Justice News

Principal Associate Deputy Attorney General Marshall Miller Delivers Remarks at the Ethics and Compliance Initiative IMPACT Conference
Jersey City, NJ
United States
Wednesday, May 3, 2023

Remarks as Prepared for Delivery

Good morning. Thank you for that warm welcome and kind introduction. It’s great to be with you today to discuss the Justice Department’s corporate criminal enforcement priorities. I bring with me greetings from Deputy Attorney General  (Deputy AG) Lisa Monaco who spoke to this group last year.

In my remarks, I will focus on the increasing intersection of corporate crime and national security and the department’s commitment to consistency and transparency in our corporate enforcement work.

Then I’m looking forward to engaging in dialogue with this group of subject matter experts. The Deputy Attorney General and I are deeply interested in how the department can best provide clarity and predictability to help you and your organizations identify and mitigate risk, incentivize compliance, and stay out of the crosshairs of our enforcement efforts.

But before I dive in, let me take a few moments to thank you for the work you all do every day to promote compliance in companies across America and across the globe. It is not always easy being the voice of compliance in the room. Undoubtedly, many of you have had to raise thorny or uncomfortable issues – with your own teams, with company leadership, and with the government. I’m sure every one of you has had to make tough and sometimes costly decisions. Thank you for the work you do to prevent misconduct before it happens and to foster ethical, compliance-promoting cultures at the institutions where you work.

In today’s world, corporate crime presents a significant and growing threat to our national security — a threat increasingly at the heart of our approach to corporate crime at the Department of Justice.    

We’re seeing that threat play out every day in our investigations and our prosecutions. As we engage in corporate criminal enforcement, we are identifying national security risks and violations in more and more of our cases. And the flip side is true: as we pursue national security investigations, we are encountering corporate crime with disturbing frequency.

Make no mistake: companies in the private sector are on the front lines of the geopolitical and national security challenges that mark today’s global environment. From money laundering and cyber- and crypto-enabled crime to sanctions and export control evasion and even funneled payments to terrorist groups, corporate crime increasingly — now almost routinely — intersects with national security concerns.

Since October 2022 — so over the last seven months — roughly two-thirds of the department’s major corporate criminal resolutions have implicated United States national security. The charges have varied, from sanctions violations to terrorism crimes and money laundering for Russian interests, and so have the corporate defendants, which have operated in industries from construction and finance to agriculture and telecommunications. But the trend is real, and we’re committed to dedicating the resources necessary to counter the threat.

In today’s world, the stakes are higher than ever, and more and more frequently the personal and collective security of Americans and our allies hangs in the balance. Let me use one egregious example to drive home the point: last October, the department secured the first-ever corporate guilty plea to material support for terrorism from LaFarge, S.A.

Now, LaFarge wasn’t some fly-by-night shell company. Far from it. We’re talking about a huge, publicly traded, multinational construction company — in fact, the world’s largest cement manufacturer — funneling money to the world’s most deadly and notorious terrorist groups like ISIS, for the purpose of maximizing its profits. Let that sink in for a moment.

Through senior executives, LaFarge brazenly paid millions of dollars to terrorist groups in order to run a cement plant in Syrian territory controlled by ISIS and to gain market advantage over its competitors in the region. Now, LaFarge stands convicted of a terrorism offense and on the hook for financial penalties of more than $750 million.

Simply put, times have changed. Our adversaries—terrorist groups, oligarchs, malign nation-states, and more — are engaging in novel ways to raise money and sow discord, through cybercrime, crypto-laundering, sanctions evasion, export control circumvention and technology theft. To meet the moment, companies must pay a new level of attention to a wider range of national security compliance issues than ever before. 

Where in years past a compliance team might have mitigated national security risks through sanctions-screening software and attention to a few sanctioned countries, today a new level of diligence and attention is required. In this way, to quote Deputy Attorney General Monaco, sanctions truly are the new FCPA.

Investing significant additional compliance resources in this space is common sense; it’s good business; and it's the right thing to do.

Let me give a couple of recent examples of why a more expansive view of compliance is necessary — ripped from last week’s headlines. Last Tuesday, the department reached a ground-breaking resolution with the British American Tobacco company and its Asia-based subsidiary in a case involving bank fraud and sanctions violations. Again, no fly-by-night operation here: BAT has been in business for over 120 years and, as of 2019, was the largest tobacco company in the world by net sales.

And yet despite its venerable history, for over a decade from 2007 to 2017, British American Tobacco used an offshore subsidiary and a third-party intermediary to conduct surreptitious and illicit business in North Korea. While falsely claiming no involvement in North Korea, BAT used the intermediary to maintain control over a program of North Korean tobacco sales and to launder the resulting income, to the tune of approximately half a billion dollars. And our investigation exposed that North Korean revenue from BAT’s tobacco sales was funneled to support that rogue nation’s nuclear weapons program.

Simply put: the department is finding dangerous violations of our national security laws in unexpected places. And we believe company executives and compliance officers need to reassess corporate risks with that threat landscape in mind.

Let me give you another, quite different example: also last week, the department unsealed criminal charges against a North Korean official and a handful of China-based crypto launderers, for their alleged roles in cyber-enabled, sanctions-evading, revenue generation schemes – again, to support the North Korean weapons program. Of course, the DPRK generates much of its cryptocurrency revenue through rank theft — by hacking crypto exchanges and other virtual asset providers and stealing cryptocurrency. But some of last week’s charges exposed a novel North Korean scheme that capitalizes on a toxic combination of high-tech labor shortages, remote telework, and identity theft. Based on those charges and additional investigative work, we now know that thousands of skilled information technology (IT) workers are using fake or stolen identities, obtaining telework employment at companies across the world, and then laundering their salary payments into the coffers of the North Korean regime. In some instances, those IT workers have also introduced vulnerabilities into company systems to enable DPRK hackers to conduct intrusions. 

While last week’s charges related to IT workers at blockchain companies, the FBI has tracked the North Korean scheme across numerous businesses and industries, as well as social networking, health and fitness, and entertainment platforms.  And the threat here extends not just to salary payments redirected to evade sanctions, but also to insider-enabled cybercrime and intellectual property theft—as to which unaware companies can quickly fall victim. In May of last year, to help companies and compliance personnel better protect against this threat, the U.S. government released an advisory warning, identifying red flag indicators and due diligence measures for companies hiring freelance or remote IT workers and software developers.

So what’s the takeaway? First, it’s a reminder that even business operations and lines far removed from the defense sector — cigarettes, cement, information technology — can pose dire national security risks if the company is not highly sensitive to high-risk actors, high-risk areas, and high-risk internal activity.

Before last year, remote IT workers were not on anyone’s list of threat vectors for sanctions evasion. And at first blush, the agricultural industry and the tobacco market don’t jump out as national security hotspots. But our investigation exposed BAT and infiltrating IT workers as important components in funding North Korea’s WMD proliferation program.

Particularly for any company whose operations touch parts of the world controlled by autocracies, the message is simple: national security laws must rise to the top of your compliance risk chart, with the recognition that even the most innocuous-looking transaction or activity could implicate our collective security. 

But secondly — and just as importantly, we need to put a premium on collaboration. On the cyber- and crypto-enabled crime front, the Department of Justice is working more closely with companies than ever before, as we prioritize dynamic threat disruption and place victims at the center of our work.  And the department is increasing outreach to the private sector about national security compliance risks.  With threats shifting and risks morphing, it is critical that we work together — government and industry — to identify and share information about new risk streams and threat actors.

For our part, the Department of Justice is dramatically scaling up our investment in fighting national security-related corporate crime. 

When I was in the private sector, I spent time assessing the priorities of the Department of Justice from the outside — and of course, I’d carefully review policy announcements and speeches like this one. But another way I gauged areas of focus was by assessing where the department was investing new resources. Speeches can set policies, but they don’t charge cases — prosecutors do. 

In March, the Deputy Attorney General announced that we are adding over two dozen new prosecutors to our National Security Division to focus on corporate crime; that group will include the first-ever Chief Counsel for National Security Corporate Enforcement. And we’re also staffing up the Bank Integrity Unit of the Criminal Division’s Money Laundering & Asset Recovery Section, where, among other things, we investigate and prosecute complex and cross-border sanctions cases that involve financial institutions.

We are investing those resources because the days when corporate crime solely jeopardized pensions and jobs and markets are gone. We know that our adversaries seek to use our technology against us and our allies, often to repress their own populations and extend their international influence.

So, in February, the Deputy Attorney General announced the formation of the Disruptive Technology Strike Force — a multi-agency collaboration led by the Justice and Commerce Departments to target illicit actors, strengthen supply chains, and protect critical technological assets from being acquired or used by our adversaries.

The illegal export of sensitive technology is a direct threat to our national security, with implications for the stability of our economy and the competitiveness of American businesses. These threats require our constant vigilance in enforcing our export control laws.

The department is now issuing joint advisories with the Commerce and Treasury Departments — akin to the FCPA guidance we publish jointly with the SEC that I know the private sector relies on. We will also continue issuing joint guidance on national security compliance risks, like the joint FBI, State, and Treasury advisory on North Korean IT workers I mentioned earlier. This is another way the Department will inform the private sector about enforcement trends and convey our expectations as to national security-related compliance.

Speaking of expectations, over the last nine months, the Deputy AG and I have each delivered remarks discussing the department’s efforts — across our components and across the country — to achieve consistency, transparency, and predictability.

We want corporate and compliance leaders to have a clear understanding of how the department will assess different fact patterns and how companies can expect to be treated. We hope this sets expectations around behavior and creates a zone of understanding where companies can step up and own up when they discover wrongdoing.

An animating principle in this work has been to standardize and upgrade the department’s approach to voluntary self-disclosure. If you’ve been following our message on corporate crime in the last year, I trust one thing has come through loud and clear: the department is placing a new and enhanced premium on voluntary self-disclosure. 

We know that it’s critical for companies that discover wrongdoing to be able to predict how the department is going to evaluate a voluntary self-disclosure. 

To that end, at the Deputy AG’s direction, every DOJ component and office with any responsibility for corporate enforcement matters now has a VSD policy in place. Those policies are publicly available on the DOJ website, and they all adhere to core department-wide principles. For the first time, all 94 U.S. Attorneys’ Offices have now adopted a single Voluntary Self-Disclosure policy that applies from Anchorage to Miami, from San Diego to right here in Jersey City.

Our work on this is not done. We are reviewing how components deploy those policies – looking at metrics and considering how we should tweak and recalibrate those policies going forward. And we are seeking feedback from all quarters. If you have experiences or insights you wish to share, please don’t hesitate to reach out to our office.

One area where we’ve received lots of input about self-disclosure relates to mergers and acquisitions. Encouraging corporate responsibility includes avoiding unintended consequences – like deterring companies with good compliance programs from acquiring companies with histories of misconduct.

Acquiring companies should be rewarded — rather than penalized — when they engage in careful pre-acquisition diligence and post-acquisition integration to detect and remediate misconduct at the acquired company’s business. That’s why, as I’ve said before, the Department of Justice will not treat as a recidivist any company with a track record of compliance that acquires a company with a history of compliance problems, so long as those problems are promptly and properly addressed in the context of the acquisition.

The Criminal Division’s Voluntary Self-Disclosure Policy currently incentivizes companies to come forward and disclose misconduct uncovered during due diligence by offering a presumption of a declination of prosecution. Consistent with this policy, the Criminal Division has declined to take enforcement action against companies that promptly and voluntarily self-disclosed misconduct uncovered in the M&A context and then remediated and cooperated. The Criminal Division’s Evaluation of Corporate Compliance Programs — last revised earlier this year, in March 2023 — also emphasizes the importance of including compliance voices in the M&A process. 

We are working toward an update and extension of that approach across the department as part of our ongoing efforts to promote and standardize voluntary self-disclosure. That update and extension will highlight the critical importance of the compliance function having a prominent seat at the table in evaluating and de-risking M&A decisions.

The department welcomes your feedback on the issue. Indeed, I understand our team has already spoken to a number of you here in the audience to identify areas where more clarity from the Department would be helpful. Stakeholder outreach and engagement are core tenets of the Corporate Crime Advisory Group process the Deputy AG announced at the beginning of her tenure.

Before we get to some questions, let me close with two key takeaways.

First, today’s world is filled with national security risks — risks that impact our nation, our markets, and our workplaces. Those of you in compliance are on the front line. When you mitigate compliance risks for your companies, you are serving your clients well and protecting our national security. Thank you for that work.

Second, at the Department of Justice, we are working every day not only to conduct robust enforcement but to do so with transparency, uniformity, and predictability so we can empower and incentivize companies to detect, deter, and report corporate misconduct. We look forward to continuing our work with the compliance community on that important effort.

Thank you. I look forward to taking some questions.

Updated May 3, 2023