On June 1, 2020, the Justice Department announced the latest set of updates to its “Evaluation of Corporate Compliance Programs” policy. The policy, which was first released in 2017 and revised last year, provides companies with detailed guidance on how the Department will review the adequacy and effectiveness of compliance programs when making charging and resolution decisions in criminal investigations. According to a statement made by Assistant Attorney General Brian Benczkowski, the revisions were based on both the DOJ’s own experience and feedback from the business and compliance communities.
While not a wholesale revision, the changes made in this update provide important insights into the Department’s view on key issues in the design and maintenance of compliance programs. They reflect an evolving “real world” approach to compliance, reinforcing that prosecutors should consider various practical factors in evaluating a compliance program—including consideration of how a company’s size, industry, geographic footprint, and “regulatory landscape” – might affect its compliance program. At the same time, the guidance makes clear that compliance programs cannot be static, and companies must empower their compliance departments to develop metrics to evaluate program effectiveness on an ongoing basis.
Some notable changes and key takeaways are summarized below:
Effective compliance program implementation
The prior version of the guidance identified three “fundamental questions” that a prosecutor must ask in evaluating a compliance program. One of these questions was whether the program was being “implemented” effectively. The new policy clarifies that effective implementation in this context means that the program is adequately resourced and compliance personnel are “empowered” to function effectively. The revisions emphasize that even a well-designed program will be unsuccessful if it is under-resourced, and companies need to be prepared to justify the choices made in how their programs have been structured within the overall business organization. Under the new guidance, prosecutors will be looking to see that companies provide compliance and control personnel with sufficient access to data to conduct timely and effective monitoring and testing, as well as make investments in the training and development of compliance personnel.
Impact of foreign law considerations
The updated guidance adds a key footnote directing prosecutors specifically to consider how foreign law considerations affect the structure of a company’s compliance program. If a company makes compliance decisions based on the demands of foreign law, it must be prepared to justify its analysis and explain “how the company has addressed the issue to maintain the integrity and effectiveness of its compliance program while still abiding by foreign law.” It is helpful that the updated guidance acknowledges that foreign law considerations can affect how companies design and implement their compliance programs in different countries. But the guidance makes it imperative that companies document these issues in real time and stand ready to explain how they affected compliance decisions.
The guidance previously emphasized the importance of risk assessments in an effective compliance program. The new version instructs prosecutors to scrutinize not only why a company has designed its current program the way it has, but also why and how the program has evolved over time. That is, prosecutors will be looking to see an evolution of policies and procedures that reflect the outcomes of regular, periodic assessments that have been performed. As a result, it will be critical for compliance teams to not only conduct periodic assessments and make changes, but document how those changes reflect the results of their reviews.
The new guidance makes plain that the Department favors a continuous review approach, and not a periodic “snapshot” approach, to program review and updating. Compliance teams must be given “continuous access to operational data and information across functions” in the company. The changes to the guidance also emphasize that companies must have a process to track and incorporate into its risk assessments lessons learned from issues that arose during the review period—as well as issues facing other companies in the same industry and/or region. In other words, compliance teams will be expected to stay up-to-date on problems facing companies in their industry or region, and demonstrate the application of any lessons learned from those matters to program design.
Ensuring that compliance policies and procedures are well-communicated throughout the company is a critical responsibility of compliance teams. The new guidance places even greater emphasis on this, directing prosecutors to ask specifically whether a company’s compliance policies and procedures are published in a searchable format for easy reference. Making a copy of a policy available in the compliance department or on a static website may no longer be sufficient. In addition, the new guidance directs prosecutors to ask whether the company tracks access to various policies and procedures to understand which policies are attracting more attention from employees. Tracking and analyzing such search metadata will now be considered an essential part of the regular risk assessment process.
To evaluate whether a company has an effective training program, the revised guidance directs prosecutors to examine whether a company is evaluating the effect of its training program on employee behavior or operations. Presumably, the Department will want to see that the company has developed certain metrics and/or conducts meaningful qualitative analysis of its training program (through survey data, for example) to determine what effect, if any, the program is having. In addition, while the guidance does not take a position on the format of training programs, the revisions make clear that any format used must provide a mechanism for employees to ask questions arising out of the training materials.
Confidential hotlines and related reporting mechanisms have been standard practice for years. The revised guidance emphasizes that a company’s reporting mechanism should be publicized to relevant third parties, not just internally. The guidance also emphasizes that the company should develop measures to test whether employees are actually aware of its hotline and “feel comfortable” with it. As with the approach to evaluating training programs, implementing appropriate metrics, survey data, and procedures to track reports from filing to conclusion will be important. Prosecutors are directed to examine how internal investigations and discipline arising from hotline reports are monitored by the compliance team to ensure consistency.
The revised guidance continues the trend of emphasizing that third-party management is not just about onboarding due diligence, but management of the risks posed by a third-party relationship throughout the “lifespan of the relationship.” Companies that focus only on risk management during the onboarding process will likely come up deficient here.
Post-acquisition diligence and compliance integration
Similarly, the revised guidance moves away from a limited discussion of compliance due diligence during the merger and acquisition process, and toward a compliance approach that covers both the pre-acquisition and post-acquisition process. Reflecting existing best practices, the new guidance provides that a well-designed compliance program should contain processes for comprehensive pre-acquisition diligence, appropriate post-acquisition diligence, and “timely and orderly integration” of the acquired entity into existing compliance and control structures. Prosecutors are instructed to examine all three components, and ask why any or all could not have been conducted in an given transaction.
Many of the changes made to the DOJ guidance reflect best practices and areas of emphasis that companies have addressed since the last revision to the policy. Helpfully, the new version of the guidance recognizes that companies are not uniform, and clarifies that prosecutors should consider not only the particular facts at issue in a case when evaluating a compliance program, but also the “circumstances of the company.” This is an important clarification, as it instructs prosecutors that not all factors in the guidance can be applied equally across all businesses, and that the evaluation must be individualized. That said, careful attention to the areas of emphasis in the revised policy will be critical as companies design, evaluate, and modify their compliance programs going forward.