The United States Department of Justice’s Fraud Section recently released a guidance document entitled Evaluation of Corporate Compliance Programs (“Evaluation Guidance”), which sets forth a list of common questions that the Fraud Section may ask in evaluating corporate compliance programs in the context of a criminal investigation. The Evaluation Guidance does not provide benchmarks, specific factors or requirements for corporate compliance programs to meet. Rather, it sets forth 119 “common questions that the Fraud Section may ask in making an individualized determination” regarding corporate compliance programs.
Release of the Evaluation Guidance fulfills a promise made a year earlier by Andrew Weissmann, Chief of the Fraud Section, to make public a list of questions the Fraud Section may ask a company when assessing the quality of its compliance program. It is the latest in a line of DOJ guidance documents, speeches and actions that emphasize the importance of corporate compliance programs. A Resource Guide to the Foreign Corrupt Practices Act (“Resource Guide”), released jointly by DOJ and the U.S. Securities and Exchange Commission in 2012, for example, described the importance of a “risk-based” compliance program that focuses appropriate resources on areas where misconduct is most likely to occur. More recently, in November 2015, DOJ hired Hui Chen, a former prosecutor with extensive in-house compliance experience, as a full-time compliance expert. And in April 2016, DOJ launched a pilot program primarily designed to motivate companies to voluntarily self-disclose FCPA-related misconduct. In the memorandum announcing the pilot program, the Fraud Section identified eight factors that will guide its evaluation of the effectiveness of corporate compliance programs: (1) whether a company has established a culture of compliance; (2) whether a company dedicates sufficient resources to the compliance function; (3) the quality and experience of the compliance personnel; (4) the independence of the compliance function; (5) whether a company’s compliance program is tailored to an effective risk assessment; (6) compliance personnel’s compensation and standing relative to other employees; (7) regular audits of the compliance program to assure its effectiveness; and (8) the reporting structure of compliance personnel within the company. In addition to the above guidance, the Fraud Section regularly seeks to provide guidance regarding its evaluation of compliance programs in the context of announcing prosecution decisions.
Many of the questions in the newly released Evaluation Guidance build on factors identified in prior DOJ and other guidance, including the documents described above, as well as the U.S. Sentencing Guidelines and the OECD’s Good Practice Guidance on Internal Controls, Ethics, and Compliance. The questions are grouped into the following eleven topics:
- Analysis and Remediation of Underlying Misconduct: What is the company’s root cause analysis of the misconduct at issue? What specific changes has the company made to reduce the risk that the same or similar issues will occur in the future?
- Senior and Middle Management: How have senior leaders, through their words and actions, encouraged or discouraged the type of misconduct in question? What specific actions have senior leaders and other stakeholders (e.g., business and operational managers, Finance, Procurement, Legal, Human Resources) taken to demonstrate their commitment to compliance, including their remediation efforts? What compliance expertise has been available on the board of directors?
- Autonomy and Resources: Have the compliance and relevant control functions had direct reporting lines to anyone on the board of directors? How have decisions been made about the allocation of personnel and resources for the compliance and relevant control functions in light of the company’s risk profile? How has the compliance function compared with other strategic functions in the company in terms of stature, compensation levels, rank/title, reporting line, resources and access to key decision-makers?
- Policies and Procedures: Has the company had policies and procedures that prohibited the misconduct? How has the company communicated the policies and procedures relevant to the misconduct to relevant employees and third parties? Who has been responsible for integrating policies and procedures? How have they been rolled out (e.g., do compliance personnel assess whether employees understand the policies)?
- Risk Assessment: What methodology has the company used to identify, analyze and address the particular risks it faced?
- Training and Communication: What training have employees in relevant control functions received? Has the company provided tailored training for high-risk and control employees that addressed the risks in the area where the misconduct occurred?
- Confidential Reporting and Investigation: How has the company collected, analyzed and used information from its reporting mechanisms? How has the company ensured that the investigations have been properly scoped, and were independent, objective, appropriately conducted and properly documented?
- Incentives and Disciplinary Measures: What disciplinary actions did the company take in response to the misconduct and when did they occur? Were managers held accountable for misconduct that occurred under their supervision? How has the company incentivized compliance and ethical behavior?
- Continuous Improvement, Periodic Testing and Review: Has the company reviewed and audited its compliance program in the area relating to the misconduct, including testing of relevant controls, collection and analysis of compliance data, and interviews of employees and third parties? How often has the company updated its risk assessments and reviewed its compliance policies, procedures and practices?
- Third-Party Management: How has the company’s third-party management process corresponded to the nature and level of the enterprise risk identified by the company? How has this process been integrated into the relevant procurement and vendor management processes? How has the company incentivized compliance and ethical behavior by third parties?
- Mergers and Acquisitions (M&A): How has the compliance function been integrated into the merger, acquisition and integration process? What has been the company’s process for tracking and remediating misconduct or misconduct risks identified during the due diligence process?
Although the Evaluation Guidance does not indicate that there are any “right” or “wrong” answers to such questions, the questions reveal some insight into the Fraud Section’s views on the components of an effective compliance program:
Integration. To be effective, a compliance program must be fully integrated into the operations of the company. The compliance function should not be siloed. Compliance policies and procedures should be effectively incorporated into a company’s financial systems and approval processes.
Culture. Senior management should set a clear and consistent message instilling a compliance culture in the business. Business leaders and other key stakeholders should demonstrate a shared commitment to promoting compliance, not only through words but through actions. The Evaluation Guidance focuses on “conduct at the top” and not merely on “tone at the top.”
Authority and Resources. The compliance function requires independence and adequate resources to be effective. The level of resources dedicated to compliance should be calibrated to the particular size, complexity and risks of the business.
Accountability. Alleged misconduct should be investigated appropriately and, when allegations are substantiated, those responsible, including managers, should be held accountable. In addition, incentives should be created for positive behavior. Notably, this focus on individual accountability is consistent with DOJ’s recent emphasis on investigating and prosecuting underlying individual wrongdoing in all corporate investigations, as set forth in the Yates Memorandum.
Concrete Action. A compliance program should be able to show tangible effects on the business. For example, the Evaluation Guidance asks for examples of “specific transactions or deals that were stopped, modified, or more closely examined as a result of compliance concerns.”
Dynamism. The Evaluation Guidance emphasizes continuous monitoring and enhancement. Risk assessments, testing and auditing should be performed regularly and adjustments to the compliance program should be made as a business grows or changes, for example through mergers and acquisitions, and as external risk factors develop and evolve.
Because the Fraud Section recognizes that each company’s risk profile, and the solutions it designs and implements to mitigate its risks, are different, the Evaluation Guidance eschews rigid formulae and makes clear that not all of the topics and questions will be relevant in all cases. While the questions offer helpful insight into DOJ’s evaluation of compliance programs, it is worth noting that many of the questions appear to be targeted at larger companies with significant resources. It will be interesting to see whether DOJ will apply the same set of questions to small- and medium-size companies, in light of its own prior statement in the Resource Guide that “small- and medium-size enterprises likely will have different compliance programs from large multi-national corporations.”
The Evaluation Guidance is a helpful resource to prepare companies under investigation for the inevitable questions they may be asked. But the list of topics and questions is also an equally useful tool for management and corporate boards of all companies to use proactively to evaluate the effectiveness of their compliance programs and identify opportunities for improvement.