In his first public speaking engagement, just weeks into his new role as acting assistant attorney general for the Criminal Division, Brian Rabbitt took part in a question-and-answer session with the Ethics & Compliance Initiative. He shared his perspective on recent updates to the Evaluation of Corporate Compliance Programs Guidance and the Foreign Corrupt Practices Act (FCPA) Resource Guide, as well as the Justice Department’s thought process behind some of the more significant revisions.

Below is an abridged version of that conversation.

About Brian Rabbitt 

Brian Rabbitt is Acting Assistant Attorney General for the U.S. Department of Justice’s Criminal Division. In that role, Rabbitt supervises more than 600 prosecutors who investigate and prosecute crimes involving securities fraud, money laundering, Bank Secrecy Act violations, Foreign Corrupt Practices Act violations, healthcare fraud, public corruption, cyber-crime, intellectual property theft, organized and transnational crime, gang violence, child exploitation, international narcotics trafficking, human rights violations, and other crimes.


Rabbitt joined the Criminal Division in July 2020 after serving as chief of staff and senior counselor to Attorney General William Barr. Before the Department of Justice, Rabbitt served as senior policy advisor to Chairman Jay Clayton at the U.S. Securities and Exchange Commission.

Q: What is your approach to criminal enforcement now that you’re at the helm?

A: My approach is very similar to that of my predecessors: We are going to continue to ensure that corporations and their employees follow the law, that they adhere to their ethical obligations, and that culpable companies and individuals are held accountable. And we’re also going to try to continue to provide guidance for the industry, transparency as to what we are doing and why we are doing it, and what we expect of companies and actors in this space.

[A]t the end of the day, most companies want to obey the law. Most employees want to obey the law, and most companies don’t want employees in their ranks engaging in misconduct. So, while I think we need to enforce the law vigorously, as we have done, at the same time, we need to approach our task here at the Department and the Division with a measure of humility, recognizing that the work that we do can bring with it a great deal of consequences for those that we investigate both reputationally and financially.

We also need to bear in mind—and I try to bear in mind with my work—that in many cases, individuals who really have nothing to do with the conduct we are investigating—shareholders or innocent employees—can often bear disproportionate consequences of the wrongdoing that we are looking into. That’s why we need to be thoughtful about the conduct we pursue and how we do it.

Q: What are some top challenges ahead for the Criminal Division over the next few months and years?

A: In the near term, the challenges that we’re facing are the same as the challenges that everybody across government and the private sector is facing, which is the pandemic. There is no question that the pandemic has had a big impact on what we do.

Over the long term, one of the challenges we have identified is deterring corporate wrongdoing before it even occurs. We have finite resources in the Criminal Division and generally in government. There is no shortage of potential misconduct for us to take a look at. For us to be truly successful and focus on the type of misconduct that is truly deserving of the government’s attention, while still having an impact, we need to incent the private sector to take action on its own, or we need to deter corporate wrongdoing before it even begins.

Q: How important is a company’s E&C program when it comes to a Department’s decision about resolving a case?

A: In two words: very important. A company’s compliance program can often deter and prevent fraud before it even begins. In addition to preventing misconduct, a compliance program that detects misconduct at an early stage can put a company in a position to preserve and gather evidence that might not otherwise be available … and that, in turn, puts the company in a much better decision to voluntarily self-disclose to the Department or other regulators and potentially achieve the benefits that are available under the Criminal Division’s Corporate Enforcement Policy.

In addition, we assess the adequacy and effectiveness of a corporate compliance program both at the time the misconduct occurred, as well as at the time of resolution when deciding how to resolve a case. The adequacy and effectiveness of the compliance program factors directly into our charging decision.

Q: How does the Department of Justice decide on which topics to issue policy updates?

A: We really don’t want there to be any surprises when it comes to our work. For that reason, we periodically publish policies or guidance that address various topics regarding our enforcement work that we believe will be helpful and useful to either the compliance community or companies directly or to the attorneys that practice before us. The topics are those that we feel, based on our practice and based on our experience collectively as a Division, will have the most impact on our core mission.

Q: Was there a reason why the updated “Evaluation of Corporate Compliance Programs” guidance was not released with great fanfare?

A: Generally, it’s not that unusual for us to not release press releases or make a big splash when updating policies. The document has received a lot of attention in the compliance community and among the bar. We understand folks will pick up on things that we put out and give them due attention. We can always come in afterward at events like this where we speak with relevant stakeholders and elucidate our thinking a little bit more. Sometimes we will make a big splash, but often we’ll just do things quietly and let it percolate through the [compliance] community.

Q: The revised guidance places a lot of emphasis on monitoring and testing the compliance program. What’s behind that emphasis?

A: We always see companies come in and talk about how great and how effective their compliance programs are, but we’ve also seen instances of companies doing that but can’t really show us what they’re doing with respect to testing the effectiveness. You can have the best compliance program possible on paper, but the devils are really in the details. A program that looks great on paper that isn’t effectively implemented is really not going to be terribly effective, and it’s not going to be something that carries great weight with the Department of Justice. We need hard evidence that a program is both well-designed but also effectively implemented. And part of an effective compliance program is testing.

Q: The revised guidance also places new emphasis on “lessons learned” from past misconduct and the misconduct of other companies. Is the Criminal Division trying to set a trap?

A: No, we are not setting any traps. We are not looking to trick companies or trap them. We include questions about lessons learned and guidance about lessons learned because learning from prior mistakes, from prior issues within a company—or other companies within a similar industry or a similar region—is an important part of a compliance program’s implementation, improvement, and evolution. We all learn from past experiences. It’s common sense that we do that.

I think it’s also a mistake to think we would not otherwise ask about or look into prior misconduct if we were to engage with a company during the course of an investigation. The best way to stay out of Department offices and off our radar screen is to avoid repeating mistakes that a company has made in the past or that similar companies or companies in the same region have made in the past. And the best way to do that logically is to learn from what your company has done or what comparable companies or competitors have done and make changes in response.

If a company doesn’t do that, if they’re not learning and making changes, and then they wind up across the table from us during an investigation, we’re going to want to know why. And we’re going to want to know why they were on notice this conduct was illegal, or that these practices were a problem, and they took no action in response. If the company just ignored it or just didn’t think it was important to train, or develop, or implement changes in responses to what they learned, that is not going to be a good answer to prosecutors in our investigation.

Q: The guidance also asks whether companies “engage in risk management of third parties throughout the lifespan of the relationship.” What should that look like in practice?

A: One thing we have seen in a number of our investigations and in a number of our cases is companies that conduct due diligence before obtaining a third party, and once they’re satisfied that the third party has passed the test, so to speak … they’re not revisited again. The problem we have found with that is that in certain cases third parties that don’t begin as a compliance risk later become a compliance risk.

[W]e do feel there should be a periodic revisiting of their rationale behind the use of the third party, steps they take to ensure the risk profile of the third party has not changed, and then just basic due diligence to ensure that the third party that began as a non-compliance risk is not a compliance risk going forward. Ongoing attention to potential risk areas is important, and third parties are a big part of that.

Q: New language has been added in the guidance regarding access to data. What was the thought process behind that?

A: Companies today use data for all sorts of commercial purposes. We’ve learned over time and have come to believe that, in addition to being commercially important, data is also a fundamental aspect of a compliance program. It can help identify issues like problematic transactions with third parties, and it can allow a company to monitor, test, probe the effectiveness of its compliance program. Without data, without a robust ability to examine data and understand its own operations, a company will probably have a very difficult time determining whether its due diligence processes are effective, whether internal complaint lines are being used and whether they’re accessible to employees, whether training is actually being taken by employees, and whether it’s having an impact.

Q: The revised FCPA Resource Guide stresses the interplay between internal accounting controls and compliance programs. What’s the thought process behind that?

A: We do recognize that distinction in the new edition. There is a lot of overlap between a compliance program and internal accounting controls. In most instances, where a company has a well-designed compliance function, it’s also going to have well-designed accounting controls, and vice versa. The point of the distinction in the FCPA Resource Guide is that, despite the overlap, there is in fact a difference. While there is significant overlap, both are something they need to be focused on.