8 6月 2020 Doug Davison  -  Adam Lurie  -  Douglas Tween  -  Sean Solomon  -  Aviva Kushner

DOJ updates its corporate compliance guidance, incorporating feedback from business community and increasing focus on data and continuous improvement

Overview
 
On June 1, 2020, the Criminal Division of the U.S. Department of Justice (“DOJ”) published updated guidance on its approach to the evaluation of corporate compliance programs (the “2020 Guidance” or “Guidance”). The Guidance – which updates prior versions issued in February 2017 and revised in April 2019 – is intended to assist prosecutors in assessing the effectiveness of a corporation’s compliance program for the purposes of determining the appropriate form of resolution or prosecution. (See here for a redline of the updated guidance against its prior version.)
 
While the Guidance does not carry the force of law, it does provide companies valuable insight into how the DOJ evaluates compliance programs, the quality of which will be factored into the DOJ’s charging decisions. Although the 2020 revisions to the Guidance do not reflect a significant shift in DOJ policy or approach to enforcement, they do reflect a more nuanced approach that places greater emphasis on data analysis and takes into account lessons learned over the past three years and feedback from the business community.
 
Background
 
In early 2017, the DOJ’s Fraud Section (one of several sections within the larger Criminal Division) issued the original “Evaluation of Corporate Compliance Programs” Guidance. The purpose of the document was to provide a list of “some important topics and sample questions that the Fraud Section has frequently found relevant in evaluating a corporate compliance program.” The 2017 Guidance included a list of 119 questions, grouped into 11 topics, that prosecutors might ask companies in evaluating the effectiveness of their compliance programs. The overarching themes of the 2017 guidance were that companies’ compliance programs should be well-funded and supported by management, closely integrated into everyday business operations, demonstrably effective, and appropriately tailored to a company’s unique risk profile.
 
In April 2019, the DOJ’s Criminal Division released an updated version of the guidance, providing more structure and clarity as to how it assesses corporate compliance programs. As explained in an address by Assistant Attorney General ("AAG") Brian Benczkowski, the 2019 update directed prosecutors to consider three fundamental questions in evaluating a company’s compliance program: (1) is the program well designed; (2) is it being implemented effectively; and (3) does it work in practice? Each question was accompanied by a series of subsidiary questions designed to help focus the inquiry.
 
The June 2020 “Refresh”
 
In announcing the 2020 Guidance, AAG Benczkowski said that the additions reflect DOJ experience and “important feedback from the business and compliance communities.” Below are some highlights.

Adequate resources

The Guidance includes new language changing the second fundamental question from whether the compliance program is being “implemented effectively” to whether the program is “adequately resourced and empowered to function effectively.” By shifting the focus to resourcing and empowerment, the DOJ is sending a message that compliance departments need to have real stature within the organization. How programs are staffed, funded, and treated internally will be an important part of the analysis. In a similar vein, new language in the Guidance instructs prosecutors that a well-designed compliance program may be unsuccessful in practice if the implementation is under-resourced.

Focus on data resourcing and accessibility

The Guidance contains new language stressing the importance of compliance programs that adapt quickly, particularly with respect to what is reflected in data. Specifically, it asks whether compliance and control personnel have sufficient access (whether direct or indirect) to relevant sources of data for timely monitoring and/or testing of policies, controls, and transactions. The Guidance further asks whether any impediments exist that limit access to such relevant sources of data, and if so, what the company is doing to address the impediments.

 

Risk-based assessments based on data

The 2019 Guidance instructed prosecutors to review whether a risk assessment is “current and subject to periodic review.” But the 2020 Guidance takes it a step further, asking whether a company’s periodic risk assessments are based upon “continuous access to operational data and information across functions,” or rather, “are limited to a ‘snapshot’ in time.” Prosecutors are then to consider whether any such periodic review has led to updates in a company’s policies, procedures, and controls.

Responding to “lessons learned”

The Guidance instructs prosecutors to explore whether companies have adapted their compliance programs based on “lessons learned.” Notably, the Guidance adds language to this section, clarifying that “lessons” in this context derive both from inside the company and from other companies – those in the same industry, geographical region, and/or those facing similar risks. Prosecutors are also to review whether companies have a process for tracking and incorporating into periodic risk assessments any of these lessons learned.

Effectiveness of reporting mechanisms

The Guidance tells prosecutors to look to whether a company has ensured that employees are comfortable using whistleblower/reporting hotlines, and to whether the company tests “the effectiveness of the hotline, for example by tracking a report from start to finish.”

Third party management

The Guidance stresses that management of third-party relationships is an ongoing process – not one relevant solely to the onboarding process. To that end, the Guidance instructs prosecutors to explore whether the company engages in risk management of third parties “throughout the lifespan of the relationship,” or whether it does so “primarily during the onboarding process[.]”

M&A due diligence, before and after the fact

The Guidance makes clear that due diligence in the M&A context is just as critical post-acquisition as it is pre-acquisition (where pre-acquisition due diligence is in fact possible, as the DOJ now recognizes is not always the case). For example, while the prior guidance instructed prosecutors to look to the process by which compliance policies and procedures have been implemented at new entities, the updated Guidance instructs them to look also to whether post-acquisition audits were conducted. Similarly, the Guidance tells prosecutors to review more than just whether comprehensive due diligence of targets was conducted; prosecutors should look also to whether a program includes “a process for timely and orderly integration of the acquired entity into existing compliance program structures and internal controls.”

Individualized evaluation

The Guidance reaffirms the DOJ’s approach to evaluating corporate compliance programs as one that looks to the unique facts of each case, and considers various factors, including (and as newly-articulated in the Guidance), the company’s size, industry, geographic footprint, and regulatory landscape.

Conclusion

The DOJ’s updated guidance is just the latest in a series of steps taken to clarify its expectations with respect to corporate compliance efforts, and to emphasize the role that compliance programs and cooperation play in enforcement and penalty decisions.[1]

While compliance is not a check-the-box exercise, the DOJ’s Guidance effectively provides companies with a roadmap against which they can measure their own efforts. Those companies that (1) use this roadmap to inform their approach to implementing and maintaining a compliance program that is tailored to their unique risk profiles, and (2) can demonstrate how their program has grown and adapted in response to evolving risks and lessons learned, will be well-situated to minimize the likelihood of misconduct occurring and to seek a more favorable resolution with the DOJ in the unfortunate event that misconduct does occur.

 

 

[1]    See here for our prior publications discussing DOJ-issued guidance on compliance programs.