On April 30, the Criminal Division of the U.S. Department of Justice (DOJ) released a new guidance document titled “The Evaluation of Corporate Compliance Programs,” which updates a prior version of the guidance first issued in February 2017 (previously analyzed here). The new guidance provides additional insights into how DOJ will assess the effectiveness of a company’s overall compliance program in an enforcement action, focusing on the program’s design, implementation and effectiveness.
Under DOJ’s Justice Manual (formerly called the U.S. Attorney’s Manual), federal prosecutors will consider several principles when investigating and deciding whether to charge corporate entities. These factors, commonly known as the Filip Factors, include two that focus on a company’s compliance program: (1) “the adequacy and effectiveness of the corporation’s compliance program at the time of the offense, as well as at the time of a charging decision,” and (2) the company’s remedial efforts “to implement an adequate and effective corporate compliance program or to improve an existing one.” The intent of the new guidance — which is a DOJ policy and not a binding law or regulation — is to provide more detail on how federal prosecutors will probe a company’s compliance program under these factors in the process of investigating and resolving an enforcement matter. More specifically, the guidance is intended “to assist prosecutors in making informed decisions as to whether, and to what extent, the corporation’s compliance program was effective at the time of the offense, and is effective at the time of a charging decision or resolution, for purposes of determining the appropriate (1) form of any resolution or prosecution; (2) monetary penalty, if any; and (3) compliance obligations contained in any corporate criminal resolution (e.g., monitorship or reporting obligations).”
The new guidance largely focuses on the same topics that the previous version had included as relevant in evaluating a corporate compliance program. Of note, however, the new guidance is twice the length of the February 2017 version and was compiled with input from across DOJ unlike the previous version, which was released by only the Criminal Division’s Fraud Section. Additionally, the new guidance is structured around three overarching questions that prosecutors are expected to ask in evaluating compliance programs:
- (1) Is the compliance program well designed? This part of the guidance discusses various hallmarks of a well-designed compliance program relating to risk assessment, written policies and procedures, training and communications, confidential reporting structure and investigation process, third-party management, and mergers and acquisitions.
- (2) Is the compliance program effectively implemented? The second part details features of effective implementation of a compliance program, including commitment by senior and middle management, autonomy and resources, and incentives and disciplinary measures.
- (3) Does the compliance program actually work in practice? This final part of the DOJ guidance discusses metrics of whether a compliance program is in fact operating effectively, exploring a program’s capacity for continuous improvement, periodic testing, review, investigation of misconduct, and analysis and remediation of underlying misconduct.
Because it provides general insight into the government’s expectations of how a corporate compliance program should operate in practice, the guidance has broader utility than just applying to ongoing enforcement actions, including for companies that have not presently identified a problem. Indeed, Assistant Attorney General Brian A. Benczkowski, who announced the updated guidance, explicitly stated in his announcement: “[A] company’s compliance program is the first line of defense that prevents the misconduct from happening in the first place. And if done right, it has the ability to keep the company off our radar screen entirely.” Companies should review the guidance and evaluate their compliance programs in light of it to ensure that they are prepared before a problem arises, including to prevent misconduct or, at minimum, detect it at an early stage.