I. WHAT IS A MONITOR?

"A monitor is an independent third party who assesses and monitors a company's adherence to the compliance requirements of an agreement that was designed to reduce the risk of recurrence of the company's misconduct."1 The Department of Justice ("DOJ") first set forth the guiding principles for when a corporate monitor should be appointed in the "Morford Memo" in 2008. The DOJ has since supplemented this guidance with the 2009 "Breuer Memo," the 2010 "Grindler Memo," and the 2018 "Benczkowski Memo." Yet from 2018 until recently there has been a strong presumption in and around the DOJ against the use of corporate monitors. Even so, Deputy Attorney General Lisa O. Monaco ("DAG" Monaco) spearheaded a mission to bring corporate compliance monitors back in style. In the past two to three years, there has been a shift in the use of monitors. No longer are monitors "shrouded in secrecy" and "disfavored" among government attorneys. This is mainly because of DAG Monaco's initiative to increase the use of monitors in nonprosecution agreements ("NPAs") or deferred prosecution agreements ("DPAs").

II. MONITORS "IN VOGUE" AGAIN

The use of monitors has ebbed and flowed over the years. The current administration has signaled that imposing compliance monitors at the resolution of an enforcement action may be back in fashion.

On October 28, 2021, DAG Monaco stated that "to the extent that prior Justice Department guidance suggested that monitorships are disfavored or are the exception, I am rescinding that guidance. Instead, I am making clear that the department is free to require the imposition of independent monitors whenever it is appropriate to do so in order to satisfy our prosecutors that a company is living up to its compliance and disclosure obligations under [a] DPA or [an] NPA . . . For clients negotiating resolutions, there is no default presumption against corporate monitors. That decision about a monitor will be made by the facts and circumstances of each case."2 The speech was accompanied by a memo issued the same day (the 2021 Monaco Memo), that, among other things, included revisions to prior monitorship guidance.3

This call for prosecutors to "not apply any general presumption against requiring an independent compliance monitor" led to serious pushback. Critics condemned the lack of transparency surrounding the selection of compliance monitors, as well as the little guidance monitors have about the scope of their roles. Therefore, in a September 15, 2022 speech DAG Monaco noted that the DOJ is "releasing new guidance for prosecutors about how to identify the need for a monitor, how to select a monitor, and how to oversee the monitor's work to increase the likelihood of success." 4 This speech was accompanied by a memorandum issued the same day (the 2022 Monaco Memo), that set forth, among other things, the factors the DOJ will consider when evaluating whether imposing a compliance monitor is appropriate, guidelines for selecting a monitor, and guidelines for the DOJ to oversee the monitor's work. 5

A. When a Monitor Should Be Appointed

As set forth in the 2021 Monaco Memo, "the Department should favor the imposition of a monitor where there is a demonstrated need for, and clear benefit to be derived from, a monitorship. Where a corporation's compliance program and controls are untested, ineffective, inadequately resourced, or not fully implemented at the time of a resolution, Department attorneys should consider imposing a monitorship ... Conversely, where a corporation' s compliance program and controls are demonstrated to be tested, effective, adequately resourced, and fully implemented at the time of a resolution, a monitor may not be necessary." 6

Subsequently, the 2022 Monaco Memo set forth 10 specific factors for the DOJ to consider when assessing whether a compliance monitor should be appointed as part of the resolution of a corporate criminal matter:

  1. Did the company voluntarily self-disclose the misconduct?
  2. Did the company implement an effective compliance program to detect and prevent similar future misconduct?
  3. Have the compliance program and internal controls been tested?
  4. Was the misconduct long-lasting or pervasive?
  5. Did the misconduct arise from the exploitation of an inadequate compliance program or inadequate internal controls?
  6. Did compliance personnel actively participate in or fail to escalate the wrongdoing?
  7. Did the company take adequate investigative and remedial measures?
  8. At the time of resolution, has the company's risk profile changed such that recurrence is unlikely?
  9. Does the company have unique compliance challenges or risks?
  10. Is the company subject to the oversight of other regulators or a monitor imposed by another regulator?

In sum, "the Department will not require the imposition of an independent compliance monitor for a cooperating corporation that voluntarily self-discloses the relevant conduct if, at the time of resolution, it also demonstrates that it has implemented and tested an effective compliance program."7 Accordingly, assuming that the company self-reported the misconduct, the fundamental questions are (a) whether the company's remediation and compliance program enhancements are reasonable and proportionate to the severity, pervasiveness, and duration of the underlying misconduct; (b) whether the new control framework is appropriately and reasonably designed to address the company's risk profile; and (c) whether the new control framework has been sufficiently and robustly tested to demonstrate that it works as designed. In most instances, the company will need to provide at least two rounds of testing to demonstrate that the controls are in fact effective.

Therefore, as a practical matter, in order to avoid the imposition of a monitor, companies under investigation should begin their root cause analysis and remedial measures well in advance of settlement discussions with the government so that there is sufficient time to build, implement, and test the new control framework.

B. The Monitor Selection Process

Pursuant to the 2022 Monaco Memo, each division within the DOJ that does not already have a publicly available monitor selection process, must adopt an existing DOJ process or develop and publish its own selection process before December 31, 2022. The 2022 Monaco Memo further sets forth parameters for monitor selection process "elements that promote consistency, predictability, and transparency":

  1. Consideration of monitor candidates will be conducted by a standing or ad hoc committee, which includes an ethics official or professional responsibility officer to ensure no conflicts of interest in the selection of the monitor, and the committee will prepare a memorandum to file confirming that no conflicts of interest exist.
  2. The monitor selection process must be consistent with the DOJ's commitment to diversity and inclusion.
  3. Prosecutors must document the reasons why a monitor is appropriate and seek approval for requiring a monitor from the Office of the Deputy Attorney General unless the monitor is court-appointed.8

In most instances, the company will select three candidates for the government agency requiring the monitor to consider. The government agency has the option of indicating a preferred candidate or rejecting all the candidates and requesting more candidates for consideration. Candidates must be wholly independent of the company — meaning that they have not done work for the company before and that they agree to not do any work for the company for a period of time following the conclusion of the monitorship.

C. The Monitor's Role

The scope of the monitor's role is tailored to the misconduct and related compliance deficiencies of the company it is serving. The stated objectives of the monitorship typically include ensuring compliance with the terms of agreement (DPA, NPA, or guilty plea), preventing recurrence of misconduct and corporate recidivism, ensuring the company fully remediates perceived compliance program deficiencies, and improving the company's internal controls. Indeed, as set forth in a recent Guilty Plea Agreement, "[t]he Monitor's primary responsibility is to assess and monitor the Company's compliance with the terms of the Agreement . . . The Company shall fully cooperate with the Monitor, and the Monitor shall have the authority to take such reasonable steps as . . . may be necessary to be fully informed about the Company's compliance program."9

The monitor will draft a work plan, conduct a review of the company, and issue a report — typically, one report per year — that contains recommendations for compliance program enhancements and improvements to internal controls. The company has the right to disagree with the monitor's conclusions or recommendations; however, these disagreements typically are resolved by the government agency that required the imposition of a monitorship in the first place. The monitor's conclusions and written reports regarding the effectiveness of the company's compliance program and internal controls are based on:

  • Inspection of relevant document
  • On-site observation of selected systems and procedures, including
    • Internal accounting controls
    • Record-keeping
    • Internal audit procedures
  • Meetings and interviews of relevant employees, including senior directors and the board of directors
  • Analyses, studies, and testing of the company's compliance program
  • Interviews with former employees and third parties where reasonable and practicable to do so.

At the conclusion of the term of the monitorship, typically 18 to 36 months, the monitor will issue a final report and a certification that the company has complied with the terms of its agreement with the government and that the company's compliance program is reasonably designed, implemented, and self-sustaining. If the government accepts the monitor's certification, then the monitorship concludes.

Importantly, according to the terms of most monitorships, if the monitor discovers misconduct, then there is mandatory reporting to company's general counsel, chief compliance officer, and/or the audit committee of the company's board of directors. If the monitor discovers a violation of law, in particular a violation of law that is of a nature similar to the underlying enforcement action, then typically the written terms of the monitorship will require the monitor to notify the regulatory or governmental agency supervising the monitorship.

While the monitor will mainly be interacting with the company, the government will remain involved with the monitor. For example, the government will receive regular updates to verify that the monitor is staying on task and on budget.

III. RECENT EXAMPLES OF MONITORS

The past year has seen the imposition of monitors in several high-profile cases. The recent flurry of monitor related activity perhaps gives an early indication that gone are the days when monitors were "disfavored" and that monitors are here to stay (at least for the near future).

A. Stericycle

In April 2022 the DOJ announced it entered into a three-year DPA with Stericycle to resolve allegations that Stericycle Inc. violated the Foreign Corrupt Practices Act ("FCPA"). These violations stemmed from the company paying approximately $10 million in bribes to government officials in foreign countries to obtain and retain business and other advantages. The company earned at least $21.5 million in profits from this illegal scheme. Thus, Stericycle agreed to pay more than $84 million to resolve parallel investigations in the U.S. and Brazil. What is even more noteworthy is that this staggering dollar amount reflected the maximum cooperation credit under the FCPA Corporate Enforcement Policy without voluntary self-disclosure (a 25 percent reduction from the low-end of the U.S. Sentencing Guidelines fine). Still, despite the company's full cooperation, the DPA also imposed an independent compliance monitor for two years, potentially proving the shift in DOJ ideology discussed by DAG Monaco.10

B. Glencore

Similarly, in May 2022 Glencore International A.G., a subsidiary of Switzerland-based commodity trading company Glencore, pleaded guilty to violations of the FCPA. This guilty plea stemmed from a conspiracy within the company to pay over $79.6 million in order to secure improper advantages to obtain and retain business with state-owned entities in foreign countries. Under the plea agreement, Glencore needed to retain an independent compliance monitor for three years. The DOJ's press release notes that while Glencore did take remedial steps to cure the misconduct, "certain of the compliance enhancements are new and have not been fully implemented or tested to demonstrate that they would prevent and detect similar misconduct in the future" so a monitor was necessary.11

C. Ephemeral and Off-Channel Messaging

In perhaps the most buzzworthy crack down of 2022, regulators from the Securities and Exchange Commission ("SEC") and Commodity Futures Trading Commission ("CFTC") handed out over $1.8 billion in fines to several prominent financial institutions in connection with violations of electronic communications storage rules. Through their investigation, regulators uncovered "pervasive off-channel communications" and noted that many employees were regularly using textmessaging applications to communicate about business matters. The firms failed to preserve a vast majority of these communications, as required by law, potentially depriving the government of these off-channel communications. As a result, leading banks such as Barclays and Goldman Sachs will be required to pay over $100 million each in fines. But the hefty price tag associated with this wrongdoing is not its only noteworthy aspect. In addition to the significant financial penalties levied, each of the firms also agreed to retain "compliance consultants." These consultants, who are essentially compliance monitors, are to "conduct comprehensive reviews of [the company's] policies and procedures relating to the retention of electronic communications found on personal devices and their respective frameworks for addressing non-compliance by their employees with those policies and procedures." The retention of compliance monitors in these SEC and CFTC matters, in addition to the substantial fines, not only signals the Biden Administration's aggressive approach in deterring future misconduct, but also it indicates that compliance monitors are perhaps the new reality across many regulatory agencies.12

IV. 10 BEST PRACTICES AND OTHER TIPS FOR COMPANIES THAT ARE REQUIRED TO ENGAGE A COMPLIANCE MONITOR

A corporate monitorship is often a fast-paced and resource-intensive experience. It is also akin to a three year marriage without the possibility of a divorce. The company and the monitor will be spending a significant amount of time together, the relationship will have periods of stress, but you have no choice but to figure out a solution to get through the particular issues of the day. Below, we set forth 10 best practices and other tips for companies about to embark on a corporate monitorship journey. From our experience, a monitorship need not be fatal to a company's on-going operation; in fact, a monitorship can help the company to be a better, stronger organization going-forward.

1. Monitor selection and vetting. In most instances in which a corporate resolution requires a monitor, it is the company's obligation to identify at least three candidates from whom the government selects who will be the monitor. The government typically has the authority to reject all the candidates and request additional options. The candidates must be "independent," which means that they have not done work for the company before, are experts in the relevant legal field, and are familiar with the company's industry.

Companies should interview candidates prior to submitting their names to the relevant government agency for consideration. During the interview process, the company should assess whether the candidate understands that a monitorship is a forward-looking exercise, not a continuation of the underlying enforcement action. Likewise, the company should seek the candidate's views on matter staffing, scope, and pricing, as well as whether the candidate intends to use a forensic accounting firm for controls testing (and the proposed scope of work for that accounting firm). In our experience, companies would be well served to identify monitor candidates who have significant experience building, implementing, and operationalizing compliance programs and related controls. Such a candidate likely will understand the need to balance the commercial realities of running a business with the need to operate compliantly. Monitors without hands-on compliance experience may be too theoretical, and not practical, in their approach to compliance program design. Candidates should be mindful of commercial realities and appreciate that companies must accept some degree of risk every day in order to operate their business.

2. Orienting the monitor to the company's business and compliance program. In most instances, the resolution documents set forth a 30-day period from the engagement of the monitor to the submission of the monitor's work plan to the relevant government agency. During this time, it is helpful to orient the monitor to the company's business and compliance program so that the work plan can be as precise as possible, which in turn will lead to a more organized review period and, hopefully, less mission-creep from the monitor, as the monitor will be less likely to go down the proverbial rabbit hole on an irrelevant issue.

By definition, the monitor will not be familiar with the company, its operations, or its risks. Invite the monitor and the monitor's team to come on-site to the company's headquarters for a few days. During that time, provide the monitor and team with presentations relating to the company's operations, risk assessments, and recent internal audit reports. Offer walk-throughs of key compliance controls and internal accounting controls so that the monitor can include testing protocols for those controls in the work plan. It may be helpful to have investigation counsel provide the monitor's team with a high-level overview of the investigation findings and any identified control deficiencies.

3. The monitor's work plan. Once the monitor is selected and appropriately oriented to the company's business and compliance program, the next substantive step will be the creation of a work plan. The work plan is the first and best opportunity for the company to define the scope, limit mission creep, and contain costs. Which systems, processes, and controls does the monitor plan to test? Does the monitor need to hire a forensic accounting firm to assist with that testing? Can the monitor rely on or otherwise leverage the company's own compliance or internal audit testing? Which company sites does the monitor need to visit in person? Which employees does the monitor plan to interview? For employees in satellite offices, can those employees be interviewed remotely? Does the monitor need to do an e-mail review? If so, how can the custodians or search terms be crafted to limit the volume of documents to be reviewed? From the company's perspective, it is prudent to flesh out these scope-related issues in detail at the outset in the work plan documents, accounting records, transaction testing, site visits, interviews, and audit walkthroughs. Designating internal point-persons who have both the responsibility and the authority to promptly provide responsive materials to the monitor is critical to keeping the monitorship on schedule. Some companies choose to formally create a Monitor Liaison Office ("MLO") within their legal or compliance departments. Other companies choose to hire an outside counsel to assist with responding to the monitor's requests.

4. The Company's point person or response team. Most resolution documents require that the monitor issue an initial report to the relevant government agency within 120 days of receiving approval for the work plan. It is impossible to overstate the frenetic pace of these four months, and it will be the full-time job of one or more persons to respond to the monitor's requests for documents, accounting records, transaction testing, site visits, interviews, and audit walkthroughs. Designating internal point-persons who have both the responsibility and the authority to promptly provide responsive materials to the monitor is critical to keeping the monitorship on schedule. Some companies choose to formally create a Monitor Liaison Office (“MLO”) within their legal or compliance departments. Other companies choose to hire an outside counsel to assist with responding to the monitor's requests.

5. Document production. The existence of the monitor is publicly available information, and monitorships attract scrutiny from journalists, shareholders, competitors, and the general public. Over the years, litigants have sought information and documents related to a monitorship through Freedom of Information Act (“FOIA”) requests, with varying degrees of success. For example, in 100 Reporters LLC v. DOJ, a federal district court held that certain documents prepared by a monitor, including a monitor's work plan and work product — namely the interim and final reports, may be subject to disclosure under FOIA.13 As a practical matter, the company should produce documents to the monitor as if it were producing documents to the government directly — with Bates numbers and appropriate FOIA legends. Likewise, the company should work with the monitor to see whether materials containing commercially sensitive information can be reviewed and analyzed on-site rather than transmitted to the monitor.

6. Interview preparation. As part of the assessment of the company, its compliance program, and its controls, the monitor will need to conduct informational interviews with various employees to understand the efficacy of the compliance program and whether the company is adequately and sufficiently addressing and mitigating its risks. It is imperative that company counsel prepare employees prior to speaking with the monitor. Although the monitorship is not an investigation and the interview is not a "gotcha" exercise, the employees are in effect speaking with the agent and proxy of a regulator, and employees should understand the importance of being truthful and approach the interview with the appropriate demeanor. Where possible and permitted, company counsel should attend these interviews in order to understand any issues as they arise in real time or to assist when an employee, particularly an employee for whom English is not a native language, misunderstands a question.

7. Managing disagreements with the monitor. As previously mentioned, entering into a monitorship is like entering into a marriage without the possibility of divorce. Undoubtedly, as is the case with any intense relationship, there will be disagreements, and the prudent course of action is to pick your battles. For example, in each periodic report, the monitor will make a number of recommendations: some will be helpful and thoughtful; some may be burdensome to implement; and some simply may not work for the company's business operations. Is the proposed control change or process change truly unworkable or is it merely inconvenient? If it is impossible, then you should have a respectful conversation with the monitor with reasons why the recommendation does not work. Keep in mind that the ultimate arbiter of any dispute between the company and the monitor is the government agency that required the monitor in the first place. Accordingly, the company would be wise to escalate issues to the government only in limited circumstances where the company can demonstrate through documents or otherwise that the monitor is being unreasonable or has made a conclusion based on a misunderstanding. Furthermore, engaging the government agency repeatedly on a number of relatively minor disagreements may cause the company to lose credibility to its detriment if a more consequential disagreement with the monitor arises later.

8. Implementing the monitor's recommendations. In each periodic report, the monitor will make recommendations for improvements to the compliance program and the company's internal controls. Typically, the first review period will have the most recommendations (perhaps 100 or more) that need to be implemented within 90 days before the monitor submits the work plan for the next review period. The company's MLO or some other person needs to be tasked with implementing or overseeing the implementation of the recommendations. Monitorships can be delayed or extended when the company fails to timely implement the recommendations such that the changed procedures, protocols, or controls can be tested in the next review period.

9. What to do when things "go wrong". Three years is a long period of time in any organization. Undoubtedly, something will "go wrong" during that time. It may be something relatively trivial, such as senior executives failing to attend compliance trainings or failing to complete annual certifications on time, or it may be something far more consequential, such as a serious breach of the company's anti-corruption policy or as a whistleblower report alleging wrongdoing by senior leadership in an overseas subsidiary. Indeed, even the DOJ and SEC concede and "understand that 'no compliance program can ever prevent all criminal activity by a corporation's employees,' and they do not hold companies to a standard of perfection."14 Accordingly, critical to the monitorship is how the company handles the particular bump in the road.

Whatever the "bump in the road" may be, the company should not assume that the monitor will not find it. The monitor and the monitor's team, which likely includes forensic accountants, have near unfettered access to the company's documents, records, and employees. Furthermore, if the monitor discovers the matter without the company having flagged it — particularly if it involved an issue the company is obligated to report to the monitor or to the government pursuant to the resolution documents — then the monitor likely will lose faith and trust that the company is an honest partner in its remedial efforts and the monitorship. Even worse, the relevant government agency could conclude that the company is in breach of its agreement with the government, require that the monitorship be extended, or seek to impose further penalties.

The far better approach is to be open and honest with the monitor when a problem arises and keep the monitor apprised of the issue and what the company is doing to address it. In some respects, if the company properly identifies, investigates, and remediates an unexpected issue, then the company could use the episode as evidence that the compliance controls work as designed, thus turning the compliance hiccup to its advantage when it comes time for the monitor to certify that the compliance program is reasonably designed and implemented to detect and prevent violations of law and is functioning effectively.

10. Maintain trust and open dialogue with the monitor. The ultimate goal for all stakeholders is for the monitor to certify the end of the designated monitorship period. If there is a loss or a lack of trust, then the monitor may have a hard time signing onto the certification that will end the monitorship. Accordingly, throughout the process, the company should be mindful of the importance of transparency, cooperation, and open dialogue with the monitor.

Footnotes

1. DOJ and SEC, "FCPA — A Resource Guide to the U.S. Foreign Corrupt Practices Act," Washington DC (July 2020) at https://www.justice.gov/criminal-fraud/file/1306671/download.

2. DAG Monaco Gives Keynote Address at ABA's 36th National Institute on White Collar Crime, Washington, DC (Oct. 28, 2021), https://www.justice.gov/opa/speech/deputy-attorney general-lisa-o-monaco-gives-keynote-address-abas-36thnational-institute.

3. DAG Monaco, "Corporate Crime Advisory Group and Initial Revisions to Corporate Criminal Enforcement Policies," DOJ (Oct. 28, 2021), https://www.justice.gov/dag/page/file/ 1445106/download.

4. "DAG Monaco Delivers Remarks on Corporate Criminal Enforcement," New York, NY (Sept. 15, 2022), https://www.justice.gov/opa/speech/deputy-attorney-generallisa-o-monaco-delivers-remarks-corporate-criminal enforcement.

5. DAG Monaco, "Further Revisions to Corporate Criminal Enforcement Policies Following Discussions with Corporate Crime Advisory Group," DOJ (Sept. 15, 2022), https://www.justice.gov/opa/speech/file/1535301/download.

6. DAG Monaco, "Corporate Crime Advisory Group and Initial Revisions to Corporate Criminal Enforcement Policies," DOJ (Oct. 28, 2021), https://www.justice.gov/dag/page/file/ 1445106/download.

7. DAG Monaco, "Further Revisions to Corporate Criminal Enforcement Policies Following Discussions with corporate Crime Advisory Group," DOJ (Sept. 15, 2022), https://www.justice.gov/opa/speech/file/1535301/download.

8. DAG Monaco, "Corporate Crime Advisory Group and Initial Revisions to Corporate Criminal Enforcement Policies," DOJ (Oct. 28, 2021), https://www.justice.gov/dag/page/file/ 1445106/download.

9. US v. Glencore Int'l A.G., 22-crim-297 (Guilty Plea, Attachment D) (SDNY May, 24, 2022), https://www.justice.gov/criminal/ file/1508266/download/.

10. 0 "Stericycle Agrees to Pay Over $84 Million in Coordinated Foreign Bribery Resolution," DOJ Press Release (Apr. 20, 2022), https://www.justice.gov/opa/pr/stericycle-agrees-pay over-84-million-coordinated-foreign-bribery-resolution.

11. "Glencore Entered Guilty Pleas To Foreign Bribery And Market Manipulation Conspiracies," DOJ Press Release (May 24, 2022), https://www.justice.gov/usao sdny/pr/glencore-entered-guilty-pleas-foreign-bribery-and market-manipulation-conspiracies.

12. "SEC Charges 16 Wall Street Firms with Widespread Recordkeeping Failures," SEC Press Release No. 2022-174 (Sept. 27, 2022), https://www.sec.gov/news/press-release/2022- 174; "CFTC Orders 11 Financial Institutions to Pay Over $710 Million for Recordkeeping and Supervision Failures for Widespread Use of Unapproved Communications Methods," CFTC Press Release No. 8599-22 (Sept. 27, 2022), https://www.cftc.gov/PressRoom/PressReleases/8599-22

Originally published by The Review of Securities & Commodities Regulation

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.