As US regulators get tough on DPAs, it’s clear cooperation only goes so far

The Biden administration’s crackdown on white collar crime is manifesting itself in a number of ways – from the CFTC’s aggressive enforcement of its anti-market manipulation provisions, through to the recent unveiling of the United States Strategy on Countering Corruption.

Firms that have previously come under the microscope of regulators now find themselves in a trickier position than before. Partly this is due to the treatment of Non-Prosecution Agreements (NPAs) and Deferred Prosecution Agreements (DPAs).

Historically, as long as a firm was able to demonstrate it had addressed the infraction for which a DPA was put in place, that was usually the end of the matter. Now, however, we’re seeing the US Government and regulators coming down hard on companies for any subsequent infractions – even where those bear little or no resemblance to the first offence.

The second offence may have taken place years later, or happened in a different market, or occurred on a much-reduced scale – or even been of an entirely different nature to the first offence. Regardless, regulators now seem to be taking a much tougher stance. We’ve seen recently a number of major financial institutions bear the brunt of this.

There is an argument, therefore, that cooperating with regulators when subject to a DPA doesn’t get you as far as it used to. On top of that, regulators are also raising the bar when it comes to cooperation requirements. The US Department of Justice announced late last year that corporations would only get credit for cooperating with the government if they disclosed evidence of “all individuals involved in or responsible for the conduct under investigation” rather than just those who were “substantially involved” in that conduct.

Individuals increasingly in the firing line 

The DoJ says this approach allows it to conduct its own investigations and evaluate the culpability of all individuals involved. This emphasis on individual accountability is part of an increasing focus on prosecuting corporate executives for financial crimes. Historically, such individuals were often shielded by the financial institution they belonged to – not anymore. Regulators are increasingly looking to prosecute not only the individuals directly responsible for the conduct, but those further up the chain of command, with the threat of fines or even jail time if offences are proven.

This increase in personal liability represents a sea change in the way white collar crime is being enforced. And there’s another driver for all this – whistleblowing. The Anti-Money Laundering Act 2020 has significantly enhanced protections and incentives for whistleblowers, while the CFTC Whistleblower Program provides financial incentives for individuals who report possible violations of the Commodity Exchange Act that leads to successful enforcement. These measures could lead to an upsurge in allegations of impropriety and subsequently an increase in regulatory investigations.

What should businesses do?

• Take a holistic approach to compliance. It’s not enough to fix the issue that came to the attention of the regulator the last time. The current appetite for coming down hard on subsequent infractions, regardless of their nature, shows that every business needs to get its house in order.
  
  
• Leverage a variety of tools to mitigate risk. Businesses must be clear on how each business activity could bring risk into the organization and decide on the most appropriate tools and mechanisms for mitigating those risks. This requires an effective combination of people, processes, culture and technology (see below), but it begins with robust risk assessment that is attuned to the evolving business environment – for example, the growing importance of ESG reporting and individual executive use of social media platforms.
  
  
• Accept that risk is a constantly moving target. The switch by many financial institutions to remote or hybrid working is a prime example, as highlighted by the $200m penalty imposed by the SEC upon JPMorgan Chase for sensitive business communications outside of approved channels. Preventing traders from leaking material non-public information becomes a more complex undertaking when they are not in the same room as their manager, or their compliance officer. Banks and other financial institutions have been ramping up their surveillance technology for some time now, but this is a task that many will be undertaking with increased urgency, as existing mechanisms to detect inappropriate behaviour (e.g. insider trading) may no longer be sufficient.
  
  
• Never let your guard down. Above all, businesses must accept that there is no room for complacency when it comes to financial crime. The risk landscape is constantly evolving, and therefore businesses must be open about the need to continually re-assess the threats they face, and the actions required to mitigate them.