Back to All Blog Posts

The Inside Track: In DOJ corporate enforcement update, more carrot than stick for honesty, but DPAs could be harder to nab as liability shifts to individuals, senior and otherwise

Enforcement mural

The Skinny:

  • From accounting for a future compliance resolution to accountability and individual prosecutions. From delay, distract and backpedal to coming forward quickly, voluntarily and honestly disclosing the full scope of compliance failings.
  • Those are some of the key takeaways from several just-announced and updated initiatives to embolden corporate compliance oversight, shorten investigations and sharpen enforcement for culpable individuals – regardless of their stratification – along with marking it harder to ward off prosecutions for serial, flagrant offenders.
  • In all, the speeches and interlinked memorandum – highlighting a new “carrots and sticks” approach to resolutions – chart the course of both broad expectations for financial crime compliance programs and further detail the parameters and frameworks that will be employed when enforcement failings rise to the level of potentially prosecutable offenses.

The ACFCS Inside Track Series Provides Insight, Guidance and Practical Takeaways from ACFCS Thought Leaders and Association Champions and Partners.

From accounting for a future compliance resolution to accountability and individual prosecutions. From delay, distract and backpedal to coming forward quickly, voluntarily and honestly disclosing the full scope of compliance failings.

Those are some of the key takeaways from several just-announced and updated initiatives to embolden corporate compliance oversight, shorten investigations and sharpen enforcement for culpable individuals – regardless of their stratification – along with marking it harder to ward off prosecutions for serial, flagrant offenders.

The fresh details come courtesy of statements, new and incoming guidance released on Thursday and Friday by top officials at the U.S. Department of Justice (DOJ): Deputy Attorney General Lisa Monaco and Assistant Attorney General Kenneth Polite, speaking at industry forums in New York and Texas.

To read Monaco’s full speech, click here.

To read Polite’s speech, click here.

To read the memorandum, sent to a host of directors, various levels of attorney generals, federal prosecutors, the FBI and others, click here.

In all, the speeches and interlinked memorandum chart the course of both broad expectations for financial crime compliance programs – at banks and corporates writ large – and further detail the parameters and frameworks that will be employed when enforcement failings rise to the level of potentially prosecutable offenses.

“Taken together, the policies we’re announcing today make clear that we won’t accept business as usual,” Monaco said.

“With a combination of carrots and sticks—with a mix of incentives and deterrence—we’re giving general counsels and chief compliance officers the tools they need to make a business case for responsible corporate behavior.”

These revisions provide guidance addressing:

  • All for one: Uncovering, prosecuting, prioritizing individual liability.
  • Inaction, infractions: Seeing the full picture, good and bad, of the misconduct history.
  • Honesty, transparency: The benefits of self-disclosing misconduct and doing it quickly and openly.
  • No holding back: The finer points on cooperation, including overcoming foreign privacy, information sharing barriers.
  • Culture wars: More detailed parameters on what a “culture of compliance” looks like, including the good in finding the bad.
  • Certs till it hurts: The duality of CCO and CEO certifications on corporate remediations: not meant to used a cudgel against compliance leaders, but ensure seat with C-suite.
  • Watching the monitor: How the DOJ chooses monitors will be a clear, set process, along with oversight and operational and fiscal goals and boundaries.
  • Get the message: DOJ will be looking more closely at how banks and corporates monitor for employees using third-party messaging apps that allow for messages to disappear, roadblocks that could hamstring and investigation.

While there will likely be considerable adjustments by institutions to abide by the updated guidance, the moves could lower the temperature of typically fraught, tense and combative interactions at the negotiating table.

“Absent aggravating factors, the Department will not seek a guilty plea when a company has voluntarily self-disclosed, cooperated, and remediated misconduct,” Monaco said, adding that DOJ will also not require an independent compliance monitor for such a corporation if, at the time of resolution, it also “has implemented and tested an effective compliance program.”

Here are some key snapshots, takeaways and analyses of the DOJ guidance and statements by ACFCS VP of Content, Brian Monroe:

Compliance man standing in front of muscles graphic

How prosecutors should continue to prioritize individual accountability:

This is DOJ’s number one priority, apart from a splashy multi-million, or even billion-dollar, enforcement penalty.

Although in egregious cases, corporates could expect both: giving up sacrificial lamb leaders and doling out eye-watering fines.

“Whether wrongdoers are on the trading floor or in the C-suite, we will hold those who break the law accountable, regardless of their position, status, or seniority,” Monaco said.

This new strategy is already bearing fruit in several recent high-profile cases.

In the last year, the Department of Justice has secured notable trial victories, including convictions of the head of Theranos; J.P. Morgan traders for commodities manipulation; a managing director at Goldman Sachs for bribery; and the first-ever conviction of a pharmaceutical CEO for unlawful distribution of controlled substances.

The takeaway for banks and corporates: Deferred prosecution agreements or non-prosecution agreements (DPAs and NPAs), the flavor of the last 15 years or so, could be harder to come by, being replaced by individuals or the bank pleading guilty to certain related financial crimes.  

“Going forward, undue or intentional delay in producing information or documents – it particularly those that show individual culpability – will result in the reduction or denial of cooperation credit,” Monaco said.

“Gamesmanship with disclosures and productions will not be tolerated,” she said. “In individual prosecutions, speed is of the essence.”

Compliance Checklist graphic

Compliance, C-suite certifications that the compliance program is refreshed, retuned, remediated:

In comments in March when DOJ stated corporate resolutions may require a CEO or Chief Compliance Officer (CCO) to sign a certification at the end of the term of the agreement, it was not meant to put a target on the back of the officer meant to be a federal agency’s ally.

These certifications are “designed to give compliance officers an additional tool that enables them to raise and address compliance issues within a company or directly with the department early and clearly,” Polite said.  

“This certification is meant to guarantee a seat at the table that all compliance officers should have in an organization with a functioning compliance program.”

“For too long, they have complained that compliance doesn’t have the same voice in corporate decision-making,” Polite said. A corporate leader who ignores the emphasis we are placing on compliance does so at his or her own risk.”  

Fraud Prevention in Digital Space

How a corporation’s history of misconduct should be considered in determining the appropriate resolution of a corporate case:

In short, “not all instances of prior misconduct are created equal,” Monaco said.  

Failings that appear “institutional” or blessed by top leaders and are more recent will be weighed more heavily than missteps that took place five or 10 years ago and involved, say, salespeople or mid-level managers in isolated pockets of compliance stumbles.

As well, DPAs overall may be harder to snare.

DOJ will disfavor “multiple, successive non-prosecution or deferred prosecution agreements with the same company,” Monaco said, adding that companies cannot assume that they are entitled to an NPA or a DPA, particularly “when they are frequent flyers.”

Prosecutors are now armed with a different, more adversarial mindset for companies failing to clean up their act after successive DOJ clashes.

“We will not shy away from bringing charges or requiring guilty pleas where facts and circumstances require,” she said. “If any corporation still thinks criminal resolutions can be priced in as the cost of doing business, we have a message—times have changed.”

Enforcement Path

The benefits companies can expect from voluntary self-disclosure of misconduct:

For the first time ever, every DOJ component involved in prosecuting corporate crime will have a program that incentivizes voluntary self-disclosure.

“Simply put, the math is easy: voluntary self-disclosure can save a company hundreds of millions of dollars in fines, penalties, and costs,” Monaco said. “It can avoid reputational harms that arise from pleading guilty. And it can reduce the risk of collateral consequences like suspension and debarment in relevant industries.”

By contrast, recent cases that did not involve self-disclosure have resulted in guilty pleas and billions of dollars in criminal penalties, this year alone, she said.

“I expect that resolutions over the next few months will reaffirm how much better companies fare when they come forward and self-disclose.”

Man finding regulatory guidelines in a cave illustration

How the Department evaluates cooperation provided by a corporation:

In essence, to get “cooperation credit,” DOJ is requiring firms to “come forward with important evidence more quickly,” Monaco said. “If a cooperating company discovers hot documents or evidence, its first reaction should be to notify the prosecutors.”

Overall, companies seeking credit for cooperation must “timely preserve, collect, and disclose relevant documents located both within the United States and overseas,” and must also overcome potential hurdles in the form of data privacy laws, blocking statutes, or other restrictions imposed by foreign law may complicate the method of production of documents located overseas.”

Corporations, though, can’t use foreign laws as a way to stymie investigators and weaken a case.

“Conversely, where a corporation actively seeks to capitalize on data privacy laws and similar statutes to shield misconduct inappropriately from detection and investigation by U.S. law enforcement, an adverse inference as to the corporation’s cooperation may be applicable if such a corporation subsequently fails to produce foreign evidence,” according to the updated guidance.

Ocean waves painting

How prosecutors will evaluate certain components of a corporation’s compliance program:

In two words: compliance culture.

This is an oft-mentioned and criticized regulatory focal point and institution pain point – for corporates and banks alike – as it is not just one thing, but an amalgam of more esoteric concepts and concrete compliance and technology tactics.

The eternal challenge: these must come together to empower internal fincrime fighters, give them ample resources and authority and find the razor thin balance between following rules and crafting rich, relevant and timely reports to support law enforcement.

As DOJ notes in this guidance, however, the future goal is to go far beyond just arming humans with the training and technology to identify fraudsters, launderers and other forms of illicit acts and their financial trails.

“But resourcing a compliance department is not enough; it must also be backed by, and integrated into, a corporate culture that rejects wrongdoing for the sake of profit,” Monaco said, adding that celebrating the good, and chastising the bad, should also be baked into corporate bonus and incentive structures.  

“To promote that culture, an increasing number of companies are choosing to reflect corporate values in their compensation systems,” she said.

How would this look in practice:  

  • Compliance teeth and claws: On the deterrence side, companies could employ clawback provisions, the escrowing of compensation, and other punitive actions to hold financially accountable individuals who contribute to criminal misconduct – simply beyond firing them with a sparkling and bejeweled “golden parachute.”
  • Put it in writing: Compensation systems should clearly and effectively impose financial penalties for misconduct, again, either taking money away or laying out clearly defined fines. Ensure these tenets and loudly and proudly displayed physically and virtually, even at employee onboarding, where they have to click that they do understand what this means.
  • Positive reinforcement, affirmations: On the incentive side, conversely, companies could build compensation systems that use positive, affirmative metrics and benchmarks to reward compliance-promoting behavior. Think of a program that rewards the most helpful, responsive or, better yet, proactive business lines.
  • Rewards, awards and accolades: Maybe even start an awards program for the most detailed SARs or those representing the most value, similarly, giving a percentage back to fraud fighters who saved the bank, and customers, money, pulled out of the hands of scammers. Consider this a quarterly exercise where accolades are highlighted and doled out by the CEO.

In upcoming corporate compliance negotiations, DOJ “will evaluate what companies say and what they do, including whether, after learning of misconduct, a company actually claws back compensation or otherwise imposes financial penalties,” Monaco said.  

The use of monitors, including their selection and the appropriate scope of a monitor’s work:

Going forward, all monitor selections will be made pursuant to a documented selection process that operates transparently and consistently.

DOJ officials will require regular updates to verify that the monitor stays on task and on budget.

“We at the Department of Justice are not regulators, nor do we aspire to be. But where we impose a monitor, we recognize our obligations to stay involved and monitor the monitor,” Monaco said.  

Corporate practices on employees using personal devices and third-party messaging apps, including those where messages can disappear:

Companies and individuals, particularly those engaging in fraudulent or criminal scams, are not stupid.

There is an old adage for corporate shenanigans to “never put anything in writing,” particularly if that can be tied back to a certain individual.

Not surprisingly, these groups have found ways in company systems and on personal devices to use applications to message each other that are either encrypted or that actively delete themselves and disappear.

The message for corporates: ensure this doesn’t happen as those messages, emails and communications could be crucial evidence to go after firms and their lackeys.

Shifting the burden of corporate financial penalties away from shareholders – who in many cases do not have a role in misconduct – onto those more directly responsible:

This dynamic bears somewhat of a resemblance to the “compliance culture” prong update, but with a twist.

The goal here is, rather than forcing a bank to pay a massive penalty that ostensibly comes from corporate profits – unintentionally hurting innocent investors – the tactic would take a precision-guided approach and pay the penalty from the compensation of the actual offenders.

How this would work, such as whether the funds are clawed back from base compensation, bonuses or from a certain division, is anyone’s guess.

But DOJ will be releasing more guidance soon, which, depending on the verbiage, could give significant leverage to compliance officers trying to nudge begrudging business lines into line.

Moonlit path

Current deluge of guidance builds on prior statements, updates that prosecutors will look at full background of compliance failings

The current DOJ guidance dump takes further statements Monaco made in October.

Some overarching themes included:

  • Pay now or pay more later: Companies need to actively review their compliance programs to ensure they adequately monitor for and remediate misconduct — or else it’s going to cost them down the line.
  • Going on record about the full record: For clients facing investigations, as of today, the department will review their whole criminal, civil and regulatory record — not just a sliver of that record.
  • Rating your cooperating: For clients cooperating with the government, they need to identify all individuals involved in the misconduct — not just those substantially involved — and produce all non-privileged information about those individuals’ involvement.
  • Watching the watchers, monitoring the monitors: For clients negotiating resolutions, there is no default presumption against corporate monitors. That decision about a monitor will be made by the facts and circumstances of each case.
  • More changes in store, the floor not the ceiling: Looking to the future, this is a start — and not the end — of this administration’s actions to better combat corporate crime.

What is behind the stronger focus on compliance? Soaring scams, national security fears

So what are the trends driving the DOJ’s new stance on corporate compliance and what has changed in recent years?

Several, including frauds and cyber breaches increasingly coming with tethers to national security issues, such as the “new role of sanctions and export control cases to cyber vulnerabilities that open companies up to foreign attacks.”

Second, data analytics is playing a larger and larger role in corporate criminal investigations, whether that be in “healthcare fraud or insider trading or market manipulation,” Monaco said in October.

In tandem, criminals are “taking advantage of emerging technological and financial industries to develop new schemes that exploit the investing public.”

The more direct meaning: DOJ has growing concerns about soaring cyber-enabled and crypto-fueled frauds.

Whether the words used are crypto, Bitcoin, Ether, ICO or NFT, fraud schemes with virtual value themes have exploded.

The use of certain crypto coins – and mixers and tumblers to anonymize those involved – has also coincided with helping criminals, in some cases, monetize romance schemes, money mules, ransomware and other cyberattacks.

As well, grand scams related to corruption, securities frauds and finding new ways to manipulate regulated markets show no signs of stopping – meaning DOJ must find new ways to fighting, including by better arming compliance champions to be the tip of the spear without fear.

Compliance officers “cannot shy away from this role,” Polite said. “You cannot run away from the responsibility. My call is that you embrace it, knowing full well that stronger, more empowered compliance voices are exactly what we need.”

See What Certified Financial Crime Specialists Are Saying

"The CFCS tests the skills necessary to fight financial crime. It's comprehensive. Passing it should be considered a mark of high achievement, distinguishing qualified experts in this growing specialty area."


(JD, Washington)

"It's a vigorous exam. Anyone passing it should have a great sense of achievement."


(CFCS, Official Superior

de Cumplimiento Cidel

Bank & Trust Inc. Nueva York)

"The exam tests one's ability to apply concepts in practical scenarios. Passing it can be a great asset for professionals in the converging disciplines of financial crime."


(CFCS, Royal Band of

Canada, Montreal)

"The Exam is far-reaching. I love that the questions are scenario based. I recommend it to anyone in the financial crime detection and prevention profession."


(CFCS, CAMS Lead Compliance

Trainer, FINRA, Member Regulation

Training, Washington, DC)

"This certification comes at a very ripe time. Professionals can no longer get away with having siloed knowledge. Compliance is all-encompassing and enterprise-driven."

Director, Global Risk
& Investigation Practice
FTI Consulting, Los Angeles