral civil litigation in federal court, which we addressed in our 2013 Year-End Update. Although this is a relatively new development, some general trends have begun to emerge:

  • DPAs are mostly used offensively by plaintiffs. In suits against corporations or companies, plaintiffs have successfully used admissions in DPAs to supplement their complaints and avoid motions to dismiss.
  • So far, plaintiffs have been unable to impute general admissions in a corporate NPA or DPA to directors.

Offensive Use to Supplement Complaints

State-court plaintiffs have successfully used DPAs to supplement complaints and supply missing facts. In Shalam, a New York state court case, plaintiffs used a defendant’s admissions in a DPA to plead elements of conspiracy and fraud in connection with a scheme to market illegal tax shelters. The defendant, HVB, sought dismissal, noting that plaintiffs failed to allege that it made any material misrepresentations. The court denied the motion because HVB had admitted in its DPA to participating in the scheme. Thus, according to the court, plaintiffs had successfully pleaded HVB’s participation in a conspiracy to defraud them.

The plaintiffs in a related case successfully used a corporation’s admissions in its DPA against a law firm partnership, even though the law firm was not mentioned by name in the DPA. In Salt Aire Trading LLC, a law firm allegedly participated in a fraudulent scheme by HVB and its auditor to market legally dubious tax transactions. Plaintiffs claimed that the firm provided boilerplate tax opinion letters to help market the tax shelters, all the while knowing the transactions were shams. Even though HVB’s DPA did not identify the firm as one of the firms with which HVB worked, the court concluded that if the DPA is “[v]iewed with the allegations in the [civil] complaint, which tie [the firm] directly to the underlying transactional documents, it is reasonable … to infer that [the firm] was one of the ‘other’ attorneys referred to in [HVB’s] DPA.” The court therefore denied the firm’s motions to dismiss the fraud-related claims against it.

Plaintiffs Unsuccessfully Use DPAs to Plead Demand Futility

Plaintiffs in derivative actions have been unable to use DPAs to show demand futility. In one case, In re FalconStor Software, Inc., the plaintiff shareholders brought a derivative suit against the board alleging breach of fiduciary duty. Plaintiffs claimed they were excused from Delaware’s requirement that shareholders present allegations to the board before suit because FalconStor’s DPA showed that the directors faced serious liability, and that a demand was therefore futile. The court found that plaintiffs failed to adequately plead demand futility because the DPA did not provide “any particularized facts [indicating] that the FalconStor directors knew of the violations, nor that they were provided with any red flags to support an assertion that they consistently refused to exercise proper oversight.”

These cases suggest that unless the DPA directly and specifically implicates the board or individual directors, board members can forcefully argue that corporate admissions are not imputed to the directors themselves.

Defensive Use

In Symbol Technologies, Symbol sued an accounting firm for failing to discover fraud committed by Symbol’s senior management. The accounting firm argued that Symbol’s claims were barred because management’s illegal actions (to which Symbol admitted in an NPA) were imputed to the company, and that Symbol therefore had “unclean hands” and was barred from suing under the doctrine of in pari delicto. The accounting firm further argued that the “adverse interest” exception to that rule, under which misdeeds are not imputed to a company if the managers acted entirely for their own benefit, was foreclosed by Symbol’s admission in the NPA. The court disagreed because the NPA did not state “that the members of [Symbol’s] management who committed accounting fraud did so for the benefit of Symbol”; the adverse interest exception was therefore available to Symbol.

Immunity Issues for Defamation Claims

One state court has held that statements made to the government before criminal charges related to those statements are imminent receive only qualified immunity from defamation charges. In Writt v. Shell Oil Co., Writt claimed that Shell defamed him in its report to DOJ describing possible FCPA violations. DOJ approached Shell to request a meeting to discuss Shell’s operation in Nigeria, and Shell thereafter initiated an internal investigation and submitted a report to DOJ implicating Writt in bribery. Shell’s discussions with DOJ ultimately resulted in a DPA in 2010. In Writt, Shell argued that Writt could not sustain his defamation claim as to statements in the report because Shell submitted the report “with the understanding that [it] would be used by the DOJ in determining whether or not to prosecute Shell for FCPA violations”; thus, Shell argued that the statements were absolutely privileged and that it was immune from the defamation claim. The Court of Appeals of Texas reversed. It held that “absolute privilege [from defamation claims] applies only to communications made in judicial proceedings and those communications made preliminary to or in serious contemplation of a judicial proceeding.” Shell’s statements were given only qualified immunity because “there [was] no evidence conclusively establishing that a criminal case had been filed against Writt or Shell, or that a criminal prosecution was actually being proposed … at either the time the DOJ contacted Shell or when Shell submitted its report to the DOJ.” In support of this conclusion, the court noted that DOJ did not file charges against Shell until “twenty months after Shell submitted its report,” and that Shell prepared the report for “important internal purposes” and not in preparation for impending criminal proceedings.

“Attachment C”: NPA and DPA Corporate Compliance Program Requirements

NPAs and DPAs frequently include an appendix setting forth corporate compliance program requirements—often referred to as “Attachment C,” due to its frequent placement as an appendix to an agreement. Over the years, the provisions in Attachment C have evolved and expanded. Recent agreements have included as many as 18 separate provisions. As we noted in our 2011 Mid-Year Update, these provisions offer insight into U.S. enforcement officials’ views on corporate compliance best practices. These provisions are not intended to prescribe specific elements for compliance programs for companies across the board; rather, the government requires such elements in resolving the alleged misconduct and compliance issues of the specific companies with which it enters into the agreements. Many compliance practitioners and commentators have nonetheless construed the provisions as helpful guidance for companies seeking to fashion comprehensive compliance programs. Many Attachment C requirements have, in recent years, become staple components of corporate compliance programs prescribed by the government, and we anticipate that NPAs and DPAs will continue to drive changes in compliance culture.

As compliance programs have matured and as the reach of NPAs and DPAs has broadened, the scope of Attachment C’s compliance requirements can have increasingly important implications for companies contemplating resolution of allegations through an NPA or DPA. To examine comprehensively the evolution and current status of Attachment C, Gibson Dunn has analyzed the compliance program appendices of 26 NPAs and DPAs released since mid-2011. These NPAs and DPAs resolved allegations ranging from FCPA violations and securities fraud to violations of the Controlled Substances Act and the Food, Drug, and Cosmetic Act. It is clear that some compliance provisions are used more frequently than others, making them more likely to emerge as industry standards for compliance practices. Other provisions appear less frequently and tend to be more specific to a particular company or the particular conduct an agreement addresses. A company seeking proactively to develop its compliance program should consider the most common provisions in recent NPAs and DPAs, which provide a useful baseline for compliance standards. Based on our analysis, the most common provisions from the last three years are:

  1. High-level commitment from the directors and senior management of the company in support of the company’s policy against legal violations and applicable compliance code provisions;
  2. A strong, written corporate policy against violations of the relevant laws;
  3. Standards and procedures to reduce the prospect of violation of the relevant laws;
  4. An effective system of financial and accounting procedures, including a system of internal controls;
  5. Annual risk-based review and updates of compliance standards and procedures;
  6. A designated senior corporate executive to implement and oversee compliance with the relevant laws;
  7. Strong mechanisms to ensure communication with and training of all officers, directors, employees, agents and business partners;
  8. Clear channels to provide guidance and advice to all personnel, to ensure confidential reporting, and to protect those who wish to report violation of the relevant laws;
  9. Disciplinary procedures to address violations of the relevant laws;
  10. Due diligence and compliance requirements pertaining to all agents and business partners;
  11. Standard provisions in commercial agreements designed to prevent violation of the relevant laws;
  12. Periodic review and testing of compliance programs to improve effectiveness in detecting and preventing violations of the relevant laws; and
  13. Policies and procedures designed to conduct risk-based due diligence with regard to M&A activities and the prompt application of the company’s compliance code, policies, and procedures to newly acquired businesses.

High-Level Commitment. Fifteen of the 26 compliance program appendices surveyed include a provision requiring the directors and senior management of the company to provide strong, explicit, and visible support for the company’s policy against violations of the relevant laws and compliance code. Moreover, this language has appeared more frequently in NPAs and DPAs from 2013 and 2014. The frequent inclusion of this “tone from the top” provision suggests that compliance functions that have not already embraced this principle may wish to consider this recommendation to foster a culture of compliance.

Prohibiting Violation of the Relevant Law. Nearly all of the compliance program appendices we analyzed (24 of 26) require the company to set forth a clearly articulated and visible corporate policy prohibiting violations of the laws that were allegedly broken; for example, a corporate policy prohibiting violations of the FCPA. The company is required to set forth this policy in a written compliance code. Each year since 2011, NPAs and DPAs have included this requirement consistently across industries. The fundamental nature of this requirement makes it the backbone of any robust corporate compliance program.

Promulgation of Compliance Standards and Procedures. Similarly, 24 of the 26 agreements analyzed include a provision requiring the development of specific compliance standards and procedures that operationalize the broad policy prohibiting violations of the laws that were allegedly broken. This provision bears resemblance to the Sarbanes-Oxley Act (the Public Company Accounting Reform and Investor Protection Act of 2002) regulatory requirement that some companies disclose their codes of ethics that apply to certain executives or explain why they have not adopted such codes. Attendant to these measures is a company’s commitment to encourage, at all levels of the organization, adherence to ethics and compliance policies and procedures. The frequent appearance of this provision in NPAs and DPAs highlights the importance the U.S. government places on companies taking an integrated approach to the creation and maintenance of an effective compliance program. We anticipate this provision will remain a key feature of compliance program appendices to NPAs and DPAs for the foreseeable future, and companies that have not yet implemented such policies and procedures would be well advised to consider doing so.

Effective System of Financial and Accounting Procedures. Approximately 75% of the agreements analyzed require the implementation of a system of financial and accounting procedures, including a system of internal controls. The provision calls for the design of such a system to provide reasonable assurances as to the execution and recording of transactions in accordance with the company’s compliance standards and policies. This requirement has appeared frequently in agreements resolving alleged violations of the FCPA internal controls and books and records provisions. Although the language of this compliance requirement mirrors the language of the recordkeeping and internal controls provisions of the FCPA, it serves as an additional reminder to compliance personnel of the important role that proper internal controls and recordkeeping play in the prevention of fraud. This theme is embodied in the Sarbanes-Oxley Act, under which CEOs and CFOs are required to certify the accuracy of a public company’s financial statements. Additionally, Dodd-Frank’s whistleblower provisions create strong financial incentives for employees to report wrongdoing to the SEC coupled with broad anti-retaliation protections. As a result, companies should place a premium on having a broad, truly effective compliance program and a corporate culture of compliance.

Annual Risk-Based Review and Updating of Standards and Procedures. Three-fourths of the agreements also require the company to conduct an annual risk assessment that will inform or update its compliance policies and procedures based on the organization’s individual circumstances. The provision specifies that this risk-based review should, in the FCPA context—where many of these compliance refinements first originated—consider the particular foreign bribery risks facing the company, including locations where it operates, the industry or sector in which it operates, and degree of governmental oversight. As evinced by the increased emphasis by U.S. officials on the use of data analytics in enforcement and compliance program development, the importance of data-driven risk assessments will likely continue to grow.

Proper Oversight and Independence. NPAs and DPAs also offer guidance on best practices for senior management oversight of the compliance function. Specifically, 21 of the 26 agreements analyzed require the company to assign one or more senior corporate executives to implement and oversee the compliance code, policies, and procedures. The designated persons must be able to report information to internal audit and the board of directors, as well as maintain an adequate level of autonomy from management. While such guidance is useful for companies designing a best practices compliance program, DOJ has stopped short of requiring a “one size fits all” structure of senior compliance oversight and independence.

Training and Guidance. All but one of the compliance appendices analyzed provide that the company implement training and guidance mechanisms to help ensure that its compliance code, policies, and procedures are effectively communicated to directors, officers, employees, and third parties. DOJ has emphasized that effective training and guidance should include periodic training for directors, officers, and employees within the company, along with annual certifications of compliance with such training requirements. As a best practice, training and guidance is a cornerstone of any effective compliance program. A recent compliance survey, however, indicated there is room for improvement: only 38 percent of the C-suite leadership reported attending training on their organization’s anti-corruption and anti-bribery policy. Compliance program provisions in NPAs and DPAs will almost certainly continue to feature training requirements prominently.

Effective System for Guidance, Confidential Reporting, and Investigation. Approximately two-thirds of the compliance program appendices analyzed require mechanisms for company personnel to seek internal guidance and for reporting and investigating complaints and allegations. This provision requires the company to maintain an effective system to provide guidance and advice regarding compliance with its code of conduct, policies, and procedures. Additionally, the company must maintain an effective system for internal and confidential reporting and ensure an effective and reliable process for responding to, investigating, and documenting allegations of violations of the relevant laws or the company’s codes, policies, or procedures.

Enforcement and Disciplinary Mechanisms. More than 90 percent of the corporate compliance appendices analyzed contain a requirement that the company institute disciplinary measures to address violations of the company’s compliance code, policies and procedures, and relevant laws. As demonstrated by the frequency with which this provision appears, U.S. officials view the presence of a disciplinary mechanism as an essential component of a corporate compliance program.

Third-Party Relationships: Due Diligence and Contractual Representations. Roughly three-fourths of the NPAs and DPAs analyzed include two related provisions addressing third-party relationships. The first requires the company to establish a risk-based due diligence program related to hiring and oversight of agents and partners, as well as to enter into reciprocal commitments between the company and its agents and partners to comply with the relevant laws. The second provision requires the company to include standard contractual provisions in agreements with agents and business partners to prevent violations of the relevant laws.

Periodic Monitoring and Testing. Twenty-three of the 26 corporate compliance appendices analyzed require the company to perform periodic monitoring and testing to measure the efficacy of the organization’s compliance code and relevant policies and procedures. As with other processes identified by our analysis, the U.S. Sentencing Commission guidelines identify periodic monitoring and testing as an attribute of an effective compliance and ethics program. This periodic review enables companies to update their codes based on recent developments and changing standards in the industry. A company seeking to create or improve upon its compliance program may wish to consider incorporating a periodic testing procedure to ensure that its program remains current and effective.

Mergers and Acquisitions. Two provisions related to mergers and acquisitions appear in almost half the NPAs and DPAs analyzed. The first provision requires the company to have a policy to conduct risk-based due diligence of newly acquired entities. The second provision requires the company to apply its code, policies, and procedures to any newly acquired entities as soon as practicable, including training management and other personnel and conducting an audit of the newly acquired company. Companies that engage in mergers and acquisitions with some level of frequency would be well advised to consider incorporating post-M&A due diligence policies and procedures into their compliance programs. For companies that are unlikely to engage in mergers and acquisitions, however, recent NPAs and DPAs hint that such policies and procedures may not be as critical as other compliance program elements. Failure to formalize such procedures would not, however, exempt corporations in the eyes of U.S. enforcement officials from taking appropriate steps to address potential successor liability in connection with business relationships they enter.

Although NPA and DPA Attachment C appendices on corporate compliance programs are set forth in the context of enforcement proceedings against the organizations subject to them and therefore are not intended to prescribe compliance norms, they do provide valuable insight into U.S. enforcement officials’ perspectives on best practices in corporate compliance programs. The increased inclusion of certain provisions—especially those related to M&A activity—may provide a glimpse into compliance program practices that regulators and prosecutors consider effective. As we noted in our 2011 Mid-Year Update, government resolutions addressing corporate misconduct continue to drive compliance best practices. While these provisions are typically implemented with an eye toward avoiding future violations, corporate compliance programs also affect how the government will view an organization under investigation for criminal wrongdoing.


The rate of new NPAs and DPAs for 2014 roughly equals 2013’s pace, emphasizing the staying power of such agreements as a tool to resolve federal allegations of corporate wrongdoing without the collateral consequences of criminal conviction. With 12 agreements so far in 2014—11 DOJ agreements and 1 SEC agreement—the year is shaping up to approach 2013’s total, evening out the trend line after spikes in earlier years. Although large settlements continue to represent the vast majority of monetary recoveries linked to NPAs and DPAs, prosecutors at DOJ headquarters and in U.S. Attorneys’ Offices across the country still use the agreements to resolve a variety of corporate criminal conduct.

These agreements enable companies and prosecutors alike to resolve allegations of criminal conduct, strengthen corporate compliance mechanisms to prevent such conduct in the future, and mitigate the risks that collateral consequences of a conviction can bring for companies, their shareholders, employees, and the economy. Continued interest in corporate accountability, prospective legislation in the United States, a new DPA regime in the United Kingdom, and ongoing judicial scrutiny of corporate settlements will likely keep NPAs and DPAs the resolution vehicles of choice.
