DOJ Updates Guidance for Corporate Compliance Programs
This week, the US Department of Justice (DOJ) announced1 an update to its 2017 guidance on how the DOJ will evaluate the effectiveness of a company’s corporate compliance program. The updated compliance guideline (Updated Guidance) is twice the length of the original and takes a more instructive approach, serving as a roadmap for prosecutors and prudent companies.
Previously, the DOJ provided only examples of topics and sample questions used to evaluate whether a corporate compliance program deserved credit in a corporate settlement.2 The original compliance guideline did not instruct prosecutors as to the most important elements of a strong program, but simply provided relevant factors.
The Updated Guidance is also titled Evaluation of Corporate Compliance Programs.3 The Updated Guidance is the most robust explanation of how prosecutors identify and evaluate various elements of a compliance program. It seeks to “harmonize the guidance with other Department guidance and standards while providing additional context to the multifactor analysis of a company’s compliance program,” and in so doing, provides useful guidance for companies that wish to bring their programs in line with best practices.
The Updated Guidance evaluates compliance programs through three fundamental questions:
Is the corporation’s compliance program well designed?
Is the program being applied earnestly and in good faith?
Does the corporation’s compliance program work in practice?
Is the Corporation’s Compliance Program Well Designed?
The Updated Guidance instructs prosecutors to examine the comprehensiveness of a company’s program’s design, and how well ethics and compliance are integrated into the company’s operations and workforce.
As a threshold issue, the Updated Guidance emphasizes that prosecutors should evaluate a particular program through the lens of the company’s business and the unique risks and challenges it faces. Companies should identify, assess and define their risk profiles and design their compliance programs to detect the most likely types of misconduct. Prosecutors will consider how a program has been updated and revised based on that risk assessment.
Policies and Procedures
The DOJ will also focus on company policies and procedures that “give both content and effect to ethical norms.” Looking first to a company’s code of conduct to ensure that policies and procedures are accessible and integrated into the company’s day-to-day activities, prosecutors will evaluate the strength, implementation and communication of the policies. The DOJ will examine whether there has been clear guidance and training for the key gatekeepers, and whether the policies and procedures are adequately disseminated and accessible to all employees.
Training and Communications
The Updated Guidance instructs prosecutors to evaluate the training provided to employees who work in high-risk and control positions. The inquiry will include whether that training was appropriately tailored to the audience’s size, sophistication, position or subject-matter expertise. The key consideration is whether the compliance program is being effectively disseminated to, and understood by, employees.
Confidential Reporting Structure
Companies must have in place an efficient and trusted confidential reporting structure. Prosecutors will consider whether there are proactive measures in place to ensure employees report without fear of retribution or exposure. Once a report comes in, the company must timely respond, adequately analyze the misconduct and determine the persons involved. Any investigation must remain independent, properly scoped and documented, and involve all appropriate senior leadership. In response, companies must implement adequate and tailored remediation.
A company must also have effective means of evaluating and managing third-party partners. This should include robust risk-based due diligence processes. The business rationale for using a third party should be appropriately documented, including payment terms and the work to be performed, particularly for government relationships and contracts. All third-party relationships require ongoing monitoring and assessment to ensure compliance and risk avoidance.
Mergers & Acquisitions
Acquisition targets also require comprehensive due diligence that integrates the compliance function into the merger process. Companies should track and remediate misconduct or risks identified during the due diligence process. As targets are integrated, companies should work to merge compliance functions and ensure there are no gaps in controls.
Is the Program Being Applied Earnestly and in Good Faith?
Prosecutors’ second over-arching consideration is whether the program is being implemented effectively. Prosecutors will evaluate whether a compliance program is simply a “paper program” or one that is “implemented, reviewed and revised.”
Commitment by Senior and Middle Management
Company culture must be ethical and emphasize compliance with the law. This should include a clear message from the highest level of leadership that unethical and illegal behavior will not be tolerated. Prosecutors will consider not only whether leadership takes concrete actions in the company’s compliance and remediation efforts, but also whether management at all levels models appropriate behavior to employees.
Autonomy and Resources
From the DOJ’s perspective, effective compliance programs empower those charged with the day-to-day operations of the program with adequate authority, autonomy and resources. The quality and sufficiency of resources prosecutors will consider necessary will depend on the size, structure and risk profile of a particular company.
Incentives and Disciplinary Measures
Companies should establish clear incentives for compliance and disincentives for non-compliance. This starts with disciplinary procedures that are enforced consistently and appropriately throughout the organization, regardless of title or position. The Updated Guidance includes examples of incentives such as promotions and awards for improving the company’s compliance culture, and disincentives such as publication of disciplinary action taken upon discovery of misconduct.
Does the Corporation’s Compliance Program Work?
Prosecutors are not only concerned with the existence of a compliance program, but also with its adequacy and effectiveness. The mere fact that misconduct has occurred, however, does not necessarily mean that the program was ineffective. This is particularly so where the program’s controls identified the violation of law, and resulted in timely remediation and self-reporting. Prosecutors will consider how the misconduct was detected, what investigative resources were in place and the nature and thoroughness of any remediation. The Updated Guidance emphasizes the importance of root cause analysis and changes implemented as a result of that work.
Continuous Improvement, Periodic Testing and Review
A well-implemented compliance program will identify areas for potential adjustment, and will thus need to undergo evolution and improvement. Investigators will examine the ways in which a company tests its compliance programs, and whether remediation is undertaken as a result. The compliance function should regularly report the results of these efforts to management and the board of directors. Prosecutors may even “reward” proactive efforts to audit and improve compliance programs.
Investigation of Misconduct
The Updated Guidance also instructs prosecutors to consider the effectiveness of timely and thorough investigations of alleged violations of the law. These efforts should include robust documentation of the process, remediation and discipline. Investigations must be properly scoped and conducted by qualified personnel with appropriate resources and authority.
Analysis of Remediation of Any Underlying Misconduct
Although listed first in the original compliance guideline, “Analysis of Remediation of Any Underlying Misconduct” closes out the updated version. During the course of an investigation, the DOJ will look at whether the company conducted root cause analysis to understand and remediate the origins of the misconduct and the controls failures. Prosecutors will consider the pervasiveness of misconduct and whether remedial actions demonstrate a recognition of the gravity of the unethical or illegal behavior. This will include an evaluation of how the misconduct was funded, whether any vendors were involved, and what changes and discipline the company undertook as a result.
The DOJ’s decision to update the compliance guideline comes as part of a recent effort to emphasize and clarify the importance of effective compliance programs and cooperation with regulators.4
Starting in March 2018, the DOJ announced that the Foreign Corrupt Practices Act (FCPA) Corporate Enforcement Policy would be applied beyond FCPA cases as non-binding guidance on the Criminal Division. The policy provides incentives, including declination to prosecute, for companies that voluntarily report wrongdoing to the DOJ.5 Thereafter, in October 2018, Assistant Attorney General (AAG) Brian Benczkowski issued a memorandum providing guidance on the usage of monitors resulting from corporate criminal resolutions.6 AAG Benczkowski announced several factors prosecutors should consider in determining whether to require a corporate monitor as part of a settlement in the first place, including considerations of inadequate compliance program or internal control systems, the pervasiveness of the misconduct, its facilitation by senior management, how the corporation has invested in and improved its corporate compliance program and internal control systems, and what remediation has been undertaken. In announcing the Updated Guidance, AAG Benczkowski referenced a February 2019 settlement7 in which, as a result of voluntary self-disclosure, full cooperation and remediation, the DOJ declined to prosecute a company for its role in an alleged bribery scheme in India.8
Although not binding on prosecutors, the Updated Guidance will likely strongly impact the way the DOJ evaluates corporate compliance programs during investigations and settlement negotiations. As AAG Benczkowski noted in his keynote address announcing the Updated Guidance, “…the importance of corporate compliance cannot be overstated.” The Updated Guidance, though intended as a tool for prosecutors, can provide valuable insight for companies as well. Now that the DOJ has pulled back the curtain on the considerations it uses to determine whether to bring charges, implement a monitor and what penalties to impose, companies should consider whether a robust review of their policies and procedures is necessary.
This should include updates to the company’s code of conduct, which the Updated Guidance stresses should be an evolving document as companies and their business landscapes change. The DOJ has expressed commitment to incentivize and reward companies that implement effective compliance programs. Thus, doing the work to bring a company in line with the DOJ’s guidelines provides an opportunity to avoid government scrutiny. As AAG Benczkowski stated this week, “A company’s compliance program is the first line of defense that prevents the misconduct from happening in the first place. If done right, it has the ability to keep the company off [the DOJ’s] radar screen entirely.”