On June 1, 2020, the Criminal Division of the U.S. Department of Justice (DOJ) released updates to its Evaluation of Corporate Compliance Programs guidance (Guidance), last revised in April 2019. The updated Guidance clarifies certain subjects and emphasizes the DOJ’s expectation that corporate compliance programs adapt and evolve on an ongoing basis as a result of regular risk assessments and in response to lessons learned from identified misconduct. The updates also emphasize that a company’s monitoring and evaluation of its compliance program should be data-driven and continuous, and that prosecutors should conduct an individualized analysis of the compliance program in light of the risks and circumstances applicable to a particular company. Accordingly, companies should expect prosecutors to ask questions aimed at understanding the reasons for the manner in which their compliance programs have been structured and implemented, and “why and how the company’s compliance program has evolved over time.”
A company’s investment in its compliance program will also be relevant to the DOJ’s review. Where the Guidance previously asked prosecutors to determine if a compliance program had been “implemented effectively,” it now asks whether a compliance program has been “adequately resourced and empowered to function effectively.” Prosecutors will seek to understand whether the company dedicated resources commensurate with the risks confronting the company, and whether management provided the compliance function sufficient authority and information to perform its task.
In addition, the Guidance clarifies that prosecutors should consider whether a company’s processes for reviewing and assessing its program provide compliance employees with the data necessary (1) to properly assess whether and how the compliance program works in practice, and (2) to develop and enhance the compliance program going forward in response to the company’s risk factors and experience. Many of the updates focus on questions designed to evaluate whether the company is drawing from as many areas as possible to identify potential improvements to the program. Another update notes that prosecutors should evaluate programs “both at the time of the offense and at the time of the charging decision and resolution.” This approach appears consistent with language in other DOJ resources indicating that prosecutors should take such improvements to a compliance program into account when making charging and resolution decisions.
Below we discuss in more detail the recent updates to the Guidance.
The DOJ Will Consider Company-Specific Factors in Assessing the Effectiveness of a Company’s Corporate Compliance Program
The Guidance directs prosecutors to make a “reasonable, individualized determination” in evaluating a company’s compliance program. This should take into account a company’s specific risk profile. Prosecutors are guided to review a number of company-specific factors, including a company’s size, industry, geographic footprint, regulatory landscape, and other internal and external factors that may impact its compliance program. In this context, the updates appear to recognize that compliance programs are not “one-size-fits-all,” but that companies, even if similarly situated, may take different but reasonable and acceptable approaches to compliance based on their specific risk profiles. Prosecutors are advised to “endeavor to understand why the company has chosen to set up the compliance program the way that it has,” as well as the reasons for changes to the program over time, in light of the risks that particular company faces.
Other edits indicate that the DOJ may be working to clarify that prosecutors should have a certain degree of flexibility in assessing whether a compliance program is effective for that particular company. For example, the section on third-party management now notes that the “need for” third-party due diligence may vary based on factors beyond just the “degree of” diligence. The mergers and acquisitions section now includes reference to both pre- and post-acquisition diligence, and notes that pre-acquisition diligence may not always be possible. In a new footnote, the Guidance also recognizes that certain aspects of a compliance program, including access to certain data, may be impacted by foreign law, though the Guidance makes clear that the DOJ will place the onus on companies to explain any limitations resulting from the application of foreign laws.
The Effective Implementation of a Compliance Program Requires Adequate Resources and Access to Relevant Data
The updates to the Guidance point prosecutors not just to the structure of the compliance program but also to whether there is evidence that the company intends the program to function well in practice, and whether it seeks to understand if and how it does or does not do so. DOJ prosecutors will review whether even a well-designed program is lax, ineffective, or, in a new addition, under-resourced.
New additions to this section of the Guidance ask whether a company has fostered a culture of ethics and compliance with the law “at all levels of the company,” including middle management. To foster such a culture, the DOJ has previously emphasized the importance of clearly established incentives for compliance and disincentives for noncompliance. In the updates, prosecutors are now guided to ask whether the compliance function monitors its investigations and resulting disciplinary measures to ensure consistent application across the organization.
With respect to a compliance function’s autonomy and resources, the updates guide prosecutors to seek to understand the reasons for the choices the company has made with respect to organization, reporting lines and other structural aspects of the compliance program, and ask how the company invests in further training and development of the compliance and other control personnel.
Another update asks prosecutors to evaluate whether compliance and control personnel have sufficient access to relevant sources of data in order to conduct “timely and effective monitoring and/or testing of policies, controls, and transactions,” and what the company is doing to address any impediments that may limit that access. That the updated Guidance places additional emphasis on data analytics is unsurprising; DOJ officials have been pushing the use of data and metrics to demonstrate impact on employee behavior for many years. If a company cannot demonstrate its compliance program’s effectiveness through data, it will need to explain why not, and whether compliance personnel were provided with the opportunity to review and analyze relevant data.
Companies Should Regularly Assess Whether Their Compliance Programs Are Designed to Work in Practice and Make Periodic Adjustments
To assess whether a compliance program is well-designed and effective, prosecutors will evaluate not only how it was set up and why, but also whether a company’s periodic risk assessments consider more than just a “snapshot” in time and its compliance program review is based on “continuous access to operational data across functions.” Under the Guidance, prosecutors will look to determine how responsive a company has been to both internal and external risks as well as to identified issues that have arisen at the company. The Guidance suggests that prosecutors ask whether:
(1) “the periodic review led to updates in policies, procedures and controls” that also account for risks discovered through misconduct or other problems with the compliance program; and
(2) the company has “a process for tracking and incorporating into its periodic risk assessment lessons learned either from the company’s own prior issues or from those of other companies operating in the same industry and/or geographical region.”
The updated Guidance also emphasizes understanding how employees actually use the compliance program in practice in determining whether the program is well-designed and effective. Newly added questions for prosecutors to consider include: (1) whether policies and procedures have been published in a searchable format for easy reference, (2) whether the company tracks access to various policies and procedures to understand what policies are attracting more attention from relevant employees, (3) whether the company has evaluated the extent to which training actually has an impact on employee behavior or operations, and (4) whether the company tests employee awareness and comfort with the reporting hotline.
Relatedly, in assessing whether a company is ensuring that its policies and procedures have been integrated into the organization effectively and are being applied correctly by its employees, the updated Guidance suggests that, depending on a company’s size, sophistication or subject matter expertise, “shorter, more targeted training sessions” may be effective in helping employees identify and raise issues in a timely fashion. The updated Guidance also emphasizes that employees should be given the opportunity and means to ask questions arising out of trainings.
With respect to the DOJ’s evaluation of confidential reporting structures, the updates also guide prosecutors to ask how the reporting mechanism is publicized by the company to third parties, in addition to employees, and whether the company periodically tests the effectiveness of the reporting mechanism, for example by tracking a report from start to finish.
Third-Party Risk Management and Integration of Acquired Entities
In addition to the already existing guidance concerning the evaluation of risk-based and integrated processes with respect to third-party relationships, appropriate controls and responsiveness to red flags or misconduct, the updates guide prosecutors to consider third-party “management” more broadly by asking whether the company focuses on “risks posed by third party partners” and engages “in risk management of third parties throughout the lifespan of the relationship, or primarily during the onboarding process.”
With respect to mergers and acquisitions, the Guidance suggests that prosecutors not only consider whether a company conducted thorough pre-acquisition due diligence but also whether it has put in place a process “for timely and orderly integration of the acquired entity into existing compliance program structures and internal controls.” The updates also guide prosecutors to look for “flawed or incomplete pre- or post-acquisition due diligence and integration” and to ask whether “the company [was] able to complete pre-acquisition due diligence and, if not, why not.” The updates appear to recognize that, in practice, thorough pre-acquisition due diligence may not always be possible, or that certain situations or risk factors may not be able to be addressed in the pre-acquisition phase. However, companies should interpret these updates as a reminder to carry out appropriately tailored pre-acquisition due diligence and remediation where possible, coupled with post-acquisition due diligence and integration, as well as periodic audits and reviews of the acquired entities.
* * *
The DOJ continues to focus on ongoing assessment and enhancement of compliance programs and on practical and risk-based approaches to developing agile controls that are regularly adapted to new or changing risks or information. Companies should therefore be prepared to provide prosecutors with detailed information concerning their compliance efforts as part of any DOJ investigation; a company’s ability to demonstrate the adequacy and effectiveness of its compliance program could significantly and positively impact the outcome. In this respect, companies should consider the “Evaluation of Corporate Compliance Programs” guidance as a helpful tool for use in reviewing and developing their own programs.
This memorandum is provided by Skadden, Arps, Slate, Meagher & Flom LLP and its affiliates for educational and informational purposes only and is not intended and should not be construed as legal advice. This memorandum is considered advertising under applicable state laws.