On December 13, 2019, the Department of Justice (“DOJ”) released an updated Export Control and Sanctions Enforcement Policy for Business Organizations (“Policy”), revising the prior policy governing voluntary self-disclosures of export control and sanctions violations for business organizations, including financial institutions. The Policy encourages companies to voluntarily self-disclose all potentially willful[i] violations of the primary export control and sanctions statutes—the Arms Export Control Act[ii], the Export Control Reform Act[iii], and the International Emergency Economic Powers Act[iv] —directly to the Counterintelligence and Export Control Section (“CES”) of the National Security Division (“NSD”) of DOJ. Under the new Policy, if a company (1) voluntarily self-discloses potentially willful export control or sanctions violations to CES, (2) fully cooperates, and (3) timely and appropriately remediates, there is a presumption that the company will receive a non-prosecution agreement (“NPA”) and will not pay a fine, absent aggravating factors.
Companies should view the Policy against a background of heightened NSD criminal enforcement of export control and sanctions violations, particularly in the context of Chinese state-sponsored economic espionage[v]. In this context, the Policy is important in the following respects:
- NSD has provided some notable clarity and additional incentives for voluntary disclosure—thus providing additional disclosure carrots in addition to enforcement sticks—although the Policy does not provide as many incentives as self-disclosure regimes in other criminal contexts.[vi]
- This Policy allows financial institutions to take advantage of the incentives for self-disclosure by eliminating the carve-out that specifically excluded these entities from the prior policy.[vii]
- Benefits of the Policy are conditioned on timeliness and heighten the need for appropriate due diligence in the context of mergers and acquisitions.
- Benefits of the Policy also are conditioned on direct reporting to NSD, in addition to any civil regulators such as the Treasury Department or Commerce Department, reinforcing the expanded role of criminal law enforcement in policing export control and sanctions compliance.
Despite the possible benefits offered by the policy, it remains to be seen whether and how often NSD’s new policy will, in practice, actually be employed.
The ability of a company to meet the criteria noted above will require a nuanced understanding of the key aspects of each element. A significant new Policy requirement also mandates that companies self-disclose directly to DOJ to qualify for the Policy benefits in any subsequent DOJ investigation. Self-reporting solely to a regulatory agency will not qualify a company for the benefits afforded by the Policy, though the Policy is not intended to alter existing reporting protocols to those regulatory bodies.
First, the disclosure must be “voluntary,” meaning the company must self-report before there is an “imminent threat of disclosure or government investigation.”[viii] Self-disclosing before the company becomes aware of an ongoing, nonpublic investigation is still considered “voluntary.” Additionally, a company must disclose the conduct “within a reasonably prompt time after becoming aware of the offense.”[ix] The company must also provide all relevant facts known at the time of disclosure and identify individuals involved with or responsible for the misconduct at issue.
Second, to “fully cooperate,” a company must disclose all relevant facts related to the potential wrongdoing. This disclosure includes providing information attributed to specific sources, rather than a general narrative; updates on any internal investigation findings; and information regarding the company’s officers, employees, or agents, or third-party companies involved in criminal activity. The company also must identify, preserve, collect, and disclose relevant documents and information and identify and assist with the production of documents not within the company’s possession, as well as make witnesses available for interviews by DOJ. Additionally, DOJ may require de-confliction of witness interviews or the company’s other investigative measures.
Third, to fulfill the “timely and appropriate remediation” requirement, a company must analyze the underlying causes of the conduct, implement an effective compliance program, appropriately discipline employees, implement controls for and retain business records, and take any additional steps necessary to avoid repeating the misconduct. The Policy highlights several compliance criteria to consider when evaluating the efficacy of a compliance program but acknowledges that compliance programs are not one-size-fits-all and will vary based on the size and resources of a particular company.
Even if a company meets the elements to qualify for a presumptive NPA under the Policy, certain “aggravating factors” may result in more severe action by DOJ. These aggravating factors, which “represent elevated threats to national security,” include, but are not limited to:
- Exports of items controlled for nuclear nonproliferation or missile technology reasons to a proliferator country;
- Exports of items known to be used in the construction of weapons of mass destruction;
- Exports to a Foreign Terrorist Organization or Specially Designated Global Terrorist;
- Exports of military items to a hostile foreign power;
- Repeated violations, including similar administrative or criminal violations in the past; and
- Knowing involvement of upper management in the criminal conduct.
If aggravating circumstances warrant a more stringent enforcement action, but the company still satisfies all other criteria, the Policy provides that DOJ will recommend a fine that is at least 50 percent lower than what would otherwise be available under the alternative fine provision and will not require the appointment of a monitor if the company has implemented an effective compliance program at the time of resolution.
While offering an important opportunity for companies to potentially mitigate risk when violation of these laws is identified, the Policy emphasizes that protecting national security assets—and holding those that violate U.S. export controls and sanctions laws accountable—is a “top priority” of DOJ. Unlike the presumption of a declination afforded under the Foreign Corrupt Practices Act Corporate Enforcement Policy, the government concluded that presuming to take “no action” was not appropriate for this Policy, “[g]iven the threats to national security posed by violations of our export control and sanctions laws.”[x] As noted in the Policy, this concern “distinguish[es] these cases from other types of corporate wrongdoing.”
Under the new Policy, financial institutions may take advantage of the benefits of voluntary self-disclosure. Additionally, in the context of a merger or acquisition, when misconduct by the target entity is discovered during “timely and thorough” due diligence or, in certain circumstances, during post-acquisition integration, the presumption of an NPA still applies if the company abides by the other requirements under the Policy (e.g., the timely implementation of an effective compliance program at the acquired or merged entity).
One key question that remains, however, is how other agencies, including government contracting agencies—particularly the State Department’s Directorate of Defense Trade Controls (“DDTC”) that enforces the International Traffic in Arms Regulations—will view an NPA entered into as a result of a voluntary self-disclosure proceeding with DOJ. DDTC and other agencies that have debarment authority have the discretion to administratively debar companies for violations of export control laws, particularly criminal violations of such laws. Thus, government contractors will need to carefully consider collateral consequences of a voluntary self-disclosure to DOJ when deciding whether to avail themselves of this Policy.
Companies should carefully consider the benefits offered under the Policy for voluntary self-disclosures—the presumption of an NPA and no associated fine—since companies who choose not to self-disclose potentially willful violations that later become known to DOJ may receive significantly greater penalties. These benefits should be carefully weighed against the possible risks of disclosing potentially criminal conduct to DOJ and collateral consequences with other agencies to determine whether and when a disclosure is appropriate. Indeed, it is an open question how often the benefits of the policy will come into play, particularly when one or more “aggravating factors” which “represent elevated threats to national security” might be present.
Given the Policy’s emphasis on a company’s ability to identify and remediate issues that arise, its expanded scope to new entities (financial institutions), and focus on timely disclosure, including in the context of mergers or acquisitions, companies should consider taking stock of their compliance policies and procedures and acquisition due diligence. Companies with compliance programs that encourage reporting of potential issues—including robust internal reporting mechanisms, effective training, acquisitions due diligence, and anti-retaliatory provisions—and companies that involve counsel early when an issue is identified will be best equipped to reap the potential benefits of the Policy.
[i] In export control and sanctions cases, NSD defines an act as “willful” if it is done with the knowledge that it is illegal.
[ii] 22 U.S.C. § 2778
[iii] 50 U.S.C. § 4801 et seq.
[iv] 50 U.S.C. § 1705
[v] John Demers, Assistant Att’y Gen., Dep’t of Justice, Statement before Committee on the Judiciary of the United States Senate (Dec. 12, 2018) (describing how the Justice Department is “marshall[ing]  resources” to confront the threat of Chinese state-sponsored economic espionage).
[vi] While other self-disclosure regimes may allow companies to receive less stringent penalties than an NPA, DOJ emphasizes that criminal violations of these laws threaten national security, and that companies, as the “gatekeepers of our export-controlled technologies, […] play a vital role in protecting our national security.” David Burns, Principal Deputy Assistant Att’y Gen., Dep’t of Justice, Remarks (“Burns Remarks”) Announcing New Export Controls and Sanctions Enforcement Policy for Business Organizations (Dec. 13, 2019). Driven by these national security concerns, the Policy aims to create a balance between encouraging disclosures and cooperation with “concrete and significant” benefits, while also deterring violations of U.S. export control and sanctions laws. Id.
[vii] Burns Remarks.
[viii] U.S.S.G. § 8C2.5(g)(1)
[x] See Burns, supra note 5.