Earlier this month, the U.S. Department of Justice (Department) released a newly updated version of the guidance used by federal prosecutors in evaluating whether a company’s compliance program is effective.
The guidance, titled “Evaluation of Corporate Compliance Programs,” was first released in 2017 and was updated last year.[1] It contains a list of compliance-focused topics and questions that prosecutors can review in deciding (1) whether to charge a company with a criminal offense, (2) whether to seek monetary penalties, and (3) whether to impose other compliance obligations (e.g., the appointment of a corporate monitor).
In releasing the updated guidance, the Department is previewing for companies the types of compliance-related questions they might receive during a federal criminal investigation. At the same time, the Department is delivering to companies a blueprint for an effective compliance program that can withstand prosecutorial scrutiny.
Below, we summarize the main changes to the guidance that companies should heed as they design and revise their compliance programs in the age of COVID-19.
Companies should be investing resources into their compliance programs consistent with their risk profile
The Department designed the guidance to help prosecutors answer three “fundamental questions” about a company’s compliance program.[2] First, “Is the corporation’s compliance program well designed?” Second, “Is the program being applied earnestly and in good faith?” And third, “‘Does the corporation’s compliance program work’ in practice?”
In the updated guidance, the Department maintains its focus on these three fundamental questions. But in answering the second question, the Department now directs prosecutors to consider whether the company’s compliance program is “adequately resourced and empowered to function effectively.” In doing so, prosecutors will weigh, among other things, how the company “invest[s] in further training and development of the compliance and other control personnel.”
Despite this updated guidance, companies should not expect prosecutors to demand that every entity devote the same amount of resources to its compliance program regardless of its risk profile: prosecutors are also now directed to “make a reasonable, individualized determination” about a company’s compliance efforts, “including, but not limited to, the company’s size, industry, geographic footprint, regulatory landscape, and other factors, both internal and external to the company’s operations, that might impact its compliance program.”
Companies should be continually evaluating the effectiveness of and revising their compliance program
In the updated guidance, the Department repeatedly emphasizes that compliance is an ongoing process in which companies should always be responding to new feedback. Prosecutors are therefore directed to evaluate the effectiveness of a company’s compliance program “both at the time of the offense and at the time of the charging decision and resolution.” To that end, prosecutors will “endeavor to understand why the company has chosen to set up the compliance program the way that it has, and why and how the company’s compliance program has evolved over time.” If a company is revising its compliance program “in light of lessons learned,” prosecutors will view those revisions as strong “indicators” that the company is properly tailoring its compliance efforts to its unique risk profile.
This focus on how a company’s compliance program has evolved over time is not limited to answering whether a company’s compliance program is well designed. In answering whether a program “works in practice,” prosecutors will consider whether a company has “review[ed] and adapt[ed] its compliance program based upon lessons learned from its own misconduct and/or that of other companies facing similar risks.”
As for a company’s process for revising its compliance program, the Department now directs prosecutors to check whether a company has “a process for tracking and incorporating into its periodic risk assessment lessons learned.” These lessons can be learned “either from the company’s own prior issues or from those of other companies operating in the same industry and/or geographical region.” Similarly, prosecutors will credit a company if it has not only a “process for designing and implementing new policies and procedures” but also a process for “updating existing policies and procedures.”
The Department has also offered new direction for prosecutors when evaluating how effectively a company is managing its risk from third-party intermediaries. For business relationships with third-party intermediaries, the Department recognizes that “the need for, and degree of, appropriate due diligence may vary based on the size and nature of the company, transaction, and third party.” Still, prosecutors will credit a company where it manages the risk from the third-party intermediaries not only “during the onboarding process” but also “throughout the lifespan of the [business] relationship.”
Companies should consider whether their compliance officials have access to and are sufficiently leveraging data
Perhaps the biggest change in the updated guidance is the Department’s focus on how companies use data to design, evaluate and revise their compliance programs. In determining whether a compliance program is well designed, prosecutors will now investigate whether a company’s “compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions.” Likewise, prosecutors will check whether “any impediments exist that limit access to relevant sources of data and, if so,” review “what . . . the company [is] doing to address the impediments.”
Other data-related issues appear throughout the updated guidance and suggest additional ways in which prosecutors will be scrutinizing a company’s use of data.
Periodic reviews. In evaluating the effectiveness of a company’s periodic reviews, prosecutors will now review whether those reviews are “limited to a ‘snapshot’ in time,” or whether they are “based upon continuous access to operational data and information across functions” — and credit a company for the latter. Prosecutors will also consider whether a company’s use of data “led to updates in policies, procedures, and controls.”
Distribution of compliance policies and procedures. Prosecutors will consider whether a company’s compliance policies and procedures have “been published in a searchable format for easy reference,” and whether a company “track[s] access to various policies and procedures to understand what policies are attracting more attention from relevant employees.”
Training. Prosecutors will also consider whether a company has “evaluated the extent to which the training has an impact on employee behavior or operations.”
Reporting hotline. If a company has an anonymous reporting mechanism like a hotline, prosecutors will check whether the company “take[s] measures to test whether employees are aware of the hotline and feel comfortable using it,” and whether the company “periodically test[s] the effectiveness of the hotline, for example by tracking a report from start to finish.”
Disciplinary measures. Finally, prosecutors will assess whether a company’s “compliance function monitor[s] its investigations and resulting discipline to ensure consistency.”
Companies can use shorter training sessions if they pair them with opportunities for employees to ask questions afterward
In the updated guidance, the Department suggests that it approves of “shorter, more targeted training sessions to enable employees to timely identify and raise issues to appropriate compliance, internal audit, or other risk management functions.” That said, the Department’s approval of these shorter sessions in fact depends on whether employees have opportunities to ask questions afterward: prosecutors will now consider whether a company has implemented “either online or in-person . . . a process by which employees can ask questions arising out of the trainings.”
Companies should timely integrate acquired companies into their existing compliance program
On the topic of mergers and acquisitions, the Department explains that a well-designed compliance program should include not only comprehensive due diligence of a company’s acquisition targets but also a “process for timely and orderly integration of the acquired entity into existing compliance program structures and internal controls.” As the Department emphasizes, a company’s failure to conduct proper “post-acquisition due diligence and integration” may lead to an environment in which misconduct can flourish. For that reason, prosecutors will now review a company’s process for “conducting post-acquisition audits . . . at newly acquired entities.”
Companies should build a culture of compliance throughout the organization
The Department also emphasizes in the updated guidance that companies should “create and foster a culture of ethics and compliance with the law at all levels of the company.” To that end, the Department now suggests a company’s “middle” managers should be as committed to implementing a culture of compliance as the company’s senior executives and its board of directors.
Companies should focus on the effects of foreign law on their compliance programs
In answering all three of the fundamental questions, prosecutors will now “consider whether certain aspects of a compliance program may be impacted by foreign law.” Under the updated guidance, if a company structures its compliance program based on foreign law, it must be able to defend to prosecutors its “conclusion[s] about foreign law,” and also explain how it is “maintain[ing] the integrity and effectiveness of its compliance program while still abiding by foreign law.”
Going Forward
Companies should use the updated guidance to review their current compliance program and evaluate its effectiveness. After all, given that the Department now states that prosecutors should evaluate a company’s compliance program “both at the time of the offense and at the time of the charging decision and resolution,” companies can always benefit from trying to improve their compliance efforts. Here are three questions that you can keep in mind in determining whether your current compliance program is likely to survive contact with a federal criminal investigation:
Has my company devoted adequate resources to its compliance program given its risk profile, and has it effectively empowered its compliance personnel? Given the economic carnage caused by COVID-19, companies may — despite protests from their general counsel or compliance officials — be considering cutting the budget for or otherwise deprioritizing their compliance program. Whatever decision a company makes, it should ensure that its compliance program still has adequate resources to analyze its risk profile, implement effective controls, and revise the compliance program as needed.
Does my company have access to and is it leveraging data to continually improve the compliance program? As discussed, prosecutors will now be considering whether “compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions.” Prosecutors will also be considering how the company uses that data by evaluating, among other things, whether a company is periodically reviewing its compliance program “based upon continuous access to operational data and information across functions.” Companies should therefore be thoughtful about how they use data both when developing and when revising their compliance programs.
Does my company have the right tone on compliance? The Department is focused not only on whether a company has a compliance program but also on whether a company has a culture of compliance “at all levels.” A company’s culture of compliance should include compliance training for middle managers and other employees besides its most senior executives and, as much as possible, give employees opportunities to learn about compliance issues outside the context of formal training sessions.
[1] “DOJ Criminal Division Releases Updated Guidance for Evaluation of Corporate Compliance Programs” (May 9, 2019), https://www.kramerlevin.com/en/perspectives-search/doj-criminal-division-releases-updated-guidance-for-evaluation-of-corporate-compliance-programs.html.
[2] U.S. Dep’t of Justice, Criminal Div., “Evaluation of Corporate Compliance Programs” (June 2020), https://www.justice.gov/criminal-fraud/page/file/937501/download.