November 12, 2019

November 11, 2019

Subscribe to Latest Legal News and Analysis

DOJ Guidance on Evaluation of Corporate Compliance Programs: Key Takeaways

Boards and management should make use of recent expanded guidance from the US Department of Justice to ensure that their compliance programs are considered “effective” if and when an investigation arises. Companies should affirmatively answer three fundamental questions in evaluating a compliance program: 1) Is the compliance program well designed? 2) Is the program being implemented effectively and in good faith? 3) Does the compliance program work in practice?

IN DEPTH


On April 30, 2019, the US Department of Justice’s Criminal Division (DOJ) issued new guidance to prosecutors, drawn from a number of existing departmental sources offering varying degrees of specificity, on evaluating corporate compliance programs. This guidance updates and answers questions posed in previous guidance issued in February 2017, to reflect DOJ’s evolving view of compliance program effectiveness. Boards and Management should make use of DOJ’s expanded guidance to ensure that their compliance programs are considered “effective” if and when an investigation arises. Companies should affirmatively answer three fundamental questions in evaluating a compliance program: 1) is the compliance program well designed? 2) is the program being implemented effectively and in good faith? and 3) does the compliance program work in practice?

The DOJ details specific factors that prosecutors should consider when investigating corporations and other organizations in the Justice Manual’s “Principles of Federal Prosecution of Business Organizations.” These factors include “the adequacy and effectiveness of the corporation’s compliance program” at both the time of the offense and the time of the charging decision, and remedial efforts to “implement an adequate and effective corporate-compliance program or to improve an existing one.” DOJ’s 2017 guidance offered some general questions to help prosecutors make such an assessment—although it did not provide prosecutors with corresponding answers on compliance program effectiveness.

The “effectiveness” of compliance programs also currently appears in other DOJ policy memoranda and federal sentencing guidelines, but without substantial guidance as to what prosecutors should deem effective. Specifically, Sections 8B2.1, 8C2.5(f) and 82C.8(11) of the US Sentencing Guidelines provide that consideration should be given to whether a corporation had an effective compliance program in place at the time of misconduct when calculating the appropriate fine. DOJ’s memorandum on the selection of compliance monitors (the Benczkowski Memo) also instructs prosecutors to consider, at the time of resolution, whether the corporation has made “significant investments in, and improvements to, its corporate compliance program and internal controls systems,” and whether “remedial improvements to the compliance program” have been tested to demonstrate that the program would prevent or detect similar misconduct.

DOJ’s new expanded guidance provides more specific factors for federal prosecutors to consider when determining whether a company deserves settlement credit through a demonstrated commitment to compliance. While broadly mirroring information in the Justice Manual, past DOJ memoranda and guidance, the federal sentencing guidelines, and many DOJ Deferred Prosecution Agreements and Non-Prosecution Agreements, the updated guidance provides more detail to assist prosecutors in making informed decisions about whether a corporation’s compliance program was effective at the time of the offense and is effective at the time of a charging decision or resolution. Just as importantly, the updated guidance allows corporate boards and executives to make a similar assessment and to address any shortcomings in their organization’s compliance program.

DOJ acknowledges that there is no “rigid formula” when it comes to assessing compliance programs. A company should tailor its compliance program to its specific risk profile. In doing so, however, compliance officers, board members and corporate executives should keep in mind that prosecutors will ask three “fundamental” questions in making an assessment of a company’s compliance program:

1. Is the corporation’s compliance program well designed?

DOJ takes the position that a well-designed compliance program depends on a risk assessment: has the company “identified, assessed, and defined its risk profile?” In turn, does the program devote appropriate scrutiny and resources to the range of possible risks? Prosecutors will look to whether a compliance program is appropriately designed to detect the particular types of misconduct that are likely to occur in the company’s line of business, regulatory landscape and business environment. Well-designed compliance programs also should be periodically updated, often through additional risk assessments.

Under the DOJ guidance, prosecutors will next look to a company’s compliance policies and procedures, including a code of conduct that sets forth the company’s commitment to compliance with relevant laws. The creation of well-designed policies should involve the right people—including appropriate seniority and relevant business units. Such policies should be drafted to be comprehensive, accessible and reinforced through internal controls systems.

The DOJ guidance also expects appropriately tailored training and communications, with a focus on training employees in control functions and high-risk areas. Training and guidance should be accessible and available in appropriate languages. Employees should know the company’s position concerning misconduct. Similarly, employees should have clear, accessible and confidential reporting channels for reporting misconduct—and there should be appropriate processes for investigating such reporting. Such mechanisms are considered “probative” in assessing whether a company has established mechanisms for detecting and preventing misconduct.

The DOJ guidance specifically calls out third-party management and M&A as risk areas where DOJ expects companies to have well-developed programs to assess and address potential compliance issues.

2. Is the program applied earnestly and in good faith? In other words, is the program implemented effectively?

DOJ next looks to whether a company has demonstrated a commitment to the compliance program by senior and middle management. To the government, this is perhaps one of the most important factors in assessing the effectiveness of a compliance program. Prosecutors will ask whether senior management, including the board, has “clearly articulated the company’s ethical standards, conveyed and disseminated them in clear and unambiguous terms, and demonstrated rigorous adherence by example.” Prosecutors will then evaluate whether middle management has reinforced those standards.

DOJ will also ask whether a compliance program has appropriate autonomy and resources, focusing on whether there is sufficient seniority and authority within the organization, sufficient resources and staff to undertake the necessary work of a well-designed compliance program (including internal audit), and sufficient autonomy from management, including access to the board or audit committee.

DOJ will also look to incentives and disciplinary measures taken in response to compliance and non-compliance, respectively. It is critical that appropriate human resources processes are developed and consistently applied.

3. Does the corporation’s compliance program work in practice?

Effective compliance programs cannot exist only “on paper.” They must work in practice. Prosecutors will closely review whether a program was working when misconduct was identified, especially in circumstances where misconduct was not immediately detected. While Section 8B2.1(a) of the US Sentencing Guidelines makes clear that misconduct in and of itself does not mean that a program is ineffective, the DOJ guidance indicates that prosecutors should view identification of misconduct by a compliance program as a “strong indicator that the compliance program was working effectively.” Prosecutors will consider whether and how the company detected potential misconduct, what resources were in place to investigate the potential misconduct, and the “nature and thoroughness of the company’s remedial efforts.”

Prosecutors will evaluate whether a compliance program continued to improve and evolve through ongoing risk assessment, periodic testing and review. Internal audit should conduct periodic compliance audits based on identified risks, compliance controls should be tested, and gap assessments should be undertaken from time to time.

Finally, companies must undertake analysis and remediation of identified underlying misconduct. Root cause analyses are a key component of determining the appropriate scope and extent of remediation when compliance violations are identified.

© 2019 McDermott Will & Emery

TRENDING LEGAL ANALYSIS


About this Author

Tony Maida Health Care Attorney McDermott WIll Law Firm
Partner

Tony Maida is a partner in the law firm of McDermott Will & Emery LLP and is based in the Firm’s New York office.  Tony has extensive experience in health care fraud and abuse and compliance issues, including the federal Anti-Kickback and Physician Self-Referral/Stark laws, false claims and overpayments, and government investigations.    He works closely with our health and white collar teams on criminal, civil, and administrative investigations and counseling clients on corporate transactions and compliance programs.

Tony previously served...

1 212 547 5492
Michael Peregrine Corporate Governance Lawyer McDermott
Partner

Michael W. Peregrine is a partner in the law firm of McDermott Will & Emery LLP and is based in the Firm’s Chicago office.  He represents corporations (and their officers and directors) in connection with governance, corporate structure, fiduciary duties, officer-director liability issues and charitable trust law.  Michael is recognized as one of the leading national practitioners in corporate governance law.

Michael is outside governance counsel to many prominent corporations, including hospitals and health systems, voluntary health organizations, social service agencies and health insurance companies.  He frequently serves as special counsel in connection with confidential internal board reviews and investigations.  He regularly advises boards on fiduciary duty issues associated with complex business transactions.    

312-984-6933
Paul M. Thompson, McDermott Will Emery, White Collar Criminal Defense,
Partner

Paul M. Thompson is a partner in the law firm of McDermott Will & Emery LLP and serves as the Partner-in-Charge of the Firm’s Washington, D.C., office.  Paul focuses his practice on white-collar criminal defense, congressional investigations and appellate matters.  Paul has been repeatedly recognized by the National Law Journal in its Appellate Hot List.  He was named as a “Star” in Benchmark Litigation 2015 for his work on white-collar matters and appeals. 

Paul is a former federal prosecutor.  He has represented clients...

1 202 756 8032
Sarah Walters, Mcdermott Will Emergy, Trial Lawyer
Partner

Sarah Walters is an experienced trial lawyer who focuses her practice on white collar criminal defense, regulatory enforcement and compliance matters, and complex civil litigation. In addition to both criminal and civil trial work, Sarah has substantial experience conducting internal investigations and assists companies in developing compliance policies and training programs.

Before joining McDermott, Sarah served 10 years as an Assistant United States Attorney in the Boston US Attorney’s office, holding the position of Chief of the Economic...

617 535 4031
Michael S. Stanek white-collar and securities defense, government investigations, Lawyer
Associate

Michael (Mike) S. Stanek focuses his practice on white-collar and securities defense, government investigations, anti-corruption compliance and political law. He represents corporations, boards and individuals in a variety of enforcement matters, including the Foreign Corrupt Practices Act (FCPA) and the federal securities laws and regulations. He is highly skilled in designing, managing and executing global internal investigations and investigations before numerous government enforcement authorities. Mike also counsels clients with respect to corporate compliance policies, procedures,...

202 756 8355