Holland & Knight, the Florida Chamber of Commerce, Greater Miami Chamber of Commerce and Miami-Dade Chamber of Commerce hosted the 2023 Florida Enforcement Summit on Oct. 18, 2023. The half-day program focused on current federal and Florida enforcement priorities, adopting and administering effective compliance programs, and managing corporate compliance.

Guest speakers at the 2023 Florida Enforcement Summit included:

• Markenzy Lapointe, U.S. Attorney for the Southern District of Florida, whose jurisdiction ranges from Miami to West Palm Beach
• Eric Bustillo, Director of the U.S. Securities and Exchange Commission's (SEC) Miami Regional Office, which has jurisdiction over Florida, Louisiana, Mississippi, Puerto Rico and the U.S. Virgin Islands
• Julie Chaikin, Deputy Statewide Prosecutor of Florida

Panelists from Holland & Knight included:

• Miami Partner Wifredo A. Ferrer, former U.S. Attorney for the Southern District of Florida
• Dallas Partner Jessica B. Magee, former Associate Director of Enforcement, SEC Fort Worth Regional Office
• Miami Partner Barbara A. Martinez, former Chief of the Special Prosecutions Section, U.S. Attorney's Office for the Southern District of Florida

Guest Speaker Highlights

Panel I: Federal Enforcement Priorities

Markenzy Lapointe shared his insights into current enforcement priorities and initiatives.

• He stated that the U.S. Department of Justice (DOJ) has recently focused on its enforcement policies related to corporate crime. For example, the Deputy Attorney General, Lisa Monaco, stated in a Departmentwide memo that when resolving cases involving corporations, the DOJ will consider whether a corporation has 1) a history of misconduct, 2) voluntarily disclosed the misconduct at issue, 3) cooperated with the DOJ during its investigation, and 4) adopted and administered an effective compliance program both before and after the misconduct at issue took place.
• Lapointe explained that the DOJ encourages declination of cases in which a company has generally instituted a culture of compliance. The DOJ understands that individual mistakes are made and will look at the company as a whole when making enforcement decisions. For more on how the DOJ assesses a corporation's culture of compliance, see the DOJ's Evaluation of Corporate Compliance Programs (Updated March 2023).
• Lapointe recommended that businesses think about what they can show enforcement authorities to demonstrate that they have and continue to take compliance seriously.

The U.S. Attorney also shared advice on how corporations should cooperate with the DOJ both when corporations believe that they, their personnel or someone else has engaged in misconduct and when they believe that they have been the victim of a crime such as a cyberattack.

• Lapointe recommended that businesses report cyberattacks to the FBI. Companies can navigate the complex network of ransomware schemes much more effectively in partnership with the FBI than alone. Lapointe recommended that companies subject to cyberattacks put embarrassment aside and take advantage of the FBI's tools, resources and expertise by self-reporting the attack immediately.
• Lapointe also elaborated on the concept of self-reporting when corporations, their personnel or someone else has engaged in misconduct. He explained that the DOJ endeavors to do more than simply enforce antifraud provisions of the U.S. Code against businesses that have violated them, but rather is seeking collaboration with the business community to prevent fraud in the first place. In other words, the DOJ would appreciate hearing from corporations that see any kind of misconduct (or the risk thereof), both within and outside their organizations.
• To that end, the DOJ recently implemented a safe harbor policy for companies that voluntarily self-disclose criminal misconduct discovered in connection with mergers and acquisitions. Under the new policy, acquiring companies that 1) promptly and voluntarily disclose criminal misconduct within the Safe Harbor period (six months from discovery), 2) cooperate with the ensuing investigation and 3) engage in requisite, timely and appropriate remediation, restitution and disgorgement (within one year of closing) will receive the presumption of a declination. (For more on this new policy, see Holland & Knight's previous alert, "Understanding the Department of Justice's New Safe Harbor Policy," Oct. 19, 2023.)
• Lapointe explained that companies must be honest partners for collaboration to succeed. Businesses can show that they are honest partners by having infrastructures for compliance in place before the misconduct occurs and incentivizing compliance at all levels of the organization. The DOJ wants to see companies get ahead of problems by investing in an effective compliance program early, identifying wrongdoers, self-disclosing and cooperating with the DOJ's investigation.
• The U.S. Attorney cited the recent indictment of 17 Broward Sheriff's Office employees as an example of effective partnership with the DOJ. He recommended that companies follow the Broward Sheriff's Office example by identifying wrongdoers and self-reporting to the DOJ. The DOJ will look favorably on such cooperation when resolving a case.
• Lapointe also emphasized the importance of timely self-disclosure. If the DOJ expends enough resources to investigate or indict, it may very well be too late to self-disclose and benefit from cooperation. In short, companies that wait to self-disclose do so at their own risk.

Eric Bustillo shared his insights into current SEC enforcement priorities and policy updates.

• Bustillo described the mechanisms of SEC enforcement in light of the SEC's limited resources. He explained that cases come to the SEC through whistleblowers, the agency's use of artificial intelligence (AI) and data analytics, and collaboration with the FBI and other law enforcement agencies. Bustillo stated that the SEC leverages AI and data analysis to identify insider trading and fraud schemes that they may not have been able to identify without those new tools.
• Bustillo explained that the SEC's recent focus has been on cryptocurrency and cybersecurity. He cited a recent emergency action against a Miami investment adviser for orchestrating a $100 million crypto-fraud scheme and explained that the SEC will continue to invest resources in the cybersecurity space.
• The SEC recently proposed new rules to address cybersecurity risks to U.S. securities markets and adopted final rules on cybersecurity risk management, strategy, governance and incident disclosure by public companies just last month.
• Bustillo advised businesses to understand their disclosure requirements for cybersecurity incidents with regard to each of the relevant regulators, which may include state regulators, federal regulators and foreign regulators. The days of keeping cyberattacks secret and addressing them internally are gone.

Bustillo went on to discuss how businesses can and should use compliance programs.

• The SEC Regional Director explained that companies should not create compliance programs to please the DOJ and SEC. Responsible business leaders should create compliance programs for the benefit of their shareholders, employees and communities and understand the investment will pay dividends in the form of ensuring compliance with the law and avoiding the negative consequences of violating it including fines, penalties and lost business. Compliance programs should ultimately allow leaders to detect violations when they occur and address them appropriately.
• Referencing the Seaboard Report, Bustillo explained that SEC investigations will focus on the internal control systems that existed around the time of the alleged misconduct, corporate culture, self-reporting, cooperation, remediation and discipline of wrongdoers.
• Bustillo emphasized the importance of consistently testing the effectiveness of a company's compliance program. The program should, of course, be adjusted as the company evolves and expands.

Panel II: Florida Enforcement Priorities

Julie Chaikin shared her insights into current Florida enforcement priorities.

• According to Chaikin, the Office of Statewide Prosecution is currently prioritizing crimes against seniors, human trafficking, organized retail theft and fraud of any kind. She noted that workers compensation fraud, insurance fraud, Paycheck Protection Program fraud and Medicaid fraud have become significant concerns.
• Chaikin explained that Florida state authorities often conduct investigations in parallel with federal authorities. Businesses seeking to resolve federal investigations should remember that state investigators may still be pursuing parallel investigations into the same misconduct.

Chaikin went on to discuss the Office of the Statewide Prosecutor's views on corporate compliance programs.

• In line with comments made by Lapointe and Bustillio, Chaikin stated that compliance programs must be more than documents placed on a shelf. The mere existence of a compliance program will not shield a company from prosecution if the company violates the law and cannot demonstrate the effectiveness of the compliance program, how it aided in the detection of misconduct and how the company took appropriate action upon discovering the misconduct.

Key Takeaways

• Investing in the adoption and administration of an effective corporate compliance program may seem like little more than a required corporate expense, but the return on investment for corporations in the form of 1) deterring misconduct, 2) preventing misconduct, 3) identifying misconduct (or even the risk of misconduct) quickly, 4) reducing the harm to the public resulting from misconduct and 5) reducing the penalties imposed by government regulators as a result of any misconduct renders the investment not only responsible, but profitable.
• Once a corporation understands that misconduct took place within the corporation and has a reasonable understanding of the nature of the misconduct, it should consider 1) voluntarily disclosing that misconduct to relevant state and federal regulators, 2) cooperating with any resulting investigations and 3) remedying the compliance failure that allowed the misconduct to take place so as to best position the corporation to obtain full cooperation credit from the relevant regulators as they resolve their investigations. The longer a corporation waits to disclose, the greater the risk that a government regulator will discover the misconduct on its own and be less willing to offer the corporation the maximum amount of cooperation credit.
• As corporations navigate the world of corporate compliance, they should always keep in mind all of their obligations (under state, federal and foreign law) and be mindful of how each of their relevant government regulators (whether from one of the several states, the United States or a foreign state) will assess the corporation's 1) compliance program, 2) voluntary self-disclosure of misconduct (including the timeliness and transparency of the disclosure), 3) level of cooperation with any resulting investigation and 4) efforts to remediate the situation so that the individuals responsible for the misconduct are punished and the internal controls that allowed the misconduct to take place are fixed so that the misconduct does not recur. It is a prudent practice for corporations to operate as if their relevant government regulators are or will be conducting parallel investigations into potential misconduct as that is so often the case.