Year in review: 2021 White-collar criminal enforcement

As we head into 2022, it is helpful to reflect on the white-collar enforcement trends of the past year to assess what may lie ahead. Last year, as the Biden Administration began, we predicted an uptick in corporate enforcement. In the past several months, the path has been paved with messages and policy changes from the United States Department of Justice (DOJ), the Securities Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC). We have written about those changes, including the DOJ Memo that outlines additional requirements for cooperation, the SEC's focus on corporate admissions, and the proposed SEC Insider Trading Amendments. We now evaluate the enforcement trends of 2021 to determine areas we expect the government to focus on, and in turn, where companies should bolster their compliance efforts.

Environmental, social and governance

While US regulators have always focused on proper disclosures, particularly those that may impact investors, that focus has now turned to environmental, social and governance issues (ESG). The Biden Administration's emphasis on climate change policies has led to significant changes in regulatory policies and ESG enforcement actions. In March 2021, the SEC created a Climate and ESG Task Force in the Division of Enforcement aimed at developing initiatives to identify ESG-related misconduct proactively through the evaluation and pursuit of tips, referrals and whistleblower complaints on ESG-related issues. At the same time, the CFTC established a Client Risk Unit (CRU) focused on the role of derivatives in understanding, pricing and addressing climate-related risks and transitioning to a low-carbon economy. This shift in regulatory priorities will inevitably lead to more ESG investigations and "greenwashing" lawsuits.

At its core, "greenwashing" refers to claims that companies' ESG disclosures are misleading to consumers and investors. Often, these are cases where a company represents that its practices or products are more environmentally friendly than the company can demonstrate. There has already been a great deal of greenwashing civil litigation. For example, in Swartz v. The Coca Cola Company, Sierra Club v. The Coca Cola Company and Earth Island Institute v. The Coca Cola Company consumers challenged Coca Cola's claim that its bottles were "100% recyclable" and that Coca Cola's marketing slogan, "World without Waste," was false and misleading. Government agencies are likewise starting to bring enforcement actions. In August 2021, the SEC reportedly initiated an investigation into a financial institution’s asset management unit following a whistleblower’s allegations that it was misrepresenting its ESG credentials to clients and investors.

In 2022, we are likely to see an acceleration in enforcement actions concerning misrepresentations and/or omissions related to ESG claims. In prepared remarks given to members of the American Bar Association, Todd Kim, DOJ Assistant Attorney General and head of its Environment and Natural Resources Division (ENRD), warned businesses that President Biden planned to use the "full capacity of the federal government" to tackle the climate crisis in 2022, focusing on communities that are "disproportionately burdened by environmental hazards and harms." Kim advised companies looking to avoid regulatory penalties to implement compliance functions proactively and ensure sufficient resources are delegated to investigate and address potential problem areas. Specifically, he recommended that companies:

1. integrate environmental compliance into their culture;
2. institute systems designed to foster decision-making that improves environmental and health outcomes;
3. ensure that, if environmental problems arise, there are systems in place to investigate, determine, and document what went wrong and why; and
4. establish and enforce systems of accountability all the way up the corporate chain for environmental issues. These recommendations expressly bolster the need for companies to evaluate their compliance policies from an ESG perspective.

Off-channel communications

While changes in technology have always proven difficult for companies that are required to monitor or maintain employee communications, the shift to remote working accompanying COVID-19 has exacerbated the risks posed by off-channel communications. These are typically communications not monitored by the institution and not retained under various regulators' business records requirements. Despite most companies having a policy that prohibits the use of "off-channel" communications for business, including the use of text messaging, mobile messaging platforms, such as WhatsApp and WeChat, or any ephemeral messaging services, employees continue to use them. This puts companies at risk of violating various business record requirements, and failing to meet their obligations to monitor business communications. It may also inhibit a company's ability to fully cooperate in a government investigation.

On October 6, 2021, Gurbir Grewal, the SEC's Enforcement Director, spoke about the importance of recordkeeping requirements, and the need for market participants to put in place appropriate policies and procedures to preserve "off-channel" communications. He urged market participants to take a proactive compliance approach and address the increased use of personal devices and other technological developments, rather than wait for an enforcement action. Shortly after, the SEC contacted a number of financial institutions about tracking their employees' digital communications. The Financial Industry Regulatory Authority (FINRA) has also stated that it will be enforcing violations regarding the supervision and retention of off-channel communications in its 2021 Report on FINRA's Examination and Risk Monitoring Program. Relatedly, Lorinda Laryea, co-principal deputy chief of the DOJ's criminal fraud section, stated at the Miami ABA conference that a failure to produce responsive documents because they were not retained by a company could impact a company's cooperation credit.   

Monitorships

In 2018, AAG Boris Benczkowski authored a memo to DOJ prosecutors that "[i]n general, the Criminal Division should favor the imposition of a monitor only where there is a demonstrated need for, and clear benefit to be derived from, a monitorship relative to the projected costs and burdens." After this memorandum, in 2019, only five independent monitors were imposed out of the 31 Non-Prosecution Agreements or Deferred Prosecution Agreements. In 2020, zero were imposed despite at least 18 resolutions.

In October 2021, by contrast, the DOJ announced that, to the extent the Benczkowski memorandum was interpreted to state that the imposition of monitors "would be the exception and not the rule," guidance is rescinded, particularly where a company's compliance program is not fully tested or implemented. In the current administration, we have seen two recent instances where the DOJ formally imposed a monitor. Companies settling with the DOJ will now have to work harder to show that the compliance program is sufficiently well-tested and implemented to avoid repetition of the alleged misconduct. Given that corporate monitors are a costly and burdensome process for companies, companies should promptly review their compliance programs to make sure they are sufficiently robust rather than waiting for an issue to surface.

False Claims Act

As with previous years, qui tam cases are likely to remain a feature, with a continued focus on COVID-19-related fraud and the healthcare industry. The False Claims Act's qui tam provisions empower private individuals who have knowledge about a company or individual defrauding the government or a federal program to bring a lawsuit on behalf of the government. As an incentive for these types of lawsuits, if the case settles, the whistleblower can receive a monetary award ranging from 15% to 30% of the government's total recovery.

For fiscal year 2020, the last year for which statistics are available, whistleblowers filed 672 qui tam suits, and the DOJ recovered over US$1.6 billion in these and earlier-filed suits. The DOJ reported that its largest recoveries in 2020 derived from the pharmaceutical industry. These figures are in line with historical figures, and we expect them to continue unabated. The DOJ is also applying data analytics to health care submissions in order to identify and institute cases, as it prominently stated in an October 2021 press release detailing multiple settlements. It also filed a complaint where analytics were used to identify providers that allegedly fraudulently billed federal healthcare programs for services. In addition, fraud cases under the Paycheck Protection Program (PPP) and other CARES Act programs are increasing. In 2022, there have already been over 15 COVID-related fraud cases, several of which involve misrepresentations concerning PPP loans. We expect these cases will continue in 2022.

Whistleblowers

Whistleblowers made headlines again in 2021 with high-profile cases and record-breaking whistleblower awards from the SEC and CFTC. In October, the CFTC announced a US$200 million award to an anonymous whistleblower, the largest award to a single whistleblower ever. The SEC announced that its whistleblower awards in fiscal year 2021 were US$564 million, and that over US$1 billion has been awarded over the life of the SEC program. The SEC also announced its second-highest whistleblower award this year at US$114 million split between two whistleblowers. And high profile whistleblowers, such as in the Elizabeth Holmes trial and major tech company whistleblowers, have raised the profile of whistleblowers further. In addition, the CFTC and FinCEN have both raised the financial incentives for whistleblowers. Accordingly, in 2022, we are likely to see a continued uptick in whistleblower complaints both internally at companies and externally with the government. Companies should therefore diligently review all internal complaints where there could be a corporate governance or compliance issue. This sort of review will enhance the ability of companies to remediate any potential issues.

These enhanced incentives have been accompanied by increased protections for whistleblowers. At the tail end of 2020, Congress enacted two laws, the Anti-Money Laundering Act (AML Act) and the Criminal Antitrust Anti-Retaliation Act (CAARA), that substantially increases whistleblower protections for people who report criminal violations of antitrust laws. Significantly, the AML Act permits compliance professionals and other individuals whose very role is to detect and report misconduct to collect an award for whistleblowing upon completion of a successful enforcement action. The resources supporting regulatory enforcement of whistleblower protections are also expected to increase, especially given the large awards seen this past year.

At the state level, many legislatures have also enacted laws expanding whistleblower protections this past year, and have issued interpretive guidance advising government employees of these protections. In late 2021, New York State dramatically expanded its whistleblower law in various key respects in favor of would-be whistleblowers. The state law, which took effect on January 26, 2022, extends whistleblower protections to former employees and independent contractors. It also expanded whistleblower protections to cover employees who reasonably believe that a violation of law, rule, or regulation occurred. The new law also removes the requirement that the whistleblower must first report the violation to their employers. Instead, under the new law, whistleblowers must only make a good faith effort to notify the employer of a violation, and even this internal reporting requirement has various exceptions, such as imminent and serious danger to the public health or safety or fear of physical harm. Because the new law generally requires a good faith effort to report internally, companies should ensure that policies encourage ready reporting to identified persons including Human Resources and Compliance, and that such policies are widely distributed.

With respect to the specific concerns that may be raised by whistleblowers, expect to see an increase in trending issues such as environmental issues, workplace safety related to COVID-19, and overall treatment of employees. These issues fall into the broader topic of ESG, and, given the attention by the government and companies to ESG, it is likely that whistleblowers will be looking out for these issues as well.

Cyber security and cryptocurrency

Cybersecurity and cryptocurrency were also hot topics in 2021 as the Biden Administration has made prosecuting cybercrime a priority. In July, the President formally established the Industrial Control System Cybersecurity Initiative, which is designed to be a collaborative effort between the federal agencies and the critical infrastructure community to update cybersecurity technology systems. Following these announcements, the Office of Foreign Asset Control (OFAC), the DOJ, the SEC and FinCEN all released updated guidance and reports addressing ransomware and the use of financial systems to facilitate ransom payments, including growing use of cryptocurrencies.

In addition to these measures, in October, the DOJ announced a new Civil Cyber-Fraud Initiative and the creation of a National Cryptocurrency Enforcement Team. The Initiative will utilize the False Claims Act to pursue cybersecurity-related fraud by government contractors and grant recipients. The enforcement team was created to investigate and prosecute misuses of cryptocurrency, particularly crimes committed by virtual currency exchanges, mixing and tumbling services and money laundering infrastructure actors.

The Internal Revenue Service (IRS) also continues to flex its enforcement muscle in the crypto space. In April and May, federal district courts in Massachusetts and California granted separate orders allowing the agency to serve a "John Doe Summons" on two other digital currency exchangers. The summonses on their face target unknown taxpayers who have conducted cryptocurrency transactions above a specific monetary threshold via the exchanger's platform. The crypto exchanger is also required to produce various other records relating to the individuals and their cryptocurrency transactions. It is likely that this will lead to enforcement actions against non-compliant taxpayers, but crypto exchangers should also be weary as trends in the collected data may expose crypto exchanges too.  

Given all these measures to reevaluate and redefine the government's strategies for regulating cybersecurity, we can expect an increase in government enforcement actions for companies that fail to implement adequate controls, particularly with respect to cryptocurrencies as evidenced by some of the enforcement actions this past year. For instance, in one of the highest civil penalties to date, the CFTC and FinCEN ordered BitMEX, a cryptocurrency derivatives exchange, to pay US$100 million for illegally operating a cryptocurrency trading platform, and for failing to implement Customer Information Program (CIP), Know-Your-Customer (KYC) procedures and an adequate AML program. The SEC also took on its first case against a Decentralized Finance (DeFi) Lender when it charged Blockchain Credit Partners and several individuals with securities fraud for the unregistered offer and sale of two digital tokens, a governance token and a token that paid interest. While the case settled for around US$13 million, it indicates a shift and expansion in enforcement efforts.

As the laws and regulations surrounding cybersecurity and cryptocurrency evolve, so too must companies' compliance programs. Companies face the duel risk of being victimized by cybercrime and at the same time violating DOJ, SEC, OFAC and FinCEN rules and regulations. Cryptocurrency companies and exchanges face the added complexity of broader regulatory oversight. Companies must devote the needed resources to address cybersecurity compliance concerns and remain ahead of evolving regulations.

Foreign Corrupt Practices Act

FCPA enforcement actions in 2021 were the fewest in a decade. Corporate penalties also decreased with penalty totals dropping more than 90% from the previous year. This decrease does not, however, signal a trend towards less FCPA enforcement. To the contrary, the Biden Administration's 2021 policy changes and recent announcements by various federal agencies suggest that 2022 will be a more active enforcement year than 2021.

On June 3, 2021, President Biden released his Memorandum on Establishing the Fight Against Corruption as a Core United States National Security Interest which highlighted objectives for combatting foreign corruption and increasing anti-corruption efforts. The memorandum also implemented an interagency review to recommend strategies for countering corruption, which culminated in a report and the United States Strategy on Countering Corruption. Interestingly, while traditionally the SEC and DOJ have led FCPA enforcement efforts, the June memorandum called upon thirteen additional agencies to take part in the review, suggesting that the Biden Administration is planning to expand the agencies tasked with enforcement as well as change the way the government thinks about its approach to corruption.

Following the June memorandum, as discussed in our client alert, the DOJ established Joint Task Force Alpha aimed at enhancing coordinated anti-corruption enforcement efforts between the US, Mexico, Guatemala, El Salvador and Honduras. In October, the DOJ announced that it planned to "surge resources to the department's prosecutors" and it would establish a tip line to assist investigators and prosecutors in collecting potential treasure troves of information from competing companies, lay persons, as well as local cooperating prosecutors and investigators.

The SEC made similar announcements that also point to increased enforcement efforts in 2022. In February, Allison Herren Lee, acting chair of the SEC, announced that she was rolling back two Trump Administration policies. The first, reauthorized senior officers in the Division of Enforcement to approve the issuance of a Formal Order of Investigation and the second, rescinded a policy that permitted the SEC to consider requests for waivers from automatic penalties as part of the settlement negotiation process.

As mentioned above, there was also a strong uptick in the number of whistleblower tips in 2021, and specifically, FCPA-related whistleblower tips. The increase in whistleblower tips could well turn into new investigations and actions in the coming year.

Despite only a few FCPA enforcement actions this year, the Biden Administration has made it clear that it is planning to crack down on anti-corruption enforcement. This year seemed to set the stage for future enforcement actions, including by agencies traditionally not involved in anti-corruption endeavors. Companies looking to avoid investigation in 2022 should conduct a holistic analysis of their reporting and compliance programs, particularly in the age of remote working environments.

Anti-money laundering

The AML Act and the Corporate Transparency Act (CTA) became effective on January 1, 2021 heralding a new year of AML enforcement efforts. The AML Act greatly expands the authority of the DOJ and Department of the Treasury to subpoena records from foreign banks that maintain correspondent U.S. bank accounts. The CTA directs FinCEN to establish a registry of beneficial ownership information for U.S. companies in an effort to make it more difficult for anonymous shell companies to operate. The AML Act re-focuses on the importance of guarding against terrorist financing, which underscores that compliance programs should be focused on preventing this risk as much as traditional money laundering.

FinCEN appears to be leading AML enforcement in the US and took a particularly active role this year. In January, FinCEN extended the comment period for its proposed rule aimed at closing AML regulatory gaps for certain convertible virtual currency and digital asset transactions. In March, FinCEN issued a notice that the definition of "financial institution" was extended to include art and antiquities traders due to the increase in illicit activity associated with the trade. Pursuant to the CTA directive, in April, FinCEN solicited public comments in answer to specific questions related to "procedures and standards for reporting companies to submit" and by May had received hundreds of comments. In June, FinCEN, OFAC, and other regulators issued a first set of National AML/CFT Priorities and FinCEN separately issued a report to Congress proposing a rulemaking process for the issuance of no-action letters to provide opportunities for other agencies and shareholders to provide input.  

In addition to issuing administrative guidance and updating policy objectives, FinCEN also led the way in enforcement actions. The year started off with its headline announcement that it had assessed a US$390 million civil penalty against a financial institution for violations of the Bank Secrecy Act by failing to maintain an AML program, failing to file suspicious activity reports, and failing to file currency transaction reports. This case was significant not only because of the amount in penalties, but because it represents one of very few cases where FinCEN has charged a major financial institution without any other governmental agency filing a parallel case. Another case was the BitMEX case mentioned above, which was significant because it reflected heighted concerns expressed by several agencies regarding cyber-enabled financial crime and the use of virtual assets to launder illicit proceeds.

In the wake of the AML Act, the CTA and the updated regulations and enforcement actions, financial institutions should evaluate their current compliance programs and policies to ensure that the new AML/CFT priorities are properly integrated, especially since these priorities will probably be the focus of regulators for the next few years. Companies will also want to keep an eye on FinCEN to familiarize themselves with the CTA's new reporting requirements since, like the AML Act, the CTA expands the scope of the government's enforcement power and heightens security protocols for businesses, requiring certain corporations, LLCs, and similar entities to file reports with and keep updated beneficial ownership information with FinCEN.

Companies should also be alert as to how to navigate the potential conflict between foreign laws and the extra-territorial subpoena power in the AML Act for correspondent banks, as stated in our recent memo on the subject.

Special thanks to Irina Silver-Frankel for her contributions to this article.