On June 1, 2020, the Department of Justice (“DOJ”) Criminal Division released an update to its “Evaluation of Corporate Compliance Programs” guidance for federal prosecutors, its first change since April 2019. Although the update did not fundamentally alter the structure of the guidance, the revisions directly impact how companies should assess and monitor their compliance programs. Specifically, companies should note the update’s emphasis on greater dynamism in corporate compliance programs.
In effect, the DOJ will now evaluate compliance programs not only on the current effectiveness of the program, but also on whether the program actively evaluates itself and continuously evolves based on new information and changing risks. This includes actively using technology and data to support and inform the program.
Why Evaluation of Corporate Compliance Programs Matters
The Evaluation of Corporate Compliance Programs is official DOJ guidance. Although not mandatory, it is used by federal prosecutors to advise and direct their investigations and prosecution decisions. Federal prosecutors use the guidance to help assess whether a corporation has an effective compliance program, a key factor
- when determining whether to conduct an investigation,
- when determining whether to bring criminal charges, and
- when negotiating a plea or other corporate resolution.
In addition, the evaluation of the effectiveness of a program occurs “both at the time of the offense and at the time of the charging decision and resolution.” This assessment is critical under the United States Sentencing Guidelines, and is a consideration when calculating an appropriate organizational sentence and criminal fine.
A close review of the Evaluation of Corporate Compliance Programs guidance is therefore critical to the design and enhancement of any compliance program. A company with a compliance program that fails to address concerns identified in the guidance will be at higher risk for government involvement and potential sanction, and will not receive the full benefits available under the guidance or the Sentencing Guidelines. Further, although the update does not dramatically change fundamental aspects of the guidance, even recently updated compliance programs should be evaluated with the new changes in mind, particularly whether the compliance program appropriately reflects (and documents) the dynamism stressed in the update.
Update Stresses Dynamism in Corporate Compliance
In the updated guidance, prosecutors are required to make
a reasonable, individualized determination in each case that considers various factors including, but not limited to, the company’s size, industry, geographic footprint, regulatory landscape, and other factors, both internal and external to the company’s operations, that might impact its compliance program.
To do so, prosecutors are to ask three fundamental questions when evaluating a corporate compliance program:
- is the program well designed?
- is the program being applied earnestly and in good faith? In other words, is the program adequately resourced and empowered to function effectively?
- does it actually work in practice?
The second fundamental question has been updated from the previous edition, which asked only “is it implemented effectively?” This change reflects the broader theme of the update, which is that prosecutors should look not only to whether a compliance program is implemented properly, but also to whether the compliance program can adapt and respond to concerns, challenges, and new information that arise. In other words, is the compliance program dynamic?
Other changes in the update follow this theme. In answering the first of the fundamental questions, “is [the compliance program] well designed,” the updated guidance asks prosecutors to “endeavor to understand why the company has chosen to set up the compliance program the way that it has, and why and how the company’s compliance program has evolved over time.” In the company’s risk assessment of the program, the updated guidance asks prosecutors to look to whether the assessment is “limited to a ‘snapshot’ in time or based upon continuous access to operational data and information across functions” and whether risk assessments incorporate lessons learned from the company’s own or others’ issues. Further, compliance programs are judged by whether risk assessments have “led to updates in policies, procedures, and controls.” Again, the guidance makes clear that static compliance programs that do not actively adjust to ongoing concerns will not be viewed favorably by prosecutors.
Compliance employees are also addressed in the updated guidance. Employee training is evaluated on the basis of “whether the company has relayed information in a manner tailored to the audience’s size, sophistication, or subject-matter expertise.” Specifically, prosecutors are to determine whether training sessions allow employees to ask questions, as well as whether the company has “evaluated the extent to which the training has an impact on employee behavior or operations.” In addition, prosecutors are to evaluate any employee reporting mechanisms, or hotlines, that exist and whether they accurately capture employee concerns. Prosecutors are to evaluate these programs not only by looking at whether the hotline works, but also at how comfortable employees are using the hotline, how the company uses the information it gains from the hotline, and whether the hotline is periodically tested. Simply having a hotline or reporting system without fully appreciating and maintaining it will raise red flags under this new guidance.
The updated guidance also asks prosecutors to determine whether compliance and control personnel have sufficient access to sources of data that allow for timely and effective compliance. In particular, prosecutors are to ask if “impediments exist that limit access to relevant sources of data” and, if they exist, what the company is doing to address them. Further, the guidance asks prosecutors to determine the accessibility of policies and procedures to employees. However, the guidance not only expects companies to have the policies and procedures accessible, but also to have them “published in a searchable format for easy reference.” Clearly, the updated guidance reflects that the DOJ believes a proper compliance program will have free access to data, including policies and procedures that can be easily referenced by compliance employees.
Third-Party Relations and Mergers
Third-party relations and mergers and acquisitions also fall under the purview of the updated guidance. In evaluating a company’s compliance relationship with third parties, prosecutors are directed to consider whether the company understands the business rationale for the relationship, any specific compliance risks posed by the third party, and whether “the company engages in risk management of third parties throughout the lifespan of the relationship, or primarily during the onboarding process.” With regard to mergers and acquisitions, the updated guidance not only asks whether companies have undergone comprehensive due diligence of any acquisition targets, but also whether the acquiring company has developed “a process for timely and orderly integration of the acquired entity into existing compliance program structures and internal controls.” The guidance states that proper due diligence and procedures are expected both pre- and post-transaction. Again, these updates stress that prosecutors will evaluate a compliance program not only on its daily function, but also on its adaptability throughout the relevant time period, assessing whether the program sought to improve and evaluate itself on a continuous basis.
Overall, the updated guidance stresses that companies must have dynamic compliance programs. Dynamic programs, as understood from the guidelines, are those which not only function properly, but continuously seek to improve themselves, both by learning from mistakes and taking account of new data. Prosecutors, when determining whether to investigate potential wrongdoing, press charges, or agree to settlements, will take a deep look at whether the company has such a compliance program. Companies should ensure their compliance programs mirror the expectations of the updated guidelines, which will mitigate the effect of any DOJ action against them.