Earlier this month, the Criminal Division of the U.S. Department of Justice (“DOJ”) published a revised version of its guidance document entitled “Evaluation of Corporate Compliance Programs” (“Updated Guidance”). This is an update from prior versions, originally issued in February 2017 (“Original Guidance”) and amended in April 2019 (“Amended Guidance”), and maintains the DOJ’s stated commitment to regularly provide fresh compliance advice to nourish an eager corporate defense bar.
The Updated Guidance does not reflect a significant change in the DOJ’s overall views, expectations, or practices with respect to the evaluation of compliance programs. Instead, it provides some enhanced recommendations and related advice based on the DOJ’s recent experience assessing programs and constructive feedback from the business community and compliance and investigation professionals.
Consistent with prior DOJ compliance guidance releases, the U.S. Sentencing Guidelines, and the Justice Manual (outlining the principles for the DOJ’s prosecution of companies), the Updated Guidance spotlights three “fundamental questions” federal prosecutors should ask in examining compliance programs, with the goal of determining whether the programs have a sturdy infrastructure, necessary resources, and a cooperative culture -- all of which are essential to maintaining an effective program:
- Is the corporation’s compliance program well designed?
- Is the program being applied earnestly and in good faith? In other words, is the program adequately resourced and empowered to function effectively?
- Does the corporation’s compliance program work in practice?
As the DOJ explains in the Updated Guidance, ultimately, the new document tasks prosecutors with endeavoring to understand why companies set up their compliance programs the way they do, and how such entities efficiently facilitate the meaningful, customized improvement of those programs over time.
Overview of the Updated Guidance
The Updated Guidance spotlights the need for companies to employ programs that are dynamic, tailored, and consistently assessed to account for evolving corporate risks – rather than reflective of mere “snapshots” in time. This overarching theme includes a notable modification to the DOJ’s prior view on the ongoing maintenance of compliance programs, focusing even more acutely now on whether programs are adequately resourced, regularly monitored, and operating effectively at all levels.
With the Updated Guidance, the DOJ also emphasizes its commitment to a reasonable, individualized, and flexible approach to assessing compliance programs, which considers each company’s unique circumstances within the framework of existing program expectations, including size, industry sector, global footprint, regulatory landscape, and other factors related to the company’s operations.
In terms of program specifics, the Updated Guidance adds expectations relating to the following: (1) enhanced access to (and use of) relevant data; (2) shrewd allocation of compliance resources; (3) improved checks and balances for training; (4) vigilant management of third-party and merger and acquisition risks; and (5) mindfulness of the intrinsic value of corporate benchmarking.
Thoughtfully attending to the clarifications in the Updated Guidance and integrating reasonably scoped and commensurate program modifications (based on the revised advice) will help corporations and other entities mitigate evolving compliance risk and tactfully prepare their programs for scrutiny by the DOJ’s flexible evaluation methodology in the event they are subject to a corporate enforcement action.
Principal Revisions in the Updated Guidance
Enhanced Data Gathering, Analysis, and Usage
Perhaps the most prominent revision and area of focus in the Updated Guidance pertains to the DOJ’s recommendation that compliance programs be functionally dynamic, with a risk assessment process designed to frequently gather relevant data, analyze it, and utilize the data in a manner that informs regular, customized program enhancements – rather than relying on static risk assessment procedures premised on what the DOJ terms mere “snapshots” in time.
This focus on data-driven analysis is also represented in the section of the Updated Guidance addressing compliance resourcing and program monitoring and testing. For example, the Updated Guidance counsels that “control personnel” within the corporate compliance structure should have sufficient access to relevant sources of data to allow for timely and effective monitoring and testing of policies, procedures, controls, and financial transactions. Similarly, with respect to testing compliance program efficacy, the DOJ encourages the regular collection and examination of compliance data.
The DOJ understands that such data is enormously valuable in determining program success, including, for example, in examining incoming and outgoing company payments. Consistent monitoring of payment data can help capture inconsistencies and “exceptions” that may signify trouble, not only with respect to illicit activity, but also in terms of compliance program effectiveness. Further, the government notes in the Updated Guidance that it may credit a risk-based program that devotes apt attention and resources to data from high-risk transactions, even when this fails to avert an infraction.
Improved Compliance Resourcing
Ensuring adequate compliance resourcing and the hiring and training of skilled compliance personnel are consistent themes emanating from the DOJ in its various compliance guidance materials. The Updated Guidance continues this theme, with a major focus on alerting companies to ensure their compliance programs are not only sufficiently resourced, but also fully accessible to employees. Indeed, it instructs prosecutors to identify how and where corporations publish their policies and procedures, track when they are accessed to determine which policies are receiving the most attention, and ensure that employees have the tools needed to review and comply with these standards.
This instruction reveals DOJ’s concern that compliance program requirements are actually followed in practice by employees, managers, and C-Suite executives. Put another way, the DOJ has great disdain for “paper tiger” programs with standards and controls that may read well in a conference room, but have little practical application and are generally ignored by, or inaccessible to, company personnel.
One of the keys here for companies seeking to meet the DOJ’s expectations in the compliance resourcing area is to grant appropriate authority to those responsible for compliance so they have direct and independent access to the company’s governing authority (or an appropriate subgroup). With such access, compliance leadership can regularly report to the brass on compliance incidents, elicit relevant feedback from corporate executives, and pitch, as appropriate, for additional funding, more experienced compliance personnel, and a seat at the C-Suite table for input on corporate decision making.
Appropriately Customized Training
The Updated Guidance also includes a significant amount of innovative information about the DOJ’s view of effective training, including an emphasis on the use of data (discussed separately above) to assess whether training has impacted compliance program adherence by corporate personnel. For example, data indicating repeat offenders and an increase (or decrease) in compliance incidents or illegalities over time can be used to determine whether program enhancements have been impactful.
The DOJ also discusses the potential significance of shorter, more targeted training sessions to help keep the attention of employees while also enabling them to timely identify and raise issues to appropriate compliance, internal audit, and other risk management leaders. The DOJ is clearly concerned with whether employees are positioned to ask questions arising out of training sessions either online or in person through an accessible (and anonymous, if requested) communication channel (similar to the way a whistleblower hotline may be used to report compliance incidents in the field).
And the DOJ, as expressed in the Updated Guidance, has now openly articulated in writing its expectation that companies with the necessary means will devote time and other resources to train their compliance, audit, risk, accounting, and internal controls personnel. This makes good sense.
Attentive Management of Third-Party and M&A Risk
Predictably, the Updated Guidance reflects the DOJ’s longtime focus on third-party risks and the expectation that companies robustly manage intermediary engagements both during the onboarding process and, perhaps more importantly, throughout the entirety of the engagement (via ongoing relationship monitoring and training, as necessary and appropriate). The DOJ also recognizes, however, that the need for, and degree of, suitable due diligence can vary based on a variety of factors, including, for example, the size and nature of the company, type of transaction, and third party.
Consistent with this guidance, the latest revisions make clear that federal prosecutors should gauge the extent to which a company knows the qualifications and associations of its third parties, including the business agents, consultants, intermediaries, and distributors commonly involved in corruption and related schemes to conceal misconduct (such as the offer or payment of bribes to foreign officials).
Therefore, companies are expected to determine and memorialize the business rationale for engaging any third party and gain a fulsome understanding of each third party’s business relationships -- particularly with respect to foreign officials, who, for example, can create risk for companies under many criminal statutes, most notably the heavily enforced Foreign Corrupt Practices Act (“FCPA”).
Similar to the DOJ’s expectations for risk management relating to third parties, the Updated Guidance explicitly affirms prior statements by the DOJ that a properly constructed and functioning compliance program should include comprehensive due diligence of any acquisition targets, adding that there should also be “a process for timely and orderly integration of the acquired entity into existing compliance program structures and internal controls.” As with third parties, the DOJ expects that companies will thoroughly evaluate targets prior to acquisition, whenever feasible, and then efficiently assimilate newly acquired entities, followed by post-acquisition monitoring and auditing.
Increased Consideration of Corporate Benchmarking
Finally, while somewhat more subtle, the DOJ, in the Updated Guidance, weaves in references to compliance benchmarking. In the section on risk assessments, the DOJ challenges companies to adopt a procedure for tracking and incorporating lessons learned from compliance issues experienced by companies operating in a similar industry sector and/or geographic region.
Along these lines, the Updated Guidance also encourages companies to examine, test, and improve its compliance program based upon lessons learned from the misconduct of other companies. Often called “benchmarking” in the compliance world, the DOJ’s references to such comparative efforts in the Updated Guidance (in the context of program efficacy) evidences an acknowledgement of the importance of the practice and its intent to inquire into benchmarking when evaluating programs.
Conclusion: Inherent Value in Periodic, Updated Guidance
While the Updated Guidance does not substantially alter the playing field with respect to the DOJ’s evaluation of corporate compliance programs, its considerable value lies in the elucidation of newly refined nuggets of practical guidance for compliance professionals based on the DOJ’s real-world experience and, in DOJ parlance, “lessons learned” from the business, compliance, and investigation communities. These inputs from outside sources to DOJ, and the DOJ’s consideration of same (in short order, considering the Amended Update in 2019 was issued just a little over a year ago), help foster a cordial compliance dialogue between the government and the corporate defense bar on issues of great importance for companies. The result is a meaningful compliance roadmap provided by the DOJ, revised on a regular basis, which corporations can use as a barometer to review, analyze, and measure their current compliance programs, with confidence that the DOJ is dedicated not only to evaluating, but also listening and learning. This will invariably encourage future updates by the DOJ addressing less-frequently discussed compliance topics, including those more germane to financial and controls issues.