The United States Department of Justice (DOJ) released updated guidance regarding its Evaluation of Corporate Compliance Programs on June 1, 2020. The release comes just over a year since the guidance was last updated in April 2019. While these latest changes are less extensive than the most recent ones, there are some key differences that suggest the DOJ may be shifting some areas of focus when it comes to assessing the effectiveness of corporate compliance programs.
DOJ’s general roadmap remains much the same. Prosecutors are directed to ask the same key questions (albeit now with some clarifying language – italicized below in the second question):
- Is the corporation’s compliance program well designed?
- Is the program being applied earnestly and in good faith? In other words, is the program adequately resourced and empowered to function effectively?
- Does the corporation’s compliance program work in practice?
However, there are some key additions in the new guidance that have the potential to significantly impact the way prosecutors evaluate corporate compliance programs. The 2020 guidance contains some new qualifying language that arguably expands the scope of available credit. In addition, the new guidance also adds additional factors for prosecutors to consider in evaluating the risk assessment and the independence and effectiveness of compliance departments.
Here are the key changes in DOJ’s new guidance:
- Retains the directive that prosecutors should evaluate the compliance program at the time of the offense, but adds that the status of the compliance program at the time of sentencing is also relevant. This suggests that the DOJ may be willing to give credit for enhancements made to the program in the interim.
- Deletes a condition for giving credit for functioning compliance programs. The old guidance authorized prosecutors to “credit the quality and effectiveness of a risk-based compliance program that devotes appropriate attention and resources to high-risk transactions, even if it fails to prevent an infraction in a low-risk area.” The new guidance grants the same authorization, but deletes “low risk area,” apparently making credit available regardless of the seriousness of the infraction.
- Adds a new factor for evaluating the compliance risk assessment. Prosecutors are directed to consider whether the company has a process for tracking and incorporating into its periodic risk assessment lessons learned either from the company’s own prior issues or from those of other companies operating in the same industry or region. In this same vein, the new guidance adds an expectation that the company is reviewing and adapting its compliance program based on lessons learned from its own or others’ misconduct.
- Adds a new factor for prosecutors to consider in evaluating the autonomy and effectiveness of a compliance program. Compliance and control personnel should have access to relevant data to allow for timely and effective monitoring and testing of policies, controls, and transactions. Prosecutors are also directed to consider whether there are any impediments to that access.
- Adds, as an alternative to training through practical advice, case studies, and guidance on how to obtain ethics advice, “shorter, more targeted training sessions to enable employees to timely identify and raise issues to appropriate compliance, internal audit, or other risk management functions.” This suggests that more limited training, if reasonable, might be acceptable.
- Adds an expectation that a company’s confidential reporting hotline is accessible to relevant third parties (e.g., vendors, customers, etc.). This means companies will need to develop a methodology for sharing hotline information with third parties who might not have access to internal websites and information portals.
- Suggests that pre-acquisition due diligence may not always be necessary, so long as the company has a reasonable explanation why it was not conducted. But, adds the expectation that companies will conduct post-acquisition audits.
- Retains the prior emphasis on culture of compliance at the top, but adds that compliance at the middle is just as important, and should be evaluated by prosecutors.
- Adds the expectation that companies invest in “further training and development” of compliance and control personnel. This suggests that prosecutors may be looking to see if compliance personal are attending conferences or training themselves to stay abreast of regulatory and compliance developments.
- Acknowledges that aspects of a compliance program may be impacted by or based on foreign law.
While the new guidance arguably provides for expanded credit opportunities, it appears to come with increased burdens in some costly and complicated areas, such as increased data flow and access (which impacts existing compliance frameworks for data privacy and user access) and the structure and design of the corporate risk assessment (where effectiveness is dependent on accurate statistical modeling). It remains to be seen whether the forgoing changes, as a whole, will have the effect of increasing the burden on corporations in designing, implementing, and managing compliance programs. Regardless, companies should heed the guidance and utilize the comprehensive roadmap it offers to evaluate their own compliance programs to ensure their overall current and continuing effectiveness.