Justice Department revises the Evaluation of Corporate Compliance Programs

Compliance officers will want to peruse it carefully.

Assistant Attorney General Brian Benczkowski unveiled the guidance during a keynote address at the Ethics and Compliance Initiative (ECI) Annual Impact Conference in Dallas. He said the Criminal Division was releasing the new version of the Evaluation of Corporate Compliance Programs “to better harmonize the prior Fraud Section publication with other Department guidance and legal standards.”

The Criminal Division published its prior guidance in February 2017 at a time when Hui Chen was still compliance counsel for its Fraud Section, before she chose to leave the agency in June 2017.

“Because a corporate compliance program must be evaluated in the specific context of a criminal investigation, the Department does not use any rigid formula to assess the effectiveness of corporate compliance programs,” Benczkowski said. “We recognize that each company’s risk profile and solutions to reduce its risks warrant particularized evaluation.  Accordingly, we make an individualized determination in each.”

Compared to the original guidance, the newly revised guidance is far more comprehensive, spanning 18 pages, compared to the previous version’s seven pages. “In drafting the updated version of the document, we have sought to provide additional transparency in how we will analyze a company’s compliance program,” Benczkowski said.

As stated in the Justice Manual, there are three fundamental questions a prosecutor should ask in evaluating a company’s compliance program, Benczkowski said:

• Is the program well-designed?
• Is the program effectively implemented?
• Does the compliance program actually work in practice?

As Benczkowski pointed out, the updated version uses these three questions as a framework to categorize the topics that the Justice Department has frequently found relevant in evaluating a corporate compliance program. Compliance officers will not find anything earthshattering in the new guidance, just that it’s far more comprehensive.

As with the old guidance, the new guidance provides consideration for risk assessments; policies and procedures; training and communication; confidential reporting and investigations; commitment by senior and middle management; adequate authority and resources; incentives and disciplinary measures; and continuous improvement, periodic testing, and review. It also covers third-party risk management and mergers and acquisitions, like the previous guidance.

One section where the Justice Department offers more detail, for example, concerns training. Specifically, in directing prosecutors to “assess whether the company has relayed information in a manner tailored to the audience’s size, sophistication, or subject matter expertise,” the revised guidance states that, “Some companies, for instance, give employees practical advice or case studies to address real-life scenarios, and/or guidance on how to obtain ethics advice on a case-by-case basis as needs arise.”

The Department of Justice has also expanded its guidance under the section concerning policies and procedures. “Any well-designed compliance program entails policies and procedures that give both content and effect to ethical norms and that address and aim to reduce risks identified by the company as part of its risk assessment process,” the guidance states. “As a threshold matter, prosecutors should examine whether the company has a code of conduct that sets forth, among other things, the company’s commitment to full compliance with relevant federal laws that is accessible and applicable to all company employees. As a corollary, prosecutors should also assess whether the company has established policies and procedures that incorporate the culture of compliance into its day-to-day operations.”

An example of a third revision can be observed in the section concerning the effectiveness of the reporting mechanism. In this section are three new questions: Does the company have an anonymous reporting mechanism, and, if not, why not? How is the reporting mechanism publicized to the company’s employees? Has it been used?

And a fourth example is in the section describing a “properly scoped investigation by qualified personnel.” In that section, two new questions have been added:  How does the company determine which complaints or red flags merit further investigation? How does the company determine who should conduct an investigation, and who makes that determination?

“As before, the topics and questions are neither a checklist nor a formula,” Benczkowski concluded. “We hope this updated version provides additional insight to both prosecutors and companies with respect to the evaluation of compliance programs.”