Life under a DPA is no picnic for senior executives: it gives governments a more efficient way of holding individuals to account and of changing a firm’s compliance culture from within.
“No company wishes to be prosecuted, given the expense and reputational damage involved as well as the risk of being barred from tendering for public sector contracts if it is convicted,” said Alun Milford, Partner at Kingsley Napley LLP. “Only those companies that offer full cooperation with the authorities will be invited to enter into a DPA. These agreements are not a soft option, however, and the conditions of any DPA offered need to be considered very carefully.”
Researchers at the University of Toronto and Tulane University found that companies subject to DPAs experienced substantial hits to share prices in the first three years compared to those that were prosecuted. They also found that DPA businesses experienced “negative real consequences” after entering an agreement, measured by falls in both sales and employee numbers.
“These results are inconsistent with the idea that DPAs reduce the collateral damage to stakeholders who are not responsible for the crimes committed by the organization,” said R. Christopher Small, Rotman School of Management, University of Toronto.
Mainstays of a DPA
Payment of a financial penalty – sometimes hundreds of millions of dollars – and implementing better compliance programs are the mainstays of a DPA. But the real pain often comes from the ongoing monitoring and cooperation in any further investigation related to the alleged offence.
In the US, the terms typically include an agreement to be assessed regularly for compliance by an independent individual or organization, known as a “monitor”. Monitors have proven so expensive that consideration is often given to their duties and terms of oversight.
In 2012, HSBC apologized and paid a record $1.9bn fine to US authorities as part of a DPA concerning allegations that billions of dollars in drug money had been laundered through its Mexican branches by cocaine cartels. The independent compliance monitor appointed to assess progress, and the subsequent compliance upgrades, cost the bank north of $1bn.
For these reasons, legal experts will often work closely with firms beforehand to weigh the significant ancillary considerations involved in deciding whether or not to enter into a DPA.
The practice began in the US, and in recent years it has spread to the UK (in 2014) and beyond, as lawmakers everywhere appreciated that they could levy large fines and request behavioral changes rather than risk losing a prosecution.
The US Securities and Exchange Commission (SEC) first flexed its muscles in 2011 after accusing steel pipe manufacturer Tenaris of bribing Uzbekistan government officials during a bidding process to supply pipelines for transporting oil and natural gas. Enforcers found Tenaris had made $5m in profit and, under the terms of the DPA, the company had to pay $5.4m in disgorgement and prejudgment interest.
A year later, the SEC agreed its first DPA with an individual, Scott Herckis of Heppelwhite Fund LP. The Connecticut-based hedge fund was charged with misleading investors and misappropriating about $1.5m in fund assets. A New York federal judge ordered the distribution of $6m of the assets of Heppelwhite’s founder, Berton Hochfeld, to defrauded investors.
Several other countries, including Canada, France, Singapore and Australia, have either introduced or are considering DPAs now. While the regimes are broadly similar in approach, there are differences in scope and application across jurisdictions.
Despite the impression some regulators have given, the law does not require a company to admit criminal conduct in order for prosecution to be suspended for a set period. Once an agreement is struck, conditions are laid out. If the conditions are met over time, then the prosecutor will drop the criminal proceedings and the company will avoid the risk of a conviction.
“In the UK, DPAs can only apply to offences of fraud, bribery and other economic crime,” said Josie Welland of Rahman Ravelli law firm. “In the US, however, DPAs can be used for a wider range of wrongdoing, although they are most commonly used for bribery and corruption, environmental and health and safety offences.”
US authorities have a wider discretion when it comes to their use, although there are restrictions on cases involving national security, foreign affairs and the conduct of government officials, she explains. In both the US and UK, DPAs apply to organizations, but one major difference between the regimes is that the US can also agree them with individuals.
Conducting the misconduct
The UK also differs from the US regarding the bodies that are able to enter into a DPA, said Welland. Under Schedule 17, Part 1 of the Crime and Courts Act, only “designated prosecutors” can enter a DPA. Designated prosecutors include the Serious Fraud Office (SFO) and the Director of Public Prosecutions.
“In the US, however, federal, state, and county prosecutors, and those in other positions with the authority to enforce federal and state regulations, have the power to enter into a DPA,” Welland said. “This may partly explain why 2019 alone saw 17 corporate DPAs concluded in the US – eight more than have ever been reached in the UK since Schedule 17 came into effect.”
British bank Standard Chartered signed a two-year DPA in 2012 with the US Justice Department and the state of New York for illegally transferring millions of dollars through the US financial system on behalf of sanctioned countries, including Iran. It initially agreed to forfeit $227m. Two years later, however, before the agreement expired, prosecutors reopened the investigation following claims that the bank hadn’t fully disclosed the extent of its wrongdoing by continuing its misconduct.
A three-year extension of the DPA was agreed, and Standard Chartered had to pay another $667m, promising to “work closely with the authorities to make additional substantial improvements” to its sanctions compliance. In 2017, again just before the deal was due to expire, the terms were extended once more because the bank hadn’t made sufficient progress.
By 2019, the bank was still struggling to find an acceptable resolution with the US, and its chief executive warned that the final penalties could reach more than $1bn.
The reasons for the continued extensions, rather than simply taking the bank to trial, were never made public, but legal experts believe prosecutors were more interested in working with the company to bring it into compliance. Although not as damaging as a court case may have been, the monitoring program ran longer than seven years with a bill of $1bn and counting.
Some commentators speculated that a Biden government, combined with the economic damage wrought on the planet as a result of the pandemic, could force regulators to stand down their enforcement drive. Wishful thinking.
“The world changed significantly in 2020,” said Joel Cohen, white collar crime specialist in the New York office of law firm Gibson Dunn, and the man who as a federal prosecutor took down Jordan “Wolf of Wall Street” Belfort. “Amid the uncertainty wrought by Covid-19, however, the use of corporate non-prosecution agreements and DPAs by the US Department of Justice proved to be a constant,” Cohen said. “The year 2020 proved to be a record-breaking year in terms of the sums recovered through corporate resolutions, and the busiest full year under this Administration’s Justice Department when measured by the number of agreements concluded.”
DPAs are growing in number, and the total fines are also soaring, with more than $9.4bn recovered by the US in 2020.
Through 2020, a record-breaking 13 resolutions each with total recoveries of $100m or more were struck, ensuring more agreements over the $100m threshold were reached than in any other year in the last two decades. Together, the top 13 resolutions accounted for approximately 94% of total recoveries in 2020, lawyers at Gibson Dunn found.
With recoveries in 2020 totalling nearly twice the average yearly recoveries from 2005 through 2020, it remains to be seen whether 2020 proves an outlier, they said, or whether the overall trend towards more resolutions above the $100m and $1bn thresholds continues.
Even the onset of Covid-19 and the need to quickly adjust to new working arrangements has done little to slow the march of US authorities, who are striking more costly DPAs than ever. And there is clear evidence others around the world are following in their path.
In January 2020, the SFO entered into a €991m DPA with Airbus as part of a €3.6bn global resolution, its ninth since 2014, and it later followed up with guidance to firms that it was constantly reviewing the threshold for an agreement.
Data analytics as defense
In October 2020, the UK’s fraud watchdog published a section from its internal handbook regarding its approach to DPAs, stating it would “provide further transparency” on what it expects from companies looking to cooperate.
One new aspect not previously in the public domain, under the heading “Corporate compliance programs”, concerns the ability of the prosecutor, when drawing up remediation terms, to consider whether it is necessary and proportionate to require the company “to adopt the use of data analytics to test compliance controls and behaviour.”
If the company does not have an adequate compliance program in place, the DPA may require it to be enhanced with stronger systems and controls, pushing the corporate towards more advanced data storage and surveillance.
“Consistent with global trends, the guidance notes that such obligations may include the use of data analytics to test the company’s compliance program,” said Judith Seddon, of Boston law firm Ropes & Gray.
Any company seeking to resolve allegations of misconduct will have to make improvements to its systems and controls to help prevent any recurrence, said Caroline Doherty de Novoa, of London magic circle firm Freshfields Bruckhaus Deringer. The new guidance is quite high level, she said, noting the fresh line on the use of data analytics to bolster compliance controls and conduct. “While the SFO has so far stopped short of imposing formal monitors, some form of corporate renewal has been a feature of all DPAs to date,” Doherty de Novoa said. “The direction of travel has been for these requirements to be more structured and, in some cases, more intrusive.”