May 03, 2019
This week the U.S. Department of Justice (DOJ) Criminal Division released revised guidance on the “Evaluation of Corporate Compliance Programs.” This latest guidance is important not only to help benchmark existing compliance programs but also to understand what DOJ will look for when making critical decisions affecting a company under investigation. DOJ’s Fraud Section had released a prior version of this guidance in February 2017. The 2019 guidance is notable in several respects, including that it is a significantly more detailed statement of DOJ’s views on compliance programs, and it draws from multiple DOJ components beyond the Fraud Section, including the Office of the Assistant Attorney General and the Money Laundering and Asset Recovery Section. DOJ has stated that the new, expanded guidance “seeks to better harmonize the guidance with other [DOJ] guidance and standards while providing additional context to the multifactor analysis of a company’s compliance program.”
The new guidance is built around three “fundamental questions” prosecutors should ask to evaluate compliance programs:
For each question, the guidance identifies some “hallmarks” of effective compliance programs, describes their importance, and provides specific sample questions that a prosecutor could ask a company to evaluate aspects of its compliance program. The prosecutor’s evaluation of a company’s compliance program may affect charging decisions, penalties, or decisions to impose monitoring obligations.
The “starting point” for prosecutors is understanding the company’s own risk assessment and whether the compliance program is appropriately tailored to the company’s risks. DOJ continues to emphasize the fundamental importance of conducting a thoughtful risk assessment, allocating resources to address the most significant risks, and continuously updating the assessment. From there, the prosecutor will look to the policies and procedures in place, and how employees are trained on them. The availability of confidential reporting of misconduct and the proper investigation of such reports are also critical design elements. Finally, the guidance emphasizes the critical importance of due diligence being performed in two specific areas: managing third-party relationships (e.g., representatives, sales agents), and mergers and acquisitions. DOJ expressly recognizes and reinforces the value of integrating due diligence into regular business processes, such as onboarding new third-party relationships.
To assess implementation, the guidance advises prosecutors to look for commitment to compliance by management (not only at the top, but also in the middle), a compliance program with adequate independence, resources, and stature within the company, and the presence of incentives and disciplinary measures to foster compliant conduct.
The guidance notes that determining whether a compliance program was effective—even as the prosecutor is investigating a potential offense—is “one of the most difficult questions prosecutors must answer.” To do so, the guidance advises prosecutors to ask whether the compliance program improves and adapts as risks change, whether it effectively investigates potential misconduct, and whether it is able to identify the root cause of misconduct and remediate it. This continues DOJ’s dismissal of “paper” programs and its focus on understanding how the program has actually worked in responding to real situations.
While consistent with the 2017 guidance, which provided sample questions grouped by topic, the updated guidance significantly expands on its predecessor and provides more insight into DOJ’s thinking in several ways.
First, the 2019 guidance is far more detailed (roughly twice as long) and contains descriptions of the components of effective compliance programs, not just sample questions. The more fulsome elaboration by DOJ creates a more useful guide to understanding how it assesses compliance programs, and a more useful tool to benchmark a company’s existing program and to identify areas to enhance going forward.
Second, the 2019 guidance was issued by the Criminal Division, with input from multiple DOJ components, while the 2017 guidance came from the Fraud Section within the Criminal Division. This represents DOJ’s practical effort to approach compliance programs with more consistency across different enforcement areas. As companies have done well to expand compliance programs over the years, DOJ is clearly increasing its efforts to evaluate those actions and the depth and effectiveness of prevention measures within companies.
Third, the more descriptive and structured 2019 guidance also reveals some broader themes regarding DOJ’s thinking. Notably, the 2019 guidance makes clear the importance of risk-based analysis as companies consider and implement compliance programs, appropriately reflecting the reality that in general, effective and responsive risk management, rather than complete risk elimination, is the proper goal. Along these lines, the guidance acknowledges that an effective compliance program may be one “that devotes appropriate attention and resources to high-risk transactions, even if it fails to prevent an infraction in a low-risk area.” The new guidance also demonstrates that DOJ values a company’s effort to continually update, improve, and revise its compliance program; this theme emerges under each of DOJ’s three fundamental questions. Here, the guidance advises prosecutors to consider whether the company takes a “lessons learned” approach to revising its compliance program, and to examine whether a compliance program has become “stale.”
DOJ has increased its focus on evaluating compliance programs and their effectiveness in recent years, and the 2019 guidance document continues that trend by expanding on the prior guidance in both detail and breadth. Tellingly, the new guidance came from the Criminal Division with input from multiple components beyond the Fraud Section, which had issued the 2017 version. The benefits of robust compliance are well documented. As DOJ recognizes, those benefits can be realized when companies effectively and continually evaluate and seek to minimize compliance risks.