Corporations (and their CISOs) that discover wrongdoing or corruption within their own business are well-advised to self-report such activities and cooperate with prosecutors. The stakes are high for those who don’t.

The US Department of Justice (DOJ) has taken a carrot-and-stick approach to its corporate enforcement policy in regard to the Foreign Corrupt Practices Act (FCPA) in an effort to entice companies to self-report when in violation of the FCPA. Assistant Attorney General Kenneth A. Polite, Jr., shared the 2022 success of the Criminal Division of the DOJ in its pursuit of corrupt and criminal activities within corporations that “threaten the public safety and national security, [and] wrongfully divert money into the pockets of criminal actors” at a mid-January event at Georgetown University’s Law Center.

Polite described how in 2022 the division’s fraud section secured convictions of more than 250 individuals, of which 50 were convicted via trial. In addition, seven corporations entered “criminal resolutions” with the DOJ and there were two declinations (decisions by prosecutors not to prosecute). Meanwhile, the Money Laundering and Asset Recovery Section convicted more than 24 individuals and had two corporations enter guilty pleas, including a “financial institution” which agreed to forfeit $2 billion (Danske Bank A/S pleaded guilty in December 2022).

CISOs and CSOs are well-positioned to spot anomalies

This is of import to CISOs and CSOs, as their teams are often in a position to observe signs of anomalous behavior within their own infrastructure, and the changes within the Enforcement Policy clearly reward those who self-report and cooperate. Indeed, Polite emphasized that the DOJ’s job is not just the prosecution of crime, but also to deter and prevent crime. The DOJ needs “corporations to be our allies in the fight against crime,” Polite said.

Two examples were shared of companies whose cooperation resulted in a declination of prosecution or a deferred prosecution agreement. The first example involved French aerospace company Safran, which uncovered FCPA violations during post-acquisition due diligence. Safran uncovered years of bribes paid to a Chinese consultant from 1999 to 2015. Safran made a full disclosure, put in place remediation steps, and “agreed to disgorge the ill-gotten gains of its US subsidiary.”

The second example involved Swiss tech company ABB. Polite noted that ABB, which had prior FCPA resolutions from 2004 and 2010, had discovered corrupt business practices in South Africa. ABB scheduled a meeting with the DOJ to self-disclose. Though the media broke a story that highlighted the fraud occurring within ABB, Polite emphasized that the company helped itself when it could “demonstrate intent and efforts to self-disclose prior to and without any knowledge of the media report” and the DOJ entered into a deferred prosecution agreement, with two subsidiaries pleading guilty and paying a fine of more than $315 million.

Incentives to cooperate with the DOJ

The CEP program adjustments announced by Polite noted, “prosecutors may nonetheless determine that a declination is the appropriate outcome if the company can demonstrate that it has met each of the following three factors:

The voluntary self-disclosure was made immediately upon the company becoming aware of the allegation of misconduct;

At the time of the misconduct and the disclosure, the company had an effective compliance program and system of internal accounting controls that enabled the identification of the misconduct and led to the company’s voluntary self-disclosure; and

The company provided extraordinary cooperation with the Department’s investigation and undertook extraordinary remediation.”

When companies don’t cooperate with the DOJ

The emphasis on the outcome corporations and individuals may expect when they decline to self-disclose or cooperate fully with a DOJ investigation was clear. Polite shared the case of the Balfour Beatty Communities military housing fraud plea, noting that there was no voluntary self-disclosure, cooperation was “lackluster,” and their efforts were at the bare minimum, so they did not earn any reduction in fines.

He then shared another instance where the Toronto-based Bank of Nova Scotia received little reduction as the “company’s compliance function contributed to the misconduct.” The bank was fined more than $127 million in 2020. His third and final example was that of Swiss mining firm Glencore, which in fact did receive a slight reduction, as they failed to fully cooperate, failed to take timely actions with respect to the individuals involved, and were fully aware of the criminal activity, “which was pervasive.” Glencore pleaded guilty and was fined more than $1.1 billion in May 2022.

The bottom line: self-reporting misconduct under FCPA is key

The bottom line, directly from Polite: “When a company has uncovered criminal misconduct in its operations, the clearest path to avoiding a guilty plea or indictment is voluntary self-disclosure. It is also the clearest path to the greatest incentives that we offer, such as declination with disgorgement of profits.”

He continued that the DOJ is forthright about the potential incentives to self-report and cooperate to hammer home the point that corporations that fall short of the department’s expectations do so at their own risk. “Make no mistake—failing to self-report, failing to fully cooperate, failing to remediate, can lead to dire consequences.”