DOJ Updates Guidance Regarding Corporate Compliance Programs
June 9, 2020
On June 1, 2020, the Criminal Division of the U.S. Department of Justice (“DOJ” or “the Department”) released revisions to its guidance regarding the Evaluation of Corporate Compliance Programs (“the Guidance”), which the Department uses in assessing the “adequacy and effectiveness” of a company’s compliance program in connection with any decision to charge or resolve a criminal investigation, including whether to impose a monitor or other compliance program obligations.[1]
The Guidance, which was first released in 2017 and subsequently revised in April 2019, provides valuable insight into the DOJ’s current priorities as well as a useful benchmark for companies in assessing their own compliance programs. In a statement regarding these most recent changes, Assistant Attorney General Brian Benczkowski expressed that they “reflect[] additions based on our own experience and important feedback from the business and compliance communities.”[2]
This memorandum highlights the key modifications to the Guidance and the additional insight they provide into what the DOJ expects from companies with respect to their compliance programs. Unlike the 2019 revisions, the recent updates are more thematic than structural and continue the prior version’s emphasis on incorporating “lessons learned” into a compliance program, continuously assessing and improving it, and using data to track and enhance the program’s operations. The revised Guidance also highlights the continued importance of training employees and, in the M&A context, of integrating a target into the acquiring company’s compliance framework.
I. The Guidance
The Guidance is framed around three main questions derived from the Justice Manual, the answers to which form a key part of the Department’s assessment of how to resolve a criminal investigation against a company[3]:
- “Is the corporation’s compliance program well designed?” This section provides guidance in assessing various factors in the design of the program, including its risk assessment; policies and procedures; how the program is communicated to employees, including through training; the confidential reporting structure and investigation process; how the program manages third-party risk; and how a company handles compliance risk in M&A transactions.
- “Is the program being applied earnestly and in good faith?” The Guidance asks whether the program is “adequately resourced and empowered to function effectively.”[4] The italicized language is new, replacing prior language asking whether the program was being “implemented effectively.” It reflects the DOJ’s focus on ensuring the commitment of senior and middle management to the program; the autonomy and resources of the program; the incentives provided for compliance; and the quality and consistency of disciplinary measures for violations of the compliance and ethics program.
- “Does the corporation’s compliance program work” in practice? The Guidance focuses on how the program is improved over time through testing and review; how a company investigates misconduct; and whether it appropriately remediates wrongdoing.
The introduction to the revised Guidance makes clear that the DOJ recognizes that there is no “one size fits all” compliance program and that it will answer these questions by considering certain specific factors, “including, but not limited to, the company’s size, industry, geographic footprint, regulatory landscape, and other factors, both internal and external to the company’s operations, that might impact its compliance program.”[5] Further, the Guidance now encourages prosecutors to “consider whether certain aspects of a compliance program may be impacted by foreign law.”[6]
II. Additional Emphasis On Compliance As A Continuous Process
Reflecting the importance of “lessons learned” in adapting a compliance program to a company’s changing risk profile and operations, the revised Guidance requires prosecutors to evaluate “why the company has chosen to set up the compliance program the way that it has, and why and how the company’s compliance program has evolved over time,” both in response to identified instances of misconduct as well as based on data about the program’s operations.[7] Some examples of this focus in the revised Guidance include the following:
- Risk Assessments: The Guidance now makes clear that the periodic review of a company’s risk assessment should not be “limited to a ‘snapshot’ in time,” but should be “based upon continuous access to operational data and information across functions.”[8] Prosecutors should ask whether this periodic review has “led to updates in policies, procedures, and controls.”[9]
- Addressing Misconduct: Similarly, in assessing whether the program works in practice, the Department will now look directly at whether “the company review[ed] and adapt[ed] its compliance program based upon lessons learned from its own misconduct and/or that of other companies facing similar risks.”[10]
- Third-party Management: The Department will also consider whether the company evaluates “the risks posed by [a] third party,” not just “during the onboarding process” but “throughout the lifespan of the relationship” with the third party.[11]
The revised Guidance’s focus on how a compliance program evolves over time is also reflected in its new direction to prosecutors to evaluate a compliance program “both at the time of the offense and at the time of the charging decision and resolution.”[12] This confirms that the Department will conduct a form of “before” and “after” analysis to determine whether the company has made progress in revising its program to address any flaws that failed to detect or prevent the misconduct that is the subject of the criminal violation.
III. Using Data to Create Effective Mechanisms For Improvement
The recent update includes a new sub-section dedicated to data resources and access, which highlights the importance of collecting data to assess the operation of the company’s compliance program. It asks if “compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions.”[13] And, if “impediments exist,” prosecutors should ask what the company is “doing to address [those] impediments.”[14] In determining whether relevant sources of data are being appropriately collected and monitored, the revised Guidance tells prosecutors to determine whether data has been used to track the effectiveness of:
- Access to Policies: Does a company “track access to various policies and procedures to understand what policies are attracting more attention from relevant employees?”[15] Policies and procedures should be published “in a searchable format for easy reference” to assist employee access.[16]
- Training: Does a company “evaluate[] the extent to which the training has an impact on employee behavior or operations?”[17]
- Reporting Mechanisms: Does a company “test whether employees are aware of the [reporting] hotline and feel comfortable using it?”[18]
- Hotline: Likewise, does a company track the effectiveness of a hotline by tracing a report from receipt to resolution?[19]
- Investigations: Does “the compliance function monitor[] its investigations and resulting discipline to ensure consistency?”[20]
These revisions reflect the Department’s view that an increased focus on metrics will allow companies to evaluate the success of compliance initiatives in near real-time, and to identify potential areas of concern that need to be addressed.
IV. Training
The revised Guidance contains several changes worth noting about training, in addition to emphasizing the use of data to assess whether training has impacted behavior. First, the revised Guidance highlights the value of “shorter, more targeted training sessions to enable employees to timely identify and raise issues to appropriate compliance, internal audit, or other risk management functions.”[21] Second, the Guidance now asks whether employees “can ask questions arising out of the trainings,” either “online or in-person.”[22] Third, the DOJ will now assess whether the company invests resources in training its compliance and control personnel.[23]
V. Additional Mergers and Acquisitions (M&A) Considerations
Finally, the Guidance includes changes in the M&A context. The prior version noted that a well-designed compliance program should involve both pre-M&A diligence of a target, and address risks or misconduct identified during the diligence process post-merger. The Guidance now focuses on the latter, by directing prosecutors to assess the company’s “process for timely and orderly integration of the acquired entity into existing compliance program structures and internal controls” including whether companies are “conducting post-acquisition audits, at newly acquired entities.”[24] The added emphasis on post-acquisition integration highlights the DOJ’s focus on ensuring acquired entities swiftly meet the acquiring company’s compliance standards.
VI. Key Takeaways
The revised Guidance, while largely consistent with the April 2019 update, highlights the Department’s focus on how companies are assessing and updating their compliance programs. The recent changes emphasize that prosecutors will consider the degree to which the program addresses “lessons learned,” including from whatever misconduct is the subject of the investigation. They also underscore the importance the Department places on the use of data to assess a program’s effectiveness. Given that this has been a hallmark of past iterations of the Guidance, companies that have not embraced and invested in a data-driven approach to risk analysis may face greater scrutiny and skepticism from prosecutors.
One change to the Guidance makes particularly clear the importance of remediating and improving a compliance program in light of identified instances of misconduct. The revised Guidance’s direction to prosecutors to assess a company’s compliance program as it exists “both at the time of the offense and at the time of the charging decision and resolution” should encourage every company to make the adjustments necessary to prevent or detect misconduct in the future.[25] In other words, it is never too late to demonstrate improvement in a compliance program, and the Department will consider a company’s efforts to do so as part of its overall assessment.
For any questions arising from this alert, you can consult with any member of the White-Collar Defense and Investigations Group.
[1] U.S. Dep’t of Justice, Criminal Div., Evaluation of Corporate Compliance Programs Guidance Document, June 2020, available at: https://www.justice.gov/criminal-fraud/page/file/937501/download; Justice Manual (“JM”) 9-28.300. A blackline that shows the Guidance’s most recent revisions can be found here: Criminal Division Evaluation of Corporate Compliance Programs.
[2] Dylan Tokar, Justice Department Adds New Detail to Compliance Evaluation Guidance, The Wall Street Journal (June 1, 2020), https://www.wsj.com/articles/justice-department-adds-new-detail-to-compliance-evaluation-guidance-11591052949.
[3] U.S. Dep’t of Justice, Criminal Div., Evaluation of Corporate Compliance Programs Guidance Document, June 2020, available at: https://www.justice.gov/criminal-fraud/page/file/937501/download (citing JM 9-28.800).
[4] Id. at 2.
[5] Id. at 1.
[6] Id. at 19 (“Where a company asserts that it has structured its compliance program in a particular way or has made a compliance decision based on requirements of foreign law, prosecutors should ask the company the basis for the company’s conclusion about foreign law, and how the company has addressed the issue to maintain the integrity and effectiveness of its compliance program while still abiding by foreign law.”).
[7] Id. at 2.
[8] Id. at 3.
[9] Id. at 3.
[10] Id. at 16.
[11] Id. at 7-8.
[12] Id. at 2 (emphasis added).
[13] Id. at 12.
[14] Id.
[15] Id. at 4.
[16] Id.
[17] Id. at 6.
[18] Id.
[19] Id. at 7.
[20] Id. at 13.
[21] Id. at 5.
[22] Id.
[23] Id. at 12.
[24] Id. at 9.
[25] Id. at 2.