The US Department of Justice’s new Corporate Enforcement and Voluntary Self-Disclosure Policy: key points for Compliance Systems | Molins Criminal Defense

In recent years, Compliance Systems have taken on a central role in the prevention and detection of corporate crime. This trend is evident not only in Europe but also in jurisdictions such as the United States, where the authorities have progressively strengthened incentives for companies to detect and report potential unlawful conduct internally.

In this context, the US Department of Justice (hereinafter the DOJ) has recently published the Corporate Enforcement and Voluntary Self-Disclosure Policy (hereinafter the CEP), a document that sets out the criteria to be followed by federal prosecutors when a company internally detects a potential offence and decides to voluntarily report it to the authorities.

It is worth making a preliminary clarification, as this article will highlight certain similarities between the CEP and the regime set out in the Spanish Criminal Code; yet such parallels must be understood whilst acknowledging the differences between the two systems.

In this regard, the CEP provides that, if the requirements set out below are met, the DOJ may decline to bring criminal proceedings against the legal person, that is to say, it may choose directly not to prosecute the company. By contrast, under Spanish criminal law, even though the fulfilment of certain requirements may lead to the exemption or mitigation of the legal person’s criminal liability, this does not preclude the initiation of criminal proceedings. The assessment of the effectiveness of the Compliance System and the presence of exculpatory or mitigating circumstances is therefore carried out at a later stage, within the framework of the criminal proceedings themselves. This difference means that, in our system, the company may still be subject to the inherent impact of the opening of proceedings, including any associated reputational cost.

The CEP pursues a clear objective: to encourage organisations to take an active role in the detection and management of criminal risk. To this end, it establishes a tiered system of incentives based on three (3) fundamental elements: voluntary self-reporting, cooperation with the investigation and effective remediation of the breach.

The document is divided into three (3) sections that outline the possible responses of the DOJ to alleged corporate criminal conduct, ranging from a decision not to prosecute, in the most favourable cases, to other scenarios in which the prosecutor retains a greater degree of discretion.

  • Waiver of criminal prosecution: the maximum incentive

Part I of the CEP sets out the most favourable scenario for the company: the possibility that the DOJ may decide not to bring criminal proceedings where the following conditions are met:

  1. Voluntary self-reporting of non-compliance. For such a self-report to be considered valid, the following conditions must be met:
     • The report must be made in good faith to the relevant body within the DOJ.
     • The matter must not already be known to the authorities.
     • The company must not be legally obliged to report it.
     • The report must be made before there is an imminent threat of an investigation.
     • It must be made within a reasonably short period of time after the company becomes aware of the facts.

This requirement bears certain similarities to the provisions of Article 31 quater of the Spanish Criminal Code, which recognises as a mitigating circumstance the fact that a legal person has, prior to becoming aware that legal proceedings are being brought against it, admitted the offence to the authorities.

Furthermore, this requirement is related to the provisions of Law 2/2023, regulating the protection of persons reporting regulatory infringements and combating corruption (hereinafter, Law 2/2023), which establishes the obligation to immediately forward the information to the Public Prosecutor’s Office when the facts detected through the Internal Reporting System may, on the face of it, constitute a criminal offence.

  2. Full cooperation with the investigation. To this end, the DOJ expects the organisation to take the following steps, amongst others:
     • Provide accurate and complete information about the facts and the individuals involved.
     • Provide the results of internal investigations.
     • Preserve and hand over relevant documentation.
     • Cooperate proactively with the authorities.
     • Make employees or managers who have relevant information available to investigators.

This approach also follows the logic of Law 2/2023, which provides for an exception to the principle of informant confidentiality where it is necessary to disclose information to the Public Prosecutor’s Office or other competent authorities for the investigation of possible offences.

Similarly, we again find an analogy with Article 31 quater b) of the Criminal Code, which considers it a mitigating circumstance that the legal person has cooperated in the investigation of the offence by providing new and decisive evidence to clarify criminal liability.

  3. Appropriate remediation or correction of the breach. The company must demonstrate that it has taken effective corrective measures, including the following:
     • Conduct a root cause analysis.
     • Implement or strengthen an effective Compliance System[1].
     • Take disciplinary action against those responsible.
     • Establish appropriate mechanisms for the retention and control of corporate documentation.

Particular attention should be paid to the recommendations introduced by the CEP regarding the elements that should form part of an effective Compliance System, including:

  • The allocation of sufficient resources to the Compliance function.
  • The experience and qualifications of the staff responsible for this function.
  • The independence of the Compliance Officer and their direct access to senior management[2].
  • The conduct of risk assessments to enable the System to be adapted to the company’s activities.
  • The periodic review of the System to verify its effectiveness.

If these elements are compared with Article 31 bis 5 of the Criminal Code, the similarities are evident. Our legal system also requires that Compliance Systems identify activities where criminal risks may exist, establish protocols and procedures to mitigate them, allocate the necessary financial resources, set up channels for reporting breaches, incorporate a disciplinary system and undergo periodic reviews to ensure their effectiveness.

  4. Absence of aggravating circumstances. Finally, the decision not to pursue criminal proceedings will only be possible where there are no aggravating circumstances, taking into account the seriousness of the offence, its extent within the organisation, or any history of non-compliance on the part of the company.

  • The intermediate scenario: so-called ‘Near Miss Disclosures’

Part II of the CEP covers intermediate situations in which the company cooperates and rectifies the breach, but does not meet all the necessary requirements to obtain a waiver of criminal prosecution, for example, because the self-report does not strictly comply with the required criteria or where there are aggravating circumstances that justify a criminal response.

In such cases, the DOJ provides for a more favourable outcome through: (i) the signing of a Non-Prosecution Agreement, (ii) a term of less than three (3) years for the agreement, (iii) the non-imposition of independent compliance monitoring, and (iv) a reduction of between 50% and 75% of the financial penalty set out in the US Sentencing Guidelines.

This approach bears certain similarities to the logic of the Spanish legal system insofar as the cooperation of the legal person and the adoption of effective remedial measures may result in a more favourable legal outcome.

  • Other cases: at the discretion of the prosecutor

Part III of the CEP governs cases in which the company fails to meet the requirements set out in the preceding parts.

In such situations, the prosecutor retains full discretion to determine: (i) the type of criminal ruling, (ii) the duration of the measures imposed, (iii) the Compliance obligations to be imposed, and (iv) the amount of the financial penalty.

However, even in these cases, if the company cooperates fully and remedies the non-compliance, the CEP provides for the possibility of applying reductions to the penalties, although these are limited to a maximum of 50% of the range set out in the US Sentencing Guidelines.

Conclusions

The DOJ’s policy confirms a clear trend in global corporate criminal law: the criminal liability of organisations is increasingly centred on the effectiveness of compliance systems and on companies’ ability to identify and manage criminal risk internally.

However, any comparison between the CEP and the Spanish model must be made with due caution. Although there are significant points of convergence regarding self-reporting, cooperation, remediation and the assessment of the effectiveness of Compliance Systems, the two regimes are based on different procedural logics. Whilst the CEP allows, in certain cases, the DOJ to directly decline criminal prosecution of the legal person, the Spanish Criminal Code essentially provides for a regime of exemption or mitigation of liability, the assessment of which takes place within criminal proceedings that have already commenced.

Furthermore, the emphasis on early detection of non-compliance ties in with the objective of Law 2/2023, which seeks to strengthen internal reporting mechanisms and early collaboration by organisations as key tools for the prevention of crimes in the business sphere.

In short, the CEP reinforces the idea that the corporate response to non-compliance constitutes a decisive element in the criminal-legal response.

[1] Here, too, we find a parallel with Article 31 bis (d) of the Criminal Code, which provides for a reduction in the sentence where the company has taken effective measures to prevent and detect offences prior to the trial.

[2] Similarly, the UNE 19601 standard, Criminal Compliance Management Systems, stipulates that the Compliance Body must, amongst other characteristics, be independent, autonomous and have direct access to the governing body and senior management.