DOJ Evaluation of Corporate Compliance Programs

DOJ’s 2024 Edits to the ECCP: Speaking Up, Compliance Resources and Lessons Learned


The edits to the DOJ’s Evaluation of Corporate Compliance Programs (ECCP) that were announced in September 2024 (2024 Edits) during the Society for Corporate Compliance and Ethics’ (SCCE) Compliance & Ethics Institute were broad, touching on many aspects of compliance programs.

The first article of this three-part series about the 2024 Edits discussed the changes related to AI, the hottest compliance topic of the day; and the second examined the many edits related to data analytics, which are still cutting edge for many companies. This last installment covers changes regarding bread-and-butter elements of a compliance program that are less sexy to discuss but equally important.

See “Meeting DOJ Expectations Post-Resolution Requires Realism and Accountability” (Sep. 11, 2024).

Speaking Up

In two places, the 2024 Edits add questions for prosecutors to ask regarding how companies foster a speak-up culture.

Encouraging Reporting

In the subsection regarding the effectiveness of a company’s reporting mechanism, three questions have been added to the existing set:

  • Does the company encourage and incentivize reporting of potential misconduct or violation of company policy?
  • Conversely, does the company use practices that tend to chill such reporting?
  • How does the company assess employees’ willingness to report misconduct?

These changes, which are intended to ensure that companies have effective programs in place, are consistent with the DOJ Fraud Section’s Corporate Whistleblower Awards Pilot Program (WAPP), announced in August 2024, Ephraim (Fry) Wernick, a partner at Vinson & Elkins, told the Anti-Corruption Report. In addition to providing rewards to those who bring information to the DOJ about corporate crime, the WAPP is also careful to encourage internal reporting. For example, a whistleblower’s “participation in internal compliance systems or internal reporting” can increase awards.

See our two-part series on the DOJ’s Corporate Whistleblower Awards Pilot Program: “A Look at Forfeiture and Culpability” (Aug. 14, 2024), and “Exclusions, NDAs and Goals” (Sep. 11, 2024).

Anti-Retaliation

The 2024 Edits also add an entirely new section titled “Commitment to Whistleblower Protection and Anti-Retaliation,” which includes the following questions:

  • Does the company have an anti-retaliation policy?
  • Does the company train employees on both internal anti-retaliation policies and external anti-retaliation and whistleblower protection laws?
  • To the extent that the company disciplines employees involved in misconduct, are employees who reported internally treated differently than others involved in misconduct who did not?

“Before this update, there was an expectation that companies have multiple avenues to raise concerns, including avenues to raise concerns anonymously,” Amy Schuh, a partner at Morgan Lewis, told the Anti-Corruption Report, and that their policies would reflect that those who raised concerns would be protected from retaliation.

As with the questions about encouraging reporting, the questions about anti-retaliation are consistent with the WAPP. According to Daniel Wendt, a member of Miller & Chevalier, the WAPP “encourages whistleblowers to report any retaliation so that the DOJ can assess whether to withhold cooperation credit or even pursue enforcement actions” against companies that engage in any kind of retaliation. Additionally, the fact sheet that accompanies the WAPP notes that the fear of retaliation keeps many whistleblowers from coming forward. The DOJ understands whistleblower programs “have a much better chance of achieving their aims if companies have affirmative efforts to prevent retaliation against employees who raise concerns, either internally or externally,” he said.

The 2024 Edits regarding anti-retaliation suggest that companies should consider implementing a standalone anti-retaliation policy rather than relying on high-level statements in their code of conduct or other subject-matter specific policies, such as an anti-corruption policy, Wendt advised. Companies should train employees on those anti-retaliation policies. They also should audit decisions to investigate and discipline retaliation to make sure individuals are being treated fairly.

An audit of anti-retaliation practices may not be so easy. “Retaliation is a notoriously tricky allegation to investigate and substantiate,” Lila Acharya, a partner at Crawford & Acharya, told the Anti-Corruption Report, noting that the ECCP does not define “retaliation” despite using the term six times. The E.U. Whistleblower Directive, on the other hand, provides concrete examples of what retaliation might look like. “The updated ECCP is a step in the right direction, but it is not particularly robust on this point,” Acharya said.

See “Germany’s New Whistleblower Act Goes Beyond E.U. Directive With Unique Requirements” (Jul. 19, 2023).

Training on External Whistleblower Programs

The new subsection on whistleblower protection has one additional question that is a bit controversial. Prosecutors are encouraged to ask, “Does the company train employees on internal reporting systems as well as external whistleblower programs and regulatory regimes?”

Companies have a substantial interest in finding issues quickly so that they can be investigated and remediated – an interest that is undermined when employees go outside of the company to make their reports. “The notion that companies should now advertise DOJ and SEC whistleblower programs, and the huge financial incentives they offer, to employees creates a thorny problem that companies will have to navigate,” Wernick observed. To successfully address the issue, compliance teams would need to walk the tightrope of educating employees about possibly lucrative outside programs while also encouraging them to use – and trust – internal reporting options, he said.

Considering the challenges here, Wendt does not “anticipate that many companies will prioritize any such efforts.”

See “Takeaways From the CFTC’s First Whistleblower Interference Case” (Aug. 28, 2024).

Compliance Resources

One small tweak in the 2024 Edits changed the language about compliance autonomy and resources from a question of whether the compliance team has “sufficient seniority within the organization” to whether it has “sufficient qualifications, seniority, and stature (both actual and perceived) within the organization.” While not a big change in and of itself, this readjustment underscores the increasing emphasis on having a compliance team with the appropriate knowledge and resources to succeed.

The Right Expertise

For many companies, the most important compliance resources are the team members themselves. While headcount is critical, not just any warm body will do. A compliance team has to have both the right type and level of experience for a compliance program to run effectively, Tarek Helou, a partner at Wilson Sonsini, told the Anti-Corruption Report. Just as in any other area of the company, compliance team members “need to have the right knowledge and experience to do their job,” he said.

For years there has been a debate over what the “right” background is for a compliance professional when it comes to education and certifications. The field is full of lawyers, but many successful compliance professionals do not have a law degree or any professional degree at all.

The DOJ’s aim with the 2024 Edits is not to weigh in to any active debates about the best resume for compliance positions, especially CCO positions, Wendt explained. Instead, the new language in the ECCP is targeted at sussing out situations where a company has filled compliance positions – even senior roles – with personnel who have no background in the area, he said.

What matters most in compliance is not whether someone has a particular degree or certificate, but their experience. “The job requires more than just the application of DOJ guidance or theory but also a genuine appreciation of a company’s risk profile, an understanding of how to work effectively with the business and other control functions, and, quite frankly, how to accomplish a slate of goals on what is inevitably always going to be a limited budget,” Acharya said.

Industry experience is particularly important, “since different industries face different compliance risks,” Helou observed.

Other relevant qualifications could include tenure in a corporate compliance role or related departments such as legal, finance and audit; outside experience at law firms, audit firms, compliance consultancies or government agencies; IT and data science experience; a background in behavioral science; and expertise in communications or adult learning, Wendt suggested.

Stature Within the Company

In addition to suggesting that a compliance team needs to have the right qualifications, the 2024 Edits also indicate the need for stature, both perceived and actual, within the company.

What the DOJ means by “stature” is not defined in the ECCP, but “actual” stature likely includes titles, reporting lines and inclusion in key management meetings, committees and leadership events, Wendt proposed. “Perceived” stature is inherently more opaque, but could refer to things such as an office in the C‑suite, other visibility with senior management and the board, and day-to-day treatment within the company, he said.

To Schuh, a former chief ethics and compliance officer, stature “is about the CCO’s ability to influence the decision making of the company.” Is the CCO respected, and does the person have a proverbial seat at the table? When the individual raises issues, is anyone listening? “The answers to those questions better be ‘yes,’” she said.

No matter where a CCO sits within a company, actual independence is critical, Acharya offered, so that the individual “can bring something to the attention of the board or the audit committee without repercussion.” Wernick likewise posited that when defending a program to the DOJ, “a company needs to be able to show that the compliance function is sufficiently empowered and respected in a company to demand accountability from other senior executives and business professionals.”

If compliance lacks stature – actual or perceived – within a company, all is not lost. To improve stature, the compliance team can advocate for corporate perks and privileges and, most importantly, invest in building relationships, Wendt suggested. The compliance team also can highlight the ways in which it can help the company. “There are so many day-to-day business issues where compliance can and should be involved and where compliance can demonstrate its value,” Acharya said. “The more compliance is invited to the table, the more its stature is improved within the company.”

See “To Work Effectively, CCOs Need Authority, Autonomy and Information” (Nov. 6, 2024).

Lessons Learned

In her speech at the SCCE conference announcing the changes to the ECCP, Principal Deputy Assistant Attorney General Nicole Argentieri noted that the DOJ had “updated the ECCP to expand upon an important concept – that companies should be learning lessons from both [their] own prior misconduct and from issues at other companies to update their compliance programs and train employees.”

The main edit touching on lessons learned is in the subsection dealing with the design of policies and procedures, where the following question was added: Is there a process for updating policies and procedures to reflect lessons learned either from the company’s own prior issues or from those of other companies operating in the same industry and/or geographical region?

Additionally, in the final section of the ECCP that focuses on whether a compliance program is working in practice, two changes were introduced about whether the compliance program has a track record of detecting issues in the past and how responses have changed over time. And in the section dealing with training and communication, a number of questions were added, as well.

A Critical Compliance Component

The ability to learn from the past and make improvements to a compliance program is not a new concept. “DOJ has long emphasized the importance of compliance being an ongoing and evolving function that continues to respond to new and ongoing risks,” Wernick said.

However, the 2024 Edits are very targeted, drawing attention to specific areas of a program where these lessons should be incorporated, Wendt noted.

Angela Crawford, a partner at Crawford & Acharya, referenced a William Faulkner quote – “The past is never dead. It’s not even past.” – in making the point that issues that have arisen as part of past monitoring, investigations and risk assessments have continued relevance for a compliance program. “If an organization finds itself having to learn the same lessons repeatedly, this usually is an indication that there is an issue with the broader culture and tone or conduct at the top and middle of the organization,” she said. There is likely some barrier to fully learning and incorporating the lesson related to culture or leadership. To move forward, the compliance team needs to attempt to uncover these barriers as part of its risk management process through surveys or focus groups, she suggested.

Training Is a Natural Place to Start

In the previous version of the ECCP, there was a question that asked, “Has the training addressed lessons learned from prior compliance incidents?” The 2024 Edits added a question specifically about integrating lessons learned from other companies: “Has the training addressed lessons learned from compliance issues faced by other companies operating in the same industry and/or geographical region?”

Issues faced by other companies, particularly those in the same industry, are an excellent way to teach employees about compliance expectations. “Lessons learned from the mistakes of a competitor are extremely useful in internal discussions, because employees generally feel more open to talk about what a competitor did wrong,” Wendt said. “Discussing a competitor’s mistakes may also help to show the value-add for compliance, as the compliance team is there to help avoid similar pitfalls.”

See “Training Insights From In-House Experts”: Part One (Jun. 1, 2016), and Part Two (Jun. 15, 2016).

Other Ways to Incorporate Lessons Learned

To incorporate lessons learned from previous issues and those at other companies, companies also “can and should go through nearly all the elements of a compliance program,” Wendt advised.

For example, companies can use lessons learned “in risk assessments and audits by focusing on risks that have occurred,” Helou suggested. Crawford noted that any root-cause analysis from previous issues is particularly useful for the risk management process. “When issues arise, companies should identify and remediate root causes and then determine whether there are systemic risks to address and resolve beyond the narrow scope of the issue that was initially the focus,” Wernick agreed.

Companies also can use lessons learned as part of their third-party due diligence, Helou suggested. If the personnel responsible for due diligence are familiar with lessons learned, they can flag similar issues going forward, Wendt added.

“Real-life examples of what has gone wrong, while protecting privacy and confidentiality, are critically important to creating awareness in a company that bad things happen and there are consequences when they arise,” Schuh opined.

See our three-part series on root-cause analysis: “DOJ Expectations and Getting to Why” (Jun. 23, 2021), “Gathering Information” (Aug. 4, 2021), and “Touching Bottom and Advanced Maneuvers” (Aug. 18, 2021).

Sanctions

How Companies Can Protect Themselves From Secondary Sanctions Liability


In the wake of Russia’s 2022 actions in Ukraine, the U.S., U.K. and E.U. collectively initiated the most extensive and rapidly escalating sanctions regime in history. This unprecedented response saw the imposition of sweeping measures targeting key sectors of the Russian economy, high-profile individuals, and critical state-owned enterprises. However, these extensive sanctions have not led to the intended outcome – by some measures the Russian economy is thriving as the war in Ukraine grinds on.

In this article, we discuss how the U.S., U.K. and E.U. are attempting to increase pressure on Russia through secondary sanctions and the complications this may create for companies engaged in international trade.

See this two-part series on the new Russia restrictions: “Agency Cooperation and Industry Focus” (Mar. 13, 2024), and “International Cooperation and Risk Mitigation” (Mar. 27, 2024).

Falling Short of Intended Goals

The historical significance of these sanctions lies both in their breadth and the depth of coordination among Western powers.

Unprecedented Size

For perspective, the scale of action surpasses the magnitude of sanctions imposed in previous geopolitical conflicts. Within weeks of the invasion, the E.U. and G7 countries froze over €21.5 billion in assets belonging to designated individuals and entities, froze €300 billion in assets from the Central Bank of Russia, and added 1,700 individuals and entities to the E.U.-Russia sanctions lists, according to a briefing by the European Parliament. The U.K. has sanctioned more than 1,600 individuals and entities and frozen over £18 billion, according to a news story published by the U.K. government, around £6 billion more than held across all other U.K. sanctions regimes.

Collectively, the sanctions regime resulted in a 98.2% reduction in imports of goods from Russia compared with the monthly average for the 12 months prior to February 2022. The U.S. has sanctioned Russian banks that represent over 80% of the total Russian banking sector and has restrained over $500 million in assets belonging to Russian individuals and others who allegedly supported the Russian regime. Together, a joint effort dubbed the Russian Elites, Proxies and Oligarchs (REPO) Task Force – consisting of Australia, Canada, France, Germany, Italy, Japan, the U.K., the U.S. and the E.U. – has frozen over $58 billion in assets.

SWIFT Restrictions

Additionally, the sanctions include one unprecedented element – the restriction of access to the Society for Worldwide Interbank Financial Telecommunication (SWIFT). This is the first time that a former G8 nation has been cut off from the primary messaging network through which international payments are initiated, which, together with the freeze on central bank assets, crippled Russia’s ability to engage in international finance. This level of multilateral coordination and the rapid pace of implementation underscore a remarkable period in the history of sanctions, marking a new era in the global response to geopolitical conflicts.

Not the Expected Outcome

The expectations in Western capitals were that these unprecedented sanctions, combined with military aid, would bring the conflict in Ukraine to a quick end. However, despite the extraordinary nature and scale of Western sanctions, Russia’s economy has shown a surprising level of resilience, with a preliminary estimate of GDP growth in the first half of 2024 at 4.6% compared to 1.8% from the same period last year, as well as a current account surplus for the first nine months of the year totaling $50.6 billion compared to $38.8 billion during the same period in 2023. While policymakers argue that the sanctions were designed to gradually erode the Russian economy, not crash it, there is growing concern that Russian economic performance contradicts earlier predictions, suggesting a stronger-than-expected economic position amidst sanctions. This situation has begun to cause stress among allies as the sanctions are not achieving the objectives in a short timeline.

The initial strategy of adding names to sanctions lists is being re‑evaluated in light of Russia’s economic resilience. Western nations, led by the U.S., are now turning toward more aggressive measures. These include secondary sanctions on third-country nationals and entities that continue to do business with Russia, as well as a major expansion of resources devoted to criminal enforcement for violations of existing sanctions. The objective of these measures is to close loopholes that have allowed Russia to circumvent the impact of sanctions with the hope that by drastically reducing circumvention, the sanctions can achieve their original objectives.

See “How a New Law and Recent Settlements Paint a Tough Sanctions Enforcement Picture” (Jun. 19, 2024).

A Primer on Secondary Sanctions

Secondary sanctions are a tool used by one country to influence non-nationals to comply with its sanctions regime. Unlike primary sanctions, which directly target the sanctioned country or its nationals, secondary sanctions extend to third parties who are typically not subject to, for example, U.S. laws and regulations but who engage in transactions with or provide support to the sanctioned entities or individuals. Their purpose is to increase pressure on Russia by limiting its access to international markets and financial systems, causing more drastic and effective economic isolation.

Secondary sanctions can include various measures, such as asset freezes, travel bans or prohibitions on certain types of financial transactions. They are designed to deter third-country entities from engaging in certain business activities with the sanctioned country or individuals, amplifying the impact of the primary sanctions. The U.S. has previously utilized secondary sanctions in its programs against Iran and North Korea on a more limited scale.

See “Five Ways to Use Existing Resources to Meet Sanctions and Export Control Compliance Needs” (Apr. 10, 2024).

Focus on Third-Country Nationals

Since 2022, there has been a dramatic expansion, primarily by the U.S. and the U.K., of secondary sanctions targeting those allegedly assisting Russia and its nationals to carry out economic activity, often circumventing existing sanctions.

These measures targeted a variety of sectors and involved a range of countries, demonstrating the broad scope of secondary sanctions. The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) and the U.S. Department of State added a range of individuals and entities in countries like Switzerland, Turkey, the United Arab Emirates (UAE) and China to the Specially Designated Nationals List (SDN List). The reasons for these designations include involvement in sanctions evasion, support for Russia’s military, dealings in high-priority goods identified as being used in Russian weapons systems and what may be regarded as regular economic activity.

While the risk of a secondary sanctions designation may be obvious for those dealing with the Russian military industry because there could be clear ties to the Russian military and high-priority goods, the risk is less obvious for those involved in regular economic activity such as international trade of dual-use goods.

OFAC defines “Russia’s military-industrial base” very broadly. For example, in June 2024, OFAC announced that it was updating the definition to include all persons designated under Executive Order 14024, including those who had been designated for operating in the accounting sector of the Russian economy.

U.S. Enforcement Actions

There have been numerous cases of U.S. enforcement of secondary sanctions in the past year.

In November 2023, OFAC sanctioned three UAE-based entities and identified three vessels accused of exporting Russian crude oil above the $60 per barrel cap established by the Price Cap Coalition. The vessels used U.S. services while transporting Russian oil.

In August 2024, OFAC targeted a network of companies in Turkey, France and Hong Kong for sending dual-use goods to a Russian naval manufacturing firm. On the same day, several Swiss individuals were sanctioned for obfuscating Russian ownership in foreign firms and facilitating sanctions evasion schemes through asset management and relocation.

In October 2024, OFAC sanctioned persons based in India, Switzerland, Turkey, Thailand, and China for alleged sanctions evasion and circumvention.

See “Are Recent Export Controls Enforcement Actions Low-Hanging Fruit or a New Wave of Prosecutorial Zeal?” (Sep. 25, 2024).

U.K. Enforcement Actions

The U.K. has taken similar actions. In August 2023, the U.K. announced new sanctions targeting Russia’s access to foreign military equipment, sanctioning individuals and businesses in Turkey, the UAE, Slovakia and Switzerland. For example, the U.K. imposed sanctions on a Swiss crypto asset manager for his involvement in supporting the Russian financial services sector.

Later, in February 2024, the U.K. sanctioned a Dutch businessman for allegedly facilitating the trade of Russian oil through a previously designated company in the UAE.

See “U.K.’s Upcoming Sanctions Enforcer Means Higher Likelihood of Investigation” (Aug. 28, 2024).

E.U. Secondary Sanctions

While in the past the E.U. has opposed extraterritorial application of third-country sanctions and even prohibited E.U. operators from complying with the U.S. sanctions concerning Cuba and Iran, the E.U. changed its long-held stance in 2023 with respect to sanctions circumvention.

In the 11th sanctions package adopted in June 2023, the E.U. created a mechanism for secondary sanctions of third-country operators and third countries. For the first time, the E.U. sanctioned entities from jurisdictions other than Iran and Russia, such as Armenia, Uzbekistan, Syria, the UAE, and Hong Kong, China.

See “Implications of the New E.U. AML Directive” (Jun. 5, 2024).

The Criminal Side of Sanctions Evasion

Violations of sanctions regimes may be enforced through criminal prosecutions and civil actions against property suspected of being involved in a crime. The U.S. has led the charge in bringing criminal cases in the sanctions context.

When sanctions laws are broken, the violators may be charged with a crime that may lead to a prison sentence and forfeiture of assets. While the assets of those who are added to OFAC’s SDN List or the equivalent lists in the U.K. and the E.U. may be frozen while still remaining the listed entity’s property, if a criminal conviction is obtained, certain property of the defendant may be forfeited to the government. Alternatively, the government may bring a civil forfeiture action against property that was involved in or traceable to crimes, such as money laundering, with the aim of taking the property even in the absence of a criminal conviction. In the sanctions context, most cases involve alleged assistance to a person on the SDN List or violations of export controls prohibiting shipment of certain items to Russia.

U.S. Examples

In October 2023, a dual U.S.-Tajik citizen and two Russian-Canadian citizens were arrested in New York City and charged with conspiracy and other crimes related to a global procurement scheme on behalf of sanctioned Russian entities and alleged shipments of prohibited electronic components to Turkey, Hong Kong, India, China and the UAE that were later rerouted to Russia. One of the defendants pled guilty in February 2024, receiving a 24‑month prison sentence followed by a year of supervised release. The other two defendants pled guilty in July 2024 and are awaiting a December sentencing date.

In another case, the U.S. moved to seize and forfeit a luxury yacht, Amadea, allegedly associated with Suleiman Kerimov, an SDN, for making maintenance payments in violation of U.S. sanctions law. The Amadea was seized in 2022 in Fiji pursuant to a seizure warrant issued by a U.S. court that was enforced by Fiji authorities following a mutual legal assistance treaty request by the DOJ.

In yet another U.S. prosecution, a Russian citizen and U.S. legal permanent resident was charged with sanctions violations and money laundering for allegedly assisting in making payments to maintain real properties located in New York City, Southampton and Fisher Island that were associated with Viktor Vekselberg, an SDN. The DOJ moved to forfeit the properties.

Disregarding Ownership Structures

In all of these cases, defendants can assert numerous defenses against the criminal charges and forfeiture allegations. Sometimes interested parties can challenge civil forfeiture allegations as well. Notably, in many sanctions-related cases, the U.S. government has chosen to completely disregard trust and corporate ownership structures of the assets and treat assets as belonging to the SDNs regardless of the legal ownership. In fact, the White House has made bolstering sanctions enforcement and sending proceeds from seized and forfeited assets to Ukraine a priority.

How Third-Country Nationals Can Navigate the Legal Landscape

Potential sanctions violations that may result in secondary sanctions or criminal cases are not obvious. The regulations and enforcement patterns are constantly changing. The legal and practical challenges that third-country nationals face are numerous when considering transactions.

Assessing Risk

Even if the transaction is not intended to touch the U.S., U.K. or E.U., it is important to evaluate whether:

  • a sanctioned individual or entity is involved, either directly or indirectly;
  • the item being shipped may be a dual-use or other regulated item;
  • there is any touchpoint with the U.S. financial system; and
  • the transaction can be viewed as bolstering the Russian economy.

Sanctions imposed on individuals and entities from Turkey, the UAE, Slovakia, Switzerland, Armenia, Uzbekistan, Thailand, India and China, as well as U.S. criminal prosecutions of Canadian and U.K. citizens, should be concerning to anyone who conducts business internationally. The risk of a sanctions designation has climbed with the increasingly aggressive actions taken by the DOJ.

Mitigation Measures

For third-country companies engaging in business with Russia or its neighboring countries, it is paramount to monitor sanctions developments, have a well-designed compliance program and seek legal advice when transactions could be regarded as risky.

A strong compliance program creates a culture of conformity throughout every level of the organization. Management should supply employees with resources to report misconduct and provide internal compliance officers, implement sanctions-specific training programs to instruct employees on relevant regulations and risks, and outline clear expectations and defined procedures to address sanctions risks, identify where risks may arise, and prevent violations. Additionally, companies must conduct regular risk assessments, including giving a sanctions risk rating to new customers, mergers, acquisitions and integrations; leverage independent research; and conduct frequent audits to identify inconsistencies between policy and day-to-day operations.

If a possible sanctions violation is identified, companies should consider self-disclosure. A company that can show that previous issues have been identified and remediated, and that the company has a commitment to adhere to sanctions regimes, may be treated more favorably by OFAC should there be a finding of violation.

See “Managing Sanctions Risk Up and Down the Supply Chain” (Jun. 9, 2021).


Martin De Luca is a partner at Boies Schiller and leader of the firm’s international private client practice. An experienced litigator, he advises high-net-worth individuals and corporations in complex multi-jurisdictional disputes and investigations, including government enforcement actions and related cross-border litigation.

Daria Pustilnik is a senior attorney at Boies Schiller. She advises individuals and corporations in complex multijurisdictional civil and criminal disputes, including navigating international sanctions regimes enforced by OFAC, the U.S. Department of State, the U.S. Department of Commerce, the U.K. Office of Financial Sanctions Implementation and the E.U.

Enforcement Actions

Raytheon’s $950‑Million Settlement: Does It Count As a Win?

It might seem alarming for multiple U.S. agencies to trumpet a settlement involving allegations of foreign bribery, export control violations and defective pricing resulting in $950 million in fines, penalties and disgorgement. Coupled with the news that the companies involved – Arlington, Virginia-based aerospace and defense contractor Raytheon Company (Raytheon) and its parent company, RTX Corporation (RTX) – need to hire multiple monitors, it might seem that the companies were hard done by.

“Raytheon engaged in criminal schemes to defraud the U.S. government in connection with contracts for critical military systems and to win business through bribery in Qatar,” said Deputy Assistant Attorney General Kevin Driscoll of the DOJ’s Criminal Division in a press release announcing the settlements (Release). The resolutions “reflect the Criminal Division’s ability to tackle the most significant and complex white-collar cases across multiple subject matters,” he continued.

Yet, that $950‑million setback for the company might, oddly enough, yield a net gain. “The settlement is, in some measure, a win for Raytheon and RTX,” William McGovern, a partner at McGovern Weems and former SEC Enforcement Branch Chief, told the Anti-Corruption Report, not because the companies received significant discounts through cooperation or remediation, “but because they are going to go forward as a stronger company that will be able to vigorously compete in high-risk jurisdictions, knowing that they have built in the kind of internal processes and controls that they need to comply with the law.”

This first article in a two-part series lays out Raytheon’s behaviors that led to the settlement and the resolution with the government. The second article will focus on the monitorships and the broader takeaways for entities working in the aerospace and defense industries.

See “How to Survive – and Even Thrive – Under a DPA” (Oct. 9, 2024).

DOJ’s Forum Choices

The federal government pursued FCPA and Arms Export Control Act allegations against Raytheon in the Eastern District of New York (EDNY) and major fraud charges in the District of Massachusetts (DMass).

The involvement of these jurisdictions was influenced by recent corporate history. In 2020, United Technologies Corporation (UTC) merged with Raytheon. Raytheon became a wholly owned subsidiary, and UTC changed its name to Raytheon Technologies Corporation and is now known as RTX Corporation. RTX is publicly traded on the New York Stock Exchange.

Both companies are currently based in Arlington, Virginia, but, before the merger, Raytheon was headquartered in Waltham, Massachusetts.

“Complex companies facing multiple regulators may find that investigations build on one another,” McGovern said. “Exhaustive investigations sometimes uncover unexpected findings that lead in new directions,” he explained.

Those practical realities can mean that a corporation might be defending itself on multiple fronts, in multiple jurisdictions. “In large corporate investigations, there can be many leads pursued by investigators, including confidential tips which, taken together, can result in a complex mosaic with the result that, if there are multiple legal actions, they might be brought in more than one federal district court, as happened here,” McGovern said.

The EDNY DPA

In the EDNY, Raytheon entered into a three-year DPA (EDNY DPA) resulting from one count of conspiracy to violate the anti-bribery provisions of the FCPA and one count of conspiracy to violate the Arms Export Control Act (AECA) and its implementing regulations, the International Traffic in Arms Regulations (ITAR). Although parent company RTX is not a defendant in the matter, it has obligations pursuant to the agreement.

FCPA

“Over the course of several years, Raytheon employees bribed a high-level Qatari military official to obtain lucrative defense contracts and concealed the bribe payments by falsifying documents to the government,” EDNY U.S. Attorney Breon Peace said in the Release. The associated Criminal Information (EDNY Information) alleges that, between 2012 and 2016, a Raytheon employee helped third parties in Qatar pass Raytheon’s due diligence process inappropriately, which resulted in a sham contract through which bribes would be funneled to a foreign official. Some employees allegedly used their personal email accounts in furtherance of the scheme.

Raytheon did not receive voluntary disclosure credit in the EDNY DPA because it did not “voluntarily and timely disclose” the inappropriate conduct at issue. The EDNY DPA also revealed that the company was “at times slow to respond” to requests for information and that it failed to provide relevant information it possessed and even gave “incomplete and misleading presentations” about its relationship with a third-party intermediary.

Despite this, “the significant point is that Raytheon cooperated and remediated,” McGovern asserted. Raytheon’s cooperation included providing information it obtained in its own investigation, facilitating interviews with current and former employees, providing presentations to the DOJ, disclosing evidence federal prosecutors were unaware of, identifying key documents and engaging experts to conduct financial analyses.

“Timely remedial measures” Raytheon undertook, and for which it received credit pursuant to the DOJ Criminal Division’s Corporate Enforcement and Voluntary Self-Disclosure Policy (CEP), included:

  • recalibrating third-party review and approval processes to lower Raytheon’s risk tolerance;
  • implementing enhanced controls over sales intermediary payments;
  • hiring “empowered” subject matter experts to oversee the company’s anti-corruption compliance program and third-party management;
  • developing data analytics to improve the monitoring of third parties; and
  • creating a “multipronged communications strategy” to improve ethics and compliance.

The EDNY Information addresses the regular training on anti-corruption, export control and sanctions laws certain employees took between 2008 and 2018. It also mentions employee awareness of pertinent policies.

“Ultimately, the effectiveness of compliance policies, procedures, and training is driven not only by their scope and content, but more importantly the commitment of the people tasked to follow them,” Daanish Hamid, a partner at PLG, told the Anti-Corruption Report. “A business can have some fairly sophisticated internal controls in place that are designed to prevent corruption, export control violations, and fraud,” he noted. Yet, to achieve success, “company personnel must have strong values that prioritize compliance over shortcuts to achieve business targets,” he said. Finding quality managers and employees “continues to be a challenge even for those businesses that are committed to legal and ethics compliance on paper.”

For the FCPA-related conduct, the total offense level was 42, given that multiple bribes were paid, the value of benefits received exceeded $65 million and a high-level official was involved. The FCPA criminal penalty was $230,400,000, which reflects a 20‑percent discount off the 20th percentile of the sentencing guidelines range.

See “How the New DOJ and PNF Corporate Enforcement Guidelines Affect Self-Reporting, Cooperation and Remediation” (Mar. 29, 2023).

AECA/ITAR

The export of defense articles critical to the national security and foreign policy interests of the United States is governed by the AECA and ITAR. The Department of State has the authority to grant export licenses for certain transfers of defense articles. In applying for such a license, certain applicants are required to disclose whether they or their vendors made political contributions, or paid other fees or commissions, in connection with the sale or transfer of defense articles.

The DOJ maintained that Raytheon violated the requirements of AECA and ITAR by failing to disclose sums paid through sham contracts with Qatari entities. Raytheon agreed to pay a criminal penalty of $21,904,850 for the ITAR-related conduct.

A Significant Sum

The total criminal penalty to be paid in the EDNY action is $252,304,850. A forfeiture amount of $36,696,068, representing the proceeds traceable to both the FCPA and AECA/ITAR violations, was reduced by $7,400,090, a sum RTX is to pay in connection with a concurrent resolution with the SEC.

An independent compliance monitor is also to be appointed at Raytheon for three years.

Both Raytheon and RTX have ongoing cooperation and disclosure obligations under the deal.

The DMass DPA

The conduct at issue in the Massachusetts matter occurred at Raytheon Company prior to its merger with UTC, according to the statement of facts appended to the DMass DPA.

Underlying Behavior

Between 2013 and 2018, Raytheon employees made misrepresentations about the cost of contracts with the U.S. government to provide PATRIOT missiles and services for a surveillance radar system for the benefit of a “partner” of the U.S. in order for the government to award the contracts to Raytheon at an inflated price. The sole source contracts, not open to competitive bidding, are subject to the Truthful Cost or Pricing Data Act (formerly known as the Truth in Negotiations Act, or TINA), which requires contractors bidding sole source contracts to certify the accuracy and completeness of cost and pricing information provided to the U.S. during contract negotiations.

Employees, at times against the suggestions of corporate counsel, falsely certified that cost and pricing data was accurate and complete even after internal procedures, referred to as “TINA sweeps,” required them to check the information and to update and disclose any changes to the government. Cost underruns were not properly disclosed to the government.

“Through deliberate and deceptive actions, Raytheon not only defrauded the U.S. government – it compromised the integrity of our defense procurement process,” DMass Acting U.S. Attorney Joshua Levy said in the Release.

Terms of the Deal

Raytheon did not get voluntary disclosure credit in the DMass action because it did not voluntarily and timely disclose. It did, however, receive cooperation credit for facilitating interviews with current and former employees, providing information obtained through its own internal investigation, making detailed presentations to prosecutors, identifying key documents, engaging experts to conduct financial analyses, and “demonstrating its willingness to disclose all relevant facts by analyzing whether the crime-fraud exception applied to certain potentially privileged documents and releasing the documents that it deemed fell within the exception,” according to the DMass DPA.

The government did note, however, that “prior to March 2022, the Company’s cooperation was limited by unreasonably slow document productions.”

Still, Raytheon received credit pursuant to the CEP because it remediated by:

  • terminating employees;
  • establishing a broad awareness campaign about the TINA;
  • developing and implementing policies, procedures and controls relating to compliance with these requirements; and
  • engaging additional resources to evaluate and test the new policies, procedures and controls.

Raytheon agreed to pay a criminal monetary penalty of $146,787,972 (reflecting 25 percent off the 10th percentile of the applicable fine range) and restitution of $111,203,009.

Again, both Raytheon and RTX are subject to ongoing cooperation and disclosure, and a monitor will be appointed for three years.

See “Corporate Enforcement Policy Revisions: A More Amenable DOJ Looks to Negotiate” (Feb. 1, 2023).

False Claims Act Settlement

Also in October, Raytheon and RTX entered into a civil False Claims Act (FCA) settlement to resolve allegations that untruthful cost or pricing data was used in negotiating contracts with the Department of Defense. The $428‑million settlement, brought about by a former employee who pursued a qui tam lawsuit, is the second largest government procurement fraud recovery under the FCA, according to the Release.

Raytheon was credited for cooperation provided by RTX, which conducted and disclosed the results of an internal investigation, disclosed facts not known to the government, provided evidence to the DOJ, conducted a damages analysis, identified and separated people responsible for or involved in the misconduct, admitted liability and accepted responsibility for the misconduct, and improved its compliance programs.

Karen Atesoglu, the former Raytheon employee who initiated the action in DMass and who asserted that her employment had been terminated in retaliation for her efforts to stop the alleged fraud, will receive $4.2 million as her share.

See “False Claims Act: Key Decisions and Predictions” (Feb. 28, 2024).

The SEC Settlement

On October 16, 2024, the SEC issued a cease-and-desist order (Order) against RTX for violations of anti-bribery, books and records, and internal accounting controls provisions of the FCPA. The Order alleges that Raytheon paid bribes of almost $2 million to Qatari military and other foreign officials between 2011 and 2017. Additionally, from the early aughts to 2020, Raytheon “paid over $30 million to a Qatari agent who was a relative of the Qatari Emir . . . under circumstances that created a significant anticorruption risk” and led to a “wholesale breakdown of the company’s due diligence process and internal accounting controls,” according to the Order.

Here, too, the SEC reported a “period of uncooperativeness” but noted that Raytheon provided significant cooperation following the merger when new management – as well as new outside counsel – was in place.

In addition to cooperating, new management remediated by terminating employees involved in the misconduct, revising anti-corruption policies, enhancing internal accounting controls over third parties, improving anti-corruption risk assessments and expanding compliance staff.

Under the Order, RTX agreed to the appointment of an independent compliance monitor for three years. RTX is to pay disgorgement of $37,400,090, prejudgment interest of $11,786,208 and a civil monetary penalty of $75,000,000, for a total of $124,186,298. RTX will receive a civil penalty offset of $22,500,000 based on its payment to the DOJ.

See “SEC Enforcement Director Grewal Emphasizes Benefits of Cooperation” (Sep. 25, 2024).

The State Department Order

Additionally, in August 2024, the State Department ordered RTX to pay $200 million to settle allegations of civil AECA/ITAR violations. The Department noted that RTX voluntarily disclosed, made numerous improvements to its compliance program, voluntarily expanded its internal investigation and cooperated with the Department. RTX agreed to take remedial measures including the establishment of policies and procedures related to AECA/ITAR and to the appointment of a “Designated Official” who will have the authority to monitor, oversee and promote AECA/ITAR compliance.

Debarment on the Horizon?

The possibility remains that Raytheon or others associated with these matters could be suspended or debarred as federal contractors.

“Government contractors have an obligation to be fully transparent about their cost and pricing data when they seek an award of a sole source contract,” Principal Deputy Assistant Attorney General Brian Boynton, head of the DOJ Civil Division, said in the Release. The DOJ “is committed to holding accountable those contractors that knowingly misrepresent their cost and pricing data or otherwise violate their legal obligations when negotiating or performing contracts with the United States,” he continued.

The DOJ “has made it clear that it will refer such cases to the Interagency Suspension and Debarment Committee to determine whether culpable parties should be suspended or debarred from U.S. government contracting pursuant to the Federal Acquisition Regulations,” Hamid explained.

Businesses that “rely heavily on U.S. government contracts can face devastating consequences if they become the subject of a debarment order,” Hamid said.

Prospective Fallout

One unknown is whether Raytheon’s troublesome season will extend beyond the current one.

“Raytheon’s settlement may be painful in the short term,” McGovern said. “But from a higher level, big-picture standpoint, Raytheon will be well-positioned for the future and will be able to demonstrate that compliance is more than a formality.”

What remains to be seen is whether this string of settlements will trigger additional enforcement actions.

The DOJ “has made it clear that it places significant importance not only on holding companies responsible, but also prosecuting culpable individuals for FCPA and related violations,” Hamid observed. “Identifying responsible bad actors within a business is a condition that the DOJ expects companies to satisfy as part of a settlement,” he said.

To that end, there are likely to be more enforcement actions against company representatives who, in the DOJ’s view, violated applicable laws, Hamid predicted.

“Another question is whether foreign officials will face consequences, especially given that the acts in question predate the recent Foreign Extortion Prevention Act which seeks to address demand-side bribery,” Hamid said. “Oftentimes, it is challenging to assert U.S. jurisdiction over foreign officials.” Even where there is jurisdiction and extradition is possible, “other, more nuanced considerations may also come into play,” he noted.

“The diplomatic and national security consequences associated with potentially embarrassing an allied country by prosecuting its high-level officials may outweigh any benefits of charging those individuals with money laundering or extortion under U.S. law,” Hamid suggested, explaining that may be one reason why U.S. enforcement agencies “do not identify culpable foreign officials by their name in press releases and court filings.”

At the same time, behind-the-scenes moves “where the United States pressures foreign governments to pursue local legal remedies against guilty officials” could be taking place, Hamid observed. “Typically, those maneuvers do not receive public attention, and the foreign country in question can save face (especially if the officials in question are royal family members or occupy senior roles) while holding bad actors accountable,” he noted.

“It will be interesting to see how compliance enforcement changes with the new administration,” McGovern said. “In the past four years, regulators had a pretty open slate and were empowered to bring investigations and to seek large settlements.”

“That sort of high-octane enforcement may not continue in the new administration,” McGovern predicted.

See “The Monaco Memo: A Roll Back on Individuals and Cooperation” (Jan. 19, 2022).

Mergers & Acquisitions

Lessons From TD Synnex on Creating a Playbook for Post-M&A Compliance Integration

Integrating compliance systems after a merger or acquisition is notoriously tricky and can cause headaches for the compliance teams at both entities. Katarzyna Golonka, TD Synnex’s vice president for global compliance, and Jannica Houben, vice president for global legal transformation at the same company, shared insights on creating a post-transaction playbook to help the process run smoothly during the 2024 Compliance & Ethics Institute of the Society of Corporate Compliance and Ethics. They drew on their experiences from two transactions by TD Synnex, a multinational IT products distributor. This article summarizes their advice on aligning structures and processes, gaining buy-in from company leadership and embracing interim solutions.

See our two-part series on the John Deere Settlement: “Internal Controls Fail to Prevent T&E Missteps” (Sep. 25, 2024), and “M&A Integration, Commercial Bribery and Compliance Remediation” (Oct. 23, 2024).

Aligning Structures and Processes

Harmonizing compliance controls brings many benefits to the combined entity after a merger, but it is important for compliance professionals to assess the entire program carefully in the process.

A Chance to Optimize the Team

Some areas that are “vital to address,” Golonka said, include the makeup of the compliance team. The structure of the compliance team “needs to change to fit the new business profile,” she stressed. An appropriate structure for the combined entity might be neither of the two pre-existing companies’ legacy structures, she explained.

One question to consider, for a company with operations in numerous geographical locations, is whether it is best for compliance team members to be “localized or more globally managed,” Golonka pointed out.

An M&A process can be a time when long-yearned-for changes to increase the compliance team’s efficiency might prove feasible in a way that “is going to be less painful” than otherwise, Golonka asserted. When “everything is shifting all around,” it can be a once-in-a-lifetime chance for compliance leaders to have “carte blanche” to bring about a “dream perfect team structure,” she suggested.

Delineate Clear Roles

Clarifying roles and empowering the people in those roles are very important. Sometimes post-M&A integration involves eliminating overlapping roles, Golonka said.

Some things might need addressing right away in the initial stages of integration, requiring compliance leaders to assign temporary roles to make sure important tasks are covered, Golonka noted. “We appointed critical roles, even though we knew that these were temporary,” she said.

Compliance leaders should consider authority in addition to skills when assigning roles, Golonka advised. She recounted an example of speaking with an employee who confirmed having the capability to solve an issue, only to discover ultimately that this person did not have the authority to perform the task. “Responsibility is not empowerment,” she remarked, observing that they were back to square one because they had been talking to the wrong people. “We did not realize someone being responsible for something did not mean they were empowered.”

Watch for Cultural Differences

When integrating two compliance programs after a transaction, the compliance cultures at the two legacy organizations are an important consideration.

Questions to consider include how highly the compliance function is positioned within the company structure and to whom compliance leaders report, Houben noted. Post-transaction is a time, she said, to consider such questions as “what value is being placed on compliance,” and “is this just a paper tiger, or does this really mean something to the company?”

In determining answers to these questions, it can help to poll employees using an anonymous survey, which increases the likelihood that “people will actually provide valuable feedback,” according to Houben.

In navigating cultural shifts, communication contributes to employees’ feeling of “comfort and safety,” according to Golonka. “Overcommunicate,” Houben urged.

See “Compliance 5.0: A Culture-Centered Approach” (Jan. 17, 2024).

Prepare for Governance Shifts

Governance may also shift in the wake of an M&A deal, Golonka commented. For example, one of the transactions TD Synnex went through meant that it “overnight became a stockholders’ company,” she said. This came with a raft of different reporting requirements to get accustomed to, she recounted.

Additionally, one of the two recent mergers TD Synnex undertook was complicated by a mismatch in how the compliance functions were structured at the two legacy companies, Houben shared. Compliance “was all managed by different people,” she recalled. As a result, it was a project of its own to map out the way compliance was handled, Golonka noted.

The reporting, investigation and disciplinary action processes are important to examine, as well, Golonka affirmed. This can be complex, involving many stakeholders within the organization, including its HR and IT security personnel, she noted. “For us, this was a particularly challenging area.”

See “Anti-Corruption Due Diligence Checklist for Mergers and Acquisitions” (Jun. 12, 2013).

Getting the Timing Right

Post-M&A integration requires a compliance leader to perform a complicated dance. The compliance team must respond rapidly to immediate needs while maintaining a deliberate approach to the longer journey.

Planning the Steps

Compliance leaders should draw up a roadmap for the successful integration of compliance frameworks, Houben offered.

The roadmap should lay out timelines for different parts of the program to be ready by different days, including “mission critical” things that should be ready for day one after the merger, Golonka said. Compliance leaders need to consider how to achieve this “without causing disruption to the business.”

During one of TD Synnex’s integrations, “we were not really seeing the progress we wanted to see,” Golonka relayed, so they “took a step back and drew up a playbook.” This included granular steps needed for policy integration. For each step, it was imperative to identify the people in the company who were the policy owners – those drawing up the policies – and the people who were the stakeholders to consult, such as people from a range of departments within the organization.

Such a playbook must clarify to these people that they “have that much time to review it and come back with feedback,” Golonka specified. When drawing up such a playbook, it is important to be clear about what a policy owner must do and “exactly what steps each person has to take,” she said. The playbook lays out the list of “people who are supposed to look at the policy at each stage” and a process for their comments to be provided and considered, she explained.

This helps with accountability, Houben added. The risk of someone claiming later that they did not know the required steps is eliminated if “everyone is really clear on what they have to do, when,” she remarked.

The resultant policies, when finalized, were delivered to affected employees in predictably timed chunks. Instead of “bombarding employees” with multiple disparate items of policy whenever each one was confirmed, the compliance team provided staff a monthly update of “whatever policies are ready at the end of the month,” Golonka explained. This was presented as coming from the top of the company, not from the person in the company who was the owner of the respective policy. “It resonates differently when it is coming from the CEO,” she emphasized.

Tolerate Interim Fix for Training

Compliance professionals should not be afraid to put interim solutions in place – to “settle with something acceptable” – while longer-term formulas are drawn up, Golonka said.

Training is a vital element in ensuring compliance keeps up with the new reality of a merged company, but training will not always be ideally structured at the time when it is urgently needed, Golonka explained. Recalling the difficulty of providing finalized training to each person right after a transaction, she clarified that sometimes it is a matter of “whatever is feasible” rather than “fully prepared training.”

Approach Systems Integration Thoughtfully

Even while coming up with timely solutions to pressing problems, compliance leaders should retain a measured approach to the integration of compliance systems in a merged organization. Overall, this process should not be rushed, according to Houben.

It is improbable to have an integrated system “ready on day one or even the same year,” Houben commented. Compliance professionals should take time to evaluate the systems being used in each of the merging parties and compare them. They should “be very systemic and very clear” about what systems should be used in the future, she stated.

It is worth examining whether any systems in use are subject to contracts that are soon expiring, or if the merging entities have certain parallel systems that are particularly expensive, Houben said. A compliance professional may be well advised to prioritize those for unification, she added.

Ponder System Access Carefully

One thing to consider very early in the process of designing the merged organization’s future system is who should have access to which parts of it, Golonka emphasized. At least one person on the team should have holistic access to the system, she added.

However, access can be a double-edged sword, Golonka warned. “Access has another side, which is cost,” she said. It can prove necessary to limit how many users can be added to one system to ensure costs are manageable, she advised.

Compliance professionals, when seeking support from technical colleagues to work on their system, should keep requests clearly defined, Golonka recommended. This reduces the risk that the task will be postponed in favor of requests coming from elsewhere in the organization, she noted.

See our two-part guest series on FCPA Evolution through an M&A lens: “How M&A Impacted FCPA Enforcement and Guidance” (Jan. 20, 2021), and “The Compliance Value-Add” (Mar. 3, 2021).

Strengthening Leadership Support

The role of a merged organization’s top leadership is critical to successfully integrating compliance.

C‑Suite Empowering the Compliance Team

Compliance integration would be impossible “without proper support from leadership,” Golonka maintained. It provides the compliance team with “empowerment” through the merger process if the top leadership’s support is signed “in blood” from the outset, she said.

“One of the first questions” compliance chiefs should ponder in M&A situations is when they are going to engage leadership, Houben stressed. It is important to ensure that leadership is on the same page with compliance leaders, she added.

“They are extremely busy with the integration, and compliance integration is probably not at the top of their priorities,” Houben stressed. Therefore, compliance heads must approach the matter in a way that is “crisp and clear,” “on a timely basis” and confirms the company leaders’ buy-in, Houben said.

The compliance function needs support from the company’s top leadership particularly with regard to disciplinary procedures and case management processes, Houben argued. The compliance leaders should “get management input” on these things as soon as possible, she stressed.

Should company leaders feel dubious about compliance integration and see it as a burden, it is important for compliance heads to “keep coming back to them and show them that it is a competitive advantage,” Houben affirmed.

Always Expect Resistance

It is inevitable that many people in a merged organization will be hesitant about adopting new compliance requirements. “Any change triggers resistance and concerns, and that is normal,” Golonka acknowledged. Some employees will even actively avoid a new requirement, especially if it is stricter than what they are accustomed to, she commented.

Support from top leadership can be critical when staffers balk at new compliance requirements, Houben affirmed. “In compliance, we can communicate as much as we want, but it makes more of an impact if it comes from the management team,” she emphasized.

Local Leaders Are Key Allies

Support from critical allies in senior positions in the organization is vital to win over the doubters, Golonka stressed. Sometimes, that means local leaders in overseas operations.

Golonka related an example from one of TD Synnex’s M&A situations, where there was one region in which third-party risk management was not getting harmonized appropriately. The compliance team sought to remedy the situation with a focused round of training, only to find several months later that the employees in question had simply “opted out.” Eventually this was resolved through a determined campaign that engaged key people who wielded local influence as ambassadors, she said.

“We designed a six-month campaign, identified local leaders and managers, and had them speak in round-table sessions and town halls in the local language. They were speaking for us,” Golonka recalled. However, it took time to convince those individuals to cooperate in the first place, she admitted.

“It is really important to have those local champions identified,” Golonka said. When the compliance message comes from local leaders, this makes a big difference to how it is received by affected employees, she asserted.

Fostering Long-Term Engagement

Hopefully, company leaders will not only be involved in the integration of compliance procedures but will stay engaged in compliance thereafter, Houben said. “It is key to lay that groundwork after the acquisition, and make sure that management stays invested in the program,” she asserted.

In discussing compliance issues with the company leadership, a good piece of advice for compliance professionals is to “not bring questions, but bring solutions,” Golonka posited.

It is a good idea for the compliance function to sustain longer-term relationships with local leadership champions, as well, to troubleshoot any future problems, Golonka asserted. “Feedback is a gift,” she said, and those local leaders can be the compliance function’s allies in obtaining this. “They are going to hear from their team some complaints,” she noted, and hopefully pass them along.

Consider Outside Consultancy

Assess the available resources and plan for whether to deal with compliance matters in-house or to enlist outside help, Golonka advised. Bringing in outside help can enable compliance professionals to avoid some of the negative internal politics they might otherwise be subjected to, she suggested. If they can explain that a course of action was recommended by a consultant, compliance professionals face less blowback, she explained.

See our three-part series on managing M&A anti-corruption risk: “Pre-Deal Prep” (Oct. 3, 2018), “Pre-Closing Risk Assessments and Due Diligence” (Oct. 17, 2018), and “Deal Terms and Integration” (Oct. 31, 2018).

Whistleblowers

What to Know (and Do) About the DOJ’s Efforts to Identify and Prosecute Cybersecurity Fraud Under the False Claims Act

The DOJ has its sights set on cybersecurity fraud and is pursuing alleged offenders in unprecedented ways. Since establishing its Civil Cyber-Fraud Initiative in 2021, the DOJ has pursued several entities for cybersecurity fraud. In August 2024, it joined and took over a fraud case brought by a whistleblower – the first time the United States has taken the lead role in prosecuting a cybersecurity fraud case. This article summarizes the DOJ’s efforts since 2021 and discusses what all cybersecurity contractors should do both to maintain compliance and avoid costly cyber-fraud investigations.

See our two-part series on the DOJ’s Corporate Whistleblower Awards Pilot Program: “A Look at Forfeiture and Culpability” (Aug. 14, 2024), and “Exclusions, NDAs and Goals” (Sep. 11, 2024).

The False Claims Act

To understand the recent cyber-fraud investigations, a basic False Claims Act (FCA) primer is in order. The FCA was established during the Civil War to combat defense contractor fraud on the United States, mostly in relation to wartime materials and resources. This “Lincoln’s Law,” passed in 1863, was first used to prosecute fraudsters profiting off the war effort by, among other actions, selling the Union Army crates filled with sawdust instead of muskets, sick mules, substandard uniforms and rotten food supplies. The FCA then sat relatively dormant after the Civil War until significant amendments in 1986, 2009 and 2010 greatly expanded and strengthened this unique law.

Whistleblowers and Their Incentive

Critically, and quite exceptionally, the FCA deputizes private citizens to file suit on behalf, and in the shoes, of the United States, to bring cases against individuals or companies allegedly defrauding it. These “private attorneys general” are called “whistleblowers” colloquially and “relators” under the FCA’s qui tam provision. The term “qui tam” is abbreviated from the Latin phrase meaning, “He who sues in this matter for the King as well as for himself.” Successful relators have first-hand knowledge and details of any alleged fraud on the government. Relators are typically former or current employees, vendors or even competitors of the defendants in FCA cases. So, while private citizen relators file suit initially and can prosecute these cases on their own, all relators try to get the government to take over the case and prosecute the fraud in its own right. When this is done, it is called government intervention.

Relators play a critical role in safeguarding the public good and taxpayer dollars by uncovering fraud schemes by those seeking to take advantage of government funds. They are duly incentivized to stick their necks out to blow the whistle on fraud. If there is a recovery by the United States, the relator who brought the case is entitled to between 15 and 30 percent of the collected proceeds. Given that these cases are frequently million-dollar recoveries, a relator’s individual share can be substantial.

Four Elements of a Violation

An FCA violation contains four basic elements: (1) a false statement or fraudulent course of conduct; (2) made or carried out with knowledge of the falsity; (3) that was material (i.e., material in the government’s decision to pay a grant, program or claim, or to pay on a federal contract); and (4) that involved a claim (i.e., demand for money or property from the United States). Generally, FCA liability exists for any person who knowingly submits a false claim, causes another to submit a false claim, knowingly makes a false record or statement to get a false claim paid by the government, or conspires to do the same. At its heart, the FCA is intended to recover ill-gotten gains and to deter fraudulent conduct.

Penalties

The modern FCA imposes strong penalties on fraudsters. For civil violations, a statutory penalty of no less than $13,946 and no more than $21,916 per false claim is possible as of February 2024. Damages are allowed to be trebled (tripled) under the FCA so that the United States can recoup three times what the government actually paid for each false claim. Fraudsters also can be suspended or debarred from any future participation in government programs. For instance, a healthcare company can be debarred from Medicare, or a defense contractor can be prohibited from any further government contracts. Lastly, both companies and individuals can be prosecuted criminally (in addition to civil prosecution) for FCA violations, resulting in more fines and potential criminal charges in the more extreme cases.

Though government reporting shows that fraud continues to flourish and still outpaces efforts to curb it, the FCA has nevertheless been wildly successful by any measure. The Justice Department reported that settlements and judgments under the FCA exceeded $2.68 billion for fiscal year 2023. During that one year, the government and relators were party to 543 settlements and judgments – a record number in a single year. Since the 1986 amendments, the United States has recovered more than $75 billion under the FCA.

See “Implications of the Updates to the Pharmaceutical Research and Manufacturers of America Code” (Sep. 29, 2021).

DOJ’s Civil Cyber-Fraud Initiative and Related Proceedings

The FCA has been used to combat an eclectic mix of fraud, with cybersecurity fraud being one of the DOJ’s more recent targets.

The Cyber-Fraud Initiative

The DOJ’s effort to combat cybersecurity threats includes its Civil Cyber-Fraud Initiative (Initiative), which was announced in October 2021. The Initiative is dedicated to using the FCA to promote cybersecurity compliance by government contractors and grantees by holding them accountable when they “knowingly” violate applicable cybersecurity requirements. Acting “knowingly” under the FCA has a somewhat expansive definition. It includes: (1) actual knowledge of the information; (2) deliberate ignorance of the truth or falsity of the information; or even (3) reckless disregard of the truth or falsity of the information. Critically, a relator (or the government, if it intervenes) is not required to prove specific intent to defraud.

The Initiative has resulted in several investigations, settlements and litigations since its formation just three years ago.

Cyber-Fraud Settlements

Comprehensive Health Services

On March 8, 2022, the DOJ announced a $930,000 settlement with Comprehensive Health Services, LLC for alleged FCA violations. This settlement was the DOJ’s first such resolution after launching its Initiative, and a harbinger of things to come. Observant cybersecurity contractors likely took heed.

Aerojet Rocketdyne

Then, in July 2022, the DOJ made more news with the announcement that Aerojet Rocketdyne Inc. agreed to pay $9 million to resolve allegations that it violated the FCA by misrepresenting its compliance with cybersecurity requirements in certain federal government contracts. Aerojet provides propulsion and power systems for launch vehicles, missiles, satellites and other space vehicles to the Department of Defense, NASA and other federal agencies. This case was brought under the FCA’s qui tam provision by a former Aerojet employee, who received a $2.61‑million share in the government’s recovery. The DOJ highlighted this case as a prime example of “how whistleblowers can contribute to civil enforcement of cybersecurity requirements through the False Claims Act.”

In its press release, Principal Deputy Assistant Attorney General Brian M. Boynton, head of the Justice Department’s Civil Division, emphasized that, “whistleblowers with inside information and technical expertise can provide crucial assistance in identifying knowing cybersecurity failures and misconduct.” Highlighting a whistleblower and his or her contribution and monetary award is typical of the DOJ’s press strategy in announcing FCA settlements. This, it hopes, serves to incentivize future whistleblowers to come forward with their insider information about fraud on the government.

Jelly Bean

March 2023 saw the announcement of a settlement with Jelly Bean Communications Design LLC and its manager. While a relatively small amount for a settlement under the FCA, totaling just $293,771, cybersecurity contractors should not sleep on this settlement. It demonstrates that the DOJ is willing to pursue cyber-fraud allegations even if they are relatively low-dollar violations. The DOJ alleged that the defendants failed to secure personal information on a federally funded Florida children’s health insurance website, which Jelly Bean created, hosted and maintained. The settlement resolved allegations that Jelly Bean did not provide the secure hosting of the applicants’ personal information as contractually required, but instead, knowingly failed to properly maintain, patch and update the software systems. When the site was cyberattacked, the breach exposed the information of 500,000 applicants. Of note, the DOJ also individually named Jelly Bean’s manager, 50‑percent owner and sole employee, as a target of its investigation and party to the settlement. FCA cases are often against companies but can be equally brought against individuals as well.

Verizon

In September 2023, the DOJ settled for over $4 million with Verizon Business Network Services LLC. The settlement resolved FCA allegations that Verizon failed to completely satisfy certain cybersecurity controls in connection with an IT service provided to federal agencies under various General Services Administration contracts. In what was reportedly a strikingly rare move, Verizon voluntarily disclosed its conduct, initiated an independent investigation and compliance reviews of all issues of concern, and remediated its cybersecurity failures. The United States acknowledged Verizon’s disclosure and remediation efforts and cited this cooperation as the basis for providing Verizon with a “credit” in relation to the ultimate settlement amount.

The Verizon settlement demonstrates the DOJ’s commitment to working with companies that self-disclose potential fraud and are transparent and cooperative with investigations. The DOJ has said, and this settlement underscores the message, that companies that self-disclose fraud will be afforded potentially significant credit for their cooperation. The DOJ has several programs incentivizing voluntary disclosure of fraud, including its 9‑47.120 policy on corporate enforcement and voluntary self-disclosure, available on its website, and the Criminal Division’s corresponding Pilot Program on Voluntary Self-Disclosures for Individuals.

Guidehouse and Nan McKay and Associates

In June 2024, the United States publicized another settlement involving allegations that cybersecurity contractors failed to meet contractual requirements. Unlike those discussed above, this $11.3‑million settlement involved a New York State contract meant to ensure a secure environment for low-income New Yorkers to apply online for federal rental assistance during the COVID‑19 pandemic. Guidehouse Inc. paid $7.6 million while Nan McKay and Associates paid $3.7 million to resolve allegations that they violated the FCA. These settlements were the result of a case brought by a former Guidehouse employee-turned-whistleblower, who received a $1,949,250 qui tam share of the settlement amounts. It is important to keep in mind that some 33 states have their own False Claims Acts, typically similar to the federal version. The state laws are used, as is their federal counterpart, to combat fraud on the state governments. Whistleblower incentives and protections in most state FCAs mirror the federal provisions.

DoD’s Special Audit Report

In December 2023, the Department of Defense Office of Inspector General (DoD OIG) issued a “special” Audit Report providing insight into common cybersecurity weaknesses related to the protection of Controlled Unclassified Information (CUI). The Audit Report recounts that between 2018 and 2023, DoD OIG issued five audit reports focused on DoD contractors’ “inconsistent implementation of Federal cybersecurity requirements for protecting CUI that are contained in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171.” The Audit Report also states that the DoD OIG has supported five DOJ investigations conducted under the Initiative.

The Audit Report recounts that DoD currently has more than 183,000 active contracts covering all sectors of the economy, many of which require contractors to process, store and/or transmit CUI on their own networks and systems. Through DFARS 252.204‑7012, DoD requires its contractors handling CUI to implement, or have a plan to implement, the 110 security controls found in NIST SP 800‑171; these cover a spectrum of subjects, including access controls, audit and accountability, incident reporting, physical protection and risk/security assessments. At its core, DFARS 252.204‑7012 requires contractors to provide “adequate security” for CUI and imposes certain incident reporting obligations.

When a federal agency issues regulations or other guidance, government contractors should take note and follow them. All government contractors may be expected to adhere to DFARS 252.204‑7012 requirements to protect CUI and could be held to account for related fraud. Government contractors could face penalties not only for failing to comply with their specific contract requirements, but also for failing to ensure compliance with all regulations and rules cited in guidance like the Audit Report.

Active Litigation of Cyber-Fraud Cases

Cybersecurity companies that do not cooperate or settle FCA investigations often find themselves in active litigation with or without the United States’ intervention. The two most closely watched 2024 cases are against higher education institutions.

Penn State

A case pending against Penn State University based on alleged cybersecurity failures was brought by a relator and, at the time of this writing, is stayed while the United States considers intervention. The whistleblower in this case is the former chief information officer for Penn State, who was hired after a breach to review and ensure cyber compliance. The relator alleges that Penn State knowingly failed to comply with numerous cybersecurity controls that are required for DoD contractors by DFARS 252.204‑7012.

Interested observers should keep an eye on the Penn State case regardless of the United States’ intervention decision. More and more whistleblowers and their counsel are deciding to litigate strong FCA cases without the United States’ intervention. While most litigated FCA cases are settled out of court (given the significant risk to defendants from an adverse trial verdict), some are tried before juries. It is possible that one of the cyber-fraud FCA cases pending right now will eventually be the first to go to a jury trial wherein the defendant risks significant statutory damages, penalties and fees if it loses.

Georgia Tech

The other pending cyber-fraud litigation, against the Georgia Institute of Technology (Georgia Tech), is based on allegations that the school misrepresented compliance with several cybersecurity regulations governing what contractors must do to protect government information on their systems. Ironically, the complaint alleges lax cybersecurity standards at the Georgia Tech research lab that focuses on cybersecurity and cyberattack attribution for multiple U.S. defense contracts. This case was brought by a pair of relators who were previously senior members of Georgia Tech’s cybersecurity compliance team. It is the first FCA case in which the United States has intervened against a higher education institution for failing to comply with contractual cybersecurity requirements.

The United States filed a scathing Complaint in Intervention in August 2024 that cites Georgia Tech’s employees’ testimony during the investigation and quotes generously from internal communications, including instant messages. The United States alleges that for many years there was “no enforcement” of cybersecurity regulations at Georgia Tech and that the defendant knew that the lack of this compliance resulted in “false claims” being submitted to the United States. The government claims that one of the reasons Georgia Tech failed to comply with cybersecurity regulations and requirements was because they were “too burdensome.”

Among its fraud claims, the United States alleges that Georgia Tech failed to: (1) develop or implement a system security plan outlining how it would protect against unauthorized disclosure of sensitive, covered defense information in its possession; (2) install, update and run anti-virus software on its various devices; (3) assess the system on which sensitive DoD data was processed, stored or transmitted; and (4) provide DoD with an accurate summary level score to demonstrate its lab’s compliance with applicable cybersecurity regulations. According to the United States, no accurate score was provided because no such score ever existed for the lab, and the one reported to DoD was “fictitious” or “virtual.” Armed with two former cyber compliance employees as relators and with what appears to be significant and detailed evidence to support its allegations, the United States seems, at this stage of the proceedings, to be on solid footing in pursuing this case. All cyber professionals should follow this case, watch for developments and study its allegations while comparing their own policies and actions against those contained in cases like this one.

Mitigating Risk

The federal and many state governments incentivize relators to bring forth detailed allegations of fraud, as several of the examples discussed in this article demonstrate. The United States wants to hear from relators with personal knowledge of fraud and has shown a great willingness to work with relators or even intervene on these cases. Simultaneously, governments actively encourage recipients of government funds to be vigilant in combatting fraud by ensuring compliance with all applicable laws, rules, regulations and contract terms. Just as relators are awarded a portion of recoveries in successful FCA cases, target companies are also afforded credit for having meaningful compliance policies and for self-disclosing fraud.

What can cybersecurity contractors proactively do to avoid fates similar to those highlighted herein?

Stay Educated

In addition to reviewing the cases and reports discussed in this article, smart contractors should keep apprised of new cyber-fraud cases and carefully follow the pending cases as they make their way through the courts. There should be lessons learned from every cyber-fraud settlement and litigation announced. Each one is a new opportunity for contractors to review and update their compliance policies and controls.

Review, Update and Train All Staff on Compliance Policies

Real, transparent and robust compliance programs are critical. Special attention should be paid to all applicable federal laws, regulations, and guidance in creating and routinely updating these policies. Once current, meaningful compliance policies are established and documented, then mandatory yearly training on the policies must follow.

Listen to, Investigate and Take Action Following Internal Complaints

Careful notice, investigation and timely follow-up are crucial following any internal reports of suspected fraud. In most cases, whistleblowers try to address and correct suspected fraud internally before they ever reach the step of reporting to the government. By conducting meaningful and thorough investigations into fraud allegations and voluntarily disclosing potential wrongdoing, contractors may be able to avoid costly and high-profile investigations and FCA litigation.

See “Navigating U.S. Privacy Laws in Internal Investigations” (Aug. 28, 2024).


Veronica Nannis is a shareholder at Joseph Greenwald & Laake PA, with nationwide experience representing whistleblowers and litigating False Claims Act cases. In 2023, she represented a whistleblower claiming Medicare fraud against an Indiana hospital, which settled the matter by paying the government $345 million, a record-setting settlement for a case based on the Stark Law.

People Moves

Former FCPA Unit Prosecutor Laura Perkins Moves to Cadwalader in D.C.

Cadwalader has announced that Laura Perkins has joined the firm as a partner in its global litigation group. She will be a member of the firm’s global compliance, investigations and enforcement practice, based in Washington, D.C. She arrives from Hughes Hubbard & Reed.

Perkins’ practice focuses on government and internal investigations, crisis management, white-collar criminal defense, cross-border compliance counseling, risk assessments, due diligence, and national security and sanctions issues. She assists corporations, boards of directors, audit committees and senior executives with sensitive internal investigations and proceedings before the DOJ, SEC, and other U.S. and international agencies. She advises on matters relating to the FCPA, anti-corruption, financial fraud, sanctions violations, money laundering and healthcare fraud.

Perkins previously served as co-chair of the anti-corruption and internal investigations group and co-managing partner at Hughes Hubbard & Reed. Prior to entering private practice, she spent nearly 10 years at the DOJ, most recently serving as Assistant Chief of the FCPA Unit of the Criminal Division’s Fraud Section. She supervised, prosecuted and tried some of the largest individual and corporate FCPA cases in the U.S. and was involved in the development of the FCPA Pilot Program (that became the FCPA Corporate Enforcement Policy) and the drafting of the FCPA Resource Guide. She also oversaw nearly a dozen independent compliance monitors and served as a U.S. Delegate to the OECD’s Working Group on Bribery. In her earlier role as Senior Counsel to the Assistant Attorney General of the Criminal Division, she advised DOJ leadership on white-collar criminal cases and policy matters and assisted with responding to Congressional inquiries and investigations.

For commentary from Perkins, see “Coming Year’s FCPA Enforcement Developments Build on Eventful 2023” (Dec. 20, 2023).