As has been widely reported by compliance, white collar and regulatory defense practitioners, on June 1, the U.S. Department of Justice's Criminal Division once again amended its guidelines on prosecutorial evaluation of effective corporate compliance programs.
Among other things, DOJ policy now expressly requires that companies account for and incorporate lessons learned — which refers to the detection and remediation of prior instances of misconduct — into their compliance materials.[1]
The new DOJ guidance looks at whether "the company ha[s] a process for tracking and incorporating into its periodic risk assessment lessons learned ... from the company's own prior issues."[2] The guidance also makes express that prosecutors should gauge a company's "continuous improvement" of its compliance program by reference to "revisions to corporate compliance programs in light of lessons learned."[3]
The Lessons Learned Dilemma
The problem, of course, is that DOJ inquiry into exactly how a company has learned its lesson — or lessons — potentially provides the government with an officially sanctioned road map into, among other things, the degree to which the company may be an habitual or at least recidivist violator of applicable law and regulations, such that maybe it should be charged this time.
This is particularly true in heavily regulated industries like health care, financial services and government contracting. Many participants in closely regulated industries likely have a range of legal and administrative compliance issues that have historically been confidentially incorporated into their future risk assessments without concern that prosecutors will ask or expect to be advised about how prior violations have informed a dynamic compliance program. Simply put, a risk is definitionally more abstract than a concrete lesson.
But DOJ policy now emphasizes corporate accounting of prior lessons, rather than simply risks, in demonstrating compliance. In addition, a targeted company may have very good reasons, including parallel civil and administrative litigation and whistleblower concerns, to conduct confidential investigations and to keep the outcome privileged.
The DOJ's now-official policy that companies must overtly account for their prior misconduct in making their compliance programs more effective presents an obvious Catch-22: Incorporation of lessons learned to show that a company has an effective compliance program risks exposing the fact that the company did not otherwise have an effective compliance program up to that point.
While accounting for lessons learned plainly helps a company address the root cause or causes of compliance risks, it is inherently destabilizing for these lessons to be expressly subject to government scrutiny.
Evolution of DOJ Guidance on Effective Corporate Compliance Programs
The new DOJ guidance updates earlier policy pronouncements from February 2017 and April 2019. The February 2017 guidance focused on 11 effective compliance program hallmarks, including analysis and remediation of underlying misconduct, the need for risk assessments to be based on actual business risk, confidential reporting and investigation, and continuous improvement and review.[4]
The April 2019 amendment principally organized the February 2017 topics into three overarching categories:
1. Is the compliance program well-designed?
2. Is the program being implemented effectively? and
3. Does the program work in practice?[5]
The current guidance makes corporate accounting of lessons learned express by mandating that, to demonstrate proper design, companies must have a process of tracking and incorporating into their periodic risk assessments lessons learned from their own prior misconduct.
In other words, while prior DOJ pronouncements counseled companies to calibrate their compliance programs by reference to their assessment of risk, current DOJ policy provides that how a company learned its lesson from prior legal or regulatory missteps is now fair game for prosecutorial inquiry.
DOJ's Implementation of Lessons Learned Policy Remains Undefined — and Dangerous
No one thinks companies will immediately start openly narrating in DOJ conference rooms how they previously violated the law and how they learned from such misconduct. But how the government chooses to investigate a company's good-faith implementation of lessons learned in its compliance program presents multiple dangers.
For the government to vet incorporation of lessons learned, it at least has to ask about an investigative subject's prior compliance missteps, which for companies in heavily regulated industries likely includes legal, administrative or other regulatory violations and, potentially, a comparatively high volume of such offenses. This means companies will have to decide how detailed they want to be in responding to the government's inquiry, which may, depending on the investigation and the facts involved, range from the general to the quite specific.
This includes when the lessons learned may suggest habituation and recidivism; that is, that lessons really may not have been learned, and that the prosecutors may want to expand their investigation or, worse, pursue charges. It also includes when the lessons learned fall outside the particular purview of a DOJ investigation yet are nonetheless relevant, at least in the government's eyes, to whether the company can effectively govern itself.
And even if outright legal or administrative offenses are not involved, for an issue to implicate a lesson to be learned that goes to a corporate compliance program's overall effectiveness, there must at least have been a control or oversight issue involved, potentially implicating other compliance program effectiveness issues.
Put simply, in articulating how lessons learned have informed effective compliance programs, companies face the dilemma of exposing earlier violations or at least control weaknesses to government scrutiny. This could actually aggravate a corporate resolution, particularly when other parts of the DOJ's effective compliance program policy look to whether the corporate subject is a recidivist or habitual violator of the law.
And when government evaluation of the modeling and effectiveness of a corporate compliance program is most typically implicated during the remediation and resolution phase of an enforcement investigation, close examination of lessons learned risks undercutting months or even years of corporate cooperation following what for many companies may have been a more limited or targeted disclosure.
Why Companies Should Not Have to Disclose, Even Impliedly, Lessons Learned
Most companies — especially those with active competitors and stakeholders — have entirely legitimate reasons to conduct privileged internal investigations, which could and often do precipitate lessons learned. Conducting these investigations serves several purposes, including the prevention of parallel or later misconduct.[6] And for companies that undertake these investigations under privilege, it is critical that they maintain confidentiality.
Although it is now the DOJ's express policy that cooperation credit is not predicated on waiver,[7] companies must also be mindful of the collateral consequences that could result from voluntary disclosure of privileged information, even if the company is able to resolve its liability with the DOJ. This includes inquiries from other government agencies or regulators and parallel or follow-on civil litigation.
Regulators in parallel proceedings that are themselves charged with ensuring effective compliance programs could inquire into lessons learned that have been disclosed to the DOJ by registrants and other regulated parties. They would do this to aggravate disgorgement and civil penalties.
They could also point to lessons learned as evidence of prior misconduct warranting specific administrative remedies, including the entry of restraining orders and, potentially, exclusion and debarment. This is especially dangerous when administrative agencies have the power to enforce mere compliance violations, which is a lower burden than outright fraud and abuse.
In addition, news of a DOJ investigation or settlement often puts companies in the crosshairs of parallel or follow-on civil litigation. A company that has disclosed lessons learned to the DOJ risks the disclosure becoming civilly discoverable, especially since most federal appellate courts have rejected the selective waiver doctrine.[8]
Even in the absence of a waiver to the DOJ, civil plaintiffs could cite DOJ policy on express incorporation of lessons learned in seeking discovery of circumstances and events that could aggravate civil liability and damages. Indeed, the DOJ's policy on express accounting and incorporation of lessons learned dovetails with a multitude of civil practice guides counseling in favor of the use of "lessons learned" as a term of art in written and oral discovery.[9]
Limited Prosecutorial Access to Lessons Learned — Good for Corporate Governance
Public policy and effective corporate governance are better served by allowing companies to incorporate lessons learned into their compliance programs without risk of express or even constructive disclosure to the DOJ.
Indeed, preexisting DOJ policy ensured that companies were already considering lessons learned through an emphasis on root cause analysis, risk assessments, proper scoping, confidential reporting and escalation to and oversight by senior management and the board.
These effective compliance mechanisms internalize lessons learned without, in the words of the new DOJ guidance, requiring that companies overtly track them for potential disclosure to the government in demonstrating that a compliance program has worked and will continue to work in practice.
The government should not get the prosecution advantage, and litigation advantage if a matter is post-indictment, of effectively compelling a corporate target/defendant to incriminate itself, including civilly and administratively, with potentially unrelated misconduct to secure a favorable corporate resolution.
For something indeed to be a lesson learned, there is a high likelihood it involves a legal, administrative or regulatory violation. In promulgating its new corporate compliance program evaluation policy, the DOJ has told corporate America that it should be prepared to document how prior legal offenses, or at least compliance missteps, have informed compliance improvements.
The DOJ has thus effectively reserved optionality — by exercising its right under official DOJ policy to ask substantive questions about the particulars of lessons learned — to leverage the guise of a compliance program evaluation to secure corporate disclosure of specific instances of misconduct.
This is destabilizing because, aside from the fact that DOJ typically declines to treat such disclosures as protected settlement and plea discussions under Federal Rules of Evidence 408 and 410, it risks compromising the confidentiality of corporate internal investigations that should remain privileged, specifically including under current DOJ policy on compelled corporate privilege waivers.[10]
It also puts companies in the difficult position of considering a voluntary waiver of their corporate privilege, which DOJ policy allows,[11] simply to prove that they have adequately and dynamically assessed their risk.
But the assessment of compliance risks, including the root cause of such risks based on lessons learned, is something that companies should be able to implement without risk of expanding their criminal, civil and administrative exposure through a DOJ-mandated system that tracks prior compliance violations. The new DOJ guidance tips the scales in a potentially untenable direction.
[1] While the prior revision of the DOJ's effective corporate compliance program guidance counseled that companies should assess whether their "training addressed lessons learned from prior compliance incidents," see U.S. Department of Justice, Criminal Division, "Evaluation of Corporate Compliance Programs" (updated April 30, 2019), the current guidance makes systematic accounting of lessons learned an overt compliance requirement.
[2] U.S. Department of Justice, Criminal Division, "Evaluation of Corporate Compliance Programs" (updated June 2020), at Part I.A, https://www.justice.gov/criminal-fraud/page/file/937501/download (last accessed July 12, 2020).
[3] Id., Part III.A (quoting Justice Manual § 9-28.800).
[4] U.S. Department of Justice, Criminal Division Fraud Section, "Evaluation of Corporate Compliance Programs" (Feb. 8, 2017).
[5] U.S. Department of Justice, Criminal Division, "Evaluation of Corporate Compliance Programs" (updated Apr. 30, 2019).
[6] U.S. Department of Justice, Brent Snyder (Deputy Assistant Attorney General, Antitrust Division), "Compliance Is a Culture, Not Just a Policy," Remarks as Prepared for the International Chamber of Commerce, United States, Council of International Business, Joint Antitrust Compliance Workshop, https://www.justice.gov/atr/file/517796/download.
[7] Justice Manual § 9-28.720.
[8] See, e.g., In re Syncor ERISA Litig., 229 F.R.D. 636, 646 (C.D. Cal. 2005) (collecting cases).
[9] See, e.g., Todd Heffner, Law.com, "Filters, Curse Words, and 'Lessons Learned': Tips on Discovery Searches" (Feb. 25, 2020) https://www.law.com/dailyreportonline/2020/02/25/filters-curse-words-and-lessons-learned-tips-on-discovery-searches/?slreturn=20200612113349 (noting that running keyword searches for "lessons learned" should be "reflexive").
[10] See Justice Manual § 9-28.710 (providing that prosecutors should not ask for waivers of the attorney-client privilege or the attorney work product doctrine in relation to corporate criminal investigations and are directed not to do so) https://www.justice.gov/jm/jm-9-28000-principles-federal-prosecution-business-organizations#9.28.710.