Department of Justice’s 2020 Update Moves the Needle on Guidance for Evaluation of Corporate Compliance Programs
- DOJ’s update offers additional insights into its approach to evaluating corporate compliance programs.
- The update places emphasis on compliance programs that are continuously improving, data driven and supported with sufficient resources and authority.
- Companies can use the update to determine whether enhancements to their compliance programs are appropriate.
On June 1, 2020, the Department of Justice (DOJ) issued an updated version of its “Evaluation of Corporate Compliance Programs” (the “Update”). The Update, building on prior DOJ guidance, outlines specific factors that DOJ prosecutors should consider when assessing corporate compliance programs, making charging decisions and negotiating dispositions. The Update is the third version of this guidance, which the DOJ first issued in 2017 and then revised in April 2019. In announcing the issuance of the Update, Assistant Attorney General for the Criminal Division Brian A. Benczkowski noted that the “revised guidance . . . reflects additions based on [the DOJ’s] experience and important feedback from the business and compliance communities.”1
As with the 2019 guidance, this Update centers on the importance of a “risk-based” compliance program that is adequately resourced and empowered to identify areas where misconduct is most likely to occur. It also offers additional transparency into the DOJ’s evolving views about what constitutes a robust compliance program. As evidenced in the Update, the DOJ’s evolving approach is incremental in its discussions around applying risk assessment, use of data and lessons learned in connection with a corporate compliance program. With its focus on a “reasonable, individualized determination” in assessing a corporate compliance program, the Update discourages prosecutors from using a rigid, formulaic approach. For corporations, this most recent guidance offers a useful roadmap not only for considering whether enhancements to their compliance programs may be advisable, but also for understanding how prosecutors will look under the hood of a compliance program once a corporation comes under DOJ scrutiny.
Consistent with the 2019 guidance, the Update structures a prosecutor’s evaluation of a corporate compliance program around the following three “fundamental questions”:
1. Is the corporation’s compliance program well designed?
2. Is the program being applied earnestly and in good faith?
3. Does the corporation’s compliance program work in practice?
To address these three questions, the DOJ guidance retains the 12 compliance topics that appeared in the 2019 guidance. Those topics form the body of a comprehensive compliance program: risk assessment, effective policies and procedures, training and communications, reporting mechanisms and investigations, third-party due diligence, mergers and acquisitions (M&A), tone from the top, compliance independence and resources, incentives and disciplinary measures, periodic testing and review, investigation of misconduct and remediation of discovered misconduct.
Below are highlights from the more significant topic discussions, including how the DOJ’s recent Update supplements the prior 2019 guidance:
Compliance Programs Must Be Dynamic
- The Update directs prosecutors to assess the adequacy of a compliance program through the lens of the program’s risk assessment efforts, starting with two newly introduced foundational questions, namely, why has the corporation “chosen to set up the compliance program the way that it has, and why and how [has its] compliance program … evolved over time.” Risk assessments still are expected to give “appropriate attention and resources to high-risk transactions.” It also is expected that a compliance program is “risk-tailored” to the varying risks a corporation faces and should adapt to changes in the corporation’s business and circumstances. The theme of leveraging lessons learned also figures prominently in the Update, touching upon various aspects of a corporate compliance program.
- The Update adds a new paragraph, “Lessons Learned – Does the company have a process for tracking and incorporating into its periodic risk assessment lessons learned either from the company’s own prior issues or from those of other companies operating in the same industry and/or geographical region?” In addition, the Update asks “does the company review and adapt its compliance program based upon lessons learned from its own misconduct and/or that of other companies facing similar risks?” Finally, the Update queries whether compliance “training address[es] lessons learned from prior compliance incidents?” Overall, the Update’s revisions reflect the business reality that a company’s risk profile is rarely static and that a company should rely on its real-world experience to enhance its compliance program.
Make Data, Resources and Training Count
- Given that larger corporations are more data driven today than ever before, it comes as no surprise that the Update emphasizes the role of data in building and maintaining a robust compliance program. Risk assessments should be tethered to “continuous access to operational data and information across functions.” The Update also digs deeper into a company’s reporting mechanism by asking whether the company takes “measures to test whether employees are aware of the hotline and feel comfortable using it.” Finally, the Update adds the question “[d]o compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions?”
- Alongside the use of data, the Update places new emphasis on the prosecutor’s assessment of whether the compliance program is “adequately resourced and empowered to function effectively.” While still recognizing a proportional relationship between the size of an organization and the resources it devotes to compliance, the Update echoes the importance of a compliance program being supported by personnel with sufficient seniority within the company, sufficient resources and sufficient independence from management.
- The Update draws more attention to compliance training, the accessibility of a company’s compliance policies and procedures, and the efficacy of the company’s reporting mechanism, all in an effort to gauge the strengths of a compliance program. The Update asks whether policies and procedures are “published in a searchable format” and whether certain aspects of the program’s policies and procedures are “attracting more attention” from employees and how the company is tracking that fact. In addition, the Update queries whether employees have the ability to ask questions arising out of compliance training. Further, the Update poses the question whether the company has determined which training is having an impact on employees’ conduct or business operations. Finally, the Update points to the soundness of the company’s confidential reporting mechanism in asking if “the company periodically test[s] the effectiveness of the hotline, for example by tracking a report from start to finish?”
Holistic Third-Party Risk Management
- The DOJ has shown a perennial interest in third-party risk management and, like the 2019 guidance, this Update places increased focus on a company’s oversight of third parties. Third parties have historically factored into not only many Foreign Corrupt Practices Act prosecutions, but also enforcement actions involving other violations such as accounting fraud. Certainly, prosecutors will continue to evaluate whether a company understands the business rationale for a third-party relationship and examine whether the contract terms for the relationship are sufficiently described. In this iteration of the guidance, the focus goes beyond initial due diligence of third-party arrangements by addressing management of third-party risk throughout the “lifespan of their relationship,” accomplished through “ongoing monitoring of the third party relationship.” Consistent with the Update’s theme of tailoring risk assessment to the particulars of the company, it similarly highlights the need for a strong compliance program to take into account the unique risks a third party and its arrangement with the company may pose.
Mergers and Acquisitions Due Diligence
- Commercial realities appear to have played a part in the Update’s provisions on M&A due diligence. The Update asks if a company was able “to complete pre-acquisition due diligence and, if not, why not?” The form of the question suggests that the DOJ may make allowance for companies that, for legitimate reasons, could not conduct pre-acquisition due diligence. Any lack of pre-acquisition due diligence, however, would likely place more pressure on companies to ensure that their compliance programs include a “timely and orderly integration of the acquired entity into existing compliance program structures and internal controls.”
While recognizing that there is no cookie-cutter approach to compliance programs (the topics are “neither a checklist nor a formula”), the Update provides a useful framework for evaluating whether a compliance program has the necessary ingredients to succeed. The direction of the Guidance, with, for example, the focus on data analysis, suggests the DOJ has larger, more sophisticated entities in mind in crafting its framework for evaluating compliance programs. Regardless, with a renewed emphasis on a compliance program that is continuously improving, data driven, and supported with sufficient resources and authority, the DOJ affirms the need for companies to substantiate their corporate compliance programs if they are going to stand up to a prosecutor’s pressure test.
1 Dylan Tokar, Justice Department Adds New Detail to Compliance Evaluation Guidance, THE WALL STREET JOURNAL (June 1, 2020).