While the biggest FCPA-related news of 2024 focused on policy changes designed to encourage whistleblowing and voluntary self-disclosure, the DOJ and other enforcement authorities do not just wait for cases to walk in the door. Speaking at the American Conference Institute’s International Conference on the FCPA held in December 2024, regulators revealed how cases are being identified and developed in-house using a variety of tools.

This third article in a series on FCPA enforcement in 2024, which includes insights shared with the Anti-Corruption Report by defense counsel, examines two key ways in which the DOJ identifies and builds cases.​​​​​​​ Part one discussed the role that international cooperation continues to play. The second article looked at the policy changes related to whistleblowers and how they might impact enforcement.

See “DOJ’s 2024 Edits to the ECCP: Data Analytics to Find Risks and Measure Effectiveness” (Nov. 20, 2024).

A Strong Year?

In 2024, the SEC entered into cease-and-desist orders with six corporations to settle FCPA allegations. The DOJ entered into eight corporate settlements, with several additional cases brought against individuals. Those numbers are neither notably low nor surprisingly high.

Yet, Brent Wible, Chief Counselor in the Office of the Assistant AG, characterized it as a “banner year” for the DOJ’s FCPA Unit. In a prepared speech delivered at the ACI Conference, Wible noted that the number of cases in 2024 up to that point (six) was more than in any year since 2020. He asserted that the DOJ’s success goes beyond just the number of corporate settlements, noting that the resolutions resulted in nearly $1.5 billion, which is, again, the highest amount since 2020. Additionally, he pointed out that the DOJ had four successful trials against individuals and announced more charges against individuals in 2024 than in 2023.

Glenn Leon, Chief of the DOJ’s Fraud Section, agreed with Wible’s assessment, again highlighting that “the numbers are up across the board.”

The attitude was similar at the SEC. Tracy Price, Deputy Chief of the FCPA Unit, highlighted that, although the SEC was off to a slow start with only one settlement in the first three quarters of 2024, October and November saw a significant uptick, with more than $100 million in financial remedies in just those two months.

Wible also suggested looking beyond the number of cases to the scope and complexity of the DOJ’s work. “As Criminal Division leaders have said time and time again, we aim to take on the most complex cases – and that means FCPA cases that span the globe and industries,” he said. For example, the DOJ’s corporate FCPA settlements were global and included a China-based company (BIT Mining Ltd.), a subsidiary of a Spanish company (Telefónica Venezolana C.A.), a German company (SAP SE), an American company (Raytheon Company) and Swiss-based companies (Trafigura Beheer BV (Trafigura) and Gunvor S.A. (Gunvor)). “These cases involved bribery of officials in Latin America, Africa and Asia,” he noted.

Industry Sweeps

Industry sweeps have been one significant source of settlements for both the SEC and DOJ over the years. 2024 likely ended a long-running sweep of commodities trading firms, which is a significant example of how enforcers use basic gumshoe skills to identify corruption and bring cases.

Two Trial Wins, Two Individual Guilty Pleas and Two Corporate Settlements

The year began with the trial of Javiar Aguilar, a former trader at Vitol Inc. (Vitol), the U.S. affiliate of the largest independent energy firm in the world, Wible noted. Vitol settled with both the DOJ and the Commodity Futures Trading Commission (CFTC) in 2020. Aguilar was found guilty by a jury in the Eastern District of New York and then pled guilty to additional bribery charges in the Southern District of Texas.

Then, in March, the DOJ announced settlements with Trafigura and Gunvor, both Swiss-based commodities trading firms. Gunvor paid over $661 million to settle allegations related to its dealings with Ecuador’s state-owned and controlled oil company, PetroEcuador. Trafigura agreed to pay approximately $127 million to settle allegations that former employees and agents provided bribes to officials tied to Brazilian state-owned oil company Petróleo Brasileiro (Petrobras).

And in October, the DOJ secured the conviction of Glenn Oztemel, a former trader at Freepoint Commodities LLC. Freepoint settled with both the DOJ and CFTC in late 2023. Oztemel’s brother also pleaded guilty to money laundering for his role.

“In total, since 2022, through its investigations of bribery schemes involving multiple commodities trading companies, the FCPA Unit, in partnership with [the Money Laundering and Asset Recovery Section] and many U.S. Attorney’s Offices, has secured six corporate resolutions with over $1.7 billion in global penalties and convicted over 20 individuals,” Wible noted. “That’s our prosecutors at their finest, holding accountable corporate and individual actors alike for committing widespread misconduct.”

See “Polit and Aguilar Convictions Underscore DOJ’s Dedication to Individual Accountability – Despite the Challenges, Cost and Time Commitment” (Jul. 17, 2024).

Pulling on Threads

The 2024 DOJ settlements and convictions offer a glimpse into one critical way the enforcer can build cases by following information from person to person and company to company. The cases “are a great example of pulling the threads and following the leads,” Lorinda Laryea, Principal Deputy Chief of the DOJ Fraud Section, said at the ACI Conference.

If the DOJ has information about a government official who was receiving bribes from one company, prosecutors will “keep digging to see who else is paying” that person, Laryea said. Prosecutors also will look at what intermediaries were used to pay bribes to the government officials and then trace the money back to the source. “If there is an intermediary who is facilitating bribes, they are often facilitating bribes on behalf of more than one company or more than one government official,” she explained.

The CFTC’s Interest in Bribery

The sweep of commodities trading firms unsurprisingly involved the CFTC. It is not a usual enforcer of the FCPA or other bribery and corruption laws, but that does not mean it is not paying attention to bribery cases, Brian Young, Director of the CFTC Whistleblower Office, said at the ACI Conference. “At the CFTC we do not enforce the FCPA per se, but we get involved in corruption cases when the corruption affects registered activity,” he explained.

If a commodities firm is involved in bribery or corruption, the likelihood is high that registered activity will be impacted. “If a firm is in the commodity trading space and [it is] engaged in any sort of corrupt payments, that is a pretty good indication . . . that [it is] also involved in illicit trading,” Young explained. Practitioners performing internal investigations for firms that trade in any type of commodities – from agricultural products to base metals to Bitcoin – should keep their eye out for misconduct in those activities in addition to any corruption, and consider reporting to the CFTC, he said.

See “Practical Implications of the CFTC’s Enforcement Advisory on Foreign Corrupt Practices” (May 1, 2019).

A Significant Sweep

Beyond its obvious implications for the commodities industry, the sweep of trading firms is a significant illustration of how the DOJ and other enforcers find and build cases. “Investigating and prosecuting corporate crime, including resolving multijurisdictional resolutions, requires not only tenacious factfinding and the use of the full suite of law enforcement tools, but also significant expertise in this area of the law and the legal issues that can arise in corporate investigations,” Wible explained. The string of commodities cases is evidence of “this expertise in action.”

The sweep of commodities trading firms was “extremely significant and far-reaching,” Paula Anderson, a partner at A&O Shearman, told the Anti-Corruption Report. She cautioned that, even if this particular investigatory sweep is near completion, commodities firms should remain on their guard. “This is a vast industry with high-risk operations touching the highest risk jurisdictions,” she said. “It seems apparent that this is an area where the government continues to be particularly focused.”

Matteson Ellis, a member of Miller & Chevalier, agreed that the sweep was significant but said that the largest players seem to have been investigated already and that the industry has taken significant steps to tidy up. “It might be the case that DOJ will prioritize other industries going forward,” he said.

Even if the DOJ focuses elsewhere, Laura Perkins, a partner at Cadwalader, advised caution. “Given the number of cases the DOJ has brought in this space and the age of those resolutions, the sweep is probably nearing conclusion, but commodities firms, as well as all companies, should remain on alert and be proactive in their compliance efforts,” she told the Anti-Corruption Report.

See “Latest SEC Sweep of Off‑Channel Communications Both Befuddles and Turns Up the Heat on Investment Advisers” (Apr. 24, 2024).

Using Data to Develop Leads

While the commodities industry sweep was a good example of using old-fashioned detective work to build cases, the DOJ is taking high-tech approaches, as well. The DOJ is “continuing to make strides to identify misconduct and launch FCPA investigations through data analytics,” Wible reported. “We are trying to be smarter, quicker, [and] more nimble with data,” Leon elaborated.

Dedicated Resources

The DOJ has bolstered its capacity to use data analytics to identify cases by increasing the resources dedicated to the effort. “We have a dedicated data scientist and robust team focused on identifying relevant data sources, both public and private, and leveraging our existing cases and sources of information to generate actionable leads,” Wible boasted.

Leon noted that the Criminal Division’s Health Care Fraud Unit has long had dedicated data analysis resources, but, after many years of ramping up, there are now resources specifically dedicated to the FCPA. “We are doing active data analytics in the FCPA space right now,” he said.

One tool the DOJ is not yet using in the FCPA space is artificial intelligence. “That may or may not be possible in certain circumstances,” Leon shared, but “right now we are just [using] data analytics.”

See “Thoughts From DOJ Experts on Using Data Analytics to Strengthen Compliance Programs” (May 22, 2024).

The Data to Be Analyzed

It was unclear to some what data the DOJ was using to analyze and identify cases, but Laryea clarified that the enforcer uses “all available data, both public and nonpublic.”

The publicly available data seems to be playing the biggest role for the DOJ. For example, Leon noted, many countries have public databases that outline who wins and loses bids for public procurements. The DOJ can then take that data and marry it with other publicly available information, such as local news reports, social media and banking data, to generate insights into possibly corrupt activity. “We are looking at news reports [globally] to see what is breaking in parts of the world that [is] worth following up on,” Laryea reported.

With the addition of dedicated resources, the DOJ can now look at that data more quickly to identify patterns, Leon said. “That is what we have done in the health care fraud space . . . what we have done in the market integrity space and it is what we are now starting to do in the FCPA space,” which is “very exciting,” he shared.

Bearing Fruit

Efforts tied to data analytics use have already born fruit. The DOJ currently has “active, ongoing FCPA investigations started through in-house, home-grown data analytics,” Wible reported.

Leon predicted that there will be more to come in the future. The DOJ’s efforts are “leading to and will lead to issuing subpoenas in part based on the work of data analytics,” he said. Alternatively, there have been instances where, rather than issue a subpoena, the DOJ has gone to companies directly based on data analytics, he reported.

An Expected Development

The defense counsel with whom the Anti-Corruption Report spoke were unsurprised at the DOJ’s use of data analytics. “It is not surprising that the DOJ is using publicly available data to generate FCPA leads, as it is a method the government has used for some time to identify potential criminal cases, including FCPA cases,” Perkins, a former FCPA Unit prosecutor, said.

Even as the DOJ’s policy updates have been focused on encouraging whistleblowers and others to come forward with information about crime, only a portion of cases are generated from voluntary self-disclosures or whistleblower reports, Anderson noted. “There are still the traditional methods of investigation, which have become a lot more sophisticated with the advent of social media, data analytics, enhanced surveillance techniques, etc., and with special units being designated within the FBI and other agencies to detect and investigate misconduct,” she observed.

Publicly available information such as news reports has long been used by the FCPA Unit to help identify cases, Ryan Rohlfsen, a former FCPA Unit prosecutor and a partner at Ropes & Gray, told the Anti-Corruption Report. “As data mining tools become more sophisticated, it seems like a logical extension to fold in additional sources to better pinpoint where there may be misconduct over which the DOJ has jurisdiction,” he said.

The DOJ is not the only body developing leads using data analytics. “Many authorities have been moving in this direction, including investigations teams at multi-lateral development banks,” Ellis observed. “Some are generating more meaningful information than others and acting upon that information,” he said.

What It Means for Companies

The new tools for developing FCPA cases that are in play underscore the need for companies to be mindful of bribery and corruption issues and develop strong compliance programs to foster good behavior.

While noting that there have been a limited number of cases where the DOJ credits its data analytics program with the win, Perkins advised that companies should be aware of the DOJ’s efforts as they consider the risks of not devoting sufficient resources to their compliance efforts.

Companies also should remember that what is sauce for the goose is sauce for the gander. “For companies, this adds to the already increasing pressure to be more proactive in the use of available corporate and public data to help detect and prevent misconduct,” Rohlfsen said.

“Companies must be constantly vigilant and ensure that they have in place a robust, well-functioning compliance program that allows them to monitor and detect violations and respond quickly,” Anderson emphasized.

One particular area where companies should focus is their hotlines. Companies should ensure that they are “quickly responding and evaluating tips to the hotline,” Nathaniel Edmonds, a partner at Paul Hastings, advised. “Companies will need to be able to demonstrate that they have followed the procedures in terms of following up on tips and taking appropriate investigative efforts to substantiate (or not) the allegations,” he said. They also should make sure to have a strong system to track any allegations made and how they were handled. “Remember, if you do not document what was done, it appears to the enforcement authorities that you did not do anything,” he warned.

See our two-part series on the DOJ’s Corporate Whistleblower Awards Pilot Program: “A Look at Forfeiture and Culpability” (Aug. 14, 2024), and “Exclusions, NDAs and Goals” (Sep. 11, 2024).

Socializing is an integral part of numerous business relationships. Many in the private sector have previously held roles in the government and continue to maintain relationships with colleagues still in public sector roles – with coffee dates, meetings for drinks, and even dinners and trips. Most executives at multinational companies know these types of interactions can lead to trouble with foreign officials but may operate under a different set of assumptions when entertaining domestically, particularly with former colleagues. However, what they may not realize is that, in California, these actions may constitute bribery even if they are informal social meetings not tied to a contemplated “official act” by the government employee.

Recent Supreme Court cases have shown that federal bribery statutes are fairly narrow, at least when compared to the FCPA or foreign laws, and require an identifiable quid pro quo. Some of California’s bribery statutes, however, are written quite expansively. Moreover, California courts have interpreted these laws broadly, finding that the inclusion of phrases like “may be required to act . . .” sweeps in undefined, possible future acts. While the key California bribery law does not include the critical “may,” a recent lower court decision raises the question of just how broadly these laws can sweep

In this article we summarize the current narrow state of federal law, discuss California law and the different ways it may be interpreted, and provide a word of caution for anyone who may be entertaining government officials in California.

See “Legal and Compliance Implications of the Supreme Court’s Snyder Decision” (Sep. 11, 2024).

The Federal Bribery Statute

The federal bribery statute^[1] (Section 201) criminalizes anyone who “corruptly gives, offers or promises anything of value to any public official . . . with intent to influence any official act.” It goes on to define an “official act” as “any decision or action on any question, matter, cause, suit, proceeding or controversy.”

McDonnell

In McDonnell v. United States,^[2] the Supreme Court has interpreted Section 201 to require the government to show that a defendant “committed (or agreed to commit) an ‘official act’ in exchange for the” charged bribe payment. In that case, the former Governor of Virginia was convicted of violating the federal bribery statute after he received loans and gifts in exchange for setting up meetings and organizing events for a nutritional supplement company hoping to obtain research studies from Virginia’s public universities. Reversing the conviction, the Court explained that “[t]he text of § 201(a)(3) sets forth two requirements for an ‘official act’: First, the Government must identify a ‘question, matter, cause, suit, proceeding or controversy’. . . . Second, the Government must prove that the public official made a decision or took an action ‘on’ that question, matter, cause, suit, proceeding, or controversy, or agreed to do so.”

Sun-Diamond

Long before McDonnell, the Supreme Court interpreted the federal gratuity statute in United States v. Sun-Diamond Growers of California,^[3] which appears in the same code section as the federal bribery statute, to require a link between an official act and the charged gift. The federal gratuity statute criminalizes anyone who “gives, offers, or promises anything of value to any public official . . . for or because of any official act performed or to be performed by such public official.”^[4] The federal gratuity statute uses the same definition of “official act” as the federal bribery statute: “any decision or action on any question, matter, cause, suit, proceeding or controversy.”

In Sun-Diamond, a trade association was convicted of violating the federal gratuity statute because it gave tickets, meals and other items to the Secretary of Agriculture. Interpreting the text of the federal gratuity statute, the Court held that the “Government must prove a link between a thing of value conferred upon a federal official and a specific ‘official act’ for or because of which it was given.” The Court reversed the conviction and held that a contrary ruling would not “fit comfortably with the statutory text, which prohibits only gratuities given or received ‘for or because of any official act,’” and then defined “official act” as “any decision or action on any question, matter, cause, suit, proceeding or controversy.”

A Strict Interpretation

The reasoning of both Sun-Diamond and McDonnell is rooted in the language of the federal bribery and gratuity statutes, which carefully define an “official act” as “any decision or action on any question, matter, cause, suit, proceeding or controversy.” According to both opinions, because the statutory definition of “official act” sets forth in detail the various acts that constitute a violation, the statutes must be read to require a specific, official act linked to each charged bribe or gratuity. As the Sun-Diamond court succinctly put it, the statute’s “insistence upon an ‘official act,’ carefully defined, seems pregnant with the requirement that some particular official act be identified and proved.” The McDonnell opinion echoes this sentiment when it states that the official act must “be something specific and focused.”

See “Silver Decision Clarifies Scope of ‘Official Acts’ in Domestic Bribery Cases” (May 27, 2020).

California’s Bribery Statutes

The word “may” has had an outsized influence on the patchwork of laws that comprise California’s bribery framework. Irrespective of whether the California bribery statute at issue covers executive officers, county supervisors or judges, courts have seized on the word “may” to conclude that the government need not prove an official act. According to these courts, the word “may” is broad enough to encompass a whole host of present and future conduct that might not be readily apparent at the moment. Because the word “may” is rife with possibilities and contemplates future official acts, courts have concluded that the government need not prove a specific official act linked to each bribe.

Diedrich Case

The seminal case on point is People v. Diedrich,^[5] in which a member of the Orange County Board of Supervisors was found guilty of receiving a bribe to influence his vote on a development in Anaheim Hills. He was convicted under California Penal Code § 165, which prohibits a county supervisor from taking a bribe to influence a matter “on which he may be required to act in his official capacity” (emphasis added). The defendant challenged the conviction, arguing that the government had failed to prove an official act linked to the alleged bribe. The California Supreme Court rejected this argument and explained, “The law does not require any specific action to be pending on the date the bribe is received. . . . The use of the word ‘may’ suggests that payments designed to alter the outcome of any matter that could conceivably come before the official are within the prohibition of the statute” (emphasis added).

Extending the Reasoning

The reasoning of Diedrich has been extended to other California bribery statutes containing the word “may.” For instance, in United States v. Frega,^[6] the Ninth Circuit considered whether an official act is required under California Penal Code §§ 92 and 93, which are California’s judicial bribery statutes. Sections 92 and 93 prohibit the taking and giving of bribes, respectively, in exchange for official action on any matters that “may be brought before” judges (emphasis added). Relying on Diedrich, the Ninth Circuit ruled that “no linkage of payment and specific official act is required” because of the word “may” in Sections 92 and 93.

As another example, consider California Penal Code § 68, which criminalizes receipt of a bribe by an executive officer in exchange for “his or her vote, opinion, or action upon any matter then pending, or that may be brought before him or her. . . .” The California Court of Appeals considered whether “bribery under [S]ection 68 requires a link between the acceptance of the bribe and a specific official action” in People v. Gaio.^[7] Relying on Diedrich, the court concluded that the government did not need to prove a specific, official act because Section 68 uses the word “may.” Rather, the government need only prove “that there existed subjects of potential action by the recipient” (emphasis added).

A Critical Bribery Statute Is Missing the “May”

The reasoning in the above cases hinges entirely on the word “may.” But not all of California’s bribery statutes contain the word “may.” Consider, for instance, California Penal Code § 67, which provides, “[e]very person who gives or offers any bribe to any executive officer in this state, with intent to influence him in respect to any act, decision, vote, opinion, or other proceeding as such officer, is punishable by imprisonment. . . .”

Section 67 is unique among California’s bribery statutes, and not just because it is missing the word “may.” Unlike California’s other bribery statutes, which are limited to a specific public official (e.g., Section 92 applies to judges, Section 165 applies to council members and supervisors, Section 85 applies to legislators), Section 67 applies to executive officers, sweeping in a substantial number of public officials. An “executive officer” is defined as any public official who performs discretionary duties. Because Section 67 covers more government officials than California’s other bribery statutes, it is likely to be more implicated in everyday interactions.

California appellate courts have not weighed in on the question of whether Section 67, with its anomalous language, requires proof of a specific, official act linked to each bribe payment. At the same time, California precedent and federal precedent are tugging in different directions. Even though the federal bribery statute appears to offer the better analytical framework, there is also a real risk that California courts may interpret Section 67, and similar California bribery statutes, as not requiring any specific official act.

Interpreting California Law Through a Federal Lens?

The reasoning in the California decisions does not map neatly onto the text of Section 67, which does not contain the word “may” a single time. Statutory interpretation is an exacting process, and, in California, courts are to “give effect to the usual, ordinary import of the words used in the statute, giving significance to each word, phrase and sentence in context with the purpose of the statute.”^[8] It would be odd, indeed, to superimpose an analysis premised on the word “may” onto a statute that does not contain that word. For that reason, the California cases do not offer the best analytical framework to interpret Section 67.

The federal authorities, on the other hand, offer a more coherent framework for interpreting this outlier law. Indeed, the language of the federal bribery and gratuity statutes closely tracks the language of Section 67. The Section 201 penalizes anyone who “gives, offers or promises anything of value to any public official . . . with intent to influence any official act,” and the federal gratuity statute penalizes anyone who “gives, offers, or promises anything of value to any public official . . . for or because of any official act performed or to be performed.” Similarly, Section 67 penalizes anyone who “gives or offers any bribe to any executive officer in this state, with intent to influence him in respect to any act, decision, vote, opinion, or other proceeding as such officer.”

In essence, Section 67 and Section 201 share the same textual features that compelled the Supreme Court to hold that a specific, official act is required to prove bribery in Sun-Diamond.

It may seem novel to resort to an analogous federal statute to interpret Section 67 in lieu of California bribery decisions already on the books, particularly where California courts have rendered a decision on Section 67’s statutory neighbor (with that critical “may”), but Section 67’s anomalous statutory language compels such a result. In fact, California courts routinely look to analogous federal statutes to interpret similar California laws. Indeed, in a recent appellate decision from California, the court looked to federal law to interpret Section 67.^[9]

A Recent Trial Ruling in California Increases Risk

Despite the fact that it would make good judicial sense to interpret Section 67 to require an official act as federal law does, that may not be the case. This means that those in the private sector should know that interactions with government officials who may be called on to act in their official capacity in the future could be implicated in bribery.

In fact, at least one trial court has recently ruled that the prosecution need not prove an official act is linked to each alleged bribe under Section 67.^[10] In that case, a tax consultant, who was longtime friends with a public relations employee in the assessor’s office, gave a personal loan to the public relations employee, who would go on to become the county assessor. The court ruled that this loan could constitute a bribe, in violation of Section 67, even though the prosecution did not point to any specific official acts that the loan was designed to induce. In fact, at the time of the loan, the public relations employee was not in a position to alter any property values, which was the allegedly improper conduct. The trial court, nonetheless, cited Gaio and adopted the government’s position that “bribery to influence future conduct is criminal,” even when that conduct is not specifically linked to a charged bribe.

Tread Carefully

With this recent ruling in mind, business executives and those in the private sector should be aware of the expansive notion of bribery under California’s bribery statutes.

The interpretation of these statutes can be broad, capturing a wide range of actions that may not be immediately apparent as bribery. Courts have shown a willingness to consider indirect or future benefits as constituting bribery, even when a direct link to a specific official act is not evident at the time of the transaction.

This broad interpretation means that individuals and companies must exercise heightened vigilance in their interactions with public officials in California, ensuring that all conduct remains clearly within the bounds of the law. The risk of prosecution exists not only for clear-cut cases of bribery but also for more nuanced and potentially future-oriented exchanges. Therefore, it is crucial to understand the legal landscape and seek appropriate legal counsel to navigate these complex issues.

See this three-part series on travel and entertainment corruption risks: “Five Hallmarks of an Acceptable Hospitality Expenditure” (Mar. 9, 2016), “Three Musts for a Strong T&E Policy and Five Ways a Company Can Customize Its Program” (Mar. 23, 2016), and “Internal Controls to Ensure the Program Is Working” (Apr. 6, 2016).

 

Kareem Salem is a Partner in the investigations, compliance and white collar defense practice of Manatt, Phelps and Phillips. As a former federal prosecutor with experience overseeing largescale investigations and prosecutions for the U.S. Attorney’s Office, Salem helps clients navigate sensitive internal investigations, defends against regulatory or criminal investigations and engages in complex litigation.

Andrew Beshai is an associate in the investigations, compliance and white collar defense practice of Manatt, Phelps and Phillips. He is a former federal prosecutor who has led significant investigations and tried numerous cases involving various federal offenses. Beshai guides corporations and individuals navigating internal investigations, facing federal charges, and defending against civil enforcement actions and complex litigation.

McKinsey and Company Africa (McKinsey Africa), a wholly owned and controlled subsidiary of global consulting firm McKinsey & Company (McKinsey), recently entered into a three-year deferred prosecution agreement (DPA) with the DOJ to resolve allegations that it engaged in a bribery scheme to win business in South Africa.

As part of the resolution, McKinsey Africa agreed to pay a criminal penalty of $122.85 million, but the DOJ credited 50 percent of that penalty against payments McKinsey Africa made to authorities in South Africa in related proceedings. In the settlement with South Africa, McKinsey Africa agreed to a criminal penalty of 1.1 billion rands (approximately $57 million).

The DOJ also simultaneously unsealed a related guilty plea by Vikas Sagar, an ex-McKinsey senior partner who worked in McKinsey Africa’s South Africa office, and who had previously pleaded guilty to one count of conspiracy to violations of the FCPA.

At a very high level, the case serves as “a reminder of the risks related to managing public-sector clients, partnering with local entities without sufficient due diligence or oversight, and the need to monitor partnering arrangements over time to spot corruption-related red flags,” Miller & Chevalier member John Davis told the Anti-Corruption Report.

This article examines the McKinsey Africa agreement in detail, discusses what the DOJ’s expanding partnerships with international enforcement authorities mean for companies facing anti-corruption investigations, and what broader compliance lessons to take away from this case.

See “Gartner’s Settlement for FCPA Violations in South Africa Raises Important Issues” (Jun. 21, 2023).

McKinsey Africa’s DPA

According to the DPA, between at least 2012 and 2016, McKinsey Africa obtained “sensitive confidential and non-public information” from Transnet, South Africa’s state-owned and state-controlled custodian of ports, rails, and pipelines, and Eskom Holdings, South Africa’s state-owned and state-controlled energy company that has been involved in several other FCPA settlements. This information regarding the award of lucrative consulting contracts was used to submit proposals for multimillion-dollar consulting engagements, while knowing that South African consulting firms with which McKinsey Africa had partnered would pay a portion of their fees as bribes to Transnet and Eskom officials. From the bribery scheme, McKinsey and McKinsey Africa earned approximately $85 million in profits, U.S. Attorney Damian Williams for the Southern District of New York (SDNY) noted in the DOJ’s press release announcing the settlement.

Transnet Bribery Scheme

Around 2011, with intent to obtain business for McKinsey Africa with Transnet, Sagar began meeting with a foreign official who was an acquaintance of his. This official sat on the board of Transnet and had the “ability and authority to influence the award of consulting contracts,” according to the DPA.

Under South Africa’s Broad-based Black Economic Empowerment Act of 2003 and that law’s implementing policies (BEE Program), McKinsey Africa would need to engage with specific local South African subcontractors (BEE program partners) to obtain contracts with Transnet. As required by the BEE Program, McKinsey Africa agreed to split the fees that were payable on contracts for which it partnered with South African companies. “Accordingly, McKinsey Africa’s client would pay a portion to McKinsey Africa and a portion directly to McKinsey Africa’s BEE partner,” the DPA states.

Around 2012, the foreign official suggested to Sagar that McKinsey Africa engage “Company 1” (the name was not identified in the DPA) as its BEE program partner to consulting engagements with Transnet. Sagar agreed to the request.

For more on the BEE Program, see “Lack of Training and Due Diligence Leads to $19‑Million Penalty for Hitachi” (Oct. 7, 2015); and “German Medical Device Company Settles Allegations of Pervasive Global Bribery With SEC and DOJ” (Apr. 17, 2019).

Secret Meetings Held

With the help of the foreign official, secret meetings were arranged between Sagar, the representative of Company 1 and a third-party intermediary at various locations, including “coffee shops, restaurants, and other locations in and around Johannesburg,” according to the DPA.

Sagar followed up on these secret meetings with Company 1 by later talking McKinsey Africa into selecting this company as its BEE program partner.

“Where the public-sector company has specific local partner participation requirements, companies should be extra cautious and be particularly wary of partners recommended by or insisted upon by government officials,” Steven Powell, head of the forensics practice at ENS Africa, told the Anti-Corruption Report.

This case further highlights the practical challenges companies face when misconduct occurs outside approved and official communication channels and when employees are “intent on hiding their actions by using personal accounts, off-site discussions, or third-party apps to hide their activities,” Davis noted.

In situations where illegal activity could not have been prevented, particularly regarding the misconduct of a rogue employee, the DOJ wants to see that the company had in place a robust anti-corruption compliance program, including policies and procedures, monitoring and internal auditing controls, reporting channels and training. If the company can demonstrate that there was a “rogue” employee who was operating outside the bounds of company policy, that should put the company in a stronger position to reduce the risk of an enforcement action, Troutman Pepper partner Peter Jeydel told the Anti-Corruption Report.

If, on the other hand, a company’s policy was unclear, its processes were blurry or leaky, or its training inadequate, the company “may have trouble showing where the lines were and whether the individual crossed them,” Jeydel added. “In that case, the company could be at much greater risk.”

Third-Party Intermediary Risk

In this case, the foreign official introduced Sagar to a third-party intermediary who acted as the “primary point of contact” between McKinsey Africa and its BEE program partner to obtain consulting contracts from Transnet. This third-party intermediary was also tasked with dividing the fees between McKinsey Africa and Company 1. Sagar knew the fees would be paid, in part, for the benefit of the third-party agent and foreign official, the DOJ alleges in the criminal information filed with the DPA (Information).

In return for the bribes, the foreign official acted as McKinsey Africa’s “inside man” at Transnet, providing confidential, inside information from Transnet through the third-party intermediary, such as “McKinsey Africa’s competitors for contracts, and Transnet’s decision-making for such contracts,” the Information says.

The third-party intermediary ultimately orchestrated the award of multiple lucrative contracts to McKinsey Africa over several years, according to court documents.

See “ENSafrica Survey Shows State of Corruption and Compliance in Africa” (Mar. 29, 2017).

Eskom Bribery Scheme

Around 2015, “multiple Transnet executives who had worked with McKinsey Africa transitioned to leadership positions at Eskom,” court documents highlight. At that time, a second third-party intermediary (Company 2) informed Sagar of his intent to form a new consulting firm.

From around 2015 until around 2016, McKinsey Africa sought business with Eskom. At this time, Sagar had joined McKinsey Africa’s client service team for Eskom.

With Eskom, McKinsey Africa’s bribery scheme “proceeded in a very similar manner as it had at Transnet,” court documents state. Only this time, the bribery scheme involved Eskom and a different foreign official.

“This case demonstrates that the risk of doing business with public-sector companies and government officials in Africa is particularly high,” Powell said. In practical terms, companies should perform enhanced due diligence on business partners, clearly identifying if there are potential politically exposed persons (PEPs) within the leadership or ownership structure of the business partner, and the ultimate beneficial owners of that entity, he added.

“A thorough analysis of the role played by the business partner and the envisaged remuneration of that business partner should also be performed,” Powell said.

Cooperation Credit

In a press release, McKinsey South Africa stated that it “welcomes the resolution of these matters and the closure of this regretful situation.”

Highlighting facts laid out in the DPA, McKinsey stressed that it conducted an “extensive investigation” into Sagar’s corrupt conduct and terminated his employment more than seven years ago. “McKinsey has zero tolerance for employees who do not strictly adhere to the company’s compliance policies, procedures, and professional standards,” the company stated.

As also highlighted in the DPA, McKinsey noted that it fully resolved these matters through “significant remediation efforts and investment in our risk control functions and processes, extensive investigation, full cooperation with the authorities in the United States and South Africa, and full repayment of the fees to the state-owned enterprises.”

Additionally, McKinsey stated that it will continue to cooperate with the Criminal Division’s Fraud Section and the U.S. Attorney’s Office for the SDNY in “any ongoing or future criminal investigation arising during the term of the DPA.”

The DOJ noted that the penalty paid by McKinsey reflected the company’s cooperation from the inception of the investigation, which included:

• making numerous factual presentations to the DOJ from information obtained through the company’s internal investigation;
• collecting and producing “voluminous records, including those located abroad,” in response to DOJ requests;
• promptly reporting the discovery of document-deletion efforts by the McKinsey partner involved in the conduct found during its internal investigation, taking additional investigative steps to uncover information and evidence regarding those efforts, and producing such information and evidence to the department;
• tracing complex internal accounting money-flows and currency exchange information in response to requests from the DOJ;
• preserving, collecting and producing to the department documents located abroad, engaging a third-party forensics consultant to analyze key electronic devices and providing to the department the results of that analysis;
• collecting and producing to the DOJ personal email and bank account information of the McKinsey partner involved in the conduct relevant to the Department’s investigation; and
• making company officers and employees available for interviews.

The DOJ also noted that McKinsey Africa temporarily ceased work with all state-owned enterprises while it conducted its internal investigation.

See “Regional Risk Spotlight: What Companies Need to Know About Internal Investigations in South Africa” (Jul. 27, 2016).

Remediation Measures

McKinsey and McKinsey Africa also engaged in remedial measures, including putting Sagar on leave and subsequently separating him from McKinsey, after learning of his role in the scheme.

McKinsey and McKinsey Africa were also credited with voluntarily repaying all revenues that they received from potentially tainted contracts received as a result of the criminal scheme.

Program Enhancements

As for compliance program enhancements, the DOJ credited McKinsey Africa with providing additional anti-corruption training for employees in South Africa and elsewhere in Africa, and enhanced due diligence processes for third-party partners, including instituting controls to ensure that due diligence is completed before work begins on an engagement and imposing a more rigorous risk review for public-sector clients.

“An often-repeated, but often-applicable lesson for companies here is to focus on third-party and public-sector client risks and to direct appropriately resourced program elements toward mitigating those risks,” Davis noted.

These factors, in part, resulted in the criminal penalty calculated under the U.S. Sentencing Guidelines reflecting a 35‑percent reduction off the fifth percentile of the otherwise applicable guidelines fine range, the DOJ stated.

Citing lessons learned from the McKinsey Africa case, Davis highlighted several compliance best practices, including:

• enhanced background checks, including using outside professional due diligence providers that have access to sophisticated databases and deep experience in tracking and identifying risks related to official ownership in specific countries;
• increased diligence and caution when considering transactions with any entity or person suggested by any foreign official or public sector representative, since such suggestions are considered an FCPA-related “red flag” that the suggesting official might have improper ties to the suggested entity or person; and
• obtaining and documenting advice from qualified local counsel that any transactions comply with all aspects of relevant local law and policies, including any relevant conflict of interest policies that might apply to officials tied to the transaction.

The McKinsey case also makes clear that any enhanced risk mitigation efforts should be informed by all relevant facts and should be completed before engaging with or paying any party tied to government officials.

Davis further noted that due diligence efforts should inform specific internal controls and monitoring procedures. He said other enhanced compliance controls may include:

• approval requirements related to sole-source procurement opportunities, with the goal of understanding why the company is receiving them, and whether they raise any red flags;
• consideration of enhanced audits or other targeted compliance reviews of the company’s transaction and of related third parties; and
• monitoring the financial terms of transactions and looking for changes – such as changes to fee- or revenue-sharing arrangements that occur over time even when work requirements did not change.

“In the McKinsey case, such monitoring could have detected anomalies and triggered a review by compliance or audit personnel regarding the cause,” Davis said.

“The McKinsey case involved work with third parties, in a high-risk jurisdiction, involving state-owned customers. That risk trifecta, when present, should often trigger alarm bells within a well-designed compliance program to ensure that correspondingly stringent controls are in place,” Jeydel concluded. “Compliance is always hard, and never perfect, but in the highest risk areas the process needs to match the risk level.”

See “Kevin Abikoff of Hughes Hubbard Discusses the Benefits and Risks of African Local Content Laws” (Feb. 10, 2016).

No Compliance Monitor

As with other recent cases and consistent with DOJ policies and pronouncements, the DPA focused on McKinsey’s extensive cooperation, remediation measures and the overall state of the company’s compliance program in determining that a monitor was “unnecessary.”

Jeydel noted that the broader message for other companies facing an anti-corruption investigation that hope to avoid a monitorship is to be prepared to “devote significant resources and make difficult choices in the resolution process to build trust with prosecutors and demonstrate that a monitorship is not warranted.”

Parallel Resolution With South African Authorities

The DOJ coordinated its resolution with the South African National Prosecuting Authority (South African NPA) – its third coordinated resolution with South African authorities in just over two years. This settlement follows the SAP DPA settled in early 2024 and the ABB DPA settled in late 2022.

ICAB Bearing Fruit

Principal Deputy Assistant Attorney General Nicole Argentieri stated that the resolution shows that the International Corporate Anti-Bribery (ICAB) initiative is “bearing fruit.”

First established in November 2023, the ICAB is “largely a cooperation and information-sharing mechanism with foreign partners,” Jeydel explained. The ICAB provides authorities with data-driven lead generation, “so it will start to give rise to more and more investigation risk in areas where the government previously may not have been looking as closely,” he added.

While the DOJ has long worked with international partners on cross-border anti-corruption cases, the ICAB signals a “step-up in focus and, therefore, in risk for companies concerning international anti-bribery efforts,” Jeydel said.

Anti-Corruption Cases Becoming Increasingly Global

The broader compliance message is that companies “must continue to account for the risks and costs of a multi-jurisdictional investigation in most anti-corruption cases happening these days,” Davis said. This is particularly important as the number of countries with a stake in such investigations and resolutions continues to increase, he added.

Another high-level message signaled by McKinsey’s settlement is how more countries are changing their stance toward anti-corruption enforcement. For example, South Africa historically has not been a very cooperative government regarding U.S.-led anti-corruption enforcement efforts, “but political change in South Africa, among other factors, ha[s] brought about a change in that government’s approach, which no doubt contributed to the pressure applied to McKinsey,” Jeydel said.

Powell further cautioned that the three recent resolutions between the DOJ and South African authorities “sends an ominous warning to multinationals operating in South Africa to ensure that their compliance programs are adequate and effective and that any violations of the U.S. FCPA will be robustly pursued through collaborative measures by the authorities in the United States and South Africa.”

See “2024 in Review: International Cooperation Continues to Drive ABAC Enforcement” (Dec. 18, 2024).

South Africa’s New “Failure to Prevent Corruption Activities Offense”

Powell noted that the South African anti-corruption law that ensnared McKinsey Africa in this case was the Prevention and Combating of Corrupt Activities Act (PRECCA), which takes inspiration from the U.K. Bribery Act by prohibiting public and private corruption. PRECCA also has extraterritorial reach, meaning a South African company could face liability even if corrupt acts or bribery occur outside of South Africa.

Failure to Prevent Offense

In April 2024, PRECCA was amended introducing a new “Failure to Prevent Corrupt Activities offense.” Newly added Section 34 provides that any “associated” person of a company within the private sector or a state-owned entity may be found guilty of an offense if they fail to prevent certain “corrupt activities.” Under Section 34, an “associated” person conceivably could include officers and directors, Powell noted. Corrupt activities include giving, agreeing to give or offering to give a prohibited “gratification,” which must be given with the intent to secure business or a business advantage.

New Adequate Procedures Defense

Private-sector companies can avoid criminal liability by implementing “adequate procedures” designed to prevent associated persons from engaging in misconduct, as established under the corporate alternative dispute resolution (Corporate ADR) policy.

PRECCA does not specify what constitutes adequate procedures, but companies that take inspiration from the DOJ’s various guidance documents, like the Evaluation of Corporate Compliance Programs, will put themselves in a more favorable position with authorities, Powell said.

The Corporate ADR policy, which aims to encourage companies to report and address corrupt activities, provides the South African NPA with the ability to negotiate a non-prosecution agreement or DPA with a company in appropriate situations, “while still being able to proceed with a prosecution and asset forfeiture against the company’s directors, employees, or agents,” Powell explained.

The type of criteria the South African NPA considers is similar to the criteria the DOJ considers when determining whether to enter a DPA or non-prosecution agreement. “Cases are determined on a case-by-case basis, and not all of the criteria may be pertinent to each and every case,” Powell noted.

See “U.K. Enhances Anti-Fraud Efforts With Economic Crime and Corporate Transparency Act” (Jan. 17, 2024).

Compliance leaders face delicate choices when conducting internal investigations, but they can use them as a chance to up their credibility with company managers.

Investigations can also mean an opportunity to review and improve a company’s compliance program. The findings from investigations can be used to create new training materials as well.

During the 2024 Compliance & Ethics Institute held by the Society of Corporate Compliance and Ethics, a panel discussion focused on these issues. It featured Lila Acharya, managing member at Crawford & Acharya; Kathryn Harris, senior director for global compliance at Emergent BioSolutions; and David Peet, director and global compliance investigations counsel at Dentsply Sirona. This article distills their insights.

See “Navigating U.S. Privacy Laws in Internal Investigations” (Aug. 28, 2024).

Who Investigates (and Will Privilege Attach)?

At the beginning of an investigation there are some important initial determinations that need to be made. One early decision is whether an investigation may be serious and require legal advice, and thus be conducted by counsel and covered by privilege, or whether it may be merely confidential, and potentially conducted by non-lawyers, Acharya said. That choice will influence how the ultimate findings can be used, she pointed out.

The choice of either path is significant because “the stakeholder community within a company for a sensitive investigation is diverse and everybody wants to know what is happening,” Peet observed.

“The textbook answer” to how to make this choice would refer to whether the company anticipates litigation or is already facing litigation or government enforcement, Harris said. However, it can be “tricky in practice” to know whether to anticipate litigation, since many relevant facts are unclear until the investigation has begun, she pointed out.

Advantages of Privileged Investigations

An argument in favor of a privileged investigation is that it can make it easier to “manage public perception and internal perception” in terms of the fairness of the investigation, Acharya said.

Additionally, it can be better to have outside counsel investigate if the subject of the investigation is a senior leader at the company, or if there are “particularly sensitive facts that will be easier for people to accept or believe were fairly investigated if it is done by an objective third party,” she explained.

There is often a desire among lawyers “to call everything privileged and then see how it shakes out,” Harris observed. From a company’s point of view, this has the advantage of preserving the ability to designate any finding of the investigation as privileged, she noted. However, the assertion of privilege may not stand if the issue ever comes before a court.

Advantages of Non-Privileged Investigations

There can, however, be pragmatic reasons to choose the non-privileged route. Allowing access to the investigation’s findings can be important in terms of preserving relationships within the company, Peet suggested.

Additionally, many compliance teams include non-lawyers who are extremely helpful in investigations, Peet noted. There are “some great non-lawyers” on Peet’s team, “who execute investigations when they are not conducted under privilege,” he said. “Sometimes, they are a lot closer to the facts than I am.”

Only rare companies opt for conducting almost every investigation under privilege, Acharya said. Those are mostly companies that operate “in a particularly highly regulated space” or have been “in a particularly high amount of hot water,” she noted.

See “Outside Counsel Perspectives on Key Steps in Internal Investigations” (Jun. 10, 2020).

Conducting the Investigation

Whoever is tapped to lead an investigation will likely run into hiccups along the way.

Upjohn Warnings

The choice of a privileged investigation means investigators will deliver Upjohn warnings to interviewees before interviewing them to clarify the investigators’ role as representing the company and not the interviewee, Harris pointed out.

However, detailed warnings do not necessarily need to be given to every single interviewee in an investigation under privilege, Harris stressed. It can be a good idea to “scale the Upjohn to the situation,” she explained.

When interviewing someone merely “to figure something out,” even in a privileged investigation, it can be enough for investigators to emphasize that they represent the company, Harris maintained. But when investigators are interviewing the subject of a big investigation, a fuller Upjohn warning is in order, she noted.

See “Crafting and Delivering Effective Upjohn Warnings” (Apr. 18, 2018).

Managing the Reporter’s Expectations

The employee who first brought an issue to the compliance department’s attention (the reporter) often feels proprietary over an investigation. It can be helpful to keep them informed about how the investigation will progress, Harris said.

One reassuring fact for employees is that only around two-to-three percent of investigations result in terminations, Harris noted. This comforts them that, “if there is an investigation, it does not mean someone is going to be fired,” she said. More often it means coaching, training and enhancements of the compliance program, she noted.

When dealing with reporters, investigators are well advised to make sure those people understand from the very beginning that they are not getting a copy of an investigation report, Acharya recommended. Reporters should be assured that, even if they never find out whether a person about which they raised concerns is disciplined, this does not mean that their information had no impact, she said.

The question of who gets access to the investigation’s findings after its completion can be made less prickly by managing expectations while it is still in process. Company policy, in most cases, is to tell everyone that the outcome will not be shared with them, despite their information having contributed to it, Peet said. There are frequently some “angry reporters” as a result of this, he acknowledged.

One way to minimize the risk of hurt feelings is “creating enough of a relationship at the outset,” with check-ins every 30 to 60 days during the investigation, so that not sharing the outcome with reporters “does not come across as an insult to their spirit of transparency,” Peet said.

Company investigators can routinely inform employees about the process, so that they know what to expect if called for an interview, Acharya said. “A lot of companies that I have worked with have a cheat sheet” showing employees what happens if they are called for an investigation, she remarked.

See our guide to mastering internal investigation interviews: “Logistics” (Feb. 5, 2020), “Warming Up” (Sep. 30, 2020), and “Getting to the Truth and Adapting to the Pandemic” (Oct. 14, 2020).

Confidentiality Breaches

While most investigations are confidential and people are provided with information only on a need-to-know basis, leaks can happen. This is an eventuality that investigators should consider when sharing sensitive information, even with senior leaders who are in the need-to-know category, Peet stressed.

Investigators should think ahead to how they will react if confidence is violated, Peet said. They should ascertain whether they have the backing in the company’s compliance program to hold the individual accountable for violating the confidence and consider whether “to continue providing that individual with information,” he advised.

If confidentiality is breached, it is not unheard of for the person’s employment to be terminated, Acharya said, citing observations from her own practice. “I was pleasantly surprised when there was action taken,” she noted. It can be a difficult call when the person is a senior leader, in whom the company has invested much time and money, but who is “not carrying the ethics and compliance mantle,” she observed.

See “Balancing Employment Law Considerations During Corruption Investigations” (Sep. 20, 2017).

Reporting on Findings

After an investigation produces findings, investigators face the question of whether, and with whom, to share them. The answer to this question can be shaped by whether it was an investigation under privilege, Peet pointed out. That choice anticipates “who is under the tent and who is outside the tent” when it comes to who can have access to the findings, he said. But even for a privileged investigation, some information can be shared with those outside of the tent; it is just a matter of who, when and how much.

Getting the Word Out

If many people were aware that the investigation was happening, it can be useful to share some findings widely, Harris said. For example, if the matter has seen press coverage, or is a subject of a public SEC or DOJ investigation, investigators should be open with employees, she said. “If something is out in the public space, people are going to be talking about it.”

In such situations, it is a good idea for the person sharing findings with employees to be someone on the business side of the company as opposed to a legal officer, especially if the investigation is under privilege, Harris recommended. “Someone who is not in the sphere of privilege” is better placed to present the information, “because they do not have privileged information,” she explained. And if the company leadership is “owning it,” she said, this can ease the path toward remediation.

Peet agreed that an investigation that has received wide press attention argues in favor of some broad announcement to employees. “The situation will dictate whether a communication is necessary to the entire company,” he said.

Conveying Key Themes

Even if an investigation was kept relatively quiet, sharing information at least in general terms can also be helpful, Harris stressed. Discussing “themes coming out of the investigation” is something she recommended doing on a quarterly basis with the business leaders in the company, though this could be less frequent if there were not enough cases from which to draw themes, she said.

The DOJ’s Evaluation of Corporate Compliance Programs (ECCP) contains an expectation that companies will share findings from an investigation “to a certain extent,” Peet observed. “The lessons learned will be shared, and should be shared, more broadly” to ensure that a company’s compliance program is evolving, he said. Edits made to the ECCP in October 2024 stress the importance of companies incorporating lessons learned from previous issues into their compliance program.

See “DOJ’s 2024 Edits to the ECCP: Speaking Up, Compliance Resources and Lessons Learned” (Dec. 4, 2024).

Incorporating Lessons Learned Into Training

After an investigation has concluded, findings should be incorporated into training for the company’s employees to reduce the risk of the same issues popping up again.

Publicly Available Information Is Fair Game

Problematic conduct that the company has publicly acknowledged can be included in training programs for staff, Acharya noted. “That is fair game and that should be fodder for training,” she said.

An issue that is part of “a public DOJ statement” or even appears in a company’s 10K “is worth putting into training,” Peet concurred.

Anonymize Confidential Details

When designing a new training course incorporating a fact pattern that has been the subject of an investigation, companies will often use a hypothetical situation (hypo) that resembles what happened.

Creating hypos using anonymized information from investigations is a simple way of making sure the misconduct makes its way back to those who need to learn from it, according to Peet. Such training can help the company convey to employees what they should do if faced with the same situation, he explained.

Anonymizing, though it spares the blushes of the people involved in the misconduct, should be balanced against an urgent need to be specific about the actions being discouraged.

“I do not think it is necessarily a problem” if employees who committed misconduct recognize their own behavior in the fact patterns presented in training, although it could be a problem “if everybody knew,” Harris said.

“There may be someone in the audience” who knows the hypo refers to their own actions or those of another person, but the risk of not addressing an issue through training may often exceed the risk of leaving the situation out or making it so general as to be useless, Peet argued.

Additionally, some jurisdictions overseas might have data privacy rules restricting what specific details can be incorporated into training, Acharya noted.

Anti-Retaliation Training

Investigations may also highlight the need for anti-retaliation training. Companies should “have a separate training for managers about what retaliation means,” Acharya suggested. Managers should be coached on what to do if their employee is providing information for an investigation, she said.

Employees talking to investigators about an issue that – in the managers’ view – they could have raised in another way can create bitterness. “There can be this instinct among managers: ‘Why didn’t you come to me?’” Harris explained. While this may be an understandable feeling, the concept is “dangerous,” as employees should report wherever they feel comfortable, she affirmed.

Upgrading Compliance

An important result of any investigation is that any compliance gaps that are found get filled.

Companies should involve the investigation team in the remediation process, even if it is just to keep track of what remediation is being done and by whom, Harris said. “Writing people’s names down, as to who is going to do what for the remediation, is the most effective way to do it, rather than just firing off a fact-finding report and hoping for the best,” she commented.

If there is too much of a sense of the compliance team following up on investigation by issuing “instructions” to business managers, this “creates an us-versus-them situation,” Peet remarked. This can “hurt the compliance function in the long run in terms of developing those partnerships.”

Peet said that in his position at his current company, he is responsible for the implementation of an investigation’s findings after it is finished.

Investigators may not be best placed to implement the remediation steps, hands-on, but can be agents of change. “I am not the person to redesign a tool to implement a check on the front end for third-party screening. But I am the person who knows how to find the person responsible for implementing that check,” Peet said.

It can be helpful, Peet suggested, if a compliance leader contacts a business manager to explain the issue that needs remediation, according to the investigation findings, and asks the manager to “be the owner in this as we figure it out.”

Making the effort to build an ongoing partnership with managers in the business, while working through the needed remediation, is “a lot of legwork” on the part of the compliance team, but it “leads to better results in the end,” Peet asserted.

Compliance officers may share their perspective on what can be done to remediate the issue, but it is at least as important to save space for managers to talk about solutions, based on their knowledge of business practicalities, Harris stressed.

“Being open to their ideas in terms of how to remediate,” and “hearing their perspective on what works best for their business,” is the best way for compliance chiefs to approach these discussions with business managers, Harris stressed. “Then, they will be willing to reach out or participate.” Managers will have more of an “open ear” to the compliance function’s recommendations in the future, she said.

See “Foreign Attorneys Share Insight on Data Privacy and Privilege in Multinational Investigations” (Jun. 29, 2016).

Solidifying Relations With the Business

Investigations can present opportunities for compliance executives to enhance their reputation in the eyes of a company’s business management.

“A good, well-done investigation will build trust within the business in the investigations function,” Harris said.

There are many opportunities to build trust and confidence with senior leadership using investigative findings, Peet said. At Dentsply, there is a steering committee that meets quarterly to review investigations. “Findings, remediation status and outcome” come under discussion, he reported. This review shows company stakeholders what the compliance function is doing. “We do not just want to operate in a silo without identifying the value that we are adding to the company.”

Reviewing investigations with business leaders also enhances a sense of stakeholders’ investment in investigation and remediation processes, Peet said. There are great advantages to “bringing them into the tent, giving them some level of ownership,” he emphasized.

The compliance team should make sure that business leaders in their company will turn to them any time they have a concern, Peet said. “If they have another concern or an issue they want to raise, now they are talking to ethics and compliance,” he noted.

An investigation is a good opportunity for compliance leaders to show they are problem solvers, Harris agreed. In her experience, this works best by bringing together the senior leaders responsible for the area in which there was an issue and talking to them about what happened.

See “Loose Lips Sink Ships: Maintaining Confidentiality in Investigations” (Nov. 20, 2024).

The SEC’s Office of the Whistleblower (SEC OWB) and the Commodity Futures Trading Commission’s Whistleblower Office (CFTC WBO), which sit within their respective Enforcement Divisions, were established in 2011 pursuant to the Dodd–Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act). The offices released their annual reports for the fiscal year ending September 30, 2024 (FY2024). The offices continue to receive thousands of tips and make substantial awards, including a $98‑million award by the SEC to two whistleblowers – the year’s largest award by far. To avoid revealing the identity of whistleblowers, the reports do not provide award percentages, respondent names or other significant details concerning the matters that led to the awards. This article discusses the key takeaways from the reports.

See “2024 in Review: Policy Changes Seek to Shift the Self-Reporting Calculus” (Jan. 15, 2025).

Program Basics

Under both the SEC and CFTC whistleblower programs, eligible individuals who provide original information leading to a successful enforcement action with monetary sanctions of more than $1 million may be awarded an amount equal to 10% to 30% of the sanctions collected. The SEC and CFTC post a Notice of Covered Action (NCA) for each such action. Both insiders and outside individuals may apply for awards. In FY2024, nearly two-thirds of SEC whistleblowers who received awards were insiders, according to the SEC OWB’s annual report (SEC Report).

Each agency administers an investor/customer protection fund funded solely from the sanctions collected by such agency. The SEC fund started FY2024 with $337.7 million and ended the year with $361.8 million. The CFTC fund started with $261.4 million and ended with $226.1 million.

See “SEC and CFTC Received Record Number of Whistleblower Tips and Made a Record Award in 2022” (Feb. 15, 2023).

SEC Issues 28 Awards

$255 Million in Awards

In FY2024, the SEC OWB received nearly 400 applications for awards and 49 requests for reconsideration of preliminary determinations. It issued 163 final orders, granting awards in 28 covered actions in the aggregate amount of $255 million. The SEC OWB’s largest award in FY2024 was a $98‑million award shared by two whistleblowers. The next largest awards were for $37 million (twice), $28 million and $24 million.

Most of the year’s largest award – about $82 million – went to a whistleblower whose report led to an SEC investigation and who provided “critical additional information and ongoing assistance.” The remainder of the award went to the individuals who significantly contributed to one aspect of the SEC’s action.

The SEC Report offers a high-level look at the circumstances giving rise to certain other awards, as well as other pertinent statistics:

• One of the $37 million awards went to a whistleblower whose “persistent internal reporting” caused the whistleblower’s employer to investigate and self-report and who provided ongoing and extensive information to the SEC during its investigation.
• The $28‑million award was shared by seven whistleblowers who provided highly significant information leading to the return of millions of dollars to harmed investors.
• One whistleblower, who was awarded $600,000, prompted the SEC to open an investigation and provided information leading to additional charges.
• After a joint whistleblower report prompted an investigation, a third whistleblower alerted SEC staff to an additional issue that resulted in higher sanctions. The three whistleblowers shared an award of more than $1 million.
• The SEC awarded $1.5 million to a whistleblower who, after learning of an enforcement action against one company, reported similar conduct by a different company.
• 27 whistleblowers caused the SEC to open an investigation, while 20 contributed significantly to open investigations.
• Approximately 10% submitted joint applications.
• Seven whistleblowers also received awards for contributions to related actions.

Additionally, the SEC barred one individual from the program for filing five applications the SEC determined to be frivolous or unconnected to the actions in which the individual applied for awards. The SEC’s 2020 amendments to its program rules authorized it to permanently bar a claimant who files three or more such frivolous or unconnected applications.

Most SEC Awards Based on Independent Knowledge

The SEC OWB rules provide that “original information” may be based on either:

• “independent knowledge,” which is factual information not derived from public sources; or
• “independent analysis,” which is information derived from analysis of information that may be publicly available “but which reveals information that is not generally known or available to the public,” according to the SEC Report.

The vast majority of the SEC’s FY2024 awards were based in part on independent knowledge. Four were based on independent analysis and six on a combination of the two.

SEC Award Determinations

The SEC’s 2020 program rule amendments created a presumption of a maximum 30% award in circumstances in which the maximum award is not expected to exceed $5 million and there are no negative factors, including whistleblower culpability, present. In FY2024, the SEC applied that presumption in 90% of such matters.

Positive Factors

When the 30% presumption does not apply, and when allocating an award among multiple whistleblowers, the following factors may increase an award:

• the significance of the information provided by the whistleblower, which is a “critical factor” and may be the most important factor when apportioning an award;
• the whistleblower’s assistance to the SEC throughout the matter, including deciphering complex transactions; identifying key witnesses, documents and other evidence; and communicating with staff;
• law enforcement’s interest in the matter, especially ongoing violations that are harming investors and securities violations with foreign elements; and
• whether the whistleblower participated in internal reporting mechanisms (which is not required to qualify for an award).

Negative Factors

Factors that may result in an award’s reduction include the whistleblower’s:

• unreasonable delay in reporting;
• culpability; and
• interference with an internal reporting system.

SEC Continues to Receive a Steady Stream of Tips

Individuals may submit tips, complaints and referrals (TCRs) to the SEC using its online portal. Certain TCRs may prompt the SEC to conduct an examination or initiate an enforcement investigation.

In FY2024, the SEC received nearly 25,000 whistleblower TCRs. However, more than 14,000 of those TCRs were submitted by just two individuals, notes the SEC Report. Similarly, in its 2023 fiscal year, the SEC received 18,354 TCRs, nearly 7,000 of which were submitted by the same two individuals. Not counting the tips submitted by those individuals, the SEC received roughly 11,000 tips in fiscal years 2023 and 2024 – slightly below the 12,210 and 12,322 tips, respectively, it received in its 2021 and 2022 fiscal years.

More than half of the FY2024 TCRs fell into the categories of manipulation (37%) and offering fraud (21%). Corporate disclosures and financials and initial coin offerings/digital asset securities each accounted for 8%. Unregistered offerings; violations of the FCPA; insider trading; trading/pricing; market events; and municipal securities and public pensions each accounted for less than 3% of total TCRs. The breakdown is based on the violation category selected by the whistleblowers, notes the SEC Report. Additionally, the percentages include the 14,000 tips submitted by the two individuals, which may have skewed the breakdown of other whistleblowers’ tips.

The highest numbers of domestic tips came from South Carolina, Florida, California, Texas and New York. The highest number of foreign tips came from Canada, the United Kingdom, India, Australia and Germany.

See “Recent SEC Whistleblower Cases Focus on Repressive Language in Employment Related Agreements” (Jan. 17, 2024).

CFTC Issues 15 Awards

About 42% of the CFTC’s enforcement matters involved whistleblowers. A majority of the tips in FY2024 concerned digital assets – and cases involving such assets accounted for nearly half the agency’s enforcement docket.

$42 Million in Awards

From the CFTC WBO’s inception, it has issued 53 orders granting aggregate awards of nearly $390 million in actions that have resulted in more than $3.2 billion in sanctions. In FY2024, the CFTC WBO posted 39 NCAs and received 317 award applications, up slightly from FY2023, when it received 301 applications – but more than twice the applications it received in the 2020, 2021 or 2022 fiscal years.

In FY2024, the CFTC granted 15 applications and awarded more than $42 million across 12 orders. The enforcement actions in which it granted those awards resulted in collection of about $162 million in sanctions. The CFTC also denied 274 applications. The total awards in FY2024 were significantly higher than the $14 million in awards in 2023 but well below 2022, when the CFTC issued more than $210 million in awards, including nearly $200 million to a single whistleblower.

The CFTC WBO’s annual report provides some context for several of its larger awards, including awards of:

• $18 million to a whistleblower who provided “highly significant” information from nonpublic sources, as well as independent analysis of publicly available information, which also prompted a related action by another agency;
• $8 million to a “culpable whistleblower” who provided valuable information that assisted multiple regulators’ enforcement actions;
• $1.25 million to a compliance officer – the CFTC’s first such award – who initially reported internally and waited the requisite 120 days to give the company an opportunity to respond before reporting to the CFTC;
• more than $1 million for providing significant information about trading in digital assets markets;
• more than $4 million for providing information about CFTC rule violations that would otherwise have been difficult to detect, even though the whistleblower unreasonably delayed reporting; and
• more than $4.5 million to a non-insider market participant whose observations enabled the CFTC to identify a responsible company.

“Absent a criminal conviction of the whistleblower, culpability alone does not disqualify a whistleblower from receiving an award,” the CFTC noted with regard to the $8‑million award.

The CFTC considers the following factors when determining whether a whistleblower unreasonably delayed reporting:

• being aware of relevant facts but failing to take reasonable steps to report or prevent the violations;
• being aware of relevant facts but only reporting after learning of a related regulatory inquiry, investigation or enforcement action; and
• having a legitimate reason for the delay.

Number of Tips Continues to Grow

In FY2024, the CFTC WBO received 1,744 tips – about 14% more than in the 2022 and 2023 fiscal years, when it received 1,506 and 1,530 tips, respectively, and roughly 70% more than in 2020 and 2021. The CFTC WBO also processed 340 submissions supplementing whistleblowers’ initial filings. In addition to TCRs, the CFTC WBO also processed about 1,000 emails concerning the program, nearly twice as many as in the last two fiscal years.

Of the tips within the CFTC’s jurisdiction, just over half concerned fraud involving digital assets. Nearly one-quarter concerned fraud or manipulation involving other commodities. Four-fifths of the tips the CFTC received came from within the U.S.

See “Takeaways From the CFTC’s First Whistleblower Interference Case” (Aug. 28, 2024).

SEC and CFTC Both Emphasize Whistleblower Protections

“Protecting whistleblower confidentiality is a cornerstone of the [Whistleblower] Program,” according to the SEC Report. Without it, whistleblowers would be less likely to come forward. Moreover, “FY2024 was a blockbuster year for whistleblower protection matters.” The SEC brought 11 actions under Rule 21F‑17, which prohibits impeding any individual from reporting securities violations to the SEC, including actions against:

• J.P. Morgan Securities LLC, which paid an $18‑million fine for entering into settlement agreements with clients that required them to keep the underlying facts confidential and permitted them to respond to SEC inquiries – but prohibited them from contacting the SEC voluntarily;
• GQG Partners LLC, an investment adviser that entered into:
  • nondisclosure agreements with employment candidates prohibiting them from disclosing confidential company information to government agencies without notifying the company; and
  • a settlement agreement with a former employee that included a representation that the employee had not reported violations to government agencies and would withdraw any statements already made;
• Nationwide Planning Associates, Inc. and affiliates, which required clients to sign confidentiality agreements prohibiting them from initiating contact with the SEC and containing representations to the effect that they had not, and would not, report the subject matter to regulators;
• seven public companies whose employment, separation and other agreements required employees to waive their rights to whistleblower awards; and
• a Ponzi scheme defendant who promised defrauded investors he would help them recover funds if they retracted all their statements to regulators and law enforcement.

The CFTC brought its first-ever action against an entity that allegedly impeded a whistleblower’s ability to communicate with it. Trafigura Trading LLC agreed to pay $55 million to settle claims of fraud, manipulation and impeding communication with the CFTC. The company allegedly used employment and separation agreements with broad confidentiality provisions that did not have “carve-out language expressly permitting communications with law enforcement or regulators,” the CFTC noted.

See our two-part series on the DOJ’s Corporate Whistleblower Awards Pilot Program: “A Look at Forfeiture and Culpability” (Aug. 14, 2024), and “Exclusions, NDAs and Goals” (Sep. 11, 2024).

Steptoe has welcomed Claire Rajan as a partner in its investigations and white-collar defense and government affairs and public policy practices in Washington, D.C. She arrives from A&O Shearman.

Rajan’s practice focuses on anti-corruption law, including U.S. political law and the FCPA. She represents clients across various sectors, including technology, media, energy and infrastructure, financial services, life sciences, real estate and consumer goods. She counsels clients with regard to related litigations, federal and state government investigations, internal investigations, transactional due diligence and compliance risk assessments.

Rajan also represents multinational corporate clients in government-facing, multi-lateral development bank and internal investigations relating to corruption, fraud, sanctions, anti-competitive behavior and procurement misconduct. Additionally, she evaluates and enhances corporate compliance programs, including advising clients through the remediation and self-reporting process.

Prior to joining Steptoe, Rajan was the head of A&O Shearman’s political law group and a partner in its investigations & white-collar group.

For insights from Steptoe, see “Legal and Compliance Implications of the Supreme Court’s Snyder Decision” (Sep. 11, 2024).

James Parkinson, a seasoned compliance and government investigations attorney, has joined Bass, Berry & Sims as a member in Washington, D.C.

Parkinson’s practice focuses on counseling businesses and individuals in regulatory compliance and government investigations, with an emphasis on multi-jurisdictional and FCPA matters. He has significant experience navigating cross-border matters and representing clients in criminal and civil enforcement actions involving the FCPA, extradition, securities fraud, insider trading, false statements and environmental issues.

Parkinson also counsels clients with global business operations and partnerships related to U.S. sanctions regimes administered by the Office of Foreign Assets Control, as well as anti-money laundering regulations under the Bank Secrecy Act. His work involves compliance advisory and internal and governmental investigations related to global business operations. His clients include U.S. and non-U.S. entities across a range of sectors, such as banking, fintech, manufacturing, retail and food services, as well as senior executives facing civil and criminal investigation.

Parkinson arrives from Orrick, where he was a partner.

For commentary from Parkinson, see “How to Avoid Corruption When Handling Logistical Issues in Emerging Markets” (Oct. 7, 2015). For insights from Bass Berry, see our three-part series on the Airbus case: “A Milestone in International Anti‑Corruption Cooperation” (Feb. 19, 2020), “Compliance Lessons” (Mar. 4, 2020), and “The Value of Cooperation” (Mar. 18, 2020).