The Department of Justice on Monday posted another round of new revisions to its “Evaluation of Corporate Compliance Programs” guidance. The update clarifies and describes what new factors prosecutors may consider in the areas of risk management, policies and procedures, training and communications, mergers and acquisitions, and more in their evaluation of corporate compliance programs.
“The revised guidance on the Evaluation of Corporate Compliance Programs reflects additions based on our own experience and important feedback from the business and compliance communities,” Assistant Attorney General Brian Benczkowski of the Justice Department’s Criminal Division said in a statement. “Although much of the substance of the prior version remains unchanged, the updates we have made are in keeping with our continued efforts as prosecutors to improve our own policies and practices to ensure transparency and the effective and consistent enforcement of our laws.”
The Criminal Division first released its “Evaluation of Corporate Compliance Programs” guidance in February 2017. Prior to the revisions posted Monday, the guidance was last updated in April 2019.
Compliance program structure. In the introduction to the guidance, new language has been added to reflect how the Criminal Division evaluates a company’s risk profile and solutions to reduce its risks. The new language states prosecutors will make a “reasonable, individualized determination in each case that considers various factors including, but not limited to, the company’s size, industry, geographic footprint, regulatory landscape, and other factors, both internal and external to the company’s operations, that might impact its compliance program.” (emphasis added)
Another notable change relevant to chief compliance officers is revised language directing prosecutors to ask companies whether the compliance program is “adequately resourced and empowered to function” effectively, whereas the last guidance directed prosecutors to ask if the compliance program has been “implemented effectively.”
“A rubber stamp compliance department with no ability to act or report up to the board simply will not pass muster,” says Kenneth Polite, former U.S. attorney for the Eastern District of Louisiana and now a partner at Morgan Lewis. “The guidance also amplifies the notion that effective compliance is a journey, not a destination. Ongoing, continual revision; monitoring; and assessment of compliance risk are essential.”
Language concerning two other fundamental questions asked by prosecutors in their evaluation of corporate compliance programs—(1) “Is the corporation’s compliance program well designed?” (2) “Does the corporation’s compliance program work in practice?”—was not revised.
New language has been added stating the Criminal Division has frequently found relevant to evaluate a corporate compliance program “both at the time of the offense and at the time of the charging decision and resolution.”
The revised guidance also adds clarifying language to the “Risk Assessment” section, instructing that “prosecutors should endeavor to understand why the company has chosen to set up the compliance program the way that it has, and why and how the company’s compliance program has evolved over time.”
DOJ Corporate Compliance guidance gets an update
The Department of Justice recently updated its Guidance on Evaluation of Corporate Compliance Programs. The Guidance matters to business leaders because the DOJ can be expected to go easier on companies that have followed the Guidance and harder on firms that have not.
It sets out criteria for evaluating whether corporate compliance and ethics programs are: (i) well-designed; (ii) adequately resourced and empowered to function effectively; and (iii) working in practice. These criteria impact DOJ decisions on bringing criminal charges, seeking fines, and insisting on post-resolution monitoring.
The June 2020 updates emphasize purposeful compliance and ethics program design, thorough and responsive process implementation, and pursuit of data-driven continuous improvement based on in-house and peer experience. The update also creates both opportunities and pitfalls for businesses. Compliance and ethics expert Robert Zafft offers some best practices.
1. Don’t let the tail wag the dog – Remember that the Guidance tells you what the DOJ will look for, not how best to run your compliance and ethics program.
2. Periodically map company structures, training, and processes to the guidance – Mapping in advance of a referral to the DOJ helps (i) preempt problems; (ii) maximize communications privilege; and (iii) steer busy investigators through ready data.
3. Render unto Caesar – Implement Guidance criteria that: (i) reflect compliance and ethics best practices; (ii) are easy to implement; (iii) generate favorable data; and (iv) do not create additional risk.
4. Beware Guidance pitfalls – Think carefully before implementing Guidance criteria that (i) are commercially unreasonable; (ii) create significant additional risk; or (iii) represent process tampering rather than improvement.
5. Forestall or fix (but never hide) red flags – Instill communications discipline, monitor follow-through on processes and problems, and document continuous improvement.
A former McKinsey & Company consultant and Senior Expert for the Organization for Economic Cooperation and Development, Greensfelder, Hemker & Gale Attorney Robert Zafft advises and provides training for companies of all sizes on compliance and ethics matters. He also teaches business ethics at Olin Business School and has recently published The Right Way to Win: Making Business Ethics Work in the Real World.
(With thanks to Greensfelder Partner and former DOJ prosecutor Patrick Cotter)
Risk-tailored initiatives. As noted in past versions of the guidance, prosecutors are directed to credit the quality and effectiveness of a risk-based compliance program. Under this risk-based section of questions, new language has been added relative to “updates and revisions,” specifically directing prosecutors to consider the following question: “Is the periodic review limited to a ‘snapshot-in-time’ or based upon continuous access to operational data and information across functions? Has the periodic review led to updates in policies, procedures, and controls?”
Also included is new language on “lessons learned.” Specifically, it directs prosecutors to consider the following newly added question: “Does the company have a process for tracking and incorporating into its periodic risk assessment lessons learned either from the company’s own prior issues or from those of other companies operating in the same industry and/or geographical region?”
Policies and procedures. A new question has been added as it relates to accessibility: “Have the policies and procedures been published in a searchable format for easy reference? Does the company track access to various policies and procedures to understand what policies are attracting more attention from relevant employees?”
Training and communication. The Criminal Division added new language to acknowledge some companies “have invested in shorter, more targeted training sessions to enable employees to timely identify and raise issues to appropriate compliance, internal audit, or other risk management functions.” The overall message from this section is that prosecutors should assess “whether the company has relayed information in a manner tailored to the audience’s size, sophistication, or subject-matter expertise.”
Regarding the form, content, and effectiveness of the training, new questions added direct prosecutors to ask the following:
- “Whether online or in-person, is there a process by which employees can ask questions arising out of the trainings?”; and
- “Has the company evaluated the extent to which the training has an impact on employee behavior or operations?”
Clarifying language has been added asking how companies publicize reporting mechanisms to both employees and third parties. Other new questions added include: “Does the company take measures to test whether employees are aware of the hotline and feel comfortable using it? Does the company periodically test the effectiveness of the hotline—for example, by tracking a report from start to finish?”
Third-party risk management. Prosecutors are directed to consider “whether the company knows the business rationale for needing the third party in the transaction, and the risks posed by third-party partners, including the third-party partners’ reputations and relationships, if any, with foreign officials.” Another new question added is, “Does the company engage in risk management of third parties throughout the lifespan of the relationship, or primarily during the onboarding process?”
Mergers and acquisitions. The Criminal Division adds language clarifying that a well-designed compliance program should include not only comprehensive due diligence of any acquisition targets, but also “a process for timely and orderly integration of the acquired entity into existing compliance program structures and internal controls.” The Criminal Division further stresses it will pay close attention to flawed or incomplete due diligence and integration in both the pre- and post-acquisition stages.
Autonomy and resources. New questions in this section include: “What are the reasons for the structural choices the company has made?” and, regarding experience and qualifications, “How does the company invest in further training and development of the compliance and other control personnel?”
Language has also been added regarding data resources and access, with the following questions: “Do compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions? Do any impediments exist that limit access to relevant sources of data and, if so, what is the company doing to address the impediments?”
Overall, there are a couple of places where the Criminal Division stresses the “lessons learned” aspect as it pertains to the evolution of a compliance program. One new question, for example, is, “Does the company review and adapt its compliance program based upon lessons learned from its own misconduct and/or that of other companies facing similar risks?”