New guidelines from the Department of Justice (DOJ) Criminal Division emphasize that “individualized determinations” will drive the evaluation of corporate compliance programs. Announced June 1, 2020, these revisions also will impact how the Antitrust Division approaches corporate compliance at the charging stage in criminal antitrust investigation. Moreover, the guidelines are expressly intended to “assist prosecutors in making informed decisions as to . . . the appropriate (1) form of any resolution or prosecution; (2) monetary penalty, if any; and (3) compliance obligations contained in any corporate criminal resolution (e.g., monitorship or reporting obligations).”
These relatively modest changes, updating similar guidance issued in April 2019, emphasize that the DOJ seeks to make “reasonable” determinations in each case, considering factors such as company size, industry, geography, regulatory landscape, and other internal and external factors that might impact a company’s compliance program. The guidance emphasizes that the DOJ does not use any rigid formula to assess effectiveness. But the guidance continues to be organized as sample topics and questions, focused around three fundamental questions that have remained the same:
- Is the corporation’s compliance program well designed?
- Is the program being applied earnestly and in good faith (i.e. is the program adequately resourced and empowered to function effectively)?
- Does the corporation’s compliance program work in practice?
Regarding whether a corporation’s compliance program is well-designed, prosecutors now are instructed to develop an understanding of the reason the company established its compliance program in its particular manner and how the compliance program has evolved over time. The new guidance encourages prosecutors to question whether the company’s risk assessments are subject to periodic review and whether those reviews result in changes in company policy. This inquiry includes an examination of whether the company has a process for tracking and incorporating lessons learned from prior issues within the company itself and other companies in the same industry or region.
Another set of changes related to whether the compliance program is “well-designed” targets the accessibility of policies and procedures and the effectiveness of training and management of employees and third parties. Prosecutors are instructed to ask whether policies have been published in easily accessible and searchable formats. The DOJ also wants to assess whether employees have the ability to ask questions resulting from training and communications, and whether that training actually impacts corporate behavior and operations. This concern includes whether third parties are aware of reporting mechanisms within the company and whether risk management of those third parties continues through the lifespan of the relationship rather than just the onboarding process.
The DOJ additionally focuses on ensuring that compliance programs are adequately resourced and empowered to function effectively. Here, the new guidance seeks to ensure commitment to ethics and compliance not only by top-level management but also middle management. As part of this commitment, prosecutors will investigate whether the company has invested in further training and development for compliance and control personnel, and whether those personnel have sufficient access to relevant sources of data to timely and effectively monitor and test policies, controls, and transactions. Companies must identify and address any impediments to the compliance function’s access to this data. Compliance functions also must monitor investigations and discipline to ensure consistency across the board.
The last concept is whether the program works well in practice. Here, the new guidance encourages prosecutors to determine if the company compliance program is reviewed and adapted based upon lessons learned from its own misconduct and/or that of other companies facing similar risks.
Taken together, the revised guidelines show the increased depth at which prosecutors will evaluate a company’s program both on and beyond written policies and procedures. These changes show an emphasis on ensuring employee and third-party awareness and access, commitment from middle-management, adequate investment in compliance, and the review and adaption of programs based on prior incidents in the company and/or the industry.