On April 30, 2019, the US Department of Justice (DOJ) released new guidance that provides substantial insight into how the agency evaluates corporate compliance programs. The guidance codifies elements long understood as DOJ priorities for evaluating an operationally effective corporate compliance program and applies them to all corporate investigations, not just FCPA matters. Determining the adequacy and effectiveness of a corporate compliance program has long been one of the key "Filip Factors" that the DOJ uses in determining whether to charge a corporation with any wrongdoing. USAM 9-28.300(A)(5). This new guidance elaborates on six key points within that overarching question, namely: policies and procedures, training and communications, a confidential reporting structure and investigation process, third-party management, and mergers and acquisitions. The bottom line is that when evaluating a corporate compliance program, the DOJ will be sharply focused on answering three fundamental questions: 1) Is the corporation's compliance program well-designed? 2) Is the program being applied earnestly and in good faith (i.e., is the program being implemented effectively)? 3) Does the corporation's compliance program work in practice?
Companies should periodically refresh their risk assessments and allocate compliance resources accordingly
The guidance emphasizes the need to implement a risk-based compliance approach, tailored to the company's individual risk profile. In fact, the guidance explicitly recognizes that prosecutors may credit the quality and effectiveness of a compliance program that devotes appropriate resources and attention to high-risk operations, even if it fails to prevent an infraction in a low-risk area. To demonstrate that a compliance program is appropriately tailored to the relevant risks, companies should periodically refresh their risk assessments to capture and address the evolving risk landscape. This is the most expansive articulation of the DOJ's willingness to accept risk-based resource allocation, and it "officially" harmonizes the Department's position with that of other global enforcement agencies such as the UK's Serious Fraud Office.
"Tone-at-the-top," training and culture remain critical
It should come as no surprise that DOJ prosecutors will form an opinion about a company's compliance culture. Whether a company has an effective compliance culture is a subjective assessment that is difficult to measure. The guidance, however, provides some important insights into what DOJ expects to see in this regard. A significant component of this analysis is whether and how the compliance culture is embedded in day-to-day operations. Embedding can be accomplished in several ways, including by ensuring that policies and procedures are easily accessible and understood by all employees, including foreign employees, and by providing tailored training based on employee roles and positions. Corporations should also consider implementing other mechanisms for measuring compliance culture, such as using employee surveys, town halls, or other means by which to determine whether employees are comfortable with escalating concerns, and to obtain their views on whether management leads by example. Given the focus on training in the guidance, companies should also reference applicable or relevant industry models to attempt to measure the success of training programs and their impact on employee understanding and comprehension of the issues. Moreover, prosecutors will examine the application of incentives and disciplinary measures as motivators for compliance and deterrents for non-compliance.
Effective remediation reduces chances of a monitor
Pursuant to the Principles of Federal Prosecution of Business Organizations, prosecutors are required to assess "the adequacy and effectiveness of the corporation's compliance program at the time of the offense, as well as at the time of a charging decision." Thus, how a compliance program has evolved since the time of the infraction through the time of DOJ investigation can have an important impact on the ultimate resolution of the matter, including whether a compliance monitor should be appointed. The updated guidance underscores the trend that corporate compliance monitors should only be appointed where a corporation's controls are deemed ineffective or inappropriately resourced at the time of resolution. In order to determine the efficacy of a corporation's remediation efforts, prosecutors will assess the steps taken by a company in response to an incident to ensure that similar instances of misconduct are unlikely to recur or go undetected. Prosecutors will also evaluate the sustainability of a compliance program by determining whether a company performed a root-cause analysis and how the results of that root-cause analysis have been incorporated into the design and operation of its compliance program. If a compliance program is deemed effective by the time DOJ completes its investigation, it is much less likely that the DOJ will insist upon a monitor.
While the updated guidance is intended for use by prosecutors, it also serves as a useful guide to help corporations craft a compliance program that will withstand DOJ scrutiny. It illustrates the depth of the analysis prosecutors are expected to undertake, and solidifies DOJ's clear expectation that a "paper program" simply is not enough. With the publication of this guidance, prosecutors will likely expect companies to incorporate the key elements into their compliance frameworks.