On April 30, 2019, the Department of Justice (DOJ) released an updated version of its “Evaluation of Corporate Compliance Programs” (the “Guidance”). The DOJ has previously published guidance on the same topic, most recently in February 2017. The Guidance, while building on prior principles, offers significantly more detail about how prosecutors will evaluate compliance programs. Specifically, the Guidance now directs that prosecutors should ask three fundamental questions:
- Is the corporation’s compliance program well designed?
- Is the program being applied earnestly and in good faith?
- Does the corporation’s compliance program work in practice?
Under this framework, the Guidance provides 12 specific factors over 18 pages (double the 2017 version’s length) for prosecutors to consider. Along with reorganizing the material and adding a factor, the Guidance now also includes contextual notes introducing each topic. As with previous materials, the factors and questions in the Guidance are not meant to be a checklist or a “rigid formula.” Rather, the DOJ encourages prosecutors to evaluate compliance programs in the context of a company’s business and to make individualized determinations.
1. Is the Program Well Designed?
The Guidance now contains a more comprehensive analysis to determine whether a “program is adequately designed for maximum effectiveness in preventing and detecting wrongdoing” and whether management is appropriately enforcing that program. Key elements include:
- Risk Assessment: Prosecutors should understand how a company has identified, assessed, and defined risk in light of its specific business and risk profile. The Guidance instructs prosecutors to examine the company’s risk management process, risk-tailored resource allocation, and updates and revisions to its compliance program in reaction to lessons learned.
- Policies and Procedures: Prosecutors should then evaluate whether the company’s policies and procedures aim to reduce the risks identified in its assessments. The Guidance suggests that, at a minimum, a company should have an accessible code of conduct that sets forth the company’s commitment to compliance. It should also have policies and procedures that encourage compliance in day-to-day operations. Prosecutors should assess the design, comprehensiveness, and accessibility of those policies and procedures, as well as the individuals responsible for implementing and acting as gatekeepers of the processes. Importantly, the Guidance removed language from this factor suggesting that prosecutors should consider whether misconduct violated a specific policy, how the misconduct was funded, and whether vendors were involved.
- Training and Communication: The Guidance states that a “hallmark of a well-designed compliance program is appropriately tailored training and communication.” Prosecutors should therefore assess a company’s efforts to provide periodic, risk-based training; to relay information appropriately given the company’s sophistication, size, and expertise; to provide practical advice; and to address prior compliance issues. Updates to this factor include considering whether training is given in all high-risk areas and whether supervisors receive additional training.
- Confidential Reporting Structure and Investigation Process: Unlike previous versions, the Guidance expressly instructs prosecutors to consider whether a compliance program provides whistleblower protection—that is, whether there is a “trusted mechanism by which employees can anonymously or confidentially report” allegations of misconduct without fear of retaliation. Prosecutors should assess whether qualified personnel review and timely respond to complaints. The government also will evaluate the level of resources dedicated to investigations and the tracking of results.
- Third-Party Management: The Guidance reinforces that prosecutors should assess whether a company uses a risk-based due diligence approach to its third-party relationships. This includes evaluating whether a company considers a third party’s reputation and relationships with foreign officials as well as asking whether the company has an appropriate business rationale for using a third party. Further, prosecutors should assess how, once engaged, a company monitors and trains a third party and addresses any red flags.
- Mergers and Acquisitions: Similarly, prosecutors should assess whether a company’s compliance program includes comprehensive due diligence of acquisition targets. The Guidance notes that pre-acquisition scrutiny indicates whether a company’s compliance program can effectively enforce internal controls and remediate misconduct.
2. Is the Program Effectively Implemented?
The Guidance continues to discourage mere “paper programs” and instructs prosecutors to consider the following when determining if a compliance program is effectively implemented:
- Commitment by Senior and Middle Management: The Guidance emphasizes “conduct at the top.” It instructs prosecutors to assess whether senior management clearly articulates and disseminates ethical standards and whether senior management leads by example, including through remediation efforts. It also instructs prosecutors to examine whether middle management reinforces and encourages those standards.
- Autonomy and Resources: Prosecutors should evaluate whether compliance personnel have sufficient seniority, resources, and autonomy from management. Compliance personnel also should have appropriate experience and qualifications. The Guidance, however, recognizes that sufficiency depends on the size, structure, and risk profile of each company. The Guidance now also directs prosecutors to determine if internal audits are conducted at a level that ensures independence and accuracy.
- Incentives and Disciplinary Measures: Prosecutors should assess whether a company encourages compliance by establishing and consistently enforcing clear disciplinary procedures. Prosecutors may also consider a company’s efforts to incentivize compliance through providing certain benefits.
3. Does the Compliance Program Work in Practice?
The Guidance specifically recognizes that the mere occurrence of misconduct does not necessarily mean a program was ineffective at the time of the incident. Rather, prosecutors should view a company’s identifying, remediating, and self-reporting any misconduct as a strong indicator of its compliance program’s efficacy. To that end, prosecutors should consider how the company detected, investigated, and remediated the misconduct. Moreover, to determine whether a compliance program is effective at the time of a charging decision, prosecutors should evaluate if and how the program has evolved and whether the company has analyzed the misconduct’s cause and performed necessary remediation.
- Continuous Improvement, Periodic Testing, and Review: Prosecutors should consider whether a company meaningfully reviews its compliance program to ensure that it is not “stale.” To do so, prosecutors should assess whether a company conducts periodic audits, updates risk assessments and compliance procedures, and measures its culture of compliance. Prosecutors also may recognize a company’s efforts to promote improvement and sustainability.
- Investigation of Misconduct: Unlike previous versions, the Guidance now directs prosecutors to evaluate whether a compliance program contains a mechanism for timely and thorough investigations of alleged misconduct. Prosecutors should first determine whether a company properly ensures an independent and objective investigation appropriate in its scope. Next, prosecutors should evaluate how a company responds to the investigation.
- Analysis and Remediation of Any Underlying Misconduct: The Guidance ends by emphasizing that an effective compliance program can identify and remediate root causes of misconduct as well as take appropriate and timely disciplinary actions. Prosecutors should consider whether these factors exist when evaluating a compliance program’s efficacy.
While the Guidance does not make any significant substantive changes to the DOJ’s previous material on the topic, it does provide additional details about the DOJ’s expectations regarding corporate compliance programs. This detailed analysis is beneficial not only for those involved in enforcement actions but also for compliance and legal professionals implementing and monitoring compliance programs. These professionals should ask the same three fundamental questions posed to prosecutors when evaluating whether a compliance program adheres to the DOJ’s best practices.