DOJ Releases Updated Guidance on Evaluating Corporate Compliance Programs
The Department of Justice (DOJ) Criminal Division recently issued updated guidance for white-collar prosecutors regarding the “Evaluation of Corporate Compliance Programs” (the “Guidance”). The Guidance is intended to harmonize with existing guidance, as well as provide additional context for DOJ’s multifactor analysis of a company’s compliance program when resolving a criminal case.1 Companies should therefore (i) carefully analyze the Guidance, including to understand what DOJ considers to be a well-designed compliance program, and (ii) reassess its existing compliance program accordingly.
DOJ’s Increasing Emphasis on Corporate Compliance Programs
A corporation’s compliance program has become an increasingly important factor that prosecutors evaluate at the conclusion of a criminal investigation. DOJ’s Guidance is intended to help prosecutors make informed decisions as to whether, and to what extent, the corporation’s compliance program was effective at the time of the offense and/or at the time of a charging decision or resolution. Such determinations bear on the appropriate (i) form of any resolution or prosecution, (ii) monetary penalty, if any, and (iii) compliance obligations contained in any corporate criminal resolution (e.g., monitorship or reporting obligations).
Apart from its direct application in criminal cases, this new Guidance also provides a valuable roadmap for companies who are interested in conducting a self-assessment of the “effectiveness” of their own compliance programs. Given the format and organization of the Guidance, as well as the number of detailed questions that it poses, companies wanting to take a more proactive approach would be well-advised to study it, as well as to summarize it to their Boards of Directors who are responsible for overseeing the corporate compliance function.
DOJ’s Three Fundamental Corporate Compliance Program Questions
Although the Guidance does not provide a rigid formula to assess the effectiveness of corporate compliance programs, it does set forth three “fundamental questions” that prosecutors should ask when evaluating compliance programs, each briefly discussed below.
- Is the compliance program well-designed? According to DOJ, a well-designed compliance program starts with whether and “how the company has identified, assessed, and defined its risk profile, and the degree to which the program devotes appropriate scrutiny and resources to the spectrum of risks.” The policies and procedures that implement the program must provide content and effect company norms in a manner that reduces identified risks, makes clear that misconduct is not tolerated, and appropriately distributes responsibility. In addition, a well-designed program includes appropriately tailored training and communications in order for all employees to understand the program. Other components include management of third-party relationships, internal reporting, whistleblower and investigation processes, and comprehensive due diligence of any acquisition targets.
- Is the compliance program being implemented effectively? A prosecutor will not be swayed by a well-designed compliance program that is not implemented effectively. The effectiveness of the program requires commitment, sincerity, leadership and oversight from senior and middle management. Adequate funding and sufficient autonomy are also indicators of an effective program. Mechanisms such as internal auditing and disciplinary measures to aid in implementation are highly valued.
- Does the compliance program actually work in practice? In accordance with the Principles of Federal Prosecution of Business Organizations, prosecutors must actually determine both whether a compliance program was working at the time of the offense as well as whether the program is working at the time of resolution. This task can often prove difficult, especially where misconduct is not immediately detected or reported. To do this, prosecutors consider whether and how the misconduct was detected and what resources were in place to investigate suspected misconduct, as well as the nature and thoroughness of the company’s remedial efforts. In addition, compliance programs should be reviewed over time to ensure they evolve with changes to a corporation’s business, operating environment, customers, regulations, and industry standards.
Conclusion: DOJ Further Reveals Its Playbook for Assessing Compliance
Although evaluating corporate compliance programs is not new to federal criminal investigations, the Guidance provides a clear playbook for prosecutors. As previously noted, corporate leaders should evaluate and implement this playbook to evaluate the effectiveness of their own compliance programs, and act upon these findings. While a robust program is never a guarantee against a criminal prosecution, the more a company can “show” (not just “claim”) a genuine commitment to compliance and self-governance, the less likely that a criminal response would be warranted. In short, this new Guidance helps to take some of the guess-work out of how to favorably influence the broad discretion of the prosecutor. In addition, and perhaps more practically, the guidance also helps to clarify—in more measurable and objective terms—what compliance “effectiveness” means.
1 This new Guidance builds on other resources upon which federal prosecutors rely to make these informed decisions, including the “Principles of Federal Prosecution of Business Organizations” in the Justice Manual, and the October 2018 Benczkowski Memo, which provides guidance regarding the selection of corporate monitors.