DOJ’s Updated Guidance for Evaluating Corporate Compliance Programs

In early June, the Department of Justice Criminal Division released without fanfare updated guidance to be used by federal prosecutors in the evaluation of corporate compliance programs. The new guidance, “Evaluation of Corporate Compliance Programs” (“2020 Guidance”), which revised guidance issued in 2017 and 2019, retains much of the substance of the 2019 document, and according to Assistant Attorney General Brian Benczkowski, “reflects additions based on our own experience and important feedback from the business and compliance communities.”

A panel of experts at the virtual ABA White Collar Institute on June 24 discussed some of the key takeaways from the 2020 Guidance on a panel titled “Compliance, Cooperation and Monitorships: Current DOJ Policy.” Two aspects of the 2020 Guidance were given particular emphasis.

First, corporate compliance programs, to be deemed genuine and effective by DOJ, must be examined, tested and updated on a continual basis, including (and perhaps especially) during a government investigation. Compliance efforts should integrate current data analytics capabilities wherever possible. If deficiencies are found, then changes should be made, and the 2020 Guidance makes clear that DOJ expects regular review of compliance efforts.

Second, the quality of a company’s compliance program continues to be a major factor in deciding on the appropriate resolution of a government investigation, and the 2020 Guidance makes clear a program’s effectiveness will be considered at the close of an investigation as well as when the underlying company conduct occurred. Consequently, under DOJ policy, the strength of a company’s past and present compliance efforts will ordinarily have an effect on the terms of a resolution, including the often quite important matter of whether a monitor is required (and the scope of a monitorship).

* * *

Like the prior iteration in 2019, the 2020 Guidance has three parts, which track three “fundamental questions” prosecutors are directed to ask by Section 9-28.800 (Corporate Compliance Programs) of the Principles of Federal Prosecution of Business Organizations:

(1) “Is the corporation’s compliance program well designed?”;

(2) “Is the program being applied earnestly and in good faith? In other words, is the program adequately resourced and empowered to function effectively?”; and

(3) “Does the corporation’s compliance program work in practice?”

(Emphasis added.)

The 2020 Guidance elaborates on Question 2 by explaining that an effective compliance program must be “adequately resourced and empowered to function effectively.” It also clarifies that the “individualized determination” called for in each case must be “reasonable” and consider factors including “the company’s size, industry, geographic footprint, regulatory landscape, and other factors both internal and external to the company’s operations, that might impact its compliance program.”

In regard to the first fundamental question — “Is the corporation’s compliance program well designed?” — many of the changes demonstrate the importance of continual review and improvement, as noted above. Hence the 2020 Guidance directs prosecutors to focus not only on a company’s initial assessment of risk but also on revisions to a company’s compliance program, including whether

  • the risk assessment is “current and subject to periodic review”;
  • “the periodic review is limited to a ‘snapshot’ in time or based upon continuous access to operational data and information across functions”; and
  • a company tracks and incorporates into risk assessment “lessons learned” from its own issues or those of companies in the same region or industry.

(Emphasis added.)

Prior guidance focused on the design, comprehensiveness and accessibility of a company’s policies and procedures. The 2020 Guidance further directs prosecutors to examine whether a company

  • maintains policies and procedures in an easily searchable and accessible format;
  • has a process for updating its policies and procedures; and
  • “track[s] access to various policies and procedures to understand what policies are attracting more attention from relevant employees.”

(Emphasis added.)

The 2020 Guidance also increases focus on training, and directs prosecutors to assess whether

  • “training adequately covers prior compliance incidents and how the company measures the effectiveness of its training curriculum” and the effectiveness of reporting structures;
  • a company invests in targeted training that enables employees to identify and report potential issues to compliance, internal audit, or other risk management personnel; and
  • a company publicizes and tests reporting mechanisms and periodically tests the effectiveness of a hotline “by tracking a report from start to finish.”

Finally, the 2020 Guidance directs prosecutors to assess how a company manages its third-party relationships. While the strength of a company’s third-party management practices was a factor in prior guidance, the 2020 Guidance

  • directs prosecutors to consider whether a company engages in “risk management of third parties throughout the lifespan of the relationship, or primarily during the onboarding process” (emphasis added);
  • emphasizes pre-acquisition due diligence and post-acquisition audits when acquiring targets; and
  • focuses on whether the company has “a process for timely and orderly integration of . . . acquired entit[ies] into existing compliance program structures and internal controls.”

* * *

In regard to the second and third fundamental questions — “Is the program being applied earnestly and in good faith? In other words, is the program adequately resourced and empowered to function effectively?” and “Does the corporation’s compliance program work in practice?” — the 2020 Guidance increases the emphasis on company behaviors that show that its compliance program is adequately resourced and empowered to function effectively. The 2020 Guidance instructs prosecutors to consider whether compliance personnel have “sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions” and whether any impediment limits access to data. The 2020 Guidance also stresses

  • the importance of creating and fostering a culture of compliance at all levels of a company;
  • the need for those charged with day-to-day operational responsibility for compliance programs to have adequate resources and direct access to appropriate governing authorities; and
  • the importance of incentives for compliance and disincentives for non-compliance and focuses on whether “the compliance function monitor[s] its investigations and resulting discipline to ensure consistency.”

The revisions in these sections of the 2020 Guidance reinforce the theme of continual review and adaptation of compliance programs in light of evolving business and economic conditions, “lessons learned” from real world experience, regular testing, and internal investigations. The 2020 Guidance retains the importance of “conduct[ing] a thoughtful root causes analysis of misconduct and timely and appropriately remediat[ing] to address the root causes.”

* * *

In connection with a government investigation, compliance efforts can have a substantial impact in negotiations over a resolution. The quality of a compliance program, including remediation efforts once unlawful activity is discovered, is one of the three factors given great weight by DOJ – together with whether a company voluntarily reports misconduct and gives full and timely cooperation. Reflecting the importance of remediation, the 2020 Guidance makes clear that the quality of a company’s compliance program will be considered “both at the time of the offense and at the time of the charging decision and resolution.”

While the importance of both time periods has been clear for many years, the language of the 2020 Guidance further reinforces the importance of implementing changes to compliance programs during a federal criminal investigation. Under the current Guidance, real improvements to compliance programs will both help a company negotiate a more favorable resolution of a government investigation and favorably influence whether a monitor is required as part of an agreement with DOJ.

The 2020 Guidance, like its 2017 and 2019 precursors, is written to guide the decision-making of prosecutors. Yet, the DOJ guidance also provides a useful roadmap to companies and their advisors in the design, implementation and updating of compliance programs. As a result, careful study of the 2020 Guidance will aid companies and their counsel in designing programs to deter and detect possible wrongdoing – and, when misconduct occurs, to resolve a government investigation on more favorable terms.

To read more from Jonathan S. Sack, please visit www.maglaw.com.
