by Anthony S. Barkow, David Bitkower, Erin R. Schrantz, Keisha N. Stanford, Jessica A. Martinez, Manuel C. Possolo

On Monday, June 1, 2020, the Department of Justice (DOJ) Criminal Division released updated guidance regarding the “Evaluation of Corporate Compliance Programs (PDF: 209 KB).”  Now in its third iteration, this guidance replaces the April 2019 version (PDF: 179 KB), which originated from a set of 2017 guidelines from the Fraud Section.  The updated guidance, like prior iterations, seeks to make corporations aware of the criteria DOJ uses when evaluating compliance programs in making enforcement decisions.  In the latest version, DOJ maintains the existing structure and much of the prior content, but makes targeted changes.

The new revisions are part of a continuing trend at DOJ to more holistically assess corporate compliance programs beyond the specific issue that brought the company to the Department’s attention, jettisoning the more tailored approach of the original 2017 guidance.  In addition, the revisions amplify certain themes in DOJ’s compliance review criteria:  (1) whether a company has demonstrable processes to continuously improve its compliance program; (2) the extent to which available data is mined and analyzed to evaluate the company’s compliance efforts; and (3) how compliance is embedded in the day-to-day operations of the business and viewed by rank-and-file employees.

Evolving Through Continuing Compliance Assessments

The updated guidance reiterates that DOJ assesses a compliance program “both at the time of the offense and at the time of the charging decision and resolution,” making clear that prosecutors continue to assess how compliance programs evolve “over time” in light of new information. Thus, the new guidance makes it imperative that a company that finds itself in DOJ’s crosshairs think about its compliance program both as it was at the time of the alleged offense and as of the time of a future criminal resolution, and anticipate how it will present its compliance program at that juncture. All too often, companies treat the latter exercise as an after-thought, which can have dire effects on a resolution, including the imposition of an otherwise avoidable monitor.

Specifically, the updated guidance demands more systematic efforts to continuously assess and improve a company’s compliance program. The guidance asks whether the company has “a process for tracking and incorporating into its periodic risk assessment” lessons learned not only from its own experience but also the experience of peer companies. With respect to policies and procedures, prosecutors will assess whether periodic reviews of compliance policies are “limited to a ‘snapshot’ in time or based upon continuous access to operational data and information across functions,” and whether that periodic review has actually “led to updates in policies, procedures and controls.” As to third-party relationships, DOJ similarly will examine whether a company performs risk management “through the lifespan of the relationship.”

DOJ makes clear that its expectation of continuous improvement also applies to mergers and acquisitions (M&A), for which a compliance program should include not only pre-M&A due diligence but also “a process for timely and orderly integration of the acquired entity into existing compliance program structures and internal controls.” Accordingly, the updated guidance notes that flaws in either “pre- or post-acquisition” diligence “and integration” may increase a corporation’s risk of civil and criminal liability. At a more granular level, DOJ notes that it will look at whether a corporation’s integration plan involves “post-acquisition audits.”

Using Data Analytics Tools to Enhance Compliance

In keeping with recent trends in the Fraud Section’s compliance mission, and its innovative use of data in the Health Care Fraud Unit, the updated guidance continues to stress the importance of companies using data to build and assess their compliance functions. Most notably, in assessing whether compliance programs are sufficiently autonomous and adequately resourced, prosecutors will evaluate whether “compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions,” as well as whether any impediments to access exist and how they are addressed. Further, in evaluating how a company performs its periodic risk assessments, DOJ will examine whether this review is “based upon continuous access to operational data and information across functions.” In the same way that many businesses rely on key performance indicators and metrics to measure financial risks, the guidance suggests that data analytics should also inform compliance risk assessments.

The guidance also reveals an expectation that companies use data to evaluate how well employees access and internalize core compliance policies and procedures. For example, companies will be assessed in part on whether they “track access to various policies and procedures to understand what policies are attracting more attention from relevant employees.” In essence, DOJ is suggesting that companies evaluate how their employees engage with the company’s compliance materials, such as by analyzing click rates on a company intranet page. That same expectation has spilled into the training context, where the guidance emphasizes that a company is expected to evaluate “the extent to which [its] training has an impact on employee behavior or operations.” As any compliance professional will attest, this is no straightforward task but rather requires compliance professionals working with business managers to design metrics that are both quantitatively measurable and can apply broadly. The guidance does not speak much to the how, but leaves little doubt that DOJ expects data analytics to play an increasing role in effective compliance programs.

Making Compliance Accessible to Employees

Recognizing that a “paper program” that checks the right boxes but remains mysterious to employees in their daily work will not truly be effective, the updated guidance also includes revisions that emphasize the need to implement the core components of a compliance program into day-to-day business operations. To assess whether employees have the necessary tools to identify and avoid misconduct at a practical level, the guidance now instructs prosecutors to determine not only whether a company has communicated its policies and procedures, but also whether “the policies and procedures [have] been published in a searchable format for easy reference.” With respect to training, the updated guidance further asks whether there is “a process by which employees can ask questions arising out of the trainings,” regardless of the format in which training occurs. And finally, the updated guidance reiterates that companies should “take measures to test whether employees are aware of” and “feel comfortable using” confidential reporting mechanisms.

The new guidance broadens the aperture with respect to the conduct of management, clarifying the importance of middle management (not just C-suite executives) in making compliance accessible to, and part of the lived experience of, a company’s employees. While “conduct” at the top is critical to any compliance program’s effectiveness and a key focus of DOJ’s guidance, most employees, particularly in large companies, have little direct contact with senior leadership and therefore take their strongest compliance cues from those who supervise and interact with them on a regular basis. The updated guidance recognizes the important role that these supervisors play in institutionalizing compliance culture, specifically noting that “it is important for a company to create and foster a culture of ethics and compliance with the law at all levels of the company” and that an effective compliance program requires a commitment “to implement a culture of compliance from the middle and the top.”

Anthony S. Barkow, David Bitkower, Erin R. Schrantz, and Keisha N. Stanford are partners, and Jessica A. Martinez and Manuel C. Possolo are associates, at Jenner & Block LLP.

Disclaimer

The views, opinions and positions expressed within all posts are those of the author alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of New York University School of Law.  PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with the author.