Corporate Compliance as a Matter of National Security: DOJ ‘Surging’ Criminal Enforcement Resources

The DOJ has committed in recent years to bolstering corporate criminal enforcement. In recent years, Deputy Attorney General Lisa Monaco has issued a series of memos (I and II) and policy updates aimed at strengthening corporate criminal enforcement, including matters related to individual accountability, prior misconduct, cooperation credit, business communications, voluntary self-disclosure, compliance program assessment and monitors, among other issues. 

All versions of the Monaco memo come as the DOJ invests heavily in corporate enforcement resources — and as the agency links corporate crime to national security. 

In March of this year, the DOJ announced it planned to add 25 new prosecutors to the National Security Division to assist with corporate criminal enforcement. In July, the DOJ, OFAC and Bureau of Industry & Security (BIS) released a joint compliance note highlighting the benefits of voluntary self-disclosure for U.S. sanctions, export controls and national security laws violations, emphasizing that businesses play “a critical role in identifying threats from malicious actors and helping to protect our national security[.]” In September 2023, the department appointed its first-ever chief counsel for corporate enforcement. The DOJ is “surg[ing] resources” at corporate criminal enforcement, Principal Associate Deputy Attorney General Marshall Miller confirmed in a September 2023 address and, “so too must companies invest in compliance measures if they are to mitigate national security risks.” According to Miller, corporate compliance now requires a “new level of diligence and attention[.]” (Emphasis added.)     

The DOJ could not be clearer about its priorities. Yet, recent years have not seen a material bump in blockbuster corporate enforcement matters. The DOJ reported no new FCPA enforcement actions in Q2 2023, and 2023 is on track to be the third consecutive year with FCPA enforcement activity below the 10-year average. The DOJ Fraud Section charged 72 individuals in 2022, entering into just seven corporate resolutions and two corporate enforcement policy declinations that year. Just nine corporations faced criminal antitrust charges in 2022, the third-lowest annual total in the past decade. And while the DOJ was involved in the $629 million settlement with British American Tobacco and an affiliate, resolving charges of bank fraud and sanctions violations arising from North Korea sales, most recent sanctions and export controls matters brought by the DOJ’s National Security Division have involved charges against individuals. 

What does this data signify? It would be unwise to assume that it belies the sincerity of the DOJ’s stated focus on corporate crime. The implementation of new policies takes time. Enforcement actions might not yet be public. Newly added resources may have yet to produce new matters. Regardless, companies should take the DOJ at its word when it says that more enforcement is imminent. If this moment is a period of calm before a coming storm of enforcement, companies should consider utilizing this time to bolster compliance programs in accordance with updated DOJ guidance and expectations.  

Companies with cross-border operations, investment or supply chains should be especially thoughtful in assessing their compliance programs. The Monaco memo and the DOJ’s March 2023 updated “Evaluation of Corporate Compliance Programs” provide a useful framework. These documents indicate that, at a high level, prosecutors will assess whether a corporate compliance program is well-designed, adequately resourced, empowered to function effectively and working in practice. These questions will be answered by looking at more concrete factors, including: 

• How (and how often) corporations measure and identify compliance risk.
• How policies are designed and updated.
• Whether the compliance function is well-resourced and independent.
• What training is provided to employees, management and gatekeepers.
• How the company monitors payment and vendor systems for suspicious transactions.
• Whether confidential reporting structures exist; how investigations are handled.
• How disciplinary decisions are made.
• How senior leaders and middle management foster compliance.
• The management of third-party compliance risk.
• Compliance due diligence, oversight and integration in the M&A context.
• Whether compensation structures discourage compliance violations.
• Whether the compliance program is tested and improved over time.
• How the company tracks business communications, including on personal devices.
• Whether identified concerns are remediated appropriately.   

Two enforcement considerations highlighted in the second Monaco memo may be especially challenging for companies with multinational exposure. First is the use of personal devices and third-party messaging platforms. Monaco II states that corporations “should have effective policies governing the use of personal devices and third-party messaging platforms for corporate communications, should provide clear training to employees about such policies, and should enforce such policies when violations are identified.” The oversight of corporate communications on personal devices is challenging enough in the United States, where corporate email continues to be a primary means of communication. In other countries, third-party applications and messaging platforms accessed by personal devices can be the primary or even sole means of corporate communication. Subjecting these communications to compliance oversight can be complicated simply as a matter of logistics. Local data privacy, national security, cybersecurity and other measures may make such monitoring even more challenging. 

The potential tension between U.S. and foreign legal obligations is the second Monaco II consideration that can be difficult for multinational operators. In an era of growing geopolitical tension, some foreign countries have laws in place that restrict companies’ ability to share foreign documents and information with U.S. regulators, including data privacy, data security, cybersecurity and national security regulations, blocking statutes and laws prohibiting cooperation with overseas law enforcement. Monaco II notes that while foreign law may complicate a company’s ability to cooperate with DOJ information requests, companies have the burden of “establishing the existence of any restriction on production,” “identifying reasonable alternatives to provide the requested facts and evidence” and working “diligently to identify all available legal bases to preserve, collect, and produce such documents, data, and other evidence expeditiously.” 

The DOJ retains broad discretion to withhold cooperation credit from companies when compliance with foreign law results in a failure to produce requested evidence; companies that wish to cooperate with the DOJ without subjecting themselves to foreign liability sometimes must engage in a balancing act between legal regimes that offer no clear path to compromise.

Despite the challenges, the DOJ’s stated intent to ramp up corporate criminal enforcement means that companies should continue to assess whether their compliance programs have kept pace with the DOJ’s evolving expectations. This will be particularly necessary for companies that operate in sensitive geopolitical locations and sectors, as well as those that employ new technologies including but not limited to advanced computing, advanced engineering materials, traditional and advanced manufacturing, aerospace, autonomous systems, robotics, biotech, communication networking technologies, food production, traditional and renewable energy, semiconductors, space technologies, surveillance technologies, AI/machine learning and military and dual-use technologies. These businesses in particular should be proactive in (a) periodically measuring risk exposure and (b) assessing whether their compliance programs address the identified risks sufficiently. Program improvements should be made as necessary. Any issues should be remediated promptly. 

An effective compliance program is more critical than ever. As the DOJ increasingly views corporate compliance as a matter of national security, companies should heed the call for a “new level” of diligence in implementing, testing and improving their compliance programs before the DOJ comes knocking.