On February 8, 2017, the US Department of Justice (DOJ) released guidance titled ‘Evaluation of Corporate Compliance Programs,’ which provides insight into how the DOJ evaluates and assesses compliance programs during a corporate investigation. Although the DOJ has consistently stated that it does not use a rigid framework or checklist when evaluating a compliance program, this guidance provides a list of common topics and questions used in such a process. While the guidance notes that much of the information is found in other sources (such as the US Attorneys’ Manual, prior corporate settlements, and the DOJ and SEC FCPA Guide), it provides an outline of the DOJ’s approach and can assist companies when assessing their own compliance programs. Given the extensive experience of the US authorities in dealing with compliance programs, companies operating in the Asia-Pacific region should look to such guidance when designing and implementing their compliance programs.
A summary of the topics discussed in the guidance is found at the end of this alert. From a practical perspective, the new guidance offers several takeaways.
Continued emphasis on compliance
Over the past few years, the DOJ has issued a number of guidance documents detailing its expectations for compliance programs, all of which build on the US Sentencing Guidelines and DOJ commentary in deferred prosecution agreements. The DOJ and SEC jointly issued detailed guidance in November 2012, and again in April 2016 with the announcement of the FCPA Pilot Program.1 Combined, these publications demonstrate a clear emphasis on the importance of well-functioning corporate compliance programs operating in line with the DOJ’s expectations.
Another piece of the global puzzle
In addition to the DOJ, recent years have seen regulatory bodies and self-policing organizations outside the US detail their own expectations for compliance programs. In addition to the publications from the Organization for Economic Co-operation and Development (OECD) referenced in this guidance, a number of other entities, including the UK Ministry of Justice, the Singapore Corruption Practices Investigation Bureau, and the International Organization for Standardization (ISO)2 have each published their own guidance on compliance programs. Multinational companies now have various resources to utilize when creating and assessing compliance programs. This may be particularly useful when determining appropriate procedures in subsidiaries around the world.
Focus on resources
As noted in our prior alert about the Pilot Program, the DOJ is delving deeper into a compliance program to understand not only the framework of the policies and procedures, but also to evaluate the compliance personnel. The DOJ expects that those individuals have the appropriate background and experience to manage the risks that the company faces. Additionally, those personnel must have the autonomy, power, and resources to effectively implement the compliance program.
A common thread
Regulators weigh a company’s reaction to reported misconduct – remedial and corrective actions, investigations – quite heavily. We have defended several cases where clients received extraordinary credit for implementing a compliance program even after bad conduct came to light. Bear in mind, however, that the DOJ is not officially providing credit for a compliance program that did not exist when company employees were violating the law. But regardless, the DOJ wants to encourage companies to react appropriately to wrongdoing (e.g. taking steps to build a compliant business culture), and credits those actions as ‘cooperation.’ When a company can show that it responds to wrongdoing with targeted discipline, reporting, and training, the DOJ often concludes that punishing fines and restrictions are not necessary to prevent future wrongdoing. So it is never too early – or too late – to get started on building or enhancing a corporate compliance program. This is particularly true for Asian companies that do not have a historically strong practice of building a culture of compliance.
High-risk relationships and transactions
The two final topics in the guidance, third party management and mergers and acquisitions, are often discussed by the DOJ as high-risk areas for companies and commonly part of the fact patterns resulting in settlements. A high percentage of FCPA actions involve misconduct related to a third party. The use of third parties in Asia is pervasive. A company must understand its universe of third parties and the policies to manage those relationships, including ongoing due diligence and training of third parties. With respect to mergers and acquisitions, the DOJ expects appropriate review before and after the transaction to ensure that any misconduct at the target does not continue and that the acquiror’s compliance program is integrated into the new company.
While the new guidance from the DOJ is by no means a step-by-step guide for compliance, it does further illustrate the DOJ’s priorities and methodology with respect to reviewing and analyzing compliance programs. When managing a DOJ investigation, being able to provide a satisfactory response to DOJ inquiries on these topics is often the determining factor for how the DOJ will resolve an investigation. For companies not facing a DOJ investigation, the guidance is an invaluable resource when instituting best practice.
Summary of topics
Analysis and remediation of underlying misconduct
The DOJ may ask about the root cause of the misconduct, whether or not there were any prior indications that the misconduct was occurring, and what the company has done to help resolve the misconduct.
Senior and middle management
The DOJ continues to emphasize the ‘tone at the top’ and evaluates whether senior management and the board of directors encourage and instill a culture of compliance, including how senior management and the board interact with compliance and whether there is ‘conduct at the top’.
Autonomy and resources
The DOJ wants to ensure that the compliance department is provided with adequate resources and funds to effectively mitigate risk, including whether the compliance department has sufficient autonomy and power, whether compliance personnel have appropriate experience and qualifications, and the compliance department’s ‘stature’ in the company.
Policies and procedures
As the backbone of any compliance program, the DOJ will review aspects of a company’s policies and procedures, including their design and accessibility and how well they are integrated in the overall operations.
The DOJ expects companies to have a rational and appropriate methodology for identifying, analyzing, and addressing their individualized risk profiles.
Training and communications
To ensure that a compliance program is not simply a ‘paper program’, the DOJ will review whether employees receive training commensurate with the risk associated with their responsibilities and in the appropriate language and form, and what resources are available in addition to specific trainings.
Confidential reporting and investigation
The DOJ may ask about a company’s procedure for receiving, handling, and managing whistleblower reports, including how it collects and analyzes confidentially reported information to properly scope an investigation.
Incentives and disciplinary measures
The DOJ may question a company about how it incentivizes compliance and disciplines employees for misconduct, including whether managers were held accountable for misconduct that occurred under their supervision. Further, the DOJ may look into whether these disciplinary actions were applied consistently and across all groups.
Continuous improvement, periodic testing, and review
A company should be ready to discuss how it reviews and assesses the compliance program on an ongoing basis, including what, if any, internal audits were conducted, how those were reported to management, and what the company’s process is for continually monitoring the compliance program.
Third party management
Because the DOJ views third party relationships as being high risk, it will likely request information about how a company manages third-party relationships from a corruption standpoint. This includes what controls are present and how the relationship is managed on an ongoing basis.
Mergers and acquisitions
Companies can often inherit corruption issues through mergers and acquisitions. When relevant, the DOJ may request information about the due diligence process and integration and implementation following the transaction.