☰ In this section

The Champion

June 2013 , Page 42 

Search the Champion Looking for something specific?

Access to The Champion archive is restricted to NACDL members. However, this page and others deemed to serve the public interest - as opposed to a narrower benefit to the criminal defense profession - are left unprotected for access by all interested persons.

Deferred Prosecution Agreements in the Financial Services Industry: Trends and Tips

By Anne M. Chapman and Kathleen E. Brody

In the last decade or so, deferred prosecution agreements (DPAs) have become the preferred method for resolving government investigations of companies — from both the prosecution and defense perspectives. For the government, such agreements avoid the expense of trial and usually require the defendant to implement remedial measures to address the problems identified in the investigation. Companies avoid indictment and prosecution, generally earn immunity for the problematic conduct identified by the government, and ideally come out with enhanced compliance measures in place.

Especially in recent years, DPAs involving companies in the financial services industry have risen sharply, and there are reports that more investigations of financial services businesses are ongoing. Government regulators have been facing increasing criticism, however, by those who see DPAs as an easy way out for big companies accused of serious wrongdoing. In light of what appears to be regulators’ widening their nets to ensnare more financial services companies and the individuals working for them, defense counsel should have in mind some background on DPAs, the range of provisions that might find their way into the agreements, and the potential pitfalls defendants might face along the way.

Background and History

Corporate DPAs and nonprosecution agreements (NPAs)1 were common toward the middle of the last decade, and they now, in the words of former DOJ Criminal Division head Lanny Breuer, “have become a mainstay of white collar criminal law enforcement.”2 Companies in the financial services industry have been parties to these agreements throughout this period. There was also a rise in corporate DPAs and NPAs following the Enron collapse and the creation of the Corporate Fraud Task Force.3 The so-called Thompson Memorandum, a 2003 memo from Deputy Attorney General Larry D. Thompson outlining the principles for prosecution of business organizations, contained guidelines for plea agreements and noncriminal alternatives,4 which may have led to the increased use of DPAs and NPAs in the following years.5 

Ten years ago, the DOJ and Banco Popular de Puerto Rico entered into a DPA based on the bank’s deficiencies in filing suspicious activity reports (SARs).6 That agreement contains most of the usual elements also found in more recent DPAs — information in lieu of indictment, acceptance of responsibility, requirements to cooperate with requests for information, forfeiture, civil money penalties, waiver of speedy trial rights and statutes of limitations, deferral of prosecution, and immunity against prosecution for certain conduct. The NPA stemming from Merrill Lynch & Co.’s conduct in connection with the Enron collapse was also signed in 2003.7 This NPA included another common provision in DPAs and NPAs — a third-party monitor. In the case of Merrill Lynch, the company agreed to retain, for 18 months, both an independent auditing firm and an individual attorney to monitor its compliance with the remediated policies and procedures set forth in the agreement.

As the use of third-party monitors in connection with DPAs and NPAs became more widespread, criticism of this practice also rose. In one infamous case, then-United States Attorney for New Jersey Chris Christie selected his former boss, Attorney General John Ashcroft, to oversee a DPA with medical supply company Zimmer Holdings.8 Under the agreement, Ashcroft stood to earn up to $52 million.9 Christie also selected monitors to oversee four other agreements with medical supply companies.10 These appointments, along with the perception that prosecutors in the DOJ were operating with too much discretion, led to proposed legislation in Congress to impose uniform standards for DPAs and NPAs.11 The legislation was not successful, but did lead the DOJ to issue the so-called Morford Memorandum in March 2008, outlining nine principles for drafting provisions regarding third-party monitors.12 Two years later, the DOJ issued another memorandum adding a tenth principle for monitor provisions.13 Following the articulation of these principles, the use of third-party monitors has generally declined in the last few years.

With the increasing public and regulatory scrutiny of the financial industry since the most recent financial crisis, DPAs and NPAs involving financial institutions have also risen sharply. In 2012 alone, regulators reached agreements with HSBC Bank, ING Bank, Standard Chartered Bank, and MoneyGram. Earlier agreements involved American Express, Barclays, Credit Suisse, and Sigue, among others. The misconduct at issue in these cases generally (but not exclusively) involves anti-money laundering and trade sanctions violations. It has also been widely reported that the DOJ and other agencies are currently investigating other financial services businesses, so more DPAs and NPAs will likely be forthcoming.

Criticisms and Pressures On Prosecutors

The public’s ire with banks and other financial institutions in the wake of the recent financial crisis has been joined in some cases by criticism from Congress. Legislators have also been open with their disapproval of regulators’ use of DPAs and NPAs, viewing the obligations imposed by such agreements as too lenient in light of the conduct at issue.

Among the prominent and vocal critics has been Sen. Elizabeth Warren of Massachusetts, who blasted a Treasury official during a Senate Banking Committee hearing in March.14 Warren’s questioning focused on the recent HSBC deal, which followed an earlier congressional investigation that exposed significant holes in the bank’s anti-money laundering program and seemingly intentional conduct designed to skirt the Bank Secrecy Act and certain regulations.15 Warren pointed to what appear to be gross inequities in the consequences for street crime versus the type of white collar crime at issue: “If you’re caught with an ounce of cocaine, the chances are good you go to jail. If you’re caught repeatedly, you can go to jail for life. Incidentally, if you launder nearly a billion dollars in drug money, your company pays a fine and you go home and sleep in your own bed at night.” Other regulators, including Attorney General Eric Holder, Federal Reserve Chairman Ben Bernanke, and SEC Chairwoman Elisse Walter, also faced similar criticism from Warren and others in Congress.

The fallout from this criticism might not be insignificant. The federal judge presiding over the HSBC case took more than six months to approve the DPA. In December 2012, Judge John Gleeson invited DOJ and HSBC lawyers to present their arguments why he should approve the agreement, noting the public criticism of the deal. In his July 1, 2013, order approving the DPA, Judge Gleeson again noted the significant public criticism and the possibility for governmental abuse in connection with DPAs, emphasized the court’s continuing supervisory power over its implementation, and ordered both parties to file quarterly reports with the court.

In addition, seemingly in response to the mounting criticisms, prosecutors have required as part of recent resolutions guilty pleas from foreign subsidiaries of larger parent companies. In late 2012 and early 2013, Japanese subsidiaries of UBS and the Royal Bank of Scotland, which were accused of manipulating LIBOR interest rates, pleaded guilty to felony wire fraud. The DOJ has also responded to criticisms by shifting the focus of its investigations and prosecutions to individual wrongdoers — including high level executives — and publicly making clear that individuals will not be granted immunity in connection with corporate DPAs.16 It has been reported, for instance, that the ongoing JPMorgan investigation involves several potential individual targets.17 

Nevertheless, the criticisms and increased focus on subsidiaries and individuals will likely not end the widespread use of DPAs and NPAs, particularly in the financial services industry.

General Principles, Drafting Tips, and Potential Pitfalls

As noted above, DPAs tend to follow a certain formula, generally containing the same types of provisions, including money forfeitures, acceptance of responsibility, prohibitions against the company making public statements denying responsibility, and provisions describing processes upon the government’s allegation of a breach or for extending the agreement. Within that general outline, however, there is usually a good bit of negotiating room, depending on the specific circumstances of each case. What follows are some general principles and issues to keep in mind during negotiations and drafting.

Contract Principles

DPAs are contracts, and courts that have addressed DPAs and other similar agreements apply general contract principles when construing them.18 It goes without saying, therefore, that companies considering DPAs should view them as imposing binding obligations.19 In the case of a DPA, however, the failure to meet those obligations could result in consequences much graver than a money judgment. With that in mind, the company should think hard about whether it can meet the government’s terms and what financial and other burdens will follow from the company’s promises. For instance, in a highly regulated industry like financial services, a company’s promises to one regulator could have ripple effects, not only triggering reporting obligations and licensing issues, but also possibly resulting in multiple-front negotiations.

On the flip side, DPAs also impose obligations on the government. Typically, a company will earn some level of immunity in connection with the successful fulfillment of its promises, and the government will agree to be bound by some level of confidentiality. In addition, both parties to the DPA are bound by the duty of good faith and fair dealing inherent in every contract.20 This concept can become more important to a company that finds itself close to a government declaration of breach — or even worse, an indictment. If litigation is anticipated or actually ensues, the company should be prepared to argue (if appropriate) that the government breached its obligations under the agreement, breached the duty of good faith and fair dealing, and made its determination that the company breached in bad faith.21 

Statement of Facts

The typical DPA entered into with the DOJ involves a relatively detailed statement of facts and the company’s agreement that it is responsible for that conduct. But the statement of facts is not necessarily an admission of criminal liability — as stated in the HSBC DPA, “Neither this Agreement nor the criminal Information is a final adjudication of the matters addressed in such documents.”22 

The recitation in the statement of facts can be more or less lengthy and detailed depending on the conduct at issue and the number of violations, among other things. Companies should consider the benefits and drawbacks of including more or fewer details in the statement of facts. On the one hand, nonprosecution provisions are sometimes co-extensive with the conduct described in the statement of facts. Thus, the more conduct included in the statement of facts, the broader the immunity from prosecution. On the other hand, there may be some benefit to limiting the detail depending, for instance, on what collateral consequences could follow in other licensing jurisdictions.


The extent of the government’s agreement not to prosecute and related grants of immunity should be viewed as the most important provisions from the company’s perspective. As noted above, typically the DPA will provide some immunity at least in connection with the conduct described in the statement of facts, but it may be possible for the company to negotiate for more immunized conduct. For instance, if there have been ongoing disputes between the government and the company that will be resolved in connection with the DPA, the company could ask that the immunity provisions cover any conduct involved in the earlier disputes. Similarly, if the government’s investigation was significantly broader than what is eventually alleged to be the culpable conduct in the statement of facts, the company might ask that the entirety of the conduct under investigation be covered. One example of this is the 2010 American Express DPA. That agreement provided immunity not only for conduct described in the statement of facts, but also conduct described in “other accounts that were the subject of grand jury subpoenas in the course of this investigation, as well as [American Express’s] efforts to comply with grand jury subpoenas issued in the course of the investigation.”23 In addition, some DPAs will require the company to continue to provide materials and information to the government over the deferral period. The company should consider whether the materials provided under such provisions should also receive immunity.

The immunity provided for in a DPA can be use immunity, transactional immunity, or some combination of the two. For instance, in the HSBC DPA, the government agreed “not to use any information related to the conduct described” in the statement of facts against HSBC “in any criminal or civil case” (use immunity) and also not to “bring any criminal case [against HSBC] … related to the conduct described” in the statement of facts (transactional immunity).24 The MoneyGram DPA contains similar immunity provisions, but also provides transactional immunity for “information that the Company disclosed to the Department prior to the date on which this Agreement was signed.”25 

A company can usually secure immunity in a DPA for itself and its affiliate companies. As noted above, however, the DOJ will not grant immunity to individuals in connection with a corporate DPA. For better or worse, however, the DOJ is not the only regulator negotiating DPAs and NPAs with companies, and individual immunity in such agreements may be possible in some cases. Companies and their counsel negotiating a DPA should therefore consider whether some individual immunity might be appropriate.


Confidentiality is a close second in importance to immunity, especially if a company has provided a large amount of information and materials in connection with the investigation that preceded the signing of the agreement, or is agreeing to provide materials over the course of the deferral period. In a highly regulated industry such as financial services, there are likely to be many agencies and plaintiffs’ securities lawyers interested in the information the company discloses in connection with the investigation and agreement. On one side of the pendulum, the MoneyGram DPA provides essentially no confidentiality, at least with respect to law enforcement and regulatory agencies — MoneyGram consented to “any and all disclosures, subject to applicable laws and regulations, to other governmental authorities, including United States authorities and those of a foreign government of such materials as the Department, in its sole discretion, shall deem appropriate.”26 The agreement requires MoneyGram to disclose to the DOJ any requested information related to fraud-induced money transfers, money laundering, and its anti-money laundering program.27 

Especially when dealing with disclosure of transactional data or other documents that might contain personal consumer information, more stringent confidentiality provisions might be necessary or desirable.28 

Compliance Measures, Reporting, and Monitoring

Various compliance measures can be considered for inclusion in financial industry DPAs. Among others, these measures might include structuring executive bonuses to reflect adherence to compliance policies;29 establishing board oversight of compliance executives and forming board governance or compliance committees;30 requiring reporting to the DOJ and other agencies;31 making significant investments in compliance staff and programs;32 changing compliance reporting structures, in particular separating the compliance and legal departments;33 creating global compliance standards;34 developing risk management measures to give particular consideration to countries or regions with high risk for fraud, corruption, or money laundering;35 enhancing due diligence practices for current business partners and for potential mergers and acquisitions;36 and instituting compliance training.37 

In some cases, as with MoneyGram, a monitor with reporting obligations may be appointed.38 Because monitors often have unfettered access to nonpublic company information, the monitor selection process is critical. DPAs often give the government greater authority than the company in the selection process.39 In some cases, the necessary qualifications for the monitor are specified in the agreement.40 DOJ standards require a federal prosecutor to, at least, notify the appropriate U.S. Attorney or department component head before executing a DPA or NPA that involves a third-party monitor.41 The agreement must be provided to the assistant attorney general for the Criminal Division after it has been executed.42 

Civil and Regulatory Penalties

Depending on the circumstances, it may even be possible to negotiate for civil and regulatory penalties rather than criminal penalties. The collateral consequences of a criminal charge for a financial services company can be harsh, including requiring reporting to other regulators and possibly even affecting its licenses in other jurisdictions. Because financial companies are so heavily regulated, however, it would typically be possible to easily identify civil or regulatory provisions that encompass the company’s alleged wrongful conduct. One possible example of this is the widely reported ongoing investigation by the DOJ and other agencies of JPMorgan Chase in connection with its traders intentionally mismarking credit positions in order to hide huge losses. JPMorgan has disclosed the investigation in its securities filings, but made no mention of potential criminal liability.43 This has led some to speculate that the DOJ and SEC, which is also investigating, may not push criminal charges.


The DOJ and other regulators are likely to continue aggressive use of DPAs. As former DOJ Criminal Division head Breuer noted, DPAs “have had a truly transformative effect on … corporate culture across the globe” resulting in “unequivocally[] far greater accountability for corporate wrongdoing — and a sea change in corporate compliance efforts.”44 Companies would typically be well-served to enter into a DPA in lieu of indictment. The more educated counsel can be about the range of potential provisions, the better a company will fare in negotiations and the greater chance the company will have for successful compliance with its obligations under an agreement.


  1. NPAs are distinguishable from DPAs in that NPAs do not involve criminal charges and are not filed with any court, but, like DPAs, NPAs do involve the acceptance of responsibility for criminal conduct. See Memorandum from Craig S. Morford, Selection and Use of Monitors in Deferred Prosecution Agreements and Non-Prosecution Agreements with Corporations (March 7, 2008) (Morford Memorandum), at 1 n.2, available at http://www.justice.gov/dag/morford-useofmonitorsmemo-03072008.pdf.
  2. Lanny A. Breuer, Speech to the New York City Bar Ass’n (Sept. 13, 2012).
  3. Washington Legal Foundation, Federal Erosion of Business Civil Liberties, at 6-2 (2008), available at http://www.wlf.org/upload/WLF%20timeline.pdf.
  4. Memorandum from Larry D. Thompson, Principles of Federal Prosecution of Business Organizations (Jan. 20, 2003).
  5. Federal Erosion of Business Civil Liberties at 6-3.
  6. Banco Popular de Puerto Rico Deferred Prosecution Agreement (Jan. 16, 2003), available at http://www.fincen.gov/news_room/ea/files/bancopopular.pdf.
  7. Merrill Lynch & Co., Inc., Non-Prosecution Agreement (Sept. 17, 2003), available at http://southcarolinacriminallawyer.files.wordpress.com/2011/08/merrill-lynch-non-prosecution-agreement.pdf.
  8. See Federal Erosion at 6-8.
  9. Id.
  10. Id.
  11. See id.
  12. Morford Memorandum.
  13. Memorandum from Gary G. Grindler, Additional Guidance on the Use of Monitor in Deferred Prosecution Agreements and Non-Prosecution Agreements with Corporations (May 25, 2010), available at http://www.justice.gov/dag/dag-memo-guidance-monitors.html.
  14. U.S. Senate Committee on Banking, Housing & Urban Affairs, Hearing on Patterns of Abuse: Assessing Bank Secrecy Act Compliance and Enforcement (March 7, 2013), video available at http://www.banking.senate.gov/public/index.cfm?FuseAction=Hearings.Hearing&Hearing_ID=66d5f8e5-2ea1-48e1-adb6-5b514960ba8d.
  15. The report from the U.S. Senate Permanent Subcommittee on Investigations of the Committee on Homeland Security and Government Affairs is titled U.S. Vulnerabilities to Money Laundering, Drugs, and Terrorist Financing: HSBC Case History, and is available at http://www.hsgac.senate.gov/download/report-us-vulnerabilities-to-money-laundering-drugs-and-terrorist-financing-hsbc-case-history.
  16. Lanny A. Breuer, in a Sept. 13, 2012, speech to the New York City Bar Association in which he responded to criticism of DPAs focused on the DOJ’s refusal to immunize individuals as part of DPAs, said that “regardless of whether we indict a company or agree to defer prosecution, individual wrongdoers can never secure immunity through the corporate resolution.”
  17. Ben Protess & Azam Ahmad, With Tapes, Authorities Build Criminal Cases Over JPMorgan Loss, New York Times DealBook (Oct. 10, 2012), http://dealbook.nytimes.com/2012/10/10/at-jpmorgan-inquiry-built-on-taped-calls/.
  18. E.g., United States v. Stolt-Nielsen S.A., 524 F. Supp. 2d 586, 606 (E.D. Pa. 2007), rev’d on other grounds by Stolt-Nielsen, S.A. v. United States, 442 F.3d 177 (3d Cir. 2006).
  19. Standard Chartered’s DPA included clauses that prohibited public statements contradicting its acceptance of responsibility and acknowledging that it “knowingly and willfully engaged in this criminal conduct.” When John Peace, chairman of Standard Chartered’s board, replied to a news conference inquiry by denying any willful act to avoid sanctions, he was required to issue a retraction under the DPA’s “cure” clause and was summoned, along with other Standard Chartered executives, to Washington to meet with Justice Department officials. Peter J. Henning, Sending a Message for Backpedaling on Settlements, New York Times DealBook (March 25, 2013), http://dealbook.nytimes.com/2013/03/25/sending-a-message-for-backpedaling-on-settlements/.
  20. See, e.g., United States v. San Pedro, 781 F. Supp. 761, 773-74 (S.D. Fla. 1991).
  21. United States v. Aleman, 286 F.3d 86, 91 (2d Cir. 2002) (“the prosecution’s determination that it is dissatisfied with the defendant’s performance under the cooperation agreement … may not be reached dishonestly or in bad faith”) (quoting United States v. Khan, 920 F.2d 1100, 1105 (2d Cir. 1990)). 
  22. HSBC DPA ¶ 2.
  23. American Express DPA at 5-6.
  24. HSBC DPA ¶ 8.
  25. MoneyGram DPA ¶ 8.
  26. MoneyGram DPA ¶ 5.
  27. MoneyGram DPA ¶ 5.
  28. See S.E.C. v. American Intern. Group Inc., where a member of the press sought access to AIG’s confidential monitor reports that were created pursuant to a consent decree with the Securities Exchange Commission (SEC), arguing that there was both a First Amendment and common law right of access to the reports. 854 F. Supp. 2d 75, 78 (D.D.C. 2012) (AIG I), rev’d on other grounds, S.E.C. v. Am. Int’l Group, No. 12-5141, 2013 WL 375650 (D.C. Cir. Feb. 1, 2013) (AIG II). The court expressly rejected the argument that there was a First Amendment right of access to the documents, holding that the media had not satisfied the experience prong of the test. Id. at 79 (“[I]t is impossible to say that access to such a document has historically been available.”).
  29. HSBC DPA ¶ 5.v.; MoneyGram DPA att C ¶¶ 4-5.
  30. HSBC DPA ¶ 5.e.; MoneyGram DPA att C ¶ 1.
  31. MoneyGram DPA att C ¶¶12-15.
  32. HSBC DPA ¶ 5.i.
  33. HSBC DPA ¶ 5.e. However, in Pfizer H.P.C. Corp.’s recent DPA, the chief compliance officer and risk officer report directly to the chief executive officer and periodically to the Audit Committee of the Board of Directors. Pfizer H.P.C. Corp. DPA att C.2 at 1(a).
  34. HSBC DPA ¶ 5.p.; MoneyGram DPA att C ¶¶ 2-3.
  35. HSBC DPA ¶ 5.y. and 5.g; MoneyGram DPA att C ¶ 11.
  36. HSBC DPA ¶ 6.1.; MoneyGram DPA att C ¶¶ 6-7.
  37. HSBC DPA ¶ 6.h.
  38. See Standard Chartered Bank DPA.
  39. MoneyGram DPA ¶ 10.
  40. Id.
  41. Morford Memorandum at 2.
  42. Id.
  43. JPMorgan Chase & Co. Form 10-K for the fiscal year ended Dec. 31, 2012 (Feb. 28, 2013), at 316.
  44. Lanny A. Breuer, Speech to the New York City Bar Ass’n (Sept. 13, 2012).
Advertisement Advertise with Us

In This Section

Advertisement Advertise with Us