New Articles

New DOJ Sanctions and Export Control Enforcement Policy Incentivizes Self-Disclosure

export control

New DOJ Sanctions and Export Control Enforcement Policy Incentivizes Self-Disclosure

On December 13, the U.S. Department of Justice (“DOJ”) released a revised policy that expands and clarifies certain incentives for voluntary self-disclosure of potential criminal sanctions and export control violations.

The new policy (the “VSD Policy”), which is effective immediately, has important ramifications for companies and their interactions with DOJ regarding potentially willful violations of US sanctions and export control laws.

Notably, the DOJ’s policy now extends to financial institutions and establishes disclosure benefits in mergers and acquisitions for acquiring companies who discover misconduct through “thorough and timely due diligence.” The policy also establishes a presumption of a non-prosecution agreement for companies that meet certain criteria in the absence of aggravating circumstances, as well as substantial mitigation credit where a penalty is warranted.

Components of the VSD Policy

Most notably, the VSD Policy specifies that, subject to certain conditions and absent aggravating factors, there will be a presumption that a company will receive a non-prosecution agreement and will not pay a fine for self-disclosed sanctions and export control violations. In order to be subject to such a presumption, the company must (1) voluntarily self-disclose violations, (2) fully cooperate with DOJ and (3) timely and appropriately remediate any violations.1

The VSD Policy also sets out specific definitions for these criteria. For instance, in order to “voluntarily self-disclose” pursuant to the VSD policy, a disclosure must be:

-Prior to an imminent threat of disclosure or government investigation;

-Within a reasonably prompt time after a company becomes aware of the offense; and

-Include all relevant facts known to the company at the time of disclosure, including with respect to individuals substantially involved or responsible for the disclosed violations.2

Importantly, voluntary self-disclosures must be made to DOJ in order for the VSD Policy to apply. In other words, companies that make self-disclosures to regulatory agencies but not to DOJ will not be able to receive the benefits of the VSD Policy. Equally of note is that any company receiving the benefits of the VSD Policy, including one that receives a non-prosecution agreement, will not be permitted to retain any gains from the unlawful conduct and will be required to pay all disgorgement, forfeiture, and/or restitution stemming from the disclosed violations.

The VSD Policy sets forth a number of specific requirements that companies must meet in order to “fully cooperate.” In order to “fully cooperate” under the VSD Policy, a company must:

-Disclose all facts relevant to the wrongdoing on a timely basis. This includes, inter alia, relevant facts from an internal investigation and updates to those facts (as well as updates on an internal investigation), attributed to specific sources. Such facts must include those related to involvement in criminal activity by officers, employees, or agents and facts about potential criminal conduct by third parties.

-Proactively, rather than reactively, cooperate. This proactive cooperation must include the timely disclosure of relevant facts, even if the company is not asked to do so.

-Preserve, collect, and disclose relevant documents and information in a timely manner. These actions include the disclosure of overseas documents (as well as where they are located and who found them), the facilitation of third-party production of documents, and document translations where appropriate.

-De-conflict witness interviews in order to align a company’s internal investigation with an investigation by DOJ when requested and appropriate (although, the VSD Policy notes, DOJ will not affirmatively direct a company’s internal investigation); and

-Make company officers and employees possessing relevant information available for interviews by DOJ when requested, including former employees and those located overseas, and facilitate interviews of third-party witnesses when possible.3

Finally, in order to “timely and appropriately remediate” pursuant to the VSD Policy, there are several actions that a company must undertake:

-A “root cause” analysis that analyzes underlying conduct and remediates those root causes where appropriate;

-The implementation of a compliance program, which would be updated periodically. The VSD Policy acknowledges that such a program will vary depending on the organization’s size and resources, but notes that it may include information on:

-A company’s culture of compliance, including that criminal conduct will not be tolerated by the company;

-Company resources dedicated to compliance, as well as the compensation and promotion of compliance personnel and their quality and experience;

-The independence of a company’s compliance function, the auditing of the compliance program, the access of the board of directors to compliance expertise, and the reporting structure of compliance personnel; and

-Details about a company’s risk assessment, its effectiveness, and how a compliance program has been tailored based on that risk assessment;

-Discipline of employees, including those responsible for misconduct and those with oversight and supervisory authority;

-Retention of business records and the prohibition on the improper destruction of such records, including guidance and controls on personal communications; and

-Any additional steps necessary to demonstrate recognition of misconduct, the acceptance of responsibility, and measures to reduce the risk of future misconduct.4

Aggravating Factors

As noted, the presumption of a non-prosecution agreement and the absence of a fine will only be available under the VSD Policy in cases of voluntary self-disclosures where there are no aggravating factors. The VSD Policy includes a non-exhaustive list of such aggravating factors, and specifies that if such factors are substantially present, a “more stringent” resolution may result:

-Exports of items controlled for nuclear nonproliferation or missile technology reasons to a proliferator country;

-Exports of items known to be used in the construction of weapons of mass destruction;

-Exports to a Foreign Terrorist Organization or Specially Designated Global Terrorist;

-Exports of military items to a hostile foreign power;

-Repeated violations, including similar administrative or criminal violations in the past; and

-Knowing involvement of upper management in the criminal conduct.5

Even if such aggravating factors are present, the VSD Policy provides incentives for companies to voluntarily self-disclose violations, cooperate with DOJ, and timely and appropriately remediate, consistent with the definitions in the VSD Policy. In such instances, DOJ will recommend a fine that is capped at 50 percent of the amount otherwise available. In addition, if the company has implemented an effective compliance program, DOJ will not require the appointment of a monitor for the company.

Takeaways for Companies

DOJ’s new VSD Policy is a clear effort by the agency to encourage and reward timely voluntary self-disclosure by companies that identify potential willful violations of export control and sanctions laws. The VSD Policy brings DOJ’s practices closer in line with those of the Office of Foreign Assets Control and the Bureau of Industry and Security, both of which also incentivize self-disclosure by limiting penalties. DOJ’s incentives aim to encourage the private sector to implement effective compliance programs to prevent and detect violations in the first place and report them to DOJ in a timely manner if they occur. A clear goal of the VSD Policy is also to provide DOJ with the information and resources to prosecute individuals responsible for wrongdoing.

Notably, unlike previous guidance issued by DOJ, the VSD Policy does not include a carve-out for financial institutions. As a result, these entities will be able to take advantage of the VSD Policy going forward. Additionally, the VSD Policy provides incentives for self-disclosure in mergers and acquisitions. Specifically, the VSD Policy specifies that a successor entity that makes a timely voluntary self-disclosure (even as a result of post-acquisition due diligence) will be able to take advantage of the incentives set forth in the VSD Policy. Companies wishing to review or strengthen their compliance programs should consult sanctions and export control counsel in order to ensure that such programs are tailored to the criteria set forth by DOJ and reflective of the risk involved in the company’s activities.

Also worth noting is that while the VSD Policy aims to incentivize self-disclosure to the DOJ by providing certain defined benefits, those benefits are not without cost or risk. Companies with a potential sanctions or export control violation should consult experienced sanctions and export control counsel to provide guidance on the decision of whether to self-disclose, which involves a complicated balance of numerous factors.

_______________________________________________________________

1 U.S. Department of Justice, Export Control and Sanctions Enforcement Policy for Business Organizations, 2, Dec. 13, 2019 (hereafter “VSD Policy”).

2 VSD Policy at 2.

3 VSD Policy at 3-4.

4 VSD Policy at 5-6.

5 VSD Policy at 6.

______________________________________________________________

Greg Deis is a partner in Mayer Brown’s Chicago office and co-chair of the firm’s White Collar Defense & Compliance practice.

Ori Lev is a partner in Mayer Brown’s Washington DC office and a member of the Financial Services Regulatory & Enforcement practice and the Consumer Financial Services group.

Tamer Soliman is a partner in Mayer Brown’s Washington DC and Dubai offices, global head of the firm’s Export Control & Sanctions practice and a member of the International Trade practice.

Margaret-Rose Sales is counsel in Mayer Brown’s Washington DC office and a member of the International Trade practice.

Mickey Leibner is an associate in the Public Policy, Regulatory & Political Law, International Trade and Cybersecurity & Data Privacy practices in Mayer Brown’s Washington DC office.

How to Survive the Coming Data Privacy Tsunami

Just as we have gotten used to the idea that the EU’s General Data Protection Regulation (GDPR) is a fact of life and have made modifications in our data collection procedures, the Brazil General Data Protection Law (LGDP), the California Consumer Privacy Act (CCPA), and waves of proposed new data privacy laws are swirling in the calm forewarning of a privacy tsunami heading our way. In the middle of such deep acronym swirls, it could be easy to be overwhelmed. However, all the privacy regulations share a number of commonalities and by addressing these now, you will be on high ground as the waves begin to pound.

The compliance life raft

While you will need to pay attention to the details of individual data regulations as they arise, whether already adopted, pending adoption, or only proposed, all the regulations share certain commonalities that you should consider addressing as part of ongoing operations.

1. Accountability and governance

At the heart of data privacy requirements is the aim to have organizations develop a plan to self-manage data in a way that respects end users. To address accountability and governance requirements in your organization, consider, have you:

-Reviewed the applicability and risk to the organization from data privacy issues, and considered alternatives, including insurance, in case you are fined?

-Mandated that data privacy become part of the policy program, including staff training, measurement, and compliance reporting?

-Clearly documented roles, responsibilities, and reporting lines to embed privacy compliance?

2. Consent and processing

A fundamental privacy regulation concept is that end users are aware when and why their data is collected, and what happens to it once it’s given. To address these requirements, ask yourself whether you have:

-Reviewed that the data being collected and used is necessary and for the benefit of completing a desired action by the user?

-Identified sensitive data and ensured it is treated as such through the use of special encryption or by validating vendor storage practices for sensitive data, etc.?

-Confirmed that user consent for data collection is clearly captured and documented, and that user data can be modified or erased?

3. Notifications and data rights

Gone are the days of legalese or simply taking data from users because we can. Data privacy regulations require transparency, user awareness, and forthright behavior by businesses. To ensure you get this right, ask yourself whether the organization has:

-Written user notices clearly so they can be easily understood—properly targeted to children where relevant—and are reflective of specific data collection and usage purposes?

-Updated the internal organization’s data privacy policy to clearly state the rights of prospects and customers regarding the collection and processing of their personal data?

-Created and tested processes to correct and delete all user data if needed?

Developed a solution to give users their data in a portable electronic format?

4. Privacy design

Organizations that treat privacy as a core design principle will always be in alignment with data privacy regulations. In my consulting experience, I see many self-disciplined organizations that have historically had good privacy practices and have little to address with each new law. To get to that state, ask whether you have:

-Created or updated the policy and associated process to embed privacy into all technology and digital projects, including those outsourced to vendors and partners?

5. Data breach notification

For many organizations, the question nowadays isn’t whether the organization will have a breach, but rather when will it happen and how will they respond. To address regulatory breach aspects, ask whether the organization has:

-Created (or reviewed and updated an existing) data breach policy and response plan to reflect detection, notification, and the actions to mitigate loss?

-Considered and obtained insurance for a possible data breach and regulatory penalties that the organization may face but not be able to handle on its own?

-Incorporated data breach terms and requirements into all vendor and third-party contracts?

6. Data localization

New data privacy regulations state where data physically must be stored, and if transferred to another country, what are the requirements for doing so. Your organization will be well positioned to meet this requirement if it can answer:

-Have we identified and updated all cross-border data flows from the country where the data is collected, and reviewed data export for on-premise and cloud solutions?

7. Children’s online privacy considerations

Data privacy regulations are concerned with end users, but  are even more strict about children and their online data protection and rights. It is best to get ahead of these issues by asking whether the organization has:

-Defined what data it collects from children, whether as a business practice or through efforts like “take your child to work day”?

-Are user notifications and online privacy statements written in a way that a child could understand them, and do they state that parental consent is required?

8. Contracting and procurement

Most businesses may struggle to understand exactly what personal user data is collected via websites, mobile applications, and other digital platforms, especially through third-party software solutions and vendors. To make sure that your organization isn’t caught out, ask whether you have:

-Reviewed and ensured that all vendors, customers, and third-party agreements reflect data regulatory requirements?

-Defined procurement processes such that privacy is integrated into all products and services the organization buys, including regarding data minimization, the visibility of onward data flows, and data ownership?

The bottom line

After years of collecting as much data as we could, we are starting to realize that all of that data has an evil twin: risk. In addition, consumers have become more aware that their data is a valuable resource, and they’re asking more questions about how it’s used and who has access to it. Governments, too, are starting to pay attention. Make sure that you get ahead of the coming data privacy regulatory waves before it becomes an unimaginable problem.

KRISTINA PODNAR is a digital policy innovator. For over two decades, she has worked with some of the most high-profile companies in the world and has helped them see policies as opportunities to free the organization from uncertainty, risk, and internal chaos. Podnar’s approach brings in marketing, human resources, IT, legal, compliance, security, and procurement to create digital policies and practices that comply with regulations, unlock opportunity, strengthen the brand and liberate employees.

Podnar speaks regularly at industry conferences, contributes articles to publications, and delivers masterclasses on digital policy. Podnar is the Principal of NativeTrust Consulting, LLC. She has a BA in international studies and an MBA in international business from the Dominican University of California and is certified as both a Change Management Practitioner (APMG International) and a Project Management Professional (Project Management Institute).

The Power of Digital Policy: A practical guide to minimizing risk and maximizing opportunity for your organization is available on Amazon and through other fine booksellers. For more information, visit Kristina @ www.kpodnar.com and on LinkedIn and Twitter.

Descartes Air Cargo Advance Screening Solutions Provides Compliance Technology

Nippon Cargo Airlines confirmed this week the implementation of the Descartes Air Cargo Advance Screening Program to support efforts towards compliance for air cargo imports to the U.S. The announcement confirmed with the mandatory advanced security filings taking place, the company will rely heavily on the required ACAS to meet compliance requirements.

“Compliance with regulations, such as ACAS, is essential to ensuring safe and secure operations for our customers and NCA,” said Keita Sataka, Senior Vice President at NCA. “Descartes has a strong history of providing NCA and the air cargo industry with customs and security filing technology, and their ACAS solution provides a proven, reliable, cost effective way to meet data collection and submission requirements.”

The functionality of the ACAS requires pre-loading data to be submitted, following mandatory data requirements for air forwarders and carriers. The Descartes Global Logistics Network streamlines  the validation process by managing the flow of master and house bill information with automation.

“We’re pleased to help NCA comply with ACAS requirements,” said Scott Sangster, VP Global Logistics Network at Descartes. “Air cargo transportation is a vital part of the growing international logistics market, and Descartes’ solutions help carriers, like NCA, and other stakeholders in the air cargo community accelerate the movement of freight while meeting important security initiatives worldwide.”

Source: Descartes

Shipping Compliance Primary Focus in Labelmaster Partnership

In an effort to support globally compliant shipping of dangerous goods while advocating for safety within the global supply chain, Labelmaster has entered into a strategic partnership with partners from both The Dangerous Goods Office Limited and Viking Packing. All three companies share a similar background in handling dangerous goods and providing packing and shipping logistics solutions.

Dangerous goods shipping is complex and challenging, making it important for shippers to have the right resources and processes in place,” said Leach. “The partnership of The Dangerous Goods Office and Viking Packing with Labelmaster presents a tremendous opportunity to help companies shipping dangerous goods establish safe and compliant practices and identify process gaps that put their global supply chain at risk.”

Geoff Leach, principal of United Kingdom-based The Dangerous Goods Office Limited, brings with him over 30 years of experience including his position as head of the CAA’s Dangerous Goods Office. Dave Weilert, president of Viking Packing, brings with him industry knowledge and matchless leadership skills that boast a historical partnership with Leach in the past leading to the formation of The Dangerous Goods Office Ltd.

“In addition to the consulting support and industry expertise Geoff will provide, Viking Packing will work to supplement Labelmaster’s packaging solutions to deliver even greater value to its customers.”

Labelmaster President Alan Schoen concluded:

“The risk associated with shipping and handling dangerous goods is greater than ever; unfortunately, many organizations put their company’s operational efficiency, competitive agility, reputation and bottom line at risk by not having the necessary knowledge, infrastructure and training to ensure compliance across the supply chain. Partnering with The Dangerous Goods Office Ltd and Viking Packing supports our commitment to helping our customers simplify the complexities of DG transport by offering the industry’s best packaging, services and guidance to handle and ship hazmat in a safe, compliant and efficient manner.”

Source: Labelmaster

Reducing Emissions

Connecticut shipping company Eagle Bulk continues moving forward to meet its anticipated January 2020 completion date for the installation of fleet scrubbers. The initiative, which was originally announced by the company back in September, will comprise of implementing 34 fleet scrubbers during the set date for the launch of the new sulphur emissions cap regulation by the International Maritime Organization.

With the topic of fleet scrubbers becoming increasingly discussed, not all players in the industry are convinced it’s a solution that will prove longevity for the sector in maintaining compliance efforts. Additionally, the recent spike in demand for the installation of these scrubbers provides a challenge for manufacturers to keep up and provide the industry demands.

Other companies that have jumped on board with the scrubbers include Scorpio Group, Star Bulk, International Seaways, DHT, and of course, Eagle Bulk. Star Bulk plans to equip its entire fleet with the scrubbers while Frontline recently increased the goal to 40 percent of its fleets.

With roughly one year until the emissions cap regulation is launched, fleet scrubbers will continue to be of discussion while for some the demand will continue to increase.

Source: Hellenic Shipping News, West, Reuters, Eagle Bulk

 

 

USTR: China Must “Allow Market Forces to Operate”

Washington, D.C. – If China is going to deal successfully with its economic challenges at home, “it must allow market forces to operate, which requires altering the role of the state in planning the economy,” according to the latest Report to Congress on China’s WTO Compliance compiled by the Office of the U.S. Trade Representative (USTR).

The country, the report added, likewise “must reform state-owned enterprises, eliminate preferences for domestic national champions and remove market access barriers currently confronting foreign goods and services.”

The report cited a “dramatic expansion in trade and investment” among China and its many trading partners since the country acceded to the WTO in December 2001.

U.S. exports of goods to China totaled $122 billion in 2013, representing an increase of 535 percent since 2001 and positioning China as the U.S.’ largest goods export market outside of North America, while U.S. services exports reached $38 billion in 2013, representing an increase of 603 percent since 2001.

Services supplied through majority U.S.-invested companies in China also have been increasing dramatically, totaling an additional $39 billion in 2012, the latest year for which data is available.

“Despite these results, however, the overall picture currently presented by China’s WTO membership remains complex, largely due to the Chinese government’s interventionist policies and practices and the large role of state-owned enterprises and other national champions in China’s economy,” the report said.

In 2014, as in past years, when trade frictions have arisen, the U.S. “pursued dialogue with China to resolve them,” it said.

But, when dialogue with China “has not led to the resolution of key trade issues, the United States has not hesitated to invoke the WTO’s dispute settlement mechanism.”

Since China’s accession to the WTO, the U.S. has brought 15 WTO cases against China, more than twice as many WTO cases as any other WTO member has brought against China, according to data supplied by the Geneva-headquartered global trade group.

In doing so, “the United States has placed a strong emphasis on the need for China to adhere to WTO rules, holding China fully accountable as a mature participant in, and a major beneficiary of, the WTO’s global trading system,” the USTR report said.

“The United States views economic reform in China as a win-win for the United States and China,” the report concludes “not only because the Chinese government’s interventionist policies and practices and the large role of state-owned enterprises in China’s economy are principal drivers of trade frictions, but also because a sustainable Chinese economy will lead to increased U.S. exports and a more balanced U.S.-China trade and investment relationship will help drive global economic growth.”

12/31/2014