On April 30, 2019, Brian A. Benczkowski, the assistant attorney general for the Criminal Division of the United States Department of Justice, announced the release of an updated version of the Criminal Division’s guidance for the Evaluation of Corporate Compliance Programs.[1] This document is intended “to assist prosecutors in making informed decisions” in corporate investigations relevant to “determining the appropriate (1) form of any resolution or prosecution; (2) monetary penalty, if any; and (3) compliance obligations contained in any corporate criminal resolution,” including monitorships and/or reporting obligations.[2] It does this by listing “sample topics and questions” on a variety of issues within corporate compliance that prosecutors should use to evaluate a corporation’s compliance program, although the document is “neither a checklist nor a formula.” Corporations, too, may want to take a fresh look at their compliance programs in light of this new guidance.
The DOJ last issued guidance on corporate compliance in February 2017. The April 2019 guidance expands upon and reorganizes this guidance in several important ways.
First, the guidance is now organized around three “fundamental questions” that a prosecutor should ask when evaluating corporate compliance:
The first question examines the program’s attention to risk assessment, policies and procedures, training and communications, confidential reporting and investigation of these reports, potential third-party misconduct, and potential misconduct within targets of mergers and acquisitions.
The second question looks at whether senior and middle management are committed to compliance, the program’s autonomy and resources, and incentives and disciplinary measures.
The third question focuses on continuous improvement, testing and review of the program; the investigation of misconduct; and the company’s efforts to analyze and remediate misconduct.
Aside from reorganization, the April 2019 guidance also expands on several of the topics that were not covered as thoroughly in the 2017 version.
On the subject of risk management, prosecutors will now look at whether a company’s compliance program prioritizes policing and examining high-risk areas and transactions such as “questionable payments to third-party consultants” or “suspicious trading activity,” or else devotes “a disproportionate amount of time to policing low-risk areas” such as hospitality and entertainment.
The updated guidance also pays additional attention to the structure of a company’s compliance function: whether it is independent or housed in the legal department or a business department, to whom the compliance officers report, and whether compliance officers also have other functions within the company.
Finally, several additions to the guidance emphasize measuring and analyzing past performance and thereafter making adjustments to the compliance program. For example, the guidance on risk management now asks whether the risk assessment process is “current and subject to periodic review” and accounts for “risks discovered through misconduct or other problems with the compliance program.” Likewise, the guidance asks whether compliance policies and procedures deal with “changes to the legal and regulatory landscape.” Finally, the guidance asks whether companies track and analyze patterns in anonymous reporting of misconduct to identify weaknesses in their compliance programs.
From the new additions to the April 2019 guidance and the document as a whole, several themes emerge:
Learning from your past mistakes. The new guidance repeatedly emphasizes learning from past misconduct and compliance program failures. In addition to the new sections discussed above, prosecutors will look at:
Being able to defend your decisions. The guidance also asks prosecutors to look at a company’s rationale for making particular choices with respect to compliance, including:
Communication and the flow of information. Finally, several topics within the guidance focus on the way information about compliance and misconduct is communicated within a company, including:
The DOJ will look favorably upon a company’s compliance program where, among other things, the company learns from its mistakes, can defend its structural decisions, is using and collecting data in a manner designed to enhance the program, and effectively communicates and processes relevant information. Going forward, corporations would do well to keep this new guidance in mind, both to prevent misconduct and to ensure that prosecutors appreciate their compliance efforts in case misconduct does, despite their best efforts, occur.
[1] Brian A. Benczkowski, Assistant Attorney General for the Criminal Division of the U.S. Dep’t of Justice, Keynote Address at the Ethics and Compliance Initiative (ECI) 2019 Annual Impact Conference (Apr. 30, 2019), available at https://www.justice.gov/opa/speech/assistant-attorney-general-brian-benczkowski-delivers-keynote-address-ethics-and.
[2] U.S. Dep’t of Justice, Criminal Division, “Evaluation of Corporate Compliance Programs,” at 1 (2019), available at https://www.justice.gov/criminal-fraud/page/file/937501/download.