Compliance and legal teams whose companies are internally investigating possible sanctions and export controls violations will have to work a lot harder to get credit with federal officials for making a voluntary self-disclosure, thanks to a new guidance document from the Department of Justice.

The rationale for proceeding with greater caution emanates from guidance issued last month by the National Security Division (NSD) of the Department of Justice. Established by Congress in 2006, the NSD is responsible for protecting the United States from national security threats and achieves this by uniting prosecutors and law enforcement officials with the intelligence community.

According to the NSD’s recent guidance, foreign governments are engaged in an aggressive campaign to acquire superior technologies and commodities that are developed, made, and controlled in, and by, the United States. As “gatekeepers” of export-controlled technologies, companies “play a vital role in protecting our national security,” the guidance states. Thus, where investigations of corporate criminal misconduct reveal willful violations of U.S. export controls and sanctions, the Justice Department warned that it will seek to hold companies and individual employees criminally liable.  

The guidance makes clear NSD’s expectations for what it requires from companies seeking credit for the voluntary self-disclosure of potential export and sanctions violations of the Arms Export Control Act and the International Emergency Economic Powers Act—two statutes implementing the U.S. government’s export control and sanctions regimes.

On a practical level, compliance and legal teams that are already grappling with the FCPA Pilot Program will now also find themselves wrestling with similar issues pertaining to self-disclosures concerning potential sanctions and export control violations, but with much harsher consequences.

“The document is quite similar in a great deal of respects to the FCPA Pilot Program, but the focus of the two policy statements is somewhat different. There isn’t as much of an incentive to voluntarily self-disclose potential export controls and sanctions violations.”

Thomas Best, Partner, Steptoe & Johnson

“The document is quite similar in a great deal of respects to the FCPA Pilot Program, but the focus of the two policy statements is somewhat different,” says Tom Best, a partner at law firm Steptoe & Johnson. “There isn’t as much of an incentive to voluntarily self-disclose potential export controls and sanctions violations.”

Both the NSD guidance and FCPA Pilot Program offer identical definitions for what constitutes voluntary disclosure, full cooperation, and remediation. For a disclosure to be deemed voluntary, for example, the company must disclose the conduct “prior to an imminent threat of disclosure or government investigation” and “within a reasonably prompt time after becoming aware of the offense,” with the burden placed on the company to demonstrate timeliness.

Furthermore, as with the FCPA Pilot Program, the NSD guidance expressly implements into export control and sanctions cases the Yates Memo, requiring companies to disclose all relevant facts about culpable individuals involved in any export control or sanctions violations. Only after the threshold requirements of the Yates Memo have been met, “prosecutors should assess the scope, quantity, quality, and timing of cooperation based on the circumstances of each case when determining how much credit to give a company,” the NSD guidance states.

The NSD guidance also offers a laundry list of factors that the agency will weigh in determining a company’s level of cooperation. Such actions include the preservation, collection, and disclosure of relevant documents, including documents located overseas, and making available for interviews company officers and employees who possess relevant information, among many other factors.

If a company fails to cooperate, it will not receive credit for remediation, the guidance states. That being said, the following factors generally will be required for a company to receive credit for timely and appropriate remediation:

Implementation of an effective compliance program, the criteria for which will be periodically updated and based on the company’s size and resources.

Appropriate discipline of culpable employees, as well as those with oversight of the responsible individuals. The company should also consider how compensation is affected by both disciplinary infractions and failure to supervise adequately.

Any additional steps that demonstrate a company’s recognition of the seriousness of the criminal conduct, an acceptance of responsibility, and implementation of measures to prevent the misconduct from occurring again, including measures to identify future risks.

In remarks at the Practicing Law Institute’s U.S. export controls and sanctions conference last year, Assistant Attorney General John Carlin stressed the importance of vigilance. “Policies and procedures are simply not enough; they must be fully executed and reinforced,” Carlin said. “Simply ‘checking the box’ by implementing an export control and sanctions compliance program without the proper support or follow-through will not insulate a company from prosecution.”


The following actions are required for a company to receive full cooperation under the National Security Division guidance:
As set forth in the DAG Memo on Individual Accountability, disclosure on a timely basis of all facts relevant to the wrongdoing at issue, including all facts related to involvement in the criminal activity by the corporation’s officers, employees, or agents;
Proactive cooperation, rather than reactive; that is, the company must disclose facts that are relevant to the investigation, even when not specifically asked to do so, and must identify opportunities for the government to obtain relevant evidence not in the company’s possession and not otherwise known to the government;
Preservation, collection, and disclosure of relevant documents and information relating to their provenance;
Provision of timely updates on the company’s internal investigation, including but not limited to rolling disclosures of information;
Where requested, deconfliction of an internal investigation with the government investigation;
Provision of all facts relevant to potential criminal conduct by all third-party companies (including their officers or employees) and third-party individuals;
Upon request, making available for interviews those company officers and employees who possess relevant information; this includes, where appropriate and possible, officers and employees located overseas as well as former officers and employees (subject to the individuals Fifth Amendment rights);
Disclosure of all relevant facts gathered during the company’s independent investigation, rather than a general narrative, including attribution of facts to specific sources where such attribution does not violate the attorney-client privilege;
Disclosure of overseas documents, the location in which such documents and records were found, and who found the documents (except where such disclosure is impossible due to foreign law, including but not limited to foreign data privacy;
Unless legally prohibited, facilitation of the third-party production of documents and witnesses from foreign jurisdictions; and
Where requested and appropriate, provision of translations of relevant documents in foreign languages.
Source: National Security Division guidance.

Carlin added that companies must also know their markets and their people. “When you’re part of a large corporate family with many segments located overseas, some subject to very different export control laws in foreign countries, you have to be careful to ensure that conduct illegal in the United States does not become practice here,” he said. “If you have doubts, check with your regulator.”

Harsher consequences

Unlike the FCPA Pilot Program, the benefits of voluntarily self-disclosing potential export control and sanctions violations are not as clear, especially since the consequences are harsher. Whereas the FCPA Pilot Program provides companies with the possibility of receiving a declination, the best a company can hope to receive under the NSD guidance is a non-prosecution agreement.

Furthermore, because the fine guidelines in Chapter 8 of the U.S. Sentencing Guidelines don’t apply in export control and sanctions prosecutions, prosecutors have much more discretion in the fines they can assess. The FCPA Pilot Program, in comparison, provides for up to a 50 percent reduction off the bottom end of the Sentencing Guidelines fine range.

Also unlike the FCPA Pilot Program, the NSD guidance cites examples of aggravating factors that, if present to a substantial degree, will result in a more stringent resolution, including:

Exports of items controlled for nuclear non-proliferation or missile technology reasons to a proliferator country;

Exports of items known to be used in the construction of weapons of mass destruction;

Exports to a terrorist organization;

Exports of military items to a hostile foreign power;

Repeated violations, including similar administrative or criminal violations in the past;

Knowing involvement of upper management in the criminal conduct; or

Significant profits from the criminal conduct, including disproportionate profits or margins, whether intended or realized, compared to lawfully exported products and services.

Broadly speaking, the guidance signals NSD’s intent to become more directly involved in the enforcement of sanction and export control violations. Traditionally, companies have made voluntary self-disclosures of U.S. export controls and sanctions violations to one of the following relevant civil regulatory bodies:

The Department of State, Directorate of Defense Trade Controls (DDTC) for violations of the International Traffic in Arms Regulations (ITAR);

The Department of Commerce, Bureau of Industry Security (BIS) for violations of the Export Administration Regulations (EAR); or

The Department of the Treasury’s Office of Foreign Assets Control (OFAC) for violations of U.S. sanctions regulations.

The relevant regulatory body would then determine whether to refer the matter to the Department of Justice for criminal prosecution. Although the NSD guidance directs companies to continue to submit self-disclosures to the appropriate civil agency, it also mandates that companies act as “gatekeepers” and simultaneously submit the self-disclosure to the CES in circumstances where the company, including its counsel, becomes aware of violations that are willful.

“U.S. corporate entities and their counsel, when evaluating what previously may have been handled as a civil matter, now must consider whether the issues involved conduct by persons who knew their actions were not lawful,” says Daniel McGillycuddy, a partner at law firm Morrison & Cohen. “The guidance makes clear that more criminal investigations and, logically, prosecutions will be part of the changing landscape, and the guidance offers benefit to those who self-report similar to, though not as far-reaching, as the FCPA Pilot Program—clearly a crucial consideration for all experienced, sophisticated practitioners when advising on questions of cross-border and regulatory enforcement risks.”

On a practical level, the differences between the two documents—both in form and substance—mean that compliance and legal teams will have to give a lot more careful consideration concerning self-disclosures.

“This does change the risk calculus as to whether, and when, you also make a disclosure to the Department of Justice,” says David DiBari, a managing partner at law firm Clifford Chance. “What that means is that companies will need to also make a decision whether to bring in the Department of Justice, perhaps at an earlier stage in the investigation.”

From a broader standpoint, the NSD guidance signals that the NSD intends to ramp up its enforcement activities in this area. “We’ll need to wait and see when the rubber meets the road how this is actually going to be implemented in practice,” says Melvin Schwechter, a partner at law firm BakerHostetler. “Companies will be looking carefully to see whether tangible benefits are, in fact, received from this.”