On June 1, 2020, the U.S. Department of Justice (“DOJ”), Criminal Division, updated its guidance on the “Evaluation of Corporate Compliance Programs” (“the 2020 Update”) to provide increased clarity on several of the key questions prosecutors might ask in assessing the adequacy of compliance programs when making charging, plea, sentencing and settlement determinations.
The DOJ has consistently rejected a one-size-fits-all approach to evaluating corporate compliance programs. This was emphasized in the DOJ’s compliance guidance that was issued in 2017 (“the 2017 Guidance”), an amended version of which was issued in 2019 (the “2019 Update”), and continues to hold true with the 2020 Update. The most recent version of the DOJ Guidance calls for “a reasonable, individualized determination in each case of the effectiveness of a company’s compliance program, including its size, industry, geographic footprint, and regulatory landscape.”
The 2020 Update continues to utilize the “three fundamental questions” that were first articulated by the DOJ (using somewhat different language) in 1999, and then again in the 2019 Update: (1) “Is the corporation’s compliance program well designed?” This question was unchanged from the 2019 Update. (2) “Is the program being applied earnestly and in good faith? In other words, is the program adequately resourced and empowered to function effectively?” This was modified to include the words “adequately resourced and empowered to function effectively,” which we believe is a significant addition. (3) “Does the corporation’s compliance program work” in practice? This was unchanged from the 2019 Update.
Most significantly, the 2020 Update adds to what is already a substantial list of questions and considerations for evaluating compliance programs.
The questions are an excellent tool for organizations to utilize in assessing their own programs. While not all questions are applicable to all organizations (as noted above, there is no one-size-fits-all), reviewing the questions will undoubtedly be a helpful exercise for most companies – and an opportunity to assess and improve, which, as noted above, the guidance embraces. While we focus here on recent changes to the guidance, we recommend review of the full document, which is available here: https://www.justice.gov/criminal-fraud/page/file/937501/download. Here are what we see as the more significant of the additions to the 2019 Update.
Questions Regarding Whether the Compliance Program is Well Designed
Regarding risk assessment, the 2020 Update:
- Instructs prosecutors to seek to understand why the company has chosen to set up the compliance program the way that it has, and why and how the company’s program has evolved over time.
- Asks if any periodic review of the program is limited to a “snapshot” in time or is based upon continuous access to operational data and information.
- Seeks to determine if the company has a process for tracking and incorporating into its periodic risk assessment lessons learned either from the company’s own prior issues or from those of other companies operating in the same industry or geography.
- Asks if the periodic review has led to updates in policies, procedures, and controls.
Policies and procedures – The 2020 Update asks:
- What is the company’s process for designing and implementing new policies and procedures and updating existing policies and procedures, and has that process changed over time?
- Have the policies and procedures been published in a searchable format for easy reference?
- Does the company track access to various policies and procedures to understand what policies are attracting more attention from relevant employees?
Training and communications – The 2020 Update:
- Notes that some companies have invested in shorter, more targeted training sessions to enable employees to timely identify and raise issues to appropriate compliance, internal audit, or other risk management functions.
- Asks if there is a process by which employees can ask questions arising out of the trainings.
- Asks if the company has evaluated the extent to which the training has an impact on employee behavior or operations.
Confidential reporting structure and investigation process – The 2020 Update asks:
- How is the reporting mechanism publicized to the company’s employees and other third parties? Has it been used? Does the company take measures to test whether employees are aware of the hotline and feel comfortable using it?
- Does the company periodically test the effectiveness of the hotline, for example by tracking a report from start to finish?
Third party management – The 2020 Update asks:
- Does the company engage in risk management of third parties throughout the lifespan of the relationship, or primarily during the onboarding process?
M&A – The 2020 Update:
- Notes that pre-M&A due diligence, where possible, enables the acquiring company to evaluate more accurately each target’s value and negotiate for the costs of any corruption or misconduct to be borne by the target.
- Notes that a well-designed program should include a process for timely and orderly integration of the acquired entity into existing compliance program structures and internal controls.
- Asks if the company is able to complete pre-acquisition due diligence and, if not, why not.
- Asks what has been the company’s process for conducting post-acquisition audits at newly-acquired entities.
Questions Regarding Whether the Corporation’s Compliance Program is Adequately Resourced and Empowered to Function Effectively
Commitment by senior and mid-level management – The 2020 Update:
- Notes that beyond compliance structures, policies, and procedures, it is important for a company to create and foster a culture of ethics and compliance with the law at all levels of the company. The effectiveness of a compliance program requires a high-level commitment by company leadership to implement a culture of compliance from the middle and the top. (New language in bold.)
Autonomy and resources – The 2020 Update:
- Asks the reasons for the structural program choices the company has made.
- Asks how the company invests in further training and development of the compliance and other control personnel.
- Regarding data resources and access, asks if compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions. Asks if any impediments exist that limit access to relevant sources of data and, if so, what is the company doing to address the impediments.
Incentives and disciplinary measures – The 2020 Update:
- Asks if the compliance function monitors its investigations and resulting discipline to ensure consistency.
Questions Regarding Whether the Corporation’s Compliance Program Works in Practice
Continuous improvement, periodic testing, and review – The 2020 Update:
- Asks if the company reviews and adapts its compliance program based upon lessons learned from its own misconduct and/or that of other companies facing similar risks.
Much has changed since the Department of Justice first encouraged companies to develop effective compliance programs, and the compliance community decidedly benefits from the detailed guidance now offered in this area. But with the 2020 Update, the risks of giving short shrift to what the government expects have never been higher.