In recent years the Criminal Section of the U.S. Department of Justice ("DOJ") has been increasing its emphasis on evaluating a company's compliance program when making corporate charging decisions as reflected in its Evaluation of Corporate Compliance Programs Guidance Document ("the Guidance"), originally published in 2017. In 2019,1 the DOJ expanded and clarified the Guidance, creating a framework with three fundamental questions that prosecutors must ask when evaluating a charging decision:
- Is the corporation's compliance program well designed?
- Is the program being implemented effectively?
- Does the corporation's compliance program work in practice?
On June 1, 2020, the DOJ again amended the Guidance.2 Of particular note, the new Guidance:
- Makes clear that prosecutors are to ask these three fundamental questions not only at the time the offense occurred, but also at the time of the charging decision and resolution.
- Places greater emphasis on adequate resourcing.
- Emphasizes the need for compliance and control personnel to have meaningful access to data.
DOJ's clarification regarding the relevant time period of which the three fundamental questions should be asked implies that companies may be credited for proactive remediation efforts taken during an active investigation. With respect to adequate resourcing, the new Guidance notably changes one of the key framework questions, detailed above. Instead of asking whether a compliance program is being "implemented effectively," the Guidance now asks whether a compliance program is "adequately resourced and empowered to function effectively." This revision provides companies with concrete guidance as to what specifically the DOJ may be looking for in evaluating effective implementation of a compliance program. Finally, the new Guidance reflects the DOJ's recent increased focus on companies using data analytics to ensure efficient and effective compliance programs. The Guidance further emphasizes that prosecutors will not only be looking to whether data sources are available to relevant personnel, but also at how companies are addressing any impediments to data access.
The DOJ has stated the latest Corporate Compliance Program updates-discussed above and outlined in greater detail below-are "additions based on our own experience and important feedback from the business and compliance communities."3
I. Compliance Program Design
Throughout the updated Guidance, the DOJ emphasizes that it is key for companies to maintain dynamic compliance programs that evolve as risks change. A key question for prosecutors now is how a compliance program has evolved over time. Specifically, the DOJ asks whether a company's compliance program reflects a "snapshot" of risk in time, or whether there are processes at the company to ensure that the compliance program is evolving in response to data and information gathered in real time across business functions.
The DOJ's focus on ensuring that compliance evaluation occurs on an ongoing basis applies not only to a company's own compliance program. The new Guidance makes clear that this inquiry also applies to whether companies are evaluating the risk presented by third parties with which they engage throughout the third party's lifecycle, rather than just at onboarding, to address risks that evolve and change over time.
Further, the new Guidance provides an additional layer to prosecutors' efforts to understand and account for a company's risk profile, including how a company is identifying, assessing, and determining its own risk. The revised Guidance urges prosecutors to understand the "why" behind a company's compliance program, including why it was established in the way that it was, and, for the first time, any consideration of whether foreign law played a role in how the program was designed.
It is clear that the DOJ will now inquire into whether companies have a process for tracking and incorporating "lessons learned" from risk assessments or previous misconduct. Further, to ensure company employees are apprised of changes to the compliance program, the DOJ will inquire whether company policies are easily accessible, clear, and available in a searchable format.
The revised Guidance makes clear that the DOJ is more focused than in years past on determining whether companies have effective feedback loops to ensure that efforts to train employees and deploy reporting mechanisms are both useful and practical. For example, prosecutors will now ask whether employees have been given the opportunity to ask questions in response to trainings. Similarly, prosecutors will ask whether the company is testing that trainings have the intended impact on employee behavior and whether hotline reporting mechanisms are effective from start to finish.
Finally, the DOJ clarifies what it expects for companies in managing risk during mergers and acquisitions. Prosecutors will now evaluate whether a company was able to complete pre-acquisition due diligence, and if not, why the company was unable to do so. The new Guidance also emphasizes the need for companies to conduct post-acquisition audits, in addition to implementing compliance policies for newly acquired entities.
II. Compliance Program Implementation
As discussed above, DOJ's new Guidance changes one of the fundamental questions in evaluating a corporate compliance program from "is the corporation's compliance program being implemented effectively" to "is the corporation's compliance program adequately resourced and empowered to function effectively."
The DOJ has previously emphasized the importance of prosecutors evaluating the autonomy and resources a company gives to those enforcing the compliance program through factors such as structure, seniority and stature, funding, and experience. The new Guidance, however, places greater emphasis on the risk of under-resourcing.
The new Guidance also introduces a new factor-Data Resource and Access. This affirms the DOJ's recent focus on ensuring that compliance personnel make adequate use of data analytics.4 The DOJ is specifically interested in whether compliance and control personnel have sufficient access to data to allow them to effectively test and monitor policies, controls, and transactions, and whether companies are proactively addressing any impediments to this access.
Finally, in evaluating whether a company has created a robust compliance culture, the revised Guidance shifts focus away from solely tone at the top to also include tone at the middle. In light of this, prosecutors will likely be focused on whether a company's compliance culture effectively reaches employees at all levels of seniority.
III. Does the Corporation's Compliance Program Work in Practice?
In evaluating whether a company's compliance program was working effectively at the time of the offense, the DOJ previously emphasized the need for continuous improvement, periodic testing, and review. The new Guidance provides additional clarity into what effective monitoring and review looks like in practice, noting that prosecutors will now evaluate whether compliance programs were revised based on lessons learned both from a company's own experience in addressing misconduct, as well as from misconduct occurring throughout the industry.5
- Compliance Program Design: Now more than ever, it is clear that companies are expected to continuously evaluate their compliance programs and revise it as appropriate, based on evolving risks and to adequately reflect "lessons learned." Further, companies should be able to defend their decision-making with regard to their compliance programs and explain the "why" behind these decisions to the DOJ, including with regard to decisions made involving pre-acquisition due diligence, should an enforcement action ever arise. Finally, companies should consider implementing procedures to test their compliance training and reporting programs to ensure effectiveness and accessibility.
- Compliance Program Implementation: Adequate resourcing will be a clear indicator of effective implementation going forward. While tone at the top is likely to remain important in considering charging decisions, the revised Guidance reflects that tone at the middle will become an equally important factor in evaluating a company's compliance culture. Additionally, the DOJ continues to make clear its expectation that companies use data analytics to maximize the efficiency of their compliance programs.
- Effectiveness of Compliance Program: Prosecutors will expect that a company incorporate its own experience with risk into strengthening its compliance program, and also that it incorporate risks and misconduct faced by comparable companies. Now, more than ever, it is key for companies to stay up to date with emerging risks and trends and proactively evaluate their own risks accordingly.
- A more comprehensive summary of the DOJ's 2019 Guidance is available here.
- See https://www.justice.gov/criminal-fraud/page/file/937501/download.
- Dylan Tokar, Justice Department Adds New Detail to Compliance Evaluation Guidance, Wall St. J. (June 1, 2020), https://www.wsj.com/articles/justice-department-adds-new-detail-to-compliance-evaluation-guidance-11591052949.
- A more robust evaluation of the DOJ's recent focus on whether companies adequately use data analytics is available here.
- An in-depth discussion and resources regarding evaluating corporate culture as part of compliance programs is here.
Article originally published on 3 June 2020 The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.