United States: Updated DOJ Guidance On Evaluation Of Corporate Compliance Programs Provides Additional Detail To The Existing Framework For Program Assessment

On Monday, June 1, 2020, the Department of Justice (DOJ) Criminal Division published updates to its guidance on the factors that federal prosecutors should consider when assessing the effectiveness of corporate compliance programs for the purposes of charging decisions, sentencing recommendations, and determining reporting and monitoring requirements as part of a corporate resolution (2020 Compliance Guidance). The new version primarily makes clarifications and adds technical guidance to the "Evaluation of Corporate Compliance Programs" guidance document that DOJ released in April 2019.¹ This latest version continues to reflect the fact-specific compliance program analysis familiar to experienced defense counsel and compliance officers, but several revisions are noteworthy.²

Consideration of Program Effectiveness at Multiple Points During the Investigative and Charging Process

Although it has been long-standing DOJ policy to consider any remedial measures that a company has taken to strengthen its compliance program in the wake of alleged misconduct,³ the 2020 Compliance Guidance directly instructs prosecutors to evaluate a corporate compliance program "both at the time of the offense and at the time of the charging decision and resolution."⁴ The addition of this language reinforces that a company that finds itself subject to an enforcement action should take proactive steps to enhance its compliance program, document any changes and report regularly on those improvements to DOJ throughout the course of negotiations.

New Emphasis on Continuous Program Improvement Guided by Proactive Risk Assessment

While DOJ has previously emphasized that compliance programs must be dynamic and responsive, with risk assessment processes that are "current and subject to periodic review," the 2020 Compliance Guidance directs prosecutors to go further and ask whether such reviews are "limited to a 'snapshot' in time or based upon continuous access to operational data and information across functions" and whether periodic reviews have "led to updates in policies, procedures, and controls."⁵ Companies should be "tracking and incorporating into [their] periodic risk assessment lessons learned either from the company's own prior issues or from those of other companies operating in the same industry and/or geographical region."⁶ DOJ will also consider whether a company "review[s] and adapt[s] its compliance program based upon lessons learned from its own misconduct and/or that of other companies facing similar risks."⁷

These statements emphasize the importance of proactive risk assessment, and they reflect DOJ's expectation that a program be designed to prevent as well as detect and correct violations, particularly in industries such as life sciences, banking, energy, and manufacturing, where regulation-specific guidance and enforcement policy present unique compliance risks.

New Emphasis on Data-Driven Decision-Making and Testing

The 2020 Guidance continues to emphasize the importance of a well-resourced and independent compliance function. Now, instead of asking whether a corporation's compliance program is "being implemented" effectively, the new guidance tells prosecutors to evaluate specifically whether the compliance program is "adequately resourced and empowered to function" effectively.⁸ This change suggests that DOJ considers the adequacy of the resources and the power and independence of compliance function to be critical to assessing the effectiveness of the compliance program's implementation.

Acknowledging the critical role of data in modern compliance work, the 2020 Compliance Guidance also adds important assessment questions concerning the existence and accessibility of data resources for compliance and control professionals:

These questions appear to acknowledge that most companies now have the ability to harvest vast amounts of data—not only their employees' electronic communications, but detailed information on accounting transactions, sales performance, and distribution and supply chains. Prosecutors are now encouraged to ask whether compliance professionals have meaningful access to these data resources, so that they can develop actionable analysis and implement appropriate responsive measures.

Another area of emphasis in the new guidance is the need to gather and review data on the effectiveness of anonymous complaint reporting tools, such as the "reporting hotline," including the existence of measures to assess whether employees are aware of and comfortable using the hotline and whether the company periodically tests the effectiveness of the hotline.¹⁰ In addition, the new guidance emphasizes assessment of the consistency of disciplinary actions and decisions.¹¹

Compliance officers in many industries use "dashboards" and analytics tools to inform a more real-time and continuous risk assessment process, and DOJ's new guidance suggests that such tools will continue to be useful investments, particularly for larger organizations. Further, the new guidance reflects the value of transaction testing, particularly for resolutions of hotline calls and other core programmatic monitoring activities. The 2020 Compliance Guidance's emphasis on monitoring disciplinary actions spotlights a potential vulnerability for some large companies' programs: achieving such consistency in process and outcomes is particularly challenging for multinational companies or those with disparate business divisions where objective comparisons may be difficult if not impossible.

More Guidance on Third-Party Management

Third parties have long been a focus in corporate enforcement actions and DOJ's related guidance documents. The 2020 Compliance Guidance underscores that third-party risk management is a continuous process, stretching from needs assessments, through due diligence and onboarding, and continuing through the lifespan of the relationship. The updated guidance asks prosecutors to inquire whether a company conducted a needs assessment before engaging a third-party,¹² and if it "engage[s] in risk management of third parties throughout the lifespan of the relationship, or primarily during the onboarding process?"¹³ This acknowledges the reality that as markets change over time, so do companies' business models and their relationships with their third-party partners.

Mergers & Acquisitions: Due Diligence and Integration

The 2020 Compliance Guidance reinforces the need for companies to incorporate compliance considerations into their mergers and acquisitions through both pre-closing activities, including compliance due diligence, and post-closing integration. The updated guidance instructs prosecutors to ask whether a company was "able to complete pre-acquisition due diligence, and, if not ,why not?" and if the company has "a process for timely and orderly integration of the acquired entity into existing compliance program structures and internal controls."¹⁴

This revised section is an important resource for both compliance officers and legal and compliance personnel supporting a company's business development function. The question of whether to "save" certain compliance remediation efforts or inquiries for post-closing diligence or covenants is a difficult one, particularly in jurisdictions where representations and warranties in merger agreements, sale agreements, or joint venture/collaboration agreements are unlikely to shield or insure one party from the violative conduct of the other. However, it is clear that DOJ will recognize good faith pre-closing diligence efforts. For example, in the Foreign Corrupt Practices Act and trade sanctions contexts, parties that have self-disclosed issues identified during merger or joint-venture due diligence have secured more favorable resolutions of liability.¹⁵ For this reason, compliance officers are increasingly playing a role in due diligence, often working with expert outside counsel, accounting firms, or forensics firms to assist in policy, contract, and other reviews of potential partner/target companies.

Training, Education and Communications

Consistent with other guidance documents, the 2020 Compliance Guidance stresses the importance of training, education, and communication in assessing compliance program effectiveness. The updated guidance adds the following related questions:

Commitment at All Levels of the Organization

While DOJ has tended to emphasize the importance of the "tone from the top" in previous compliance-related guidance documents, the 2020 Compliance Guidance specifically mentions the need for commitment and buy-in from middle management.¹⁹ The DOJ's inclusion of those individuals could be a tacit acknowledgement of the key role that middle management often play in building a culture of compliance. Notably, many recent DOJ enforcement actions have included authorizations or direct actions by employees or others who would qualify as middle management.²⁰

Recognition of Foreign Law

Finally, in a footnote in the 2020 Compliance Guidance, DOJ notes that prosecutors should interrogate companies' representations regarding the impact of foreign law requirements on the design and structure of their compliance programs: "Where a company asserts that it has structured its compliance program in a particular way or has made a compliance decision based on requirements of foreign law, prosecutors should ask the company the basis for the company's conclusion about foreign law, and how the company has addressed the issue to maintain the integrity and effectiveness of its compliance program while still abiding by foreign law." ²¹ This language suggests that to the extent a company's foreign operations deviate from standard US compliance requirements, the company may need to invest in more rigorous analysis of the relevant foreign legal systems, document that analysis, and potentially consider how to reconcile foreign and US expectations. For example, employment protections in China, Germany, and other jurisdictions tend to be much stronger than under the US employment-at-will system, which may give rise to differences in disciplinary measures taken against otherwise similarly situated employees. This and other disparities could create material differences in the operation of compliance investigation or monitoring outcomes for a multinational company and raise questions in, for example, a multijurisdictional DOJ investigation. The 2020 Guidance addition suggests that material differences should be supported by justification documentation and not made on an ad hoc basis.²²

Conclusion

As with previous DOJ guidance documents, the 2020 Compliance Guidance emphasizes that prosecutors' assessments of compliance program effectiveness are not based on a checklist or formula; rather, prosecutors make individualized determinations based on companies' particular risk profiles and the measures they have undertaken to mitigate such risks. The 2020 Compliance Guidance nevertheless offers additional clarity on how federal prosecutors will be thinking about the effectiveness of corporate compliance programs when making critical decisions about whether to bring and how to resolve an enforcement against a business organization.

Footnotes

1. For additional analysis of the guidance that the Criminal Division released in 2019, see Arnold & Porter,  DOJ Issues New Guidance on Evaluating the Effectiveness of Compliance Programs (May 6, 2019).  DOJ's Antitrust Division also has issued guidance on "Evaluation of Corporate Compliance Programs in Criminal Antitrust Investigations" that is similar to, and references, the prior iteration of the Criminal Division's guidance.  See Arnold & Porter, " A New Model for Incentivizing Antitrust Compliance Programs": Changes to DOJ Antitrust Enforcement (July 23, 2019).

2. A full comparison between the 2020 Compliance Guidance and the version DOJ published in April 2019 is available here.

3. See, e.g., U.S. Sentencing Guidelines §8B2.1(b)(7).

4. 2020 Compliance Guidance at 2.

5. Id. at 3.

6. Id. at 4.

7. Id. at 16.

8. Id. at 2, 9.

9. Id. at 12.

10. Id. at 6, 7.

11. Id. at 13.

12. Id. at 7.

13. Id. at 8.

14. Id. at 9.

15. See, e.g., DOJ & SEC, A Resource Guide to the U.S. Foreign Corrupt Practices Act, (Nov. 14, 2012), , at 62 (explaining that "DOJ and SEC declined to take enforcement action against an acquiring issuer when the issuer, among other things, uncovered the corruption at the company being acquired as part of due diligence, ensured that the corruption was voluntarily disclosed to the government, cooperated with the investigation, and incorporated the acquired company into its compliance program and internal controls"); U.S. Dept. of Treas., Resource Center, Agreement between the U.S. Department of the Treasury's Office of Foreign Assets Control and Cobham Holdings, Inc. (Nov. 27, 2018).  For more on self-disclosures in the context of U.S. trade sanctions and export controls, see Arnold & Porter,  DOJ's Revised Self-Disclosure Policy for US Trade Sanctions and Export Control Violations Offers 'Concrete and Significant' Benefits for Corporations (Jan. 30, 2020).

16. 2020 Compliance Guidance at 4.

17. Id. at 5.

18. Id. at 5-6.

19. Id. at 10.

20. See, e.g., DOJ, Press Release, Pharmaceutical Company Targeting Elderly Victims Admits to Paying Kickbacks, Resolves Related False Claims Act Violations (Sept. 26, 2019).

21. Id. at 19.

22. It is also worth noting that enforcement authorities around the world have demonstrated a greater interest in corporate compliance in recent years.  For example, in January 2020, the United Kingdom's Serious Fraud Office (SFO) published the part of its Operational Handbook entitled "Evaluating a Compliance Programme."  For analysis of the SFO's compliance guidance, see Arnold & Porter,  UK Economic Crime Group: Enforcement Update (Apr. 14, 2020).

Originally published 3 June, 2020

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.