This week we are pleased to have a guest post from Edward Heath and Kevin Daly. Attorneys Heath and Daly are members of Robinson + Cole’s Manufacturing Industry Group and regularly counsel clients on trade compliance, anti-corruption compliance, and other corporate compliance issues.
Earlier this year, the United States Department of Justice (DOJ) issued new guidance regarding how it evaluates corporate compliance programs in the context of civil and criminal enforcement matters. Rather than deviating from DOJ’s existing approach, the new guidance set forth the factors DOJ will use to assess the adequacy of corporate compliance programs in greater detail than in prior guidance. Accordingly, it provides important insight into what DOJ will likely prioritize when evaluating whether a company under investigation maintained effective compliance controls.
As a general matter, the “the adequacy and effectiveness” of a company’s compliance program is a factor in DOJ’s decision whether to pursue a criminal charge and, if so, in the subsequent assessment of the severity of the penalty sought. See DOJ’s Principles of Federal Prosecution of Business Organizations. Additionally, the U.S. Sentencing Guidelines provide that the presence of an effective compliance program at the time of the charged conduct is a factor in calculating an appropriate criminal fine. DOJ’s recent guidance attempts to give more definition to what makes a compliance program effective or ineffective, setting forth three key questions to guide the inquiry.
The first question asks, “Is the corporation’s compliance program well-designed”. Here, DOJ will consider whether the program is tailored to the risks the business is likely to face, whether employees receive training and communication regarding the program, whether the program provides a mechanism for employees to report compliance concerns, whether the program addresses risks posed by third-party relationships, and whether the company conducts compliance due diligence in the course of mergers and acquisitions.
The second question asks, “Is the program being applied earnestly and in good faith”. To answer this question, DOJ will look at factors such as whether there is management commitment to the program, whether sufficient resources are devoted to the program, and whether the company provides incentives for compliance as well as disincentives for noncompliance.
Finally, the third question asks, “Does the corporation’s compliance program work”? Here, the DOJ analyzes whether the program is periodically reviewed and improved, and whether potential misconduct is investigated and then remediated when detected.
Importantly, although the guidance is organized into these three discrete questions, several key takeaways emerge from the guidance as a whole.
-
DOJ requires a compliance “program” to entail more than just a written policy. Companies are expected devote resources to the program on an ongoing basis, such as by training employees, reviewing the effectiveness of the programs, and updating and improving it as circumstances warrant.
-
Additionally, the guidance makes clear that DOJ does not view a compliance program as a cookie cutter endeavor; a program should be tailored to the specific risks applicable to the company’s location, business model, and the sector in which it operates.
DOJ recognizes that that no compliance program can prevent all possible misconduct, and the new guidance explicitly acknowledges that a compliance plan will not be deemed ineffective simply because misconduct occurred. However, a program that fails to measure up to these expressed standards may fall short of its duty to protect the company against internal wrongdoing and then place the company in a tenuous position in the face of DOJ scrutiny.