Priority areas for global enforcers
What's on the agenda for regulators and prosecutors?
Ongoing cooperation among global regulators
US regulators and enforcement authorities continue to cooperate and coordinate both with each other and with their counterparts abroad in investigating potential misconduct. Companies involved in multijurisdictional investigations should be aware that US regulators may be able to access information and data from overseas, and should also be sensitive to the challenges and potential pitfalls that may arise when responding to regulators in multiple jurisdictions. These challenges may arise, for example, with respect to differing treatment of interview notes and privilege, the degree of coordination that regulators may expect, and approaches to data protection and production. They may also be exacerbated by the trend towards increased corporate enforcement activity across the globe.
Continued focus on individual liability
US and global regulators remain focused on pursuing the individuals responsible for corporate misconduct. Recent trials against individuals have, however, exposed the government’s liability theories to heightened scrutiny and, sometimes, rejection. As an example, the DOJ lost one of its first two spoofing prosecutions, and has faced mixed results in recent bribery-related trials. In the UK, the courts this past year rejected prosecutors’ attempts to hold the leaders of UK financial institutions criminally liable for alleged mismanagement during the financial crisis. Such outcomes have been less common with corporate defendants, which tend to settle enforcement actions well before trial.
With the DOJ’s charging theories increasingly tested, companies and their management teams should be aware that prosecutors have begun to explore novel legal avenues by which to pursue individuals – charging them under different, more accommodating laws that, for example, toll the statute of limitations or lack a complicated history of judicial interpretation.
Expansion of, and more experience with, the FCPA Corporate Enforcement Policy
The DOJ continues to revise and expand its 2017 Corporate Enforcement Policy (CEP), extending its principles to successor companies and beyond the Foreign Corrupt Practices Act (FCPA) context. In addition, in late 2019 the DOJ published revisions to the CEP, clarifying that companies should self-disclose potential violations as early as possible as opposed to waiting until after an investigation has been substantially completed. Put differently, the CEP continues to demonstrate how focused the DOJ is on getting companies in the door.
Companies eager to reap the CEP’s potential benefits should still, however, be mindful that authorities in different jurisdictions have divergent expectations with respect to corporate cooperation. The potential for a penalty reduction or declination from the DOJ may become less attractive if achieving it would result in hefty consequences in other jurisdictions (along with potential civil litigation exposure).
Discovery and privacy challenges: navigating conflicting regulatory requirements
Multinational companies have long faced challenges handling and producing data across borders. The 2018 implementation of the EU General Data Protection Regulation (GDPR) and the US Clarifying Lawful Overseas Use of Data Act (CLOUD Act) has done little, in practice, to simplify the data protection landscape, especially for companies caught at their intersection. Indeed, such businesses (particularly internet service providers) are subject to potential conflicts between US authorities and non-US privacy regulators, where the former might seek evidence stored abroad, the disclosure of which may run afoul of the GDPR (or of any of the myriad other data protection regimes, blocking statutes, and other data-related restrictions around the world).
Companies caught in the middle should:
1. be thoughtful about where and how they store their data across business units and corporate entities;
2. document efforts to comply with the GDPR, the CLOUD Act and other data-related regimes to defend against claims of breach; and
3. be aware that, in the wake of the first UK-US Bilateral Data Access Agreement, which removes conflicting privacy restrictions facing these businesses, it has become easier for authorities in each country to obtain data directly from firms in the other.
Cyber enforcement focuses on disclosure and unfair trade practices
The US lacks an all-purpose, comprehensive data protection regime like the EU’s GDPR or those found in other jurisdictions. Nevertheless, US federal and state regulators have used a patchwork of special-purpose regimes – derived from statutory, regulatory and common law sources at both the federal and state levels – to bring enforcement actions, including in particular in relation to cyber incidents. Here, recent high-profile cases have stemmed from allegations of unfair/deceptive trade practices. For further information, please see our section on technology and business.
Practical guidance for boards
Investigations into disparate industries (from antitrust regulators scrutinizing big tech companies to the criminal probe of drug companies in the wake of the opioid crisis) highlight a common lesson: while it is important to remain mindful of “traditional” threats like corruption, cartels and accounting fraud, companies should increasingly stay vigilant and try to anticipate potential risks that may be lurking around the corner, including from less familiar sources.
Board and senior management oversight, combined with robust risk-mapping and versatile risk-management plans, should continue to serve as the first lines of defense in quickly evolving areas of enforcement. In addition, companies should be aware that their governance and management of risk are often the critical first points of regulatory scrutiny, particularly outside of the US.
Companies should also take stock of their compliance programs and ensure that they are nimble enough to cover emerging challenges, including ones related to data, the environment and human rights.