Since the Department of Justice’s (“DOJ”) announcement of its new compliance counsel expert in November 2015, many have been waiting patiently for additional insight into the DOJ’s emphasis on corporate compliance programs. In April 2016, the DOJ issued its Federal Corrupt Practices Act Pilot Program, again highlighting its intense focus on effective compliance programs by focusing on remediation as a factor to avoid prosecution. The Pilot Program provided criteria of an effective compliance and ethics program that would be considered during an investigation, setting benchmarks against which a company’s program would be assessed. Last week the DOJ provided more information in its “Evaluation of Corporate Compliance Programs,” revealing critical insight about how the DOJ’s Fraud Section may evaluate a corporate compliance program during an investigation.
On Nov. 3, 2015, the Fraud Section retained Hui Chen as its full-time compliance expert, reporting to Andrew Weissmann, the Chief of the Fraud Section, and Dan Braun, the Acting Chief of the Strategy, Policy, and Training Unit in the Fraud Section. Ms. Chen’s duties include, among other things, providing expert guidance to Fraud Section prosecutors as they consider the enumerated factors in the United States Attorneys’ Manual (“USAM”) concerning the prosecution of business entities, assisting prosecutors in developing appropriate benchmarks for evaluating corporate compliance and remediation measures, and assisting prosecutors and monitors in evaluating whether the implementation of such measures is effective. In an interview in February 2016, Ms. Chen stated that she was focused on contributing to the DOJ’s vision of bringing corporate compliance to a different level “in a way where companies understand that before the Department of Justice, there is an expectation that corporate compliance programs will demonstrate tangible and operational shared commitment from the leadership and all stakeholders.”
With this expectation of “shared commitment” in mind, the DOJ’s new guidance in its Evaluation of Corporate Compliance Programs provides important areas of focus and sample questions the Fraud Section has frequently found relevant in evaluating a corporate compliance program. Before reaching these common questions, however, the Evaluation of Corporate Compliance Programs warns that the Fraud Section does not use any rigid formula to assess the effectiveness of corporate compliance programs. Rather, individualized determinations are necessary because different companies face different risks, and risk reduction solutions that work for one company may not work for another. The DOJ will evaluate a company’s compliance program within the specific context of the criminal investigation. The topics and questions provided are intended to “form neither a checklist nor a formula.” Some topics and questions may be more salient, and not all will be relevant in a particular case. The new guidance draws from existing resources, both domestic and international, including the USAM; the United States Sentencing Guidelines; the DOJ and Securities and Exchange Commission’s FCPA Resource Guide; the Good Practice Guidance on Internal Controls, Ethics, and Compliance adopted by the Organization for Economic Cooperation and Development (“OECD”) Council; and the Anti-Corruption Ethics and Compliance Handbook for Business published by the OECD, United Nations Office on Drugs and Crime, and the World Bank.
The Evaluation of Corporate Compliance Programs is broken down into 11 categories:
- Analysis and Remediation of Underlying Misconduct
- Senior and Middle Management
- Autonomy and Resources
- Policies and Procedures
  - a. Design and Accessibility
  - b. Operational Integration
- Risk Assessment
- Training and Communications
- Confidential Reporting and Investigation
- Incentives and Disciplinary Measures
- Continuous Improvement, Periodic Testing and Review
- Third Party Management
- Mergers and Acquisitions (M&A)
Each category includes a list of questions the DOJ may consider when evaluating a company’s compliance program. An important concept underlying these questions is whether the company has created sufficient opportunities for misconduct to be identified, as well as an effective remediation protocol that permits the company to address the “root causes” of the misconduct. Thus, both generally and within the specific context of the criminal investigation that triggered the DOJ’s investigation, the prosecutor may be particularly interested in whether the corporate compliance program is designed to empower and hear a whistleblower; whether there are adequate reporting mechanisms to collect, analyze and use the reported information to identify root causes, system vulnerabilities and accounting lapses; and whether the findings will reach the company’s senior management and result in trainings and communications to prevent future misconduct. While many of these concepts are not necessarily novel by themselves, the new guidance provides insight into the DOJ’s position on the elements necessary for an effective compliance program and can be an invaluable tool for those in the business of designing, evaluating or perhaps defending corporate compliance programs.
This new guidance from the DOJ comes at a time when all eyes are closely watching the new administration to see if the new leadership at the DOJ will yield significant changes in the DOJ’s priorities. The release of this information at this time, without a formal press release or comment from the DOJ, could indicate business as usual under the new administration, though it might be too soon to tell. What is certain from this guidance is that the DOJ does not seem to be moving away from its efforts to thoroughly evaluate compliance programs during corporate investigations.
Companies now have a physical list of topics and questions to review in their efforts to design and continue to improve their compliance programs. Proactive companies should take this opportunity to consult with experienced counsel and use the DOJ’s new guidance to reevaluate their compliance programs to ensure they are effective in detecting and preventing misconduct. By making immediate improvements to their compliance program, companies can take steps to prevent future violations, and at the end of an investigation, the company can demonstrate a track record of having an effective program that is working to prevent violations.
In reevaluating compliance programs in light of the new guidance from the DOJ, companies should be sure to focus on the following:
- The conduct and oversight of senior leadership, including concrete actions to demonstrate the company’s compliance and remediation efforts.
- The content and effectiveness of training programs, including the availability of resources to employees seeking guidance on the corporate compliance policy.
- The availability of funding, resources, experienced personnel, and appropriate autonomy for compliance officers and the program.
- The effectiveness of the risk assessment process, including methods and metrics for information gathering and analysis, as well as the effectiveness of the reporting mechanisms through which the company may assess allegations of misconduct.
- The methods for internal audits, control testing and continuing review of compliance policies, procedures and practices.