by F. Joseph Warin, Patrick Stokes, Michael Diamant, Laura Sturges, Chris Sullivan, Oleh Vretsona, Courtney Brown, Lora MacDonald, Caroline Ziser Smith, and Patricia Herold
On Monday, June 1, 2020, the U.S. Department of Justice (“DOJ”) Criminal Division issued, without fanfare, updated guidance on the “Evaluation of Corporate Compliance Programs” (the “Compliance Program Update” or “Update”), which sets out considerations for DOJ prosecutors to take into account when assessing corporate compliance programs, making charging decisions, and negotiating resolutions. Previous iterations of the document (covered in our 2017 Mid-Year FCPA Update and May 3, 2019 Client Alert) have been a valuable resource for companies as they design, maintain, and evaluate their corporate compliance programs, and the Update provides welcome insight into how DOJ’s thinking is evolving, particularly with respect to risk assessments, monitoring, and resources. Assistant Attorney General Brian Benczkowski noted that the Update “reflects additions based on [DOJ’s] own experience and important feedback from the business and compliance communities.”
The Compliance Program Update emphasizes DOJ’s commitment to a flexible approach when evaluating corporate compliance programs that takes individual companies’ circumstances into account within the framework of existing guidance. Specifically, the Update calls for “a reasonable, individualized determination in each case” (emphasis added) of the effectiveness of a company’s compliance program, including its “size, industry, geographic footprint, and regulatory landscape,” with a dual focus on the program in effect at the time of the underlying conduct and the program in effect at the time of resolution. The Update also reflects the ongoing evolution and increasing sophistication of DOJ’s compliance program expectations, with an emphasis on allocating adequate resources to the compliance function, an increased focus on using ongoing, data-driven monitoring of risks to guide the design and implementation of the compliance program, and the inclusion of more granular guidance regarding DOJ’s expectations.
Building on DOJ’s previous guidance and consistent with the Justice Manual, which sets forth the principles guiding prosecution of companies, the Compliance Program Update instructs prosecutors to ask three “fundamental questions” when evaluating a corporate compliance program. Together, the questions seek to evaluate whether companies combine a thoughtfully designed program with the resources and culture necessary to create a program that works effectively in practice:
- “Is the corporation’s compliance program well designed?” (unchanged from previous guidance)
- “Is the program being applied earnestly and in good faith?” In other words, is the program adequately resourced and empowered to function effectively? (updated to include the words “adequately resourced and empowered to function,” placing a more explicit emphasis on companies’ demonstrated commitment to compliance)
- “Does the corporation’s compliance program work” in practice? (unchanged from previous guidance)
See JM 9-28.800.
Under each of the questions noted above, and consistent with prior guidance, the Update provides 12 compliance topics related to the core elements of effective compliance programs: effective policies and procedures, training, reporting mechanisms and investigations, third-party due diligence, tone from the top, compliance independence and resources, incentives and disciplinary measures, and periodic testing and review. The Update clarifies that prosecutors will consider these topics “both at the time of the offense and at the time of the charging decision and resolution.”
Key Takeaways of the Compliance Program Update
Confirming our philosophy that there is no “one size fits all” approach to compliance and that an effective compliance program is tailored to a company’s unique characteristics and risks, the Compliance Program Update demonstrates an evolving understanding of how companies’ compliance programs operate and a willingness to engage with the specific circumstances that influence the design of a company’s compliance program. For example, the Update now instructs prosecutors to consider why a company has “chosen to set up the compliance program the way that it has, and why and how the company’s compliance program has evolved over time,” and to consider “the reasons for the structural choices the company has made.” Other revisions include:
- Importance of Ongoing Risk Assessments: The Update asks prosecutors to consider whether risk assessments are based on “continuous access to operational data and information across functions” rather than a “snapshot” in time. The Compliance Program Update also now asks prosecutors to specifically consider how companies implement any learnings from their periodic reviews in policies, procedures, and controls, and increases the emphasis on lessons learned. For example, the Compliance Program Update asks prosecutors to consider whether the company tracks and incorporates any of these lessons into its periodic risk assessments. Moreover, the Update takes a broad view of “lessons learned,” suggesting that companies not only draw from their own experiences, but also learn from issues that have beset other companies operating in the same industry and/or geographic region. This approach is something many companies already do to remain familiar with relevant industry trends, enforcement actions, and good practices.
- Importance of Adequate Resources and Accessibility: Not surprisingly, the Compliance Program Update continues to focus heavily on assessing whether compliance programs are adequately resourced and accessible to employees. For example, it instructs prosecutors to identify how companies publish their policies and procedures, track how their policies and procedures are accessed to determine which policies attract more attention than others, and ensure that employees have the tools needed to ensure compliance. This requirement reflects DOJ’s emphasis on ensuring that compliance program requirements are followed in practice. Notably, the Update also adds a new set of questions related to the compliance function’s “access to relevant sources of data to allow for timely and effective monitoring and/or testing.”
- Testing the Design of the Program: The Update suggests additional ways companies can test the design of their compliance programs. For example, while recognizing that companies may choose to invest in targeted compliance training programs that equip employees with sufficient knowledge for identifying and raising compliance issues to appropriate company functions, the Compliance Program Update also asks whether there is a process for employees to ask questions arising from training sessions and whether the company has evaluated how training has impacted employee behavior or operations. When evaluating the effectiveness of confidential reporting structures, such as hotlines, companies also are expected to take measures to test whether employees are aware of the hotline and feel comfortable using it, as well as to track reports from start to finish.
- Continued Focus on Third Parties: The Compliance Program Update reflects DOJ’s continued real-world focus on third-party risks and the corresponding expectation that companies carefully manage third parties “throughout the lifespan of the relationship,” and not just during the onboarding process. Although DOJ recognizes that “the need for, and degree of, appropriate due diligence may vary” based on different factors, the revisions make clear that DOJ expects companies to take a thoughtful approach to their third-party relationships and that simply conducting cookie-cutter due diligence at the outset of a relationship will be insufficient to meet DOJ’s expectations. Accordingly, the Update suggests, companies should document the business rationale for utilizing a third party; conduct appropriate due diligence based on the third party’s particular risk profile; incorporate relevant anti-corruption compliance provisions in third-party contracts; and “engage in risk management of third parties throughout the lifespan of the relationship,” with ongoing monitoring and training. Clearly, the overwhelming number of DOJ resolutions in which third-party agents, intermediaries, and distributors are the conduit for corrupt payments informs this Update. Practically, companies should review third parties annually and obtain from them a certification of compliance.
- M&A Due Diligence: The Update recognizes that pre-acquisition due diligence may not always be possible (and, if so, expects companies to be able to explain why it was not possible), but emphasizes that companies will be expected to justify their approach if they conduct less than typical pre-acquisition due diligence. The Compliance Program Update reiterates DOJ’s expectation that companies integrate newly acquired entities into their existing compliance program structures and internal controls in a timely and orderly fashion and particularly highlights the importance of post-acquisition audits.
- The Update enhances corporate understanding of DOJ’s evolving views on which good practices it considers to be components of an effective corporate compliance program. For example, it reinforces the need for companies to “foster a culture of ethics and compliance with the law at all levels of the company” (emphasis added). This revised language continues a shift previously reported in our May 3, 2019 Client Alert, as DOJ broadens its compliance culture focus from the “tone at the top” to encompass the “tone at the middle,” and elsewhere.
Although not a game-changer, the Update amplifies DOJ’s core themes: tailored, company-specific compliance programs enhanced by continuous inputs from the company’s real business experiences, which DOJ characterizes as “lessons learned.” In the future, it might be prudent for DOJ to address financial and accounting system structures and approaches, as money is the lifeblood of all corruption. As with prior guidance, companies can use the Update as a benchmark to evaluate their existing compliance programs. Companies also should expect to see complementary revisions in DOJ’s template for “Attachment C,” which is appended to DOJ’s corporate resolutions and sets forth DOJ’s minimum expectations for corporate compliance programs in that context. Finally, companies also should consider complementary guidance from other U.S. agencies and international organizations—particularly the resources linked at the end of the Update, which in many instances reflect growing consensus regarding governmental expectations for corporate compliance programs.
F. Joseph Warin, Patrick Stokes, and Michael Diamant are partners, Laura Sturges, Chris Sullivan, and Oleh Vretsona are of counsel, and Courtney Brown, Lora MacDonald, Caroline Ziser Smith, and Patricia Herold are associates, at Gibson, Dunn & Crutcher LLP.
Disclaimer
The views, opinions and positions expressed within all posts are those of the author alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with the author.