Takeaways
- Directors and officers can and have been named personally in both civil and criminal enforcement actions involving sanctions, export restrictions, anti-money laundering and anti-bribery rules.
- Enforcement agencies expect boards and senior managements to ensure their companies’ compliance with these rules, which are viewed as key instruments of U.S. foreign policy.
- The same conduct can run afoul of multiple regulatory regimes, and enforcement authorities regularly cooperate and bring joint actions.
- Companies will only receive credit for voluntarily disclosing violations if they do so before enforcement officials discover the problems.
Recent developments, including Russia’s invasion of Ukraine, ongoing tensions between the U.S. and China, and turmoil in the digital assets sector, have made it essential for companies — including their directors and senior executives — to pay close attention to compliance with U.S. sanctions, export controls, anti-money laundering (AML) and anti-bribery and corruption (ABC) laws. While most boards have long been alert to the issues raised by the Foreign Corrupt Practices Act, these other regulatory regimes have grown in importance as the U.S. government has increasingly and aggressively turned to them to shine a spotlight on corporate conduct. The U.S. government uses these laws as critical tools to advance its foreign policy, protect the financial system and prevent sensitive U.S. technology and information from falling into the wrong hands.
Boards and senior management need to be especially vigilant because they can become the targets of enforcement actions if there are violations. In recent years, the U.S. government has sought stiff fines and brought criminal charges against dozens of companies, and in some cases their executives and officers, for failing to comply with these laws. In addition to the potential legal penalties, media coverage of possible violations and enforcement actions heightens the reputational risks to companies and individuals. Disclosure of violations, or even of an investigation of potential violations, often is quickly followed by securities class actions litigation and derivative lawsuits claiming that directors failed in their duties to appropriately oversee these risks.
Boards and senior management play a critical role by instilling a culture of compliance, ensuring that compliance functions are adequately resourced and providing continuous and meaningful oversight. Here is a quick guide to the different offices responsible for enforcement, some key compliance risks and the obligations of directors and C-suite officers.
Key Enforcement Agencies and Laws — and Their Acronyms |
---|
BIS: The Department of Commerce’s Bureau of Industry Security is the primary federal agency responsible for administering and enforcing U.S. export control laws. |
DOJ: The Department of Justice is responsible for investigating and prosecuting violations of U.S. federal law, including the Foreign Corrupt Practices Act and referrals for criminal prosecution from other agencies. |
FinCEN: The Department of the Treasury’s Financial Crimes Enforcement Network is responsible for implementing, administering and enforcing compliance with the Bank Secrecy Act (BSA) and associated regulations. |
OFAC: The Department of the Treasury’s Office of Foreign Assets Control is the primary federal agency responsible for administering and enforcing U.S. economic sanctions laws. |
Other Federal Regulators, including the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corporation, the Securities and Exchange Commission and the Commodity Futures Trading Commission, conduct compliance examinations and bring enforcement actions for violations of the BSA and associated regulations. |
Focus on Company Officers and Directors
The agencies that implement and enforce these laws are increasingly focused on how senior management oversees and manages compliance risk. Even inadvertent violations of sanctions, AML, ABC or export control laws can expose executives and officers to liability if they fail to take steps to ensure compliance. Willful violations can lead to criminal prosecution.
For example, in April 2021, SAP SE, a software company headquartered in Germany, agreed to pay more than $8 million in penalties as part of a global resolution with the DOJ, BIS and OFAC after the company disclosed thousands of export violations, including illegally releasing U.S.-origin software, upgrades and patches to users in Iran. SAP had also allowed Iranian users to access U.S.-based cloud services. Of note, some SAP senior executives were aware that neither the company nor its U.S.-based provider used geolocation filters to identify and block Iranian downloads, yet they did not remedy the issue. In announcing the resolution and penalties, the DOJ prosecutor stated that the case “should serve as a strong deterrent message to others that the release of software and sale of product and services on the internet are subject to U.S. export laws and regulations.”
At the Treasury Department, OFAC and FinCEN have brought several enforcement actions against individuals in recent years for violations of sanctions and export control laws. One case brought by FinCEN resulted in a $450,000 civil fine against the former chief risk officer of a large U.S. bank.
At the Commerce Department, BIS, in cooperation with the DOJ, routinely brings enforcement actions against individuals, including company executives. In 2021 — the last year for which BIS published this data — BIS investigations resulted in criminal convictions of 50 individuals and companies, resulting in a total of 1,118 months of prison time for individual defendants.
A significant policy statement by Deputy Attorney General Lisa Monaco published in September 2022 (the Monaco memorandum) highlighted DOJ’s renewed focus on individual misconduct.
Parallel Enforcement
It is important to understand that incidents of company wrongdoing often implicate multiple enforcement regimes. Shipping a U.S. product to Iran, for instance, can violate U.S. sanctions prohibitions, export control laws and money laundering regulations.
In April 2022, FinCEN issued an Advisory on Kleptocracy and Foreign Public Corruption urging financial institutions to focus efforts on detecting the proceeds of foreign public corruption — activity that can involve violations of several U.S. laws. The advisory included 10 red flag indicators to assist financial institutions in detecting, preventing and reporting suspicious transactions associated with kleptocracy and foreign public corruption. And in June 2022, FinCEN and BIS issued a joint alert urging companies to be on the lookout for Russian and Belarusian attempts to evade U.S. export controls and reminding financial institutions of their obligation to report suspicious activities, including potential sanctions and export control violations.
In such cases, OFAC, FinCEN and BIS may cooperate in their investigations and bring parallel civil enforcement actions alleging violations of multiple laws. Any one of these agencies can refer cases to the DOJ where there is evidence of willful violations.
Examples of joint enforcement cases:
- In October 2022, OFAC and FinCEN announced settlements of approximately $24 million and $29 million, respectively, with a virtual currency exchange for alleged violations of sanctions and AML laws.
- In July 2021, OFAC and BIS brought parallel enforcement actions against two U.S. and United Arab Emirates companies for violations of sanctions and export control laws stemming from the sale of U.S. tank storage cleaning units to Iran.
The DOJ routinely brings criminal enforcement actions in conjunction with civil enforcement actions pursued by OFAC, FinCEN, BIS and other agencies.
The Importance of Disclosure
OFAC, FinCEN and BIS have emphasized the importance of voluntary disclosure of potential violations of laws and regulations. Depending on the facts, companies that voluntarily disclose may avoid civil fines or see them reduced because of the disclosure.
Similarly, the Monaco memorandum emphasized that, absent aggravating factors, the DOJ will not seek a guilty plea to criminal charges where a company has voluntarily disclosed conduct, fully cooperated and remediated its conduct appropriately and promptly. On the flip side, failing to voluntarily disclose can lead to higher fines and more onerous settlement conditions.
That said, voluntary disclosure is not always the right call in all circumstances, and companies considering a voluntary disclosure should keep in mind a few important considerations.
Disclosure after the government learns of the violation will not be considered voluntary. The Monaco memorandum makes clear that a company will only receive credit for self-disclosure if that is made prior to an imminent threat of disclosure or government investigation. Companies should therefore ensure that their compliance programs incentivize employees to surface problems to management, and that management surfaces problems to the board, before the conduct becomes known to the government, often through a whistleblower and sometimes a disgruntled employee who positions himself as such. Boards should carefully review whether current reporting mechanisms, up to management and the board, are effectively alerting the company’s leadership and those responsible for oversight, including the board, to problems.
Disclosure to one agency is not necessarily disclosure to others. The U.S. government agencies typically expect that a company will disclose a possible violation to all relevant agencies. An agency may not extend voluntary disclosure credit if it learned of the conduct from another agency. Therefore, if a company identifies an issue that involves a potential violation of multiple legal regimes, it should carefully consider agencies it should contact and coordinate disclosure to help ensure voluntary cooperation credit. Further, in instances where companies have specific filing obligations, such as a suspicious activity report filing in the AML context, they should not consider their obligations satisfied by virtue of, for example, a disclosure to OFAC or BIS.
U.S. agencies expect companies to name the individuals involved in misconduct. Following disclosure of a possible violation of law — whether or not voluntary — U.S. government agencies expect companies to identify the individuals involved. The Monaco memorandum, for example, emphasizes the DOJ’s expectation that companies disclose all nonprivileged information related to all individuals involved in corporate misconduct to receive cooperation credit.
What Regulators Expect From Companies and Their Managements |
---|
Regulators expect U.S. companies to maintain effective risk-based compliance programs that are reasonably designed to prevent violations of the law. Companies in the financial services industry are typically required to design and implement an effective anti-money laundering compliance program that is risk-based and meets the minimum requirements of the BSA and related regulations. Boards of directors are expected — and in some cases required — to oversee compliance programs to guard against violations, including ensuring that adequate resources are provided for the compliance function and that there is a strong pro-compliance culture at every level of the company. In the event of a potential violation, U.S. government agencies will consider the nature and quality of a company’s compliance program when determining whether an enforcement action is appropriate and, if it is, what form it takes. In weighing a criminal prosecution, the DOJ will consider whether a company deters misconduct by, for instance, creating incentives for compliance, enforcing personal accountability and instituting compensation clawback provisions. |
View other articles from this issue of The Informed Board
- Demystifying China’s Merger Review Process
- The Angel’s in the Details: The Importance of Carefully Drafted Board Minutes
- This SEC Press Release Is a Compliance Checklist for Corporations
See all the editions of The Informed Board
This memorandum is provided by Grand Park Law Group, A.P.C. LLP and its affiliates for educational and informational purposes only and is not intended and should not be construed as legal advice. This memorandum is considered advertising under applicable state laws.