von Leslie CaldwellProf. Dr. Thomas Grützner, Dr. Stefan Bartz

In the following article we will discuss the current developments and trends for 2020 and outline what EU-based companies with a US presence should look out for in 2020 regarding US white-collar and compliance trends in the US.

Most important developments

White-collar criminal prosecution

In 2019, the Trump administration has continued its practice of announcing corporate friendly-sounding policy changes in the areas of white-collar criminal prosecution, particularly in the areas of corporate fraud. There has been a lot of messaging about recognizing individuals as the ones who commit crimes instead of punishing corporations and shareholders. There has been further messaging about cutting back on the number of cases that are initially focused on corporations and of cases in which the government requires a corporate resolution. The new guidelines on the evaluation of corporate compliance programs from February 2019 and the FCPA corporate enforcement policy from March 2019 are also consistent with that.

But in practice, it can be seen that the big focus remains on corporations, a high level of skepticism among prosecutors about compliance programs, application of hindsight in reviewing corporate conduct and compliance programs, and a view that, if systemic failure occurred, there must have been a deficiency in the compliance program. So there is certainly a disconnect between the policies being issued by DOJ and what actual prosecutors on the ground are doing.

Compliance program

Over the last year, there has also been a shift on the compliance program side. Again, consistent with the administration’s corporate friendly rhetoric, there has been an increased emphasis on granular guidance from the DOJ about implementation of compliance programs.

Previously, most of the guidance entailed outlining the components of the compliance program, how it should read in formal terms, how it should be communicated throughout the company, etc. Now, significant emphasis is placed on implementation, controls testing, and consistent follow-up and updates, to see if the compliance program is actually working.

This has been interpreted by some government attorneys to take a more granular look at a company’s controls. The Securities and Exchange Commission (SEC), for example, may in the past have asked what was the justification for a particular sales decision, such as the granting of a large discount to a customer. Now, they might also ask whether the person or people who approved the discount did any checking to determine see whether the stated justification was in fact true. This is yet another indicator of dissonance between the government’s high-level business-friendly rhetoric versus its ground-level operations.

US regulators’ focus in 2020

Most affected industries

Social media companies in particular are being targeted by the regulatory authorities and will continue to be under the microscope for all sorts of different issues. They are under investigation by US and foreign antitrust regulators, US State Attorneys General, and in some cases, US Attorney’s Offices. It is unlikely that this will change as they are large companies operating in many different business areas that are currently in an unregulated state.

Technology companies will continue to be of general interest to regulators. As can be seen in the Northern California market, there is increased regulatory interest in pre-IPO companies, particularly those with large valuations. That will most likely continue, and as some companies postpone their IPOs for longer times than in the past, the scope of the companies under review will only grow.

Financial institutions and financial services will always remain in the government’s focus because of the amount of money involved and the great potential for misconduct.

Another industry where the regulators are probably questioning next steps is the merger between the financial industry and the tech industry as well as cryptocurrency companies. Regulators are particularly concerned with questions such as like how do you regulate a virtual currency and who regulates trading in cryptocurrencies? The companies themselves are also determining their approach to regulation: What is required? Who is the regulator? What is permitted and not permitted? These are questions with complex implications.

Given the large amounts of money being generated in the cryptocurrency world, the presence of many fraudulent actors, and the volatility of the markets, regulation and oversight are needed and will continue to evolve.

Cross-border investigations: US law and GDPR

There is a wide discrepancy between US law and GDPR, which is particularly critical in cross-border investigations.

In the US, companies generally have free access to information on corporate assets, such as computers, phones and other devices, and employees rarely have a legal basis to object when their data is reviewed. GDPR, on the contrary, gives individuals a significant level of control over their own data. In addition, violations of GDPR can result in high fines and damages claims.

In light of GDPR, attorneys conducting corporate investigations involving EU-based data have to be much more careful than in the past, given the disparity in individual rights recognized in the US versus those recognized in the EU. And as more countries outside the EU evolve in the direction of GDPR, the challenge will only grow.

This discrepancy must be taken into account by lawyers conducting cross-border corporate investigations, given the disparity in individual rights recognized in the EU versus those recognized in the US. Currently, more and more countries outside the EU evolve in the direction of GDPR. Even some US states are adopting their own strict data protection laws. For example, the California Consumer Privacy Act (CCPA) is taking effect in January 2020. The CCPA is much more aligned with GDPR than other current US laws. If companies have a presence in California or have data belonging to California residents, they will be required to comply with that law. It may be that all heading in the direction of GDPR, especially given recent high-profile data breaches and misuses of data.

Due to GDPR, in most cases it is difficult to collect and transfer information about digital communication, such as emails, even though this can be exculpatory in the discovery phase.

A lot of countries – not just those within GDPR – have data protection laws, some of which might be even more stringent than GDPR. Nearly all of those laws give individuals more control over their data than they would have in the US.

What to expect in 2020 from US regulators

Current developments show a discrepancy between corporate friendly-sounding policy changes and actual practice with regard to white-collar enforcement. Companies should therefore not rely on the official rhetoric coming out of DOJ at the higher levels. The actual on-the-ground practices can be quite different.

In addition, there are signs that the US authorities will be focusing on specific industries and companies in the area of technology and social media. Nonetheless, the financial sector will remain an enforcement priority.

In cross-border investigations, we also expect an increasing recognition of foreign data protection rules, in particular GDPR, but US regulators are still not likely to accept blanket data protection excuses when it comes to the collections and transfer of information.