DOJ Updates Guidance on the Evaluation of Corporate Compliance Programs

Aisling O’Shea and Nicolas Bourtin are partners and Anthony Lewis is special counsel at Sullivan & Cromwell LLP. This post is based on a Sullivan & Cromwell memorandum by Ms. O’Shea, Mr. Bourtin, Mr. Lewis, John Liolos, and Alexander Willscher.


On June 1, 2020, the Criminal Division of the U.S. Department of Justice released updated guidance to its prosecutors on how to evaluate the design, implementation, and effective operation of corporate compliance programs in determining whether, and to what extent, the DOJ considers a corporation’s compliance program to have been effective at the time of the offense and to be effective at the time of a charging decision or resolution. [1] The guidance updates a prior version issued on April 30, 2019. [2] The updated 2020 guidance makes several notable changes to the language of its predecessor, but the core structure and content of the guidance remains the same.


DOJ policy and the U.S. Sentencing Guidelines for years have directed federal prosecutors and sentencing judges to evaluate corporate compliance programs. [3] For example, the Justice Manual’s “Principles of Federal Prosecution of Business Organizations” state that prosecutors, in deciding whether to bring criminal charges against a corporation, should consider “the adequacy and effectiveness of the corporation’s compliance program at the time of the offense, as well as at the time of a charging decision” and the corporation’s remedial efforts “to implement an adequate and effective corporate compliance program or to improve an existing one.” [4] Further, in determining potential criminal fines against corporations under the U.S. Sentencing Guidelines, sentencing judges consider whether the corporation had an effective compliance program at the time of the misconduct as a mitigating factor in calculating a corporation’s culpability score. [5]

Beginning with the 2019 guidance, the DOJ sought to provide consolidated guidance on the evaluation of corporate compliance programs, and to harmonize that guidance with other related department guidance. [6] The 2019 guidance itself built on prior related guidance from DOJ, including guidance by the DOJ’s Fraud Section in February 2017, [7] the DOJ’s March 2018 announcement that the DOJ’s FCPA Corporate Enforcement Policy would be applied as non-binding guidance in all Criminal Division cases, [8] and the DOJ’s October 2018 announcement of updated Criminal Division policy concerning the selection and appointment of corporate compliance monitors. [9] The DOJ intended the 2019 guidance to “better harmonize the [prior] guidance with other Department guidance and standards while providing additional context to the multifactor analysis of a company’s compliance program.” [10]


Building on that backdrop, the revised guidance elaborates on many of the central themes and provides additional guidance to prosecutors when evaluating corporate compliance programs. As with its predecessor, the updated guidance states that it is intended to assist prosecutors in evaluating whether a “corporation’s compliance program was effective at the time of the offense, and is effective at the time of a charging decision or resolution, for purposes of determining the appropriate (1) form of any resolution or prosecution; (2) monetary penalty, if any; and (3) compliance obligations contained in any corporate criminal resolution (e.g., monitorship or reporting obligations).”

The guidance reinforces the DOJ’s focus on “the particular facts at issue and the circumstances of the company.” Where the 2019 guidance stated that prosecutors should make “an individualized determination in each case,” the updated guidance elaborates further and instructs DOJ attorneys to make “a reasonable, individualized determination in each case that considers various factors including but not limited to, the company’s size, industry, geographic footprint, regulatory landscape, and other factors, both internal and external to the company’s operations, that might impact its compliance program.” [11] This expansion stresses the importance of context in evaluating corporate compliance programs, including the importance of considering context external to a company’s operations, for example, the current coronavirus pandemic.

The guidance remains focused on three “fundamental questions” that provide structure to the analysis:

  1. “‘Is the corporation’s compliance program well designed?’”
  2. “‘Is the program being applied earnestly and in good faith?’ In other words, is the program adequately resourced and empowered to function effectively?”
  3. “‘Does the corporation’s compliance program work’ in practice?” [12]

The guidance notes that these questions should be answered while considering the compliance program “both at the time of the offense and at the time of the charging decision and resolution.” [13]

“Is the corporation’s compliance program well designed?” Part I of the guidance sets out the elements of a well-designed compliance program, including in the areas of risk assessment, company policies and procedures, training and communications, confidential reporting structure and investigation process, third-party management, and mergers and acquisitions. Although none of these elements is new, the update contains various additions, including:

  • Risk assessment: A company’s assessment of risks is the “starting point” for evaluating the design of compliance programs, and under the guidance prosecutors should probe how the risk assessment informed “why the company has chosen to set up the compliance program the way that it has, and why and how the company’s compliance program has evolved over time.”
    • The 2020 guidance contemplates companies undertaking data-driven periodic reviews and asks: “Is the periodic review limited to a ‘snapshot’ in time or based upon continuous access to operational data and information across functions? Has the periodic review led to updates in policies, procedures and controls?”
    • The guidance also adds a new “Lessons Learned” subsection that asks: “Does the company have a process for tracking and incorporating into its periodic risk assessment lessons learned either from the company’s own prior issues or from those of other companies operating in the same industry and/or geographical region?”
  • Policies and procedures: The guidance adds several clarifications on the topic of a company’s compliance policies and procedures, looking not only to the process for “designing and implementing new policies and procedures” as it did in 2019, but also to the company’s process for “updating existing policies and procedures,” and asking whether “that process [has] changed over time.”
    • The guidance adds two new questions, asking whether “the policies and procedures [were] published in a searchable format for easy reference,” and (pointing to data analytics again) asking whether “the company track[s] access to various policies and procedures to understand what policies are attracting more attention from relevant employees.”
  • Training and communications: As it did in 2019, the guidance articulates the factors prosecutors should consider when assessing “the steps taken by the company to ensure that policies and procedures have been integrated into the organization, including through periodic training and certification.” The guidance asks “whether the company has relayed information in a manner tailored to the audience’s size, sophistication, or subject matter expertise.”
    • In addition to the “practical advice or case studies to address real-life scenarios, and/or guidance on how to obtain ethics advice on a case-by-case basis as needs arise” suggested in 2019, the revisions in the 2020 guidance note that some “companies have invested in shorter, more targeted training sessions to enable employees to timely identify and raise issues to appropriate compliance, internal audit, or other risk management functions.”
    • The 2020 revisions also ask if “there [is] a process by which employees can ask questions arising out of the trainings,” whether online or in-person, and if “the company evaluated the extent to which the training has an impact on employee behavior or operations.”
  • Confidential reporting structure and investigation process: The guidance contemplates an anonymous or confidential reporting mechanism for alleged compliance violations and asks not only how “the reporting mechanism [is] publicized to the company’s employees” as it did in 2019 but also to “other third parties.”
    • Two of the 2020 revisions look to testing of the reporting mechanism, asking if “the company take[s] measures to test whether employees are aware of the hotline and feel comfortable using it” and if “the company periodically test[s] the effectiveness of the hotline, for example by tracking a report from start to finish.”
  • Third-party management: Always an area of focus, the guidance continues to emphasize that “a company’s third-party management practices are a factor that prosecutors should assess to determine whether a compliance program is in fact able to ‘detect the particular types of misconduct most likely to occur in a particular corporation’s line of business.’” [14] The 2020 revisions to the guidance now note specifically that “[p]rosecutors should also assess whether the company knows the business rationale for needing the third party in the transaction, and the risks posed by third-party partners, including the third-party partners’ reputations and relationship, if any, with foreign officials.”
  • Mergers and acquisitions: Like the 2019 provisions, the guidance maintains the view that “[a] well-designed compliance program should include comprehensive due diligence of any acquisition targets,” but now also expects the compliance program to look forward, evaluating whether there is “a process for timely and orderly integration of the acquired entity into existing compliance program structures and internal controls.”
    • The guidance further emphasizes the importance of M&A due diligence “where possible,” explaining that “[f]lawed or incomplete pre- or post-acquisition due diligence and integration can allow misconduct to continue at the target company, causing resulting harm to a business’s profitability and reputation and risking civil and criminal liability.”
    • Acknowledging that thorough due diligence on a target is not always possible, the guidance explicitly expects an explanation for why it was not or could not have been completed, asking: “Was the company able to complete pre-acquisition due diligence and, if not, why not? . . . What has been the company’s process for implementing compliance policies and procedures, and conducting post-acquisition audits, at newly acquired entities?”

“Is the program adequately resourced and empowered to function effectively?” Part II addresses the second fundamental question, which changed in wording and emphasis. Previously, the question asked: “Is the program being implemented effectively?” The updated guidance replaced “implemented” with “adequately resourced and empowered to function,” using more specific factors that might be measured when evaluating a compliance program. The guidance further elaborates that “[e]ven a well-designed compliance program may be unsuccessful in practice if implementation is lax, under-resourced, or otherwise ineffective.” Although each of these elements was included in the previous version, the guidance expands on the following topics, among other additions:

  • Involvement of senior and middle management: The guidance explains that “it is important for a company to create and foster a culture of ethics and compliance with the law at all levels of the company” and that an effective program “requires a high-level commitment by company leadership to implement a culture of compliance from the middle and the top.”
  • Autonomy and resources: The guidance discusses numerous factors concerning whether a compliance department has the autonomy and resources necessary to accomplish its various mandates. The majority of the content remains the same from the 2019 guidance, but there are several additions in the update.
    • Regarding the “Structure” of the company and compliance function, the updated guidance asks: “What are the reasons for the structural choices the company has made?”
    • The updated guidance also asks: “How does the company invest in further training and development of the compliance and other control personnel?”
    • Significantly, the list of factors for prosecutors to consider in evaluating whether a compliance function is adequately resourced and empowered is expanded to include “Data Resources and Access.” On this topic, the updated guidance asks: “Do compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls and transactions? Do any impediments exist that limit access to relevant sources of data and, if so, what is the company doing to address the impediments?”
  • Incentives and disciplinary measures: The guidance continues to address the incentives for employee compliance with policies and the disciplinary measures in place should violations occur. The updated guidance adds a question on the topic of “Consistent Application,” which asks: “Does the compliance function monitor its investigations and resulting discipline to ensure consistency?”

“Does the corporation’s compliance program work in practice?” Part III provides criteria for assessing whether a compliance program is effective in practice, including assessment of a compliance program’s capacity for continuous improvement, periodic testing, and review; investigation of misconduct; and analysis and remediation of underlying misconduct. Although each of these elements was included in the previous version, the guidance contains updates including, among other additions:

  • Continuous improvement, periodic testing, and review: The updated guidance asks, on the topic of “Evolving Updates,” whether “the company review[s] and adapt[s] its compliance program based upon lessons learned from its own misconduct and/or that of other companies facing similar risks[.]”


Although the updated guidance does not include major changes to DOJ policy concerning the elements and contours of corporate compliance programs, the guidance provides additional details that further explain how the Criminal Division will evaluate corporate compliance programs in criminal cases. The guidance includes additional emphasis on various aspects of compliance functions, such as mid-level management’s importance in fostering a culture of compliance, continual review and updates to features in the compliance program, and a continued emphasis that each evaluation should consider the particularized circumstances of the company at issue.

The guidance’s substantial emphasis on continual data-driven improvement suggests that the DOJ wishes to encourage, rather than punish, companies’ remedial efforts to address potential past gaps or weaknesses in the compliance function. The guidance’s focus on processes for tracking and making use of data analytics reflects an expectation that companies will make use of the data available to them.

In addition, the guidance’s rephrasing of the second “fundamental question” to focus on whether compliance departments are “adequately resourced and empowered to function” is notable. This rephrasing suggests that the Criminal Division may shift its focus from the more malleable question of whether a program is “being implemented effectively,” to evaluating more concrete metrics that serve as evidence of implementation, such as the resources and autonomy provided to a company’s compliance function.

Companies should consider the guidance a useful resource for understanding the DOJ’s expectations for the design, implementation, and sustainment of corporate compliance programs. The DOJ’s continuing attention to the issues addressed in the guidance reflects the importance the DOJ ascribes in its deliberations to companies’ compliance systems and controls. Companies should carefully review the guidance and should consult, as necessary, with counsel experienced in these matters regarding any review of compliance programs in light of the new guidance.


1 U.S. Dep’t of Justice, Criminal Division, “Evaluation of Corporate Compliance Programs” (June 1, 2020). Although the Guidance is binding on all attorneys in offices within the DOJ’s Criminal Division, this Guidance is not binding on attorneys within U.S. Attorneys’ offices, though such attorneys may use the Guidance in their investigations.

2 U.S. Dep’t of Justice, Criminal Division, “Evaluation of Corporate Compliance Programs” (Apr. 30, 2019); Brian A. Benczkowski, Assistant Attorney General, U.S. Department of Justice, Keynote Address at the Ethics and Compliance Initiative 2019 Annual Impact Conference (“Benczkowski Address”) (Apr. 30, 2019); see also S&C Client Memorandum: DOJ Issues Updated Guidance on the Evaluation of Corporate Compliance Programs (May 3, 2019).

3 “Evaluation of Corporate Compliance Programs” (2020), 1.

4 JM § 9-28.300.

5 See U.S.S.G. §§ 8B2.1, 8C2.5(f), and 8C2.8(11); see also Benczkowski Address (stating that “prosecutors assess a company’s compliance program at the time of the misconduct to determine the company’s culpability score under the U.S. Sentencing Guidelines, which determines the company’s ultimate fine range”).

6 See U.S. Dep’t of Justice, “Criminal Division Announces Publication of Guidance on Evaluating Corporate Compliance Programs” (Apr. 30, 2019).

7 U.S. Dep’t of Justice, Criminal Division, Fraud Section, “Evaluation of Corporate Compliance Programs” (Feb. 8, 2017).

8 John P. Cronan, Acting Assistant Attorney General, U.S. Department of Justice, Remarks at American Bar Association National Institute on White Collar Crime (March 1, 2018).

9 Memorandum from Brian A. Benczkowski, Assistant Attorney General, U.S. Department of Justice (Oct. 11, 2018) (“Benczkowski Memorandum”); see also S&C Client Memorandum: DOJ Releases New Memorandum on Standards and Policies for Retention of Corporate Compliance Monitors (Oct. 22, 2018).

10 U.S. Dep’t of Justice, “Criminal Division Announces Publication of Guidance on Evaluating Corporate Compliance Programs” (Apr. 30, 2019).

11 The Guidance also adds a new footnote, explaining: “Prosecutors should consider whether certain aspects of a compliance program may be impacted by foreign law. Where a company asserts that it has structured its compliance program in a particular way or has made a compliance decision based on requirements of foreign law, prosecutors should ask the company the basis for the company’s conclusion about foreign law, and how the company has addressed the issue to maintain the integrity and effectiveness of its compliance program while still abiding by foreign law.”

12 Quoting JM 9-28.800.

13 In connection with this text, the Guidance includes an endnote listing numerous resources in which many of the relevant topics also appear. The revised Guidance adds two new sources to that list:

14 Quoting JM 9-28.800.
