On April 30, 2019, the DOJ's Criminal Division published an updated Evaluation of Corporate Compliance Programs Guidance Document (“the Guidance”) for prosecutors to use in evaluating corporate compliance programs. This is an evolution from the Fraud Section's February 2017 guidance on the same topic and is broader and more detailed. Notably, the updated Guidance did not remove substantive context from the 2017 guidance, but rather, clarified, reorganized, and supplemented the guidance. Critically, it now applies to the entire Criminal Division—not just the Fraud Section, and demonstrates the significance that the DOJ places on corporate compliance programs.
In building on the prior guidance, this updated version organizes the topics identified in 2017 into a framework grounded in three fundamental questions that prosecutors must ask:
- “Is the corporation’s compliance program well designed?”
- “Is the program being applied earnestly and in good faith?” In other words, is the program being implemented effectively?
- “Does the corporation’s compliance program work” in practice?
The Guidance stipulates that prosecutors should consider these questions at three points in time: the time of misconduct, the time of a charging decision, and the time of a resolution.
By adding this framework, and contextual information addressing the relevance of each question and subtopic, the new Guidance reinforces a clear message. Compliance programs ought to be risk-based, tailored and subject to regular evaluation and evolution because prosecutors will assess them on an ongoing basis.
Practitioners familiar with the DOJ’s enforcement practices will already be familiar with that general message. However, looking past the reorganization, the new Guidance goes further to provide new insight into the considerations prosecutors must weigh when evaluating each element of a compliance program. A comparison of topics appearing in both the 2017 and 2019 Guidance documents, and the new contextual notes introducing those topics, shows that the 2019 Guidance contains a far clearer view into the DOJ’s current approach to corporate compliance. As discussed further below, the new Guidance is therefore important not only for defending companies under federal investigation, but also for corporate compliance and legal professionals designing, implementing, and benchmarking their own compliance programs. The new Guidance allows such professionals to ask the same fundamental questions prosecutors will ask, providing much more clarity as to current best practices.
I. Compliance Program Design
The Guidance stipulates that the design of a compliance program should include zero tolerance for misconduct, clear policies and procedures, appropriate responsibility allocations, training programs, and incentive and discipline structures. Each aspect of program design must be risk-tailored to the company’s individualized situation and adequately attentive to high-risk areas, rather than overly focused on low-hanging fruit. For example, “[a] well-designed compliance program should include comprehensive due diligence of any acquisition targets,” specifically in the pre-acquisition context.
Accordingly, the Guidance appears to reflect the practical focus seen in other recent DOJ announcements and emphasize that compliance programs should not be “one-size-fits-all.” Companies must conduct regular tracking and review of their compliance issues and implement changes to their programs based on the lessons learned. Moreover, the Guidance shows a clear expectation that compliance programs should be understandable to all employees, and lived out in practice.
To determine whether a company has appropriately tailored each aspect of its compliance program, the Guidance instructs prosecutors to consider relevant topics that appeared in the 2017 guidance. Key updates to those topics show that the evaluation of program design is now a more comprehensive analysis, much less rooted in whether the misconduct violated any existing policies or procedures. Prosecutors will now focus on the practical impact of policies and procedures, particularly with respect to third-party due diligence and management.
The key takeaways are summarized in the below charts; these charts reflect noteworthy additions to the updated Guidance, but do not provide a comprehensive summary of all changes from the 2017 guidance to the 2019 Guidance.
II. Compliance Program Implementation
The Guidance continues to emphasize the need not only for companies to have well-designed compliance programs, but also to ensure that those compliance programs are successful in practice, rather than being mere “paper programs.” Although the DOJ recognizes that what “effective implementation” means depends “on the size, structure, and risk profile of the particular company,” companies must always empower compliance personnel with the autonomy and resources to act with authority and independence. In designing an effective compliance program, companies should ensure that senior and middle management lead by example and communicate expectations surrounding compliance unambiguously. Finally, the Guidance continues to stress the need for companies to implement effective incentives and disciplinary measures, but recognizes that a one-size-fits-all approach is not appropriate in determining whether a deterrent- or incentive-based program better serves a given company. Key updates demonstrate a more searching evaluation of a company’s rationale driving the organization, implementation, and execution of all stages of its compliance program.
III. Does the Compliance Program Work in Practice?
The Guidance emphasizes that the mere occurrence of misconduct does not necessarily mean that a company’s compliance program was ineffective. However, the Guidance also acknowledges that effective identification of misconduct that allows the company to remediate and self-report will serve as a strong indicator of an effective compliance program. Prosecutors will analyze how a company detected, investigated, and remediated the misconduct in determining whether a compliance program was effective at the time of the misconduct.
In determining whether a company’s compliance program is effective at the time of a resolution, the Guidance emphasizes the importance of evaluating whether a company has continuously improved its compliance program in response to changing risks to “ensure it is not stale.” The Guidance continues to focus on whether the company undertook an “honest root causes analysis” to determine what led to the misconduct at issue and how to prevent such misconduct going forward.
Critically, the Guidance also includes a new topic assessing whether the company has a well-functioning and appropriately resourced mechanism for thorough and timely investigations into allegations of misconduct and other compliance concerns. This is separate from the consideration of investigative mechanisms relevant to compliance program design. These factors emphasize the continued need for a company to test its program through benchmarking and data analysis.
1. Compliance Must Be Continuous, for Companies of All Sizes
The Guidance emphasizes both that prosecutors evaluate compliance programs on an ongoing basis, and that ongoing compliance efforts are fundamental to the design, implementation and functioning of a compliance program. This two-pronged point is applicable even to small companies. The DOJ appreciates that the nature and frequency of a company’s evaluation of its current compliance program with an eye towards improvement “may depend on the company’s size and complexity,” but it appears unwilling to view compliance resources as an excuse for having a stale program in place.
2. Risk-Tailoring Must Be Realistic
The new Guidance significantly expands upon the importance of risk-tailored allocation of compliance resources. In particular, it cautions against devoting too many resources to what, for the particular company, are low risk issues, Notabely, “[p]rosecutors may credit the quality and effectiveness of a risk-based compliance program that devotes appropriate attention and resources to high-risk transactions, even if it fails to prevent an infraction in a low-risk area.”
3. Regular Review of Investigative Records to Identify Compliance Gaps May Be Appropriate
The new Guidance strongly confirms that information and metrics should inform all aspects of a company’s compliance program. Whereas this common-sense expectation was evident in the 2017 topic addressing risk assessment, the new Guidance reiterates it throughout. Most clearly, the new Guidance asks whether companies collect, track, and analyze information from internal reporting and investigative mechanisms, as well as whether they regularly rely on that information to identify system vulnerabilities, accountability lapses, and other potential compliance gaps for improvement.
Though not framed as a checklist or formula for compliance, the new framework adds to the DOJ’s previous compliance guidance and provides companies and their advisors with valuable insight into the DOJ’s current view of best practices. The Guidance is further evidence of the increasing importance of compliance programs to both charging and sanctions decisions. Fundamentally, the Guidance demonstrates that the DOJ expects ongoing forward progress towards more effective compliance programs. Companies will need to consider seriously whether the new Guidance will impact the way that they approach the design, implementation, monitoring, and enforcement of their compliance programs.