In December 2019, the US Department of Justice (DOJ) announced a revised policy regarding voluntary self-disclosure of export control and sanctions violations by business organizations (VSD Policy).
The VSD Policy, issued by DOJ's National Security Division (NSD), sets forth the criteria that DOJ, through NSD’s Counterintelligence and Export Control Section (CES) and in partnership with the US Attorneys' Offices, will now use to determine an appropriate resolution for an organization that makes a voluntary self-disclosure in export controls and/or sanctions matters. Specifically, the VSD Policy encourages business organizations – which now include financial institutions – to self-disclose to NSD "all potentially willful violations of the statutes implementing the US government’s primary export control and sanctions regime."
The VSD Policy increases incentives for self-disclosure, as the revised policy "signals the [DOJ's] continued emphasis on corporate voluntary self-disclosure, rewarding cooperating companies with a presumption in favor of a non-prosecution agreement and significant reductions in penalties," according to a DOJ press release.
The requirements to receive the benefits of the voluntary self-disclosure are set forth in the revised VSD Policy and discussed in further detail below. Importantly, the VSD Policy does not affect the process for businesses to make voluntary self-disclosures to regulatory agencies, such as the US Department of the Treasury's Office of Foreign Assets Control (OFAC) or the US Department of Commerce’s Bureau of Industry and Security (BIS). Companies that are aware of having committed a potential US sanctions or export controls violation will need to consider the VSD Policy in the context of their interactions with other US agencies. However, given the DOJ's requirement to disclose willful violations of US economic sanctions and export controls "[p]rior to imminent threat of disclosure or government investigation" and "[w]ithin a reasonably prompt time after becoming aware of the offense," any company considering disclosure of regulatory violations to either OFAC or BIS will also need to decide, early in the investigation, as to whether to also disclose to the DOJ. A "wait and see" approach may no longer be advisable given the timing consideration and may, in fact, necessitate an early assessment of willful conduct by the company or its employees.
The VSD Policy was designed to more closely align the NSD guidance with recent guidance issued throughout DOJ, thereby providing increasing clarity of the factors that a company should consider in determining whether to voluntarily self-disclose. The VSD Policy supersedes DOJ's 2016 policy titled "Guidance Regarding Voluntary Self-Disclosures, Cooperation, and Remediation in Export Control and Sanctions Investigations Involving Business Organizations" (the 2016 Guidance).
US sanctions and export controls are primarily administered and civilly enforced by US regulatory agencies, including OFAC, BIS, and the US Department of State's Directorate of Defense Trade Controls (DDTC). NSD has primary responsibility over US export controls and sanctions criminal violations in concert with the US Attorneys' Offices and spearheads criminal enforcement actions investigated primarily by BIS and US Department of Homeland Security agents.
In 2016, NSD published for the first time its criteria for determining the potential benefits that could be afforded to an organization for its self-disclosure, cooperation, and remediation efforts. Significantly, the 2016 Policy exempted financial institutions from the benefits of a voluntary self-disclosure. The 2016 Policy stated that financial institutions "often have unique reporting obligations under their applicable statutory and regulatory regimes" (for example, the "Suspicious Activity Report" requirements and examinations by prudential regulators). Nonetheless, financial institutions were encouraged to make voluntary self-disclosures to DOJ and "may benefit" from such disclosures under DOJ policy applicable to all business organizations. The revised VSD Policy eliminates this exemption, extending the benefits of the VSD Policy to all financial institutions.
As part of the revised VSD Policy, DOJ encourages all companies to voluntarily self-disclose potentially "willful" violations of the three statutes implementing the US government's primary export control and sanctions regimes – the Arms Export Control Act (AECA), 22 U.S.C. § 2778, the Export Control Reform Act (ECRA), 50 U.S.C. § 4801 et seq., and the International Emergency Economic Powers Act (IEEPA), 50 U.S.C. § 1705. For companies that identify such willful violations and (1) voluntarily self-disclose, (2) fully cooperate, and (3) timely and appropriately remediate, consistent with the requirements discussed below, there is a presumption that the company will receive a non-prosecution agreement (NPA) and will not pay a fine, absent aggravating factors.
The VSD Policy applies to a broader range of companies than the 2016 Guidance, extending benefits under the policy to financial institutions as well as companies involved in a merger or acquisition. Specifically, the VSD Policy specifies that a successor entity that makes a timely voluntary self-disclosure – even as a result of post-acquisition due diligence – will be able to take advantage of the incentives set forth in the VSD Policy. Thus, the VSD Policy increases both the tangible benefits of a voluntary self-disclosure and extends such benefits to a broader range of companies.
Key Provisions of the VSD Policy
To qualify under the VSD Policy, the company’s disclosure must first be "voluntary." To be voluntary, the disclosure must:
- Be made "[p]rior to imminent threat of disclosure or government investigation;"
- Be made "[w]ithin a reasonably prompt time after becoming aware of the offense," with the burden on the company to demonstrate timeliness; and
- Disclose "all relevant facts known to it at the time of the disclosure, including as to any individuals substantially involved in or responsible for the misconduct at issue."
In making a voluntary self-disclosure in line with these requirements, the VSD Policy recognizes that "a company may not be in a position to know all relevant facts at the time of a voluntary self-disclosure, especially where only preliminary investigative efforts have been possible." Accordingly, the policy directs companies to make clear that the disclosure is based upon a "preliminary investigation or assessment of information."
The standard for a voluntary self-disclosure under the VSD Policy is not a significant departure from the standard set out in the 2016 Guidance. However, the VSD Policy states that disclosures must be made directly to CES – language that was not included in the 2016 Policy. Specifically, the VSD Policy provides that "when a company identifies potentially willful conduct but chooses to self-report only to a regulatory agency and not to DOJ, the company will not qualify for the benefits of a VSD…in any subsequent DOJ investigation."
To qualify under the VSD Policy, the company must also satisfy certain requirements to receive credit for "full cooperation" for the purposes of the VSD Policy. These requirements are in addition to the provisions of the Principles of Federal Prosecution of Business Organizations, and include:
- Disclosure on a timely basis of all facts relevant to the wrongdoing at issue;
- Proactive, rather than reactive, cooperation, including timely disclosure of facts relevant to the investigation even when not specifically requested;
- Timely preservation, collection, and disclosure of relevant documents and information, including facilitating third-party document production;
- De-confliction of witness interviews and other investigative steps that a company intends to take as part of its internal investigation with steps that DOJ intends to take as part of its investigation; and
- When requested, making available current and former company officers and employees, and third-party witnesses, for interview.
These requirements streamline and add to many of the requirements included in the 2016 Guidance. The VSD Policy also reiterates that, as set forth in DOJ's Criminal Resource Manual, Sec. 9-28.720, eligibility for cooperation credit is not predicated upon the waiver of the attorney-client privilege or work product protection. Companies that do not meet this criteria, or that decide to cooperate only in a later investigation, will not receive the full benefits of the VSD policy.
Timely and Appropriate Remediation
Finally, the company must demonstrate that it took prompt and effective action to remediate the misconduct to qualify under the VSD Policy. Remediation steps include:
- Demonstration of thorough analysis of the root causes of the noncompliance and (where appropriate) remediation to address the root causes;
- Implementation of an effective compliance program;
- Appropriate disciplinary actions with regard to any employee that is responsible for the misconduct or has supervisory authority over the area in which the conduct occurred;
- Appropriate record-keeping policy; and
- Any additional steps that demonstrate recognition of the seriousness of the company's misconduct, acceptance of responsibility for it, and the implementation of measures to reduce the risk of repetition of such misconduct.
With respect to implementing an effective compliance program, the VSD Policy is broadly consistent with OFAC's recent guidance, titled "A Framework for OFAC Compliance," and includes factors such as a "culture of compliance," the dedication of adequate resources to compliance, an effective risk-assessment process, auditing of the compliance program to ensure its effectiveness, and an effective reporting structure of any compliance personnel.
Potential Aggravating Factors
The presumption established under the VSD Policy that DOJ will enter into an NPA with a company that meets the specific criteria set out in the VSD Policy is not applicable where aggravating circumstances exist in relation to the conduct. The updated non-exhaustive list of aggravating factors includes:
- "Exports of items controlled for nuclear nonproliferation or missile technology reasons to a proliferator country;"
- "Exports of items known to be used in the construction of weapons of mass destruction;"
- "Exports to a Foreign Terrorist Organization or Specially Designated Global Terrorist" (clarifying the language of the 2016 Policy, which referred to "exports to a terrorist organization");
- "Exports of military items to a hostile foreign power;"
- "Repeated violations, including similar administrative or criminal violations in the past;" and
- "Knowing involvement of upper management in the criminal conduct" (which is consistent with DOJ's continued emphasis on holding high level executives individually criminally responsible).
These factors are largely consistent with the 2016 Guidance, though the VSD Policy eliminated "significant profits from the criminal conduct, including disproportionate profits or margins, whether intended or realized, compared to lawfully exported products and services" as an aggravating factor in this section. However, the VSD Policy references "significant profit" as an aggravating factor in an earlier section of the policy, meaning that NSD may consider such information. The list of aggravating factors is also non-exhaustive, meaning that NSD will have broad discretion in determining and evaluating aggravating factors.
Benefits of the VSD Policy
Under the VSD Policy, there is a presumption that a company will receive an NPA and will not pay a fine if the company complies with all three of the above requirements and there are no aggravating factors. If aggravating circumstances warrant an enforcement action other than an NPA, but the company satisfies all other criteria, the VSD Policy states that DOJ will recommend a fine that is at least 50% lower than what would otherwise be available under the alternative fine provision and will not require the imposition of a monitor. However, at minimum, even in cases in which the company is receiving a NPA, the company will be required to disgorge all profits and be subject to forfeiture, and/or restitution resulting from the conduct.
In addition, other regulatory authorities such as OFAC, BIS, and DDTC may independently bring enforcement actions for potential violations. Under the VSD Policy, DOJ states that it will "endeavor to coordinate with and consider the amounts of fines, penalties, and/or forfeiture paid to other federal, state, local, or foreign enforcement authorities that are seeking to resolve a case with a company for the same misconduct."
Comparison with Other VSD Policies and Guidance
DOJ’s FCPA Corporate Enforcement Policy
The standards set out in the VSD Policy are largely identical to the requirements for voluntary self-disclosure, full cooperation, and timely and appropriate remediation in the 2017 FCPA Corporate Enforcement Policy (CEP). Indeed, in remarks delivered in conjunction with the VSD Policy, NSD Principal Deputy Assistant Attorney General David Burns confirmed that there was "coordination between NSD and the Criminal Division in anticipation of this Policy rollout." The overlapping requirements are also consistent with then DOJ Criminal Division Acting Assistant Attorney General John Cronan's announcement in 2018 that the CEP would serve as "nonbinding guidance" for corporate investigations beyond the FCPA context. Many aspects of the CEP were also incorporated into the DOJ's Criminal Resource Manual.
However, the VSD Policy diverges significantly from the CEP with respect to certain key aspects of the policy. First, the benefits associated with a voluntary self-disclosure differ between the CEP and the VSD Policy. Specifically, the presumptive result under the CEP is a "declination absent aggravating circumstances" whereas the presumptive result under the VSD Policy is an NPA without a fine, absent aggravating circumstances. In either case, the payment of disgorgement, forfeiture, and/or restitution is required.
Second, the CEP policy does not presume that a company will receive an NPA. As such, although a declination under the CEP is made public, the company is not generally required to admit misconduct under the CEP in the same way as described under an NPA, which reflects how CES differentiates the inherent risk to national security involved in these potential offenses.
Finally, for cases in which aggravating factors are present and a declination is not available, the CEP states that the Fraud Section will accord or recommend a "50 [percent] reduction off of the low end of the US Sentencing Guidelines" for companies that meet the CEP's self-disclosure, cooperation, and remediation standards, while the VSD Policy states that DOJ will accord or recommend a fine that is "at least 50% less than the amount that otherwise would be available under the alternative fine provision."
OFAC Enforcement Guidelines and BIS Enforcement Guidance
The VSD Policy generally tracks the enforcement guidance from OFAC and BIS with respect to the incentives offered to companies that voluntarily self-disclose.
OFAC's Economic Sanctions Enforcement Guidelines (the OFAC Guidelines), effective November 2009, provide companies with an attractive incentive to self-disclose violations of OFAC sanctions programs in exchange for the possibility of receiving an automatic 50% reduction in the base penalty amount for self-disclosures (calculated according to whether a case is deemed egregious or non-egregious).
BIS's Guidance on Charging and Penalty Determinations in Settlement of Administrative Enforcement Cases (BIS Guidance), effective July 2016, also provides for a 50% reduction in penalty or "up to one-half" reduction of the penalty for voluntary self-disclosures.
Beyond substantial VSD credit, both the OFAC Guidelines and BIS Guidance offer additional mitigation credit and, in some cases, no monetary penalty, where companies demonstrate exceptional cooperation and remediation of compliance lapses. Specifically, both include a 25% reduction for a "first violation" or if the company "has not received a penalty notice or Finding of Violation from OFAC in the five years preceding the date of the transaction giving rise to the apparent violation" or, for BIS, the company "has not been convicted of an export-related criminal violation or been subject to a BIS final order in five years, preceding the date of the transaction giving rise to the apparent violation." Both OFAC and BIS also provide for mitigation credit even in cases that do not involve a voluntary self-disclosure. OFAC refers to "substantial cooperation" and BIS to "exceptional cooperation" both providing for reductions of 25% to 40%.
It remains to be seen how the VSD Policy will be applied in practice – particularly given the broad discretion retained by DOJ under the revised policy. To qualify for the NPA or the sentencing recommendation, for example, companies have to meet the CES's rigorous and discretionary standards for what will qualify as (i) voluntary disclosure, (ii) full cooperation, and (iii) timely and appropriate remediation. Of course, it is up to CES to determine what constitutes aggravating conduct under the articulated factors. As noted, upper management involvement in criminal conduct is, per se, an aggravating factor. Accordingly, although the incentive is explicitly stated, DOJ has retained its discretion as to whether a company would qualify for that incentive.
Moreover, a company is disqualified from receiving mitigation credit if it discloses to other regulatory agencies, but not to CES, and CES judges the conduct to be willful, i.e., criminal, upon learning of it. Thus, there is a threat if a company fails to disclose if there is any chance the conduct could be viewed as deliberate, even if the other agencies resolve the matter civilly. CES stated that it would review the issue de novo and without reference to how the regulatory agencies resolved the disclosure. Clearly, CES expects this latter potential adverse consequence to be an added incentive driving self-reporting.
This approach appears to signal NSD's increasing desire to take the lead in determining whether to prosecute violations, rather than waiting for agencies to refer them to such matters. The VSD Policy also increases the complexity for a company in determining whether to self-disclose to NSD, a relevant regulatory agency, or both.
As a general matter, the process for disclosures to the regulatory agencies permits a company to conduct an internal investigation of potential violations and begin remediation prior to the agencies conducting their own review. However, the revised VSD policy may require a company to disclose a potential violation prior to the company completing its own investigation. As such, companies that have identified a potential violation must carefully evaluate when and to whom a disclosure is appropriate, including whether a disclosure to a regulatory agency would impact the company’s ability to receive the benefits of the VSD Policy.
Further, the VSD Policy raises two unresolved issues related to voluntary self-disclosures. First, it is unclear whether a company is eligible for mitigation credit for cooperation where it chose not to self-disclose. Other agencies, such as OFAC and BIS, provide mitigation credit for cooperation even in cases that do not involve a self-disclosure, as discussed above. It is not clear that such credit would be available from CES under the new VSD Policy. Second, it is unclear whether disclosure could be deemed voluntary when it is mandated by other regulators. These factors may impact a company’s decision of when and to whom to disclose.
The decision to self-report to DOJ and/or other agencies such as OFAC, BIS, and DDTC requires a careful balancing of various factors, including the likelihood that DOJ or another agency would otherwise discover the conduct and an assessment of potential penalties. For many companies, including financial institutions which have previously been the subject of heavy scrutiny, the VSD Policy has created new incentives that may favor a voluntary self-disclosure. And we will be interested to see – as it is not yet clear from the Guidance – whether or not CES will publicize NPAs and declinations in an effort to demonstrate and educate regarding the benefits of disclosure and cooperation. It is also not clear that the target companies would be willing to agree to such publication if the disclosure were otherwise confidential.
Moreover, companies must carefully assess and plan the sequence of any disclosure, especially where multiple disclosures may be involved. As detailed above, disclosure to a regulatory agency may not result in a benefit if the agency has already learned of the activity, a real concern, for example, to financial institutions already subject to extensive reporting obligations by their regulators. As such, companies must assess the likelihood that NSD will independently discover and pursue a violation in determining whether to voluntarily self-disclose. Companies should also consider whether to make multiple disclosures, and when, in light of the risks/benefits associated with making such disclosures to the relevant agencies under the revised VSD Policy.
Companies should also be mindful of the inherent risks of producing information and documents to the government that may be subject to countervailing concerns regarding data privacy and other laws promulgated in foreign jurisdictions. Moreover, full cooperation under the VSD Policy requires making even former company officers and employees, as well as third-party witnesses, available for interviews. There is a genuine question as to how CES expects a target company to compel the cooperation of such witnesses over whom it may have little leverage, and for whom CES is unlikely to have jurisdiction.
Finally, companies continue to be well-advised to ensure that their export control and sanctions compliance policies are up to date and their compliance programs, including their culture of compliance, are robust. As referenced above, CES will view mitigation of potentially aggravating factors through this lens.
Steptoe's export control and sanctions enforcement and compliance team stands ready to advise clients on the VSD Policy, including when, how to, and to whom to submit a voluntary-self disclosure. We will continue to monitor and report on export control and sanctions developments. Further commentary is available on the Steptoe International Compliance Blog. You can also follow us on Twitter (@SteptoeIntlReg).
 In this context, NSD uses the definition of willfulness set forth in Bryan v. United States, 524 U.S. 184 (1998), which states that an act is willful if done with the knowledge that it is illegal.
 The VSD Policy notes that "[w]hen a company claims that disclosure of overseas documents is prohibited due to data privacy, blocking statutes, or other reasons related to foreign law, the company bears the burden of establishing the prohibition."
 See VSD Policy Pg. 2 (stating that "[a]ggravating factors, as described below, include exports of items that are particularly sensitive or to end users that are of heightened concern; repeated violations; involvement of senior management; and significant profit.").
 See, 31 C.F.R. pt. 501, App. A (2019).
 See, 15 C.F.R. pt. 766, Supp. 1 (2019).