As the spring conference season winds down, there was one topic that remained top of mind. At the Food and Drug Law Institute (“FDLI”)’s Annual Conference on May 17-18, 2023, the U.S. Department of Justice (“DOJ”)’s Consumer Protection Branch (“CPB”), and the Food and Drug Administration (“FDA”) continued the discussion surrounding each agency’s approach to the CPB’s new Voluntary Self-Disclosure Policy for Business Organizations (“Voluntary Self-Disclosure Policy”). The Voluntary Self-Disclosure Policy responds to Deputy Attorney General Lisa Monaco’s September 2022 memorandum (the “Monaco Memo”), which directed all DOJ components that prosecute corporate crime to review or issue new written policies on corporate self-disclosure of criminal misconduct. The Monaco Memo, in turn, reflects the DOJ’s continued efforts to increase transparency and predictability for companies deciding whether to self-disclose misconduct. The DOJ’s continued efforts led the Criminal Division to announce its Corporate Enforcement and Voluntary Self-Disclosure Policy (“Criminal Division Policy”) in January 2023, and several other DOJ branches and divisions, including CPB, have followed suit, borrowing from the Criminal Division’s guidance while tailoring their policies to the specific matters within their jurisdiction. As part of the FDLI panel discussion, CPB and FDA provided their perspectives on the new CPB policy, discussed best practices to implement, and emphasized questions to ask and answer in the evaluation of a company’s compliance program.

Relatedly, in March 2023, the Department of Justice (“DOJ”) Criminal Division updated its Guidance on Evaluation of Corporate Compliance Programs (“Corporate Compliance Guidance”). Now that conference season is over and industry has had a chance to hear from the regulators, this would be a good time for companies to take note of the DOJ’s recent policy and guidance updates and review corporate compliance programs against the policy and guidance updates concurrently to determine a compliance program’s efficacy in identifying misconduct and in addressing any issues that arise.

This blog post will address the core aspects of the Corporate Compliance Guidance and Voluntary Self-Disclosure Policy and identify key areas of focus for companies seeking to bolster internal compliance programs and reporting functions.

I. January 2023 Update to Criminal Division Policy and February 2023 Release of CPB Voluntary Self-Disclosure Policy

The Foreign Corrupt Practices Act (“FCPA”) Corporate Enforcement Policy was created in March 2019 to encourage companies to voluntarily self-disclose misconduct in an FCPA matter to the Criminal Division with the presumption that the company will not be prosecuted for the self-disclosed misconduct absent aggravating circumstances. Aggregating circumstances can include, but are not limited to, the involvement of executive management of a company in its misconduct, significant profit to the company from the misconduct, and pervasiveness or repeated misconduct within the company. If declination is not available, the company may still be able to receive a reduced fine for such misconduct. The January 2023 update to the Corporate Enforcement Policy further clarifies how prosecutors may apply the facts and circumstances in their evaluation of whether to pursue a declination or criminal resolution.

January 2023 Update to the Corporate Enforcement Policy

In assessing the self-disclosure and surrounding circumstances, the DOJ requires prompt notification and cooperation from the company. Where a company has voluntarily self-disclosed misconduct to the Criminal Division, fully cooperated, and timely and appropriately remediated such misconduct (which includes payment of all disgorgement, forfeiture, and/or restitution resulting from the misconduct), the company can presume that it will receive a declination absent aggravating circumstances involving the seriousness of the offense or the nature of the offender.

Regarding the qualifications for a valid self-disclosure, the Criminal Division Policy maintains the timeframe found in the FCPA Corporate Enforcement Policy, requiring voluntary self-disclosures to be made in a “reasonably prompt time” after the company becomes aware of the offense and “prior to an imminent threat of disclosure or government investigation.” The timeframe for self-disclosure is stricter in the presence of aggravating factors, as noted below. Furthermore, the company must have no prior obligation to disclose the conduct to another regulatory agency. Food and drug companies in particular should take note of this requirement, as there may be many instances where an obligation to report a safety event would disqualify the company from receiving the benefits of the Criminal Division Policy.

Aggravating circumstances that may result in the determination of a criminal resolution include (1) the involvement of executive management of a company in its misconduct, (2) significant profit to the company from the misconduct, and (3) pervasiveness of misconduct or repeated misconduct within the company. However, per the updated Criminal Division Policy, prosecutors may still recommend and determine a declination if a company demonstrates that it:

  1. Made a voluntary self-disclosure immediately upon becoming aware of the allegation of misconduct;
  2. Had an effective compliance program and system of internal accounting controls at the time of the misconduct and disclosure; and
  3. Provided extraordinary cooperation with the Department’s investigation and undertook extraordinary remediation that exceeds the respective factors listed herein.

The updated Criminal Division Policy also requires proactive and full cooperation by the company being investigated, including the continuous and timely reporting and disclosure of relevant facts, preservation, collection, and disclosure of relevant documentation and information, as well as timely and appropriate remediation by the company, including a thorough analysis of the cause of misconduct, implementation of an effective compliance program to address the causes of misconduct, and appropriate discipline of employees engaged in or responsible for the misconduct.

February 2023 release of the CPB Voluntary Self-Disclosure Policy

The Voluntary Self-Disclosure Policy applies to all violations of the Federal Food, Drug, and Cosmetic Act. Following the general directive in the Monaco Memo, the Voluntary Self-Disclosure Policy states that CPB will not seek a guilty plea for such violations absent aggravating factors if the company voluntarily self-reports, fully cooperates, and appropriately remediates the misconduct.

To qualify as a voluntary self-disclosure, the report must be made directly to CPB, mirroring the Criminal Division’s stipulation that disclosure to another agency is insufficient. Other requirements track the Criminal Division’s policy. Regarding the content of the disclosure, however, the Criminal Division requires “all relevant, non-privileged facts” while the CPB policy on its face does not similarly exclude privileged information.

Aggravating circumstances that may result in the determination of a criminal resolution include, but are not limited to, (1) pervasiveness of misconduct throughout the company, (2) intentional or willful conduct placing consumers at a significant risk of death or serious bodily injury, (3) conduct that intentionally or willfully targets older adults, immigrants, veterans and servicemembers, or other vulnerable victims, and (4) the knowing involvement of upper management in the misconduct. The guidance expands upon the Criminal Division Policy by specifying the two categories of intentional or willful conduct; the Voluntary Self-Disclosure Policy, however, fails to address how the CPB will interpret and apply this language. CPB prosecutors are likely to be given wide discretion in characterizing such conduct and CPB noted that prosecutors will weigh aggravating factors on a case-by-case basis and consider any potentially mitigating factors that are included in a company’s disclosure, explaining further that harsher outcomes are more likely when there is a pattern of bad behavior, prior wrongdoing involving the same personnel, or a weak compliance culture promoting ambivalence to internal policies. 

Companies should also note that CPB will also not impose an independent compliance monitor for a company that cooperates with CPB and voluntarily self-discloses the relevant conduct, provided the company also demonstrates that it has implemented and tested an effective compliance program.

II. March 2023 Update to Guidance on Evaluation of Corporate Compliance Programs

The DOJ’s Criminal Division updated the Corporate Compliance Guidance, the first update in three years[1], to provide prosecutors with a set of factors to consider in the evaluation of a company’s compliance programs. While not required to incorporate the elements identified in the Corporate Compliance Guidance, companies may consider the update as a resource for any evaluation, revision, and/or implementation of their corporate compliance program. 

Among other updates, the changes to the Corporate Compliance Guidance included new additions and significant revisions to:

  1. Use of personal devices, communication platforms and messaging applications, including those offering ephemeral messaging; and
  2. Compensation structures to drive compliance or disincentivize non-compliant behavior and misconduct.

On the use of personal devices, companies should ensure they have (1) established and implemented policies governing the use of personal devices and third-party messaging platforms for corporate communications, (2) communicated, and provided training on, such policies to employees, and (3) enforced such device use policies effectively and addressed violations identified by the company. 

In discussing best practices for compliance programs during the FDLI conference, CPB emphasized that companies ought to have procedures in places to ensure access to any instances of misconduct, report any such instances as early as possible to minimize enforcement risk or resulting penalties, and remediate any violations. FDA emphasized that companies would be wise to implement procedures for uncovering the root cause of any misconduct that occurs as a company can only implement effective remediation and reap the full benefits of the Voluntary Self-Disclosure Policy after the underlying cause is identified. Further, while remediation is an important element of prosecutors’ assessment of circumstances, remediation alone is not sufficient. FDA noted that voluntary self-disclosures and full cooperation by the company in prosecutors’ investigations of any misconduct are crucial in achieving a presumed declination. In addition, companies should ensure they have sufficient resources to effectuate their compliance programs and avoid overly ambitious policies that they cannot actually implement as prosecutors will take not just the existence, but also the efficacy of a company’s compliance program into account when determining the appropriate resolution.

III. What Should Companies Do?

With DOJ’s revisions to the Evaluation of Corporate Compliance Programs and release of new voluntary self-disclosure policies, companies should proactively stress-test and update their compliance programs’ policies and procedures. In Assistant Attorney General Kenneth A. Polite, Jr.’s remarks on the January 2023 Updates to the Corporate Enforcement Policy, he notes that in 2022 alone, the DOJ Criminal Division’s Fraud Section (i) secured convictions of over 250 individuals, including more than 50 who were convicted at trial; (ii) entered into seven criminal resolutions with corporations; and (iii) announced two Corporate Enforcement Policy declinations. 

In evaluating and updating its compliance policies and procedures, a company may consider:

  1. Is the company’s compliance program well designed?
    • Are compliance policies and procedures comprehensive and well-integrated into the company’s operations and workforce?
    • Is the compliance program designed to maximize effective prevention and detection of misconduct by employees and management’s enforcement of the same?
  2. Is the company’s training and communications tailored to the composition, subject matter, and size of the company?
    • Are employees trained to address real-life scenarios?
    • Are employees provided with compliance policies and the resources to report misconduct on a case-by-case basis?
  3. Is the company applying risk-based diligence to third-party relationships?
  4. Is the company conducting comprehensive due diligence of any acquisition targets?
    • Once acquired by the company, are acquisition targets appropriate integrated with the company and trained on the company’s compliance program requirements?
  5. Is the company’s compliance program empowered to act?
    • Are senior leaders at the company fostering a culture of compliance?
    • Is the company’s compliance program adequately funded to investigate any allegations of misconduct, and to remediate any misconduct?
    • Are the company’s resources reflective of the size and composition of the company and its workforce?
  6. Are a company’s compensation structure and consequence management efforts effective?
    • Does the compliance program establish incentives for compliance and disincentives for non-compliance?
    • Does a company impose financial penalties to deter risky behavior and foster a culture of compliance?
    • Are disciplinary actions made publicly available to the workforce?
  7. Does a company’s compliance program work in practice?
    • Is the compliance program regularly audited (i.e. tested, revised, and updated, as needed)?
    • What are the company’s investigation procedures and how does the company respond to findings?

Given the DOJ’s recent policy updates to both pre-emptive guidance and enforcement policies and the Department’s concerted efforts to answer questions and propose recommendations to companies, companies should proactively evaluate their compliance programs and update policies and procedures, as needed, to avoid potential enforcement risks.


[1] On June 1, 2020, the DOJ Criminal Division released revised guidance to be used in the design and evaluation of corporate compliance programs building upon guidance issued in April 2019 related to the evaluation of corporate compliance programs and expanding on the DOJ’s 2017 guidance on the same topic.