Updated DOJ Guidance Provides Action Items for Corporate Personnel in Charge of Compliance Programs
The changes in the document offer corporate compliance personnel an opportunity to perform a checkup on their compliance programs to address the issues flagged in the updated guidance.
As explained in the guidance, the department’s Justice Manual (JM) directs federal prosecutors to consider certain factors when investigating a corporation, determining whether to charge a corporation or negotiating plea agreements or other agreements with a corporation.
Among the factors to be considered are “the adequacy and effectiveness of the corporation’s compliance program at the time of the offense, as well as at the time of a charging decision,” and a company’s efforts “to implement an adequate and effective corporate compliance program or to improve an existing one” (JM §9-28.800, §9-28.1000).
Similarly, the U.S. Sentencing Guidelines call for prosecutors calculating appropriate criminal fines against a corporation to consider whether the company had an effective compliance program in place at the time of the criminal misconduct (U.S.S.G. §8B2.1, §8C2.5(f), §8C2.8(11)).
The changes to the guidance, last issued in April 2019, cover a range of issues for prosecutors to consider when they scrutinize compliance programs.
Among the changes in the updated guidance are the following:
Program effectiveness. The guidance identifies three “fundamental questions” that federal prosecutors should ask when evaluating a corporate compliance program in the context of a criminal investigation:
- Is the corporation’s compliance program well designed?
- Is the program being applied earnestly and in good faith? In other words, is the program adequately resourced and empowered to function effectively?
- Does the corporation’s compliance program work in practice?
Importantly, the question concerning a program’s good-faith application no longer focuses merely on whether the program is “being implemented effectively.” The DOJ now identifies adequate resourcing and empowerment as the source of a compliance program’s effectiveness.
In a new footnote, the guidance directs prosecutors to consider “whether certain aspects of a compliance program may be impacted by foreign law.” If a company states that it has designed its compliance program in a certain way or has made a compliance decision based on foreign law requirements, the prosecutor should ask the company the basis for its conclusion about foreign law and “how the company has addressed the issue to maintain the integrity and effectiveness of its compliance program while still abiding by foreign law.”
When the evaluation happens. Also, in the updated version of the guidance the DOJ states that a prosecutor’s evaluation using the three questions will consider the value of a compliance program “both at the time of the offense and at the time of the charging decision and resolution.”
The change suggests that while a company is under investigation or in negotiations with federal prosecutors, it may wish to revisit its compliance program with an eye to the specific issues that are of concern to the DOJ during the enforcement action.
Effectiveness evaluation factors. In the document’s introduction, the Criminal Division notes that it “does not use any rigid formula to assess the effectiveness of corporate compliance programs” but rather “recognize[s] that each company’s risk profile and solutions to reduce its risks warrant particularized evaluation.”
The updated version of the guidance gives examples of the factors that the division uses to make “a reasonable, individualized determination in each case.” The factors include the company’s size, the industry, the company’s geographic footprint, the regulatory landscape, and other factors, both internal and external, that might affect the compliance program.
Risk assessment. The guidance discusses risk assessment as an element in a prosecutor’s scrutiny of a compliance program’s design. Language has been added indicating that during this scrutiny prosecutors “should endeavor to understand why the company has chosen to set up the compliance program the way that it has, and why and how the company’s compliance program has evolved over time.”
Updates and revisions. In an expanded discussion of the questions that a prosecutor will consider when looking at how a compliance program has been updated and revised, the Criminal Division directs the prosecutor to consider whether a company’s periodic review of the program is “limited to a ‘snapshot’ in time or based upon continuous access to operational data and information across functions.”
Applying lessons learned. A new section in the updated guidance states that prosecutors will consider whether the company has “a process for tracking and incorporating into its periodic risk assessment lessons learned either from the company’s own prior issues or from those of other companies operating in the same industry and/or geographic region.”
Design of policies and procedures. Prosecutors now must consider not only how a company designs and implements new compliance policies and procedures, but also how it updates existing policies and procedures.
Searchability of policies and procedures. Expanded text in the section on how a company has communicated its compliance policies and procedures to employees and relevant third parties now calls for prosecutors to consider whether the policies and procedures have been “published in a searchable format for easy reference.”
Training and communication. In the guidance’s discussion of how companies have implemented compliance training, the DOJ now notes that some companies “have invested in shorter, more targeted training sessions to enable employees to timely identify and raise issues to appropriate compliance, internal audit, or other risk management functions.”
Form, content and effectiveness of training. A prosecutor’s evaluation of compliance training provided by a corporation now includes consideration of whether there is “a process by which employees can ask questions arising out of the trainings,” regardless of whether the training is online or in person.
Effectiveness of the reporting mechanism. In its discussion about a company’s anonymous compliance reporting mechanism, such as a compliance hotline, the guidance calls for scrutiny of how the mechanism is publicized not only to employees but also to third parties. Also, the document now calls for an evaluation of whether the company “take[s] measures to test whether employees are aware of the hotline and feel comfortable using it.” In addition, the guidance now directs prosecutors to determine whether the company periodically tests the effectiveness of the hotline — “for example, by tracking a report from start to finish.”
Management of third parties. In its discussion of a company’s application of due diligence to its third-party relationships, the guidance calls for prosecutors to focus on whether the company knows the business rationale for needing a third party in a business transaction and the risks that a third-party partner may pose. The updated guidance states that this evaluation should include “the third-party partners’ reputations and relationships, if any, with foreign officials.”
When to scrutinize third-party relationships. With respect to a company’s management of third-party relationships, prosecutors are now directed to evaluate whether the company “engage[s] in risk management of third parties throughout the life span of the relationship, or primarily during the onboarding process.”
Mergers and acquisitions. The updated guidance specifies that a well-designed compliance program includes not only comprehensive due diligence of any acquisition target but also “a process for timely and orderly integration of the acquired entity into existing compliance program structures and internal controls.” The updated document now calls for prosecutors to examine:
- whether the acquiring company was able to complete pre-acquisition due diligence and, if not, why not; and
- whether the implementation of compliance policies and procedures at the newly acquired company includes post-acquisition audits.
Compliance personnel experience and qualifications. When looking at the experience and qualifications of compliance and control personnel, prosecutors now are directed to consider how the company “invest[s] in further training and development of the compliance and other control personnel.”
Data resources and access. The updated guidance includes a new focus on prosecutors’ evaluation of whether compliance and control personnel “have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls and transactions.” Prosecutors also should discern whether there are any impediments that limit access to relevant data sources, and if so, what the company has done to address those impediments.
Compliance incentives and disciplinary measures. When considering whether a compliance program’s incentives and disciplinary measures have been applied fairly and consistently across an organization, prosecutors now must consider whether the compliance function “monitor[s] its investigations and resulting discipline to ensure consistency.”
Updates to compliance policies. DOJ prosecutors are directed to evaluate whether there is continuous improvement, periodic testing and review built into a corporate compliance program. Under the updated guidance, one of the factors that they now must consider is whether the company reviews and adapts its compliance program “based upon lessons learned from its own misconduct and/or that of other companies facing similar risks.”
The updated guidance includes an expanded list of federal government and nongovernmental compliance resources.