The Department of Justice (DOJ) Criminal Division recently issued updated guidance for white-collar prosecutors regarding the Evaluation of Corporate Compliance Programs ("Guidance"). The updated Guidance builds on updates issued in April 2019, and demonstrates DOJ’s continuing emphasis on corporate compliance programs in determining the outcome of criminal investigations. The Guidance, which calls for companies to be more nimble and adaptive, is intended to assist prosecutors assess the adequacy and effectiveness of a corporation’s compliance program, informing the ultimate resolution of criminal cases.
Based on the updated Guidance, companies should:
-
Consider whether their IT infrastructure and compliance program policies support continuous gathering and monitoring of compliance-related data across functions;
-
Ensure that “lessons learned” from inside the company, as well as from the relevant industry and region, are continuously tracked and incorporated into operations; and
-
Internally review – and continuously test the efficacy of – the resources and authority provided to the compliance function to ensure consistency with the new Guidance.
Updates to DOJ’s Three Fundamental Corporate Compliance Program Questions
The Guidance still relies on three fundamental questions to establish the framework for assessing a compliance program: 1) Is the compliance program well designed?; 2) Is it applied earnestly and in good faith?; and 3) Does it actually work in practice? While these general questions remain the same, the updated Guidance reframes the second as an inquiry into the compliance program’s resources and empowerment, rather than implementation of the program itself.
As in the past, the Guidance provides that DOJ will make an “individualized determination in each case,” although the updated version now states that the determination will be “reasonable,” and provides a more detailed list of the factors that will be considered in that individualized determination, including but not limited to: company size, industry, and geographic location.
The new Guidance provides multiple additional factors that prosecutors should consider under each prong of the evaluation framework, and states that prosecutors may consider these factors “both at the time of the offense and at the time of the charging decision and resolution.”
1. Is the Compliance Program Well-Designed?
This prong of the evaluation framework now places greater emphasis on periodic review of compliance programs; consistent incorporation of lessons learned; and accessibility of policies and procedures, as reflected in the following updated elements:
-
Company Perspective: The Guidance calls for greater consideration for the company’s perspective, emphasizing that prosecutors should “endeavor to understand” the company’s reasons for designing their program in a certain way, and how the program has evolved over time.
-
Periodic Review and Updates: Under the new Guidance, prosecutors will consider whether the periodic review of the program is limited to a snapshot in time, or conducted on a rolling basis “based upon continuous access to operational data and information across functions.” Prosecutors will also evaluate whether the periodic review has led to any updates in policies, procedures, or controls.
-
Lessons Learned: The Guidance emphasizes the importance of updating policies and instituting processes for tracking and incorporating lessons learned from periodic reviews, not only from the company’s own operations, but also those of other companies operating in the same industry and/or geographic region.
-
Accessibility of Policies: Policies and procedures should be easily accessible for employees, published in a searchable format, and DOJ will consider whether the company tracks employee access to the policies to “understand what policies are attracting more attention from relevant employees.”
-
“Truly Effective” Training and Communications: These updates focus on whether employees have the opportunity to ask questions arising out of trainings, company handling of employees who fail all or part of trainings, and whether the company has evaluated how training impacts employee behavior or operations. The revised Guidance also now specifically mentions companies investing in “shorter, more targeted training sessions” as a way to “timely identify and raise issues to appropriate compliance, internal audit, or other risk management functions.”
-
Effectiveness of Hotline Reporting: The Guidance now instructs prosecutors to consider whether a company’s anonymous reporting mechanism is publicized not only to employees, but also to third parties. DOJ will now evaluate whether companies are testing employee awareness of and comfort with using a hotline, as well as the overall effectiveness of the hotline.
-
Third Party Relationships: The Guidance emphasizes that companies should be aware of the risks posed by third-party partners. Prosecutors will now consider whether companies engage in risk management for third-party relationships not only during onboarding but also throughout the lifespan of the partnership.
-
Mergers & Acquisitions: The updated Guidance emphasizes the need for pre-acquisition due diligence and post-acquisition audits, and now instructs prosecutors to evaluate whether the company has a process for integrating newly acquired entities into existing compliance program structures.
2. Is the Compliance Program Being Applied Earnestly and in Good Faith?
Previously this element of the Guidance’s framework was based on an evaluation of whether the compliance program was implemented effectively. In the updated version, the Guidance instead asks whether the program is “adequately resourced and empowered to function effectively,” and contains the following changes:
-
Role of Middle and Top-Level Management: DOJ will now consider whether middle-level managers, in addition to top-level managers, have committed to implementing a culture of compliance. The Guidance clarifies that companies must foster a culture of ethics and compliance “at all levels.”
-
Data Resources: The Guidance places greater emphasis on data resources as a measure of whether a compliance personnel have sufficient resources to be effective. Prosecutors will weigh whether compliance and control personnel “have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions” (emphasis added). Prosecutors will also evaluate whether there are any impediments to data access and the company’s efforts to address those impediments.
-
Consistent discipline: The updated Guidance now instructs prosecutors to consider whether the compliance department monitors its investigations and resulting discipline to ensure that they are achieving consistent results across the organization.
3. Does the Compliance Program Actually Work in Practice?
Echoing the changes to the first prong of analysis, the new Guidance also includes a new factor regarding lessons learned for evaluating whether the program works in practice. Prosecutors will now consider whether the company reviews and adapts its compliance program based on lessons learned from its own, and other similar companies’, experiences.