Earlier this month, the Fraud Section of the US Department of Justice (DOJ) published its Evaluation of Corporate Compliance Programs (Evaluation Guidance).[1] Although issued without fanfare,[2] the Evaluation Guidance represents the latest in a series of important communications by the Fraud Section outlining the DOJ’s expectations for effective corporate compliance programs. The document includes 11 key compliance program evaluation topics, with a corresponding set of “common questions” that the DOJ considers relevant in assessing compliance programs within the context of a criminal investigation.[3]

As the Evaluation Guidance acknowledges, many of the topics it covers are not novel and have been expressed previously in policy statements made by the US Government and other sources.[4] Importantly, however, it is the most recent public statement by the Fraud Section demonstrating the increased sophistication of the DOJ’s compliance expertise, which commenced with the hiring of Ms. Hui Chen as dedicated compliance counsel in late 2015[5] and has since been dubbed the “Compliance Initiative.”[6]

While the Evaluation Guidance does not necessarily break new ground, it advances the DOJ’s oft-stated commitment to periodically delivering meaningful guidelines for companies with respect to its expectations for effective compliance programs. With its emphasis on specific topics and explicit program assessment questions, the Evaluation Guidance expands upon the valuable compliance program information contained in both Step 3 of the FCPA Pilot Program[7] and the section entitled “Hallmarks of Effective Compliance Programs” in A Resource Guide to the US Foreign Corrupt Practices Act.[8] To date, it represents the most universally applicable and clearly articulated statement of the Fraud Section’s primary focus areas when determining the efficacy of corporate compliance programs.

For these reasons, the Evaluation Guidance will serve as a welcome articulation of compliance program “ground rules” for companies before the Fraud Section as the subject of a federal investigation or prosecution. Likewise, it provides an instrumental checklist for all corporations designing, enhancing, or implementing compliance programs with an eye towards more clearly understanding the DOJ’s expectations.

Overview of Topic Areas

The Fraud Section acknowledges that it cannot effectively assess every company’s compliance program by mechanically applying a template checklist or formula. Instead, its determination of the sufficiency of each program involves an individual analysis considering, among other things, each company’s unique risk profile. With this caveat, the Evaluation Guidance sets out the following 11 “important” program review topics and, within each, “common questions” that are frequently relevant in program evaluations:[9]

1. Analysis and Remediation of Underlying Misconduct

The questions here are aimed at determining the root cause of the misconduct subject to prosecution and identifying any early signs that should have put the company on notice of possible misconduct, as well as any remediation measures implemented by the company after discovering the misconduct.

2. Senior and Middle Management

These questions focus on management’s actions and statements demonstrating their leadership efforts in the company’s compliance and remediation efforts. The Fraud Section also indicates here that it expects companies to provide examples of the collaborative efforts between senior leaders and other stakeholders in a “shared commitment” to promote compliance.

3. Autonomy and Resources

Inquiries included in this topic area seek to illuminate how independent, experienced, qualified, and well-funded a company’s compliance function is.

4. Policies and Procedures (a. Design and Accessibility; b. Operational Integration)

These questions emphasize the importance of adopting effective compliance policies and procedures and integrating them into the existing operational framework. Specific questions ask the company to identify the employee responsible for integrating corporate compliance policies and to reveal any other positions or departments consulted during this process.

5. Risk Assessment

This topic incorporates questions targeting the company’s risk management process, including its procedures for regularly identifying industry, geographic, and other company-specific risks, and effectively addressing these risks through the compliance program.

6. Training and Communications

The questions here relate to employee training programs and their effectiveness, as well as senior management communications to employees made in response to misconduct. Certain inquiries explore whether companies provide customized training to higher-risk employees and what analysis is undertaken to determine who should be trained and on what subjects. This topic also includes questions about the resources available to employees to obtain guidance on compliance concerns.

7. Confidential Reporting and Investigation

The inquiries under this topic area focus on the mechanisms available for company employees to report potential misconduct, the company’s procedure for investigating reported issues, and how precisely a company responds to investigative findings. The Fraud Section is also seeking to learn here whether internal investigations are properly staffed and scoped.

8. Incentives and Disciplinary Measures

These questions seek responses about policies used to incentivize employees on compliance and ethical behavior and the disciplinary actions employed by companies to address compliance failures (e.g., withholding bonuses or promotions, warning letters, termination). The questions indicate that the Fraud Section commonly inquires about fairness and consistency in disciplinary decisions.

9. Continuous Improvement, Periodic Testing and Review

Here, the Fraud Section seeks to understand the type and frequency of internal audits, testing, and monitoring leveraged by companies to ensure that compliance programs are being followed, are effective, and are regularly enhanced as issues or weaknesses are identified in the program.

10. Third Party Management

This topic explores the company’s procedures around the engagement, screening, monitoring, and management of third parties based on risk profile and any attendant red flags. The DOJ is also looking to determine here whether relationship managers are trained on third-party compliance risks. Key questions are designed to test whether mechanisms are in place to ensure that work by third parties is actually performed and whether compensation is commensurate with the services rendered.

11. Mergers and Acquisitions

This section includes questions about policies and procedures related to identifying compliance risks in merger and acquisition transactions, as well as the compliance function’s involvement in the due diligence and compliance program integration processes.

Key Highlights 

While the general framework of the Evaluation Guidance is consistent with prior statements by the Fraud Section on effective compliance programs, the new release provides more nuanced direction on the granularity with which the DOJ assesses how companies implement compliance programs. It spotlights the factors considered by the DOJ in examining the design and day-to-day application of a company’s program, and emphasizes the Fraud Section’s focus on gauging a company’s commitment to implementing a program that meaningfully integrates compliance into the fabric of its leadership and operations.

For example, the DOJ addresses, in detail, the type of misconduct remediation it expects a company to undertake, with good insight on how the Fraud Section believes a company should respond to internal reviews and investigations.[10] Specifically referencing the notion of a “root cause analysis,” the Evaluation Guidance underscores the importance of identifying the systemic issues that allowed any underlying misconduct to occur and asks who in the company was involved in such analysis. The document also focuses on whether there were prior opportunities to detect the misconduct and, importantly, a company’s “analysis of why such opportunities were missed.” It similarly includes a question about the specific remediation implemented to address issues identified in the root cause and missed opportunity analysis.[11]

With respect to a company’s commitment to implementing effective compliance, the Evaluation Guidance also provides details (within the context of probing questions) about the program leadership and resourcing characteristics the DOJ expects to see in an effective compliance program.[12] Of particular note is the document’s somewhat novel reference to “conduct at the top,” as opposed to the more common phrase, “tone at the top,” suggesting increased attention on whether the actions and decisions of company leadership reflect a sincere commitment to effective compliance.[13]

The Evaluation Guidance also includes “sample” questions on how a company monitors its senior leadership’s behavior, how senior leadership has “modelled proper behavior to subordinates,” and what “specific actions” senior leaders and managers, including business and operational managers, have taken to “demonstrate their commitment to compliance, including their remediation efforts.”[14] With respect to board oversight, the Evaluation Guidance asks whether members have held “executive or private sessions with the compliance and control functions” and what type of information board members and senior management examined in their exercise of oversight in the areas where misconduct occurred.[15]

Another key highlight of the Evaluation Guidance relates to the autonomy and resources provided to compliance personnel. For instance, the document includes questions addressing whether compliance personnel were involved in training and decisions relevant to the misconduct at issue, and whether compliance raised a concern in the area where the misconduct occurred.[16] It also inquires into the compensation, rank, title, and reporting lines for compliance workers, along with their “access to key decision-makers” and the role compliance plays in “strategic and operational decisions.”[17]

The Evaluation Guidance also covers how decisions are made “about the allocation of personnel and resources” for compliance, including whether any requests for resources have been denied and the basis for such a decision.[18] Regarding “empowerment” of compliance personnel, the Evaluation Guidance asks whether there have been “specific transactions or deals that were stopped, modified, or more closely examined as a result of compliance concerns.”[19]

Lastly, the Evaluation Guidance spotlights the area of “Operational Integration,” including detailed lines of inquiry in the “Policies and Procedures” topic area relating to how compliance policies and procedures are effectively assimilated into a company’s payments systems, approval processes, and controls matrix.[20]

Conclusion: Aligning Best Practices 

Although written in the context of the US Government’s evaluation of compliance programs for the purpose of determining an appropriate resolution in criminal investigations, the Evaluation Guidance provides helpful compliance program guidance and benchmarking for companies looking to design, enhance, and implement strong programs, even without the specter of an active US enforcement action.

In our experience, the Fraud Section’s careful pairing of key program assessment topic areas with customized questions in the Evaluation Guidance provides a window into compliance best practices both in the United States and globally, across the increasing number of jurisdictions for which the enforcement of corporate criminal matters has become a priority for regulators. Indeed, Baker & McKenzie employs a very similar organizational structure when assessing, designing, enhancing, and defending compliance programs across the globe, as embodied in our Five Essential Elements of Corporate Compliance.[21]

The unique topic-and-question format of the Evaluation Guidance represents the next logical step by the Fraud Section in its efforts to guide companies seeking to design and implement unique, customized, and risk-profile-based programs in conformity with the expectations of the DOJ. The prevailing message from the Evaluation Guidance, however, is that companies themselves must take ownership of their programs, adequately resource them, properly tailor and integrate them into their business, and regularly update and enhance them. The Fraud Section is becoming increasingly refined in its ability to evaluate compliance programs and test whether the programs are functioning as expected. We expect this trend to continue.