On February 8, 2017, the US Department of Justice (DOJ) released guidance titled “Evaluation of Corporate Compliance Programs,” which provides insight into how the DOJ evaluates and assesses compliance programs during a corporate investigation. Although the DOJ has consistently stated that it does not use a rigid framework or checklist when evaluating a compliance program, this guidance provides a list of common topics and questions used in such a process. While the guidance notes that much of the information is found in other sources (such as the US Attorney’s Manual, prior corporate settlements, and the DOJ and SEC FCPA Guide), it provides an outline of the DOJ’s approach and can assist companies when assessing their own compliance program.
A summary of the topics discussed in the guidance is found at the end of this alert. From a practical perspective, the new guidance offers several takeaways:
- Continued emphasis on compliance: Over the past few years, the DOJ issued a number of guidance documents detailing its expectations for compliance programs, all of which build on the US Sentencing Guidelines and DOJ commentary in deferred prosecution agreements. The DOJ and SEC jointly issued detailed guidance in November 2012, and again in April 2016 with the announcement of the FCPA Pilot Program. Combined, these publications, in addition to DOJ’s hiring of a compliance specialist to oversee program reviews, demonstrate a clear emphasis on the importance of well-functioning corporate compliance programs operating in line with DOJ’s expectations.
- Another piece of the global puzzle: In addition to the DOJ, recent years have seen regulatory bodies and self-policing organizations outside the US detail their own expectations for compliance programs. In addition to the publications from the Organization for Economic Co-operation and Development (OECD) referenced in this guidance, a number of other entities, including the UK Ministry of Justice, the Singapore Corruption Practices Investigations Bureau, and the International Organization for Standardization (ISO) have each published their own guidance on compliance programs. Multinational companies now have various resources to utilize when creating and assessing compliance programs. This may be particularly useful when determining appropriate procedures in subsidiaries around the world.
- Focus on resources: As noted in our prior alert about the Pilot Program, the DOJ is delving deeper into a compliance program to understand not only the framework of the policies and procedures, but also to evaluate the compliance personnel. The DOJ expects that those individuals have the appropriate background and experience to manage the risks that the company faces. Additionally, those personnel must have the autonomy, power, and resources to effectively implement the compliance program.
- A common thread: Regulators weigh a company’s reaction to reported misconduct – remedial and corrective actions, investigations – quite heavily. We have defended several cases where clients received extraordinary credit for implementing a compliance program even after bad conduct came to light. Bear in mind, however, that the DOJ is not officially providing credit for a compliance program that did not exist when company employees were violating the law. But regardless, the DOJ wants to encourage companies to react appropriately to wrongdoing (e.g., taking steps to build a compliant business culture), and credits those actions as “cooperation.” When a company can show that it responds to wrongdoing with targeted discipline, reporting and training, the DOJ often concludes that punishing fines and restrictions are not necessary to prevent future wrongdoing. So it is never too early – or too late – to get started on building or enhancing a corporate compliance program.
- High-risk relationships and transactions: The two final topics, third party management and mergers and acquisitions, are often discussed by the DOJ as high-risk areas for companies and commonly part of the fact patterns resulting in settlements. A high percentage of FCPA actions involve misconduct related to a third party. A company must understand its universe of third parties and the policies to manage those relationships, including ongoing due diligence and training of third parties. With respect to mergers and acquisitions, the DOJ expects appropriate review before and after the transaction to ensure that any misconduct at the target does not continue and that the purchaser’s compliance program is integrated into the new company.
While the new guidance from the DOJ is by no means a step-by-step guide for compliance, it does further illustrate the DOJ’s priorities and methodology with respect to reviewing and analyzing compliance programs. When managing a DOJ investigation, being able to provide satisfactory responses to DOJ inquiries on these topics is often the determining factor for how the DOJ will resolve an investigation.
Summary of topics
- Analysis and remediation of underlying misconduct: The DOJ may ask about the root cause of the misconduct, whether or not there were any prior indications that the misconduct was occurring, and what the company has done to help resolve the misconduct.
- Senior and middle management: The DOJ continues to emphasize the “tone at the top” and evaluates whether senior management and the board of directors encourage and instill a culture of compliance, including their own background and how senior management and the board interact with compliance.
- Autonomy and resources: The DOJ wants to ensure that the compliance department is provided with adequate resources and funds to effectively mitigate risk, including whether the compliance department has sufficient autonomy and power, whether compliance personnel have appropriate experience and qualifications, and the compliance department’s “stature” in the company.
- Policies and procedures: Because policies and procedures are the backbone of any compliance program, the DOJ will review aspects of a company’s policies and procedures, including their design and accessibility and how well they are integrated into the overall operations.
- Risk assessment: The DOJ expects companies to have a rational and appropriate methodology for identifying, analyzing, and addressing their individualized risk profiles.
- Training and communications: To ensure that a compliance program is not simply a “paper program”, the DOJ will review whether employees receive training commensurate with the risk associated with their responsibilities and in the appropriate language and form, and what resources are available in addition to specific trainings.
- Confidential reporting and investigation: The DOJ may ask about a company’s procedure for receiving, handling and managing whistleblower reports, including how it collects and analyzes confidentially reported information to properly scope an investigation.
- Incentives and disciplinary measures: The DOJ may question a company about how it incentivizes compliance and disciplines employees for misconduct, including whether managers were held accountable for misconduct that occurred under their supervision. Further, the DOJ may look into whether these disciplinary actions were applied consistently and across all groups.
- Continuous improvement, periodic testing, and review: A company should be ready to discuss how it reviews and assesses the compliance program on an ongoing basis, including what, if any, internal audits or reports were conducted, how those were reported to management, and what the company’s process is for continually monitoring the compliance program.
- Third party management: Because the DOJ views third party relationships as being high risk, it will likely request information about how a company manages third-party relationships from a corruption standpoint. This includes what controls are present and how the relationship is managed on an ongoing basis.
- Mergers and acquisitions: Companies can often inherit corruption issues through mergers and acquisitions. When relevant, the DOJ may request information about the due diligence process and integration and implementation following the transaction.
 For further information on the Pilot Program, please see our client alert here.
 For further information on the new ISO 37001 (“Anti-bribery management systems -- Requirements with guidance for use”), please see our client alert here.