DOJ Updates Guidance on Evaluating Corporate Compliance Programs
June 16, 2020
Earlier this month, the Criminal Division of the United States Department of Justice (DOJ) updated its Evaluation of Corporate Compliance Programs guidance. In considering enforcement actions against companies, prosecutors use the guidance to assist in evaluating (1) the form of any resolution or prosecution, (2) the amount of a monetary penalty, if any, and (3) whether to impose compliance obligations, such as a monitor or reporting requirements. The guidance thus provides valuable insight into the factors prosecutors consider when making these decisions.
This is the third iteration of the guidance; it was first published in 2017, and updated in 2019. (We reported on the 2019 guidance here.) Overall, the new guidance reaffirms the DOJ’s previous emphasis on the importance of re-evaluating, testing, and revising compliance programs on a continuous basis in light of changing risks, testing results, and lessons learned. The guidance also provides more granular detail on steps companies should take towards those goals.
Like the 2019 guidance, the 2020 guidance centers around three “fundamental questions” drawn from the DOJ’s Justice Manual, one of which the DOJ updated in the latest version. As phrased in the 2020 guidance, these include:
1. Is the corporation’s compliance program well designed?
2. Is the program being applied earnestly and in good faith? In other words, is the program adequately resourced and empowered to function effectively?
3. Does the corporation’s compliance program work in practice?
As in its previous guidance, the DOJ stresses that these criteria are “neither a checklist nor a formula” for evaluating compliance programs, but rather, will be weighed as part of a “reasonable, individualized determination” particular to each investigation. The updated guidance adds specific factors that the DOJ will consider in this analysis, including the company’s “size, industry, geographic footprint, regulatory landscape,” as well as “other factors, both internal and external to the company’s operations, that might impact its compliance program.” Hence, according to the guidance, the above questions “may not all be relevant, and others may be more salient given the particular facts at issue and the circumstances of the company.”
Significantly, the new guidance also clarifies that the DOJ will consider each of these questions both as of the time that an offense was committed as well as at the time the DOJ makes a charging or resolution decision. Under the DOJ’s 2018 Benczkowski Memorandum (named for the Assistant Attorney General who issued it), the extent to which a company has improved and tested its compliance program at the charging stage is a primary consideration in whether the DOJ will require the company to retain a monitor. It thus remains critically important for companies to be prepared to demonstrate that they have effectively addressed past compliance failures when they engage in discussions with prosecutors.
Because the updates to Question 3 were minimal, we focus on Questions 1 and 2.
Question 1: The Compliance Program’s Design – Updating Policies, Employee Engagement, and Third-Party Relationships
The 2020 guidance reiterates that the effective design of a compliance program in targeting the specific risks of the business, along with management’s explicit support for compliance, are “critical factors” in evaluating the program. The new guidance further instructs prosecutors to “understand why the company has chosen to set up the compliance program the way that it has, and why and how the company’s compliance program has evolved over time.” To that end, the guidance adds several factors prosecutors should consider:
- Updates to risk assessments. Prosecutors will be interested in how regularly and systematically the company analyzes its risks and revises its policies and procedures accordingly. In particular, prosecutors will look more favorably upon companies that:
- Base their risk assessments on continuous access to data and information over time rather than focusing on particular “snapshots” in time.
- Use the results of their periodic risk assessment reviews when crafting new versions of their policies and procedures.
- Use systematic processes for incorporating lessons learned by the company, as well as other companies in the same industry and/or region, into their risk assessments.
- Employee engagement. The 2020 guidance also adds a number of factors focused on the practical relevance of policies and procedures to employees on a day-to-day level – again, with an emphasis on how the company analyzes the effectiveness of its activities. For instance, prosecutors will consider whether companies:
- Publish searchable compliance policies in locations that employees can access easily.
- Track their policies to understand which ones garner the most attention from relevant employees.
- Take reasoned decisions on how the company will conduct its training sessions, including whether the company allows employees to ask questions during the training and provides a mechanism for them to raise follow-up questions later.
- Evaluate the effect of their training sessions on employee behavior and operations.
- Establish an anonymous reporting hotline for employees, evaluate whether employees are aware of and comfortable using it, and periodically test its effectiveness, for example, by tracking a report from start to finish.
- Third party monitoring and integration. Although the 2019 guidance expressed a marked concern for companies’ relationships with third parties – a consideration especially important in Foreign Corrupt Practices Act investigations – the 2020 guidance takes this a step further. Prosecutors will now focus on whether companies:
- Make reporting hotlines available to third parties, not just the company’s employees.
- Analyze risks posed by third parties throughout the relationship with those parties, not just at the onboarding stage.
- In the mergers and acquisitions context, timely integrate acquired entities into existing compliance structures and internal controls.
- Employ well-structured processes for post-acquisition audits.
Question 2: How the Compliance Program Is Being Applied – Resource Allocation
The 2020 guidance changes the focus of the second “fundamental question.” In the 2019 guidance, the question asked whether the compliance program was “being implemented effectively.” Now, it asks whether the compliance program is “adequately resourced and empowered to function effectively.” The 2020 phrasing signals an increased emphasis on the company’s commitment to its compliance program, which the guidance notes must emanate “from all levels of the company,” including both “the middle and the top.” This is borne out by new factors on companies’ allocation of resources to compliance.
- Resource Allocation. Prosecutors will focus on the extent to which companies invest resources in the following areas:
- Further training and development of compliance and control personnel.
- Data that compliance and control personnel can access easily to monitor and test policies, controls, and transactions.
- Monitoring investigations and disciplinary measures that result from them in order to ensure consistency in approach.
The DOJ’s new guidance is not a shift from the agency’s previously stated priorities. Rather, it builds upon the DOJ’s earlier guidance by underscoring the importance of continuous compliance evaluation, testing and improvement and by setting forth concrete measures that companies should take in doing so. Hence, companies can lessen the risk and extent of adverse DOJ action by demonstrating that they systematically analyze and reassess their compliance risks (including those posed by third parties) and their policies and procedures, devote adequate resources to compliance, and ensure that relevant personnel are utilizing those resources.