Earlier this month, the Criminal Division of the United States Department of Justice (DOJ) updated its Evaluation of Corporate Compliance Programs guidance. In considering enforcement actions against companies, prosecutors use the guidance to assist in evaluating (1) the form of any resolution or prosecution, (2) the amount of a monetary penalty, if any, and (3) whether to impose compliance obligations, such as a monitor or reporting requirements. The guidance thus provides valuable insight into the factors prosecutors consider when making these decisions.
This is the third iteration of the guidance; it was first published in 2017, and updated in 2019. (We reported on the 2019 guidance here.) Overall, the new guidance reaffirms the DOJ’s previous emphasis on the importance of re-evaluating, testing, and revising compliance programs on a continuous basis in light of changing risks, testing results, and lessons learned. The guidance also provides more granular detail on steps companies should take towards those goals.
Like the 2019 guidance, the 2020 guidance centers around three “fundamental questions” drawn from the DOJ’s Justice Manual, one of which the DOJ updated in the latest version. As phrased in the 2020 guidance, these include:
1. Is the corporation’s compliance program well designed?
2. Is the program being applied earnestly and in good faith? In other words, is the program adequately resourced and empowered to function effectively?
3. Does the corporation’s compliance program work in practice?
As in its previous guidance, the DOJ stresses that these criteria are “neither a checklist nor a formula” for evaluating compliance programs, but rather, will be weighed as part of a “reasonable, individualized determination” particular to each investigation. The updated guidance adds specific factors that the DOJ will consider in this analysis, including the company’s “size, industry, geographic footprint, regulatory landscape,” as well as “other factors, both internal and external to the company’s operations, that might impact its compliance program.” Hence, according to the guidance, the above questions “may not all be relevant, and others may be more salient given the particular facts at issue and the circumstances of the company.”
Significantly, the new guidance also clarifies that the DOJ will consider each of these questions both as of the time that an offense was committed as well as at the time the DOJ makes a charging or resolution decision. Under the DOJ’s 2018 Benczkowski Memorandum (named for the Assistant Attorney General who issued it), the extent to which a company has improved and tested its compliance program at the charging stage is a primary consideration in whether the DOJ will require the company to retain a monitor. It thus remains critically important for companies to be prepared to demonstrate that they have effectively addressed past compliance failures when they engage in discussions with prosecutors.
Because the updates to Question 3 were minimal, we focus on Questions 1 and 2.
Question 1: The Compliance Program’s Design – Updating Policies, Employee Engagement, and Third-Party Relationships
The 2020 guidance reiterates that the effective design of a compliance program in targeting the specific risks of the business, along with management’s explicit support for compliance, are “critical factors” in evaluating the program. The new guidance further instructs prosecutors to “understand why the company has chosen to set up the compliance program the way that it has, and why and how the company’s compliance program has evolved over time.” To that end, the guidance adds several factors prosecutors should consider:
Question 2: How the Compliance Program Is Being Applied – Resource Allocation
The 2020 guidance changes the focus of the second “fundamental question.” In the 2019 guidance, the question asked whether the compliance program was “being implemented effectively.” Now, it asks whether the compliance program is “adequately resourced and empowered to function effectively.” The 2020 phrasing signals an increased emphasis on the company’s commitment to its compliance program, which the guidance notes must emanate “from all levels of the company,” including both “the middle and the top.” This is borne out by new factors on companies’ allocation of resources to compliance.
The DOJ’s new guidance is not a shift from the agency’s previously stated priorities. Rather, it builds upon the DOJ’s earlier guidance by underscoring the importance of continuous compliance evaluation, testing and improvement and by setting forth concrete measures that companies should take in doing so. Hence, companies can lessen the risk and extent of adverse DOJ action by demonstrating that they systematically analyze and reassess their compliance risks (including those posed by third parties) and their policies and procedures, devote adequate resources to compliance, and ensure that relevant personnel are utilizing those resources.