On April 30, 2019, the U.S. Department of Justice’s Criminal Division (“DOJ”) released an updated version of its Evaluation of Corporate Compliance Programs, which provides guidance to prosecutors in how to evaluate a company’s compliance program in the context of a criminal investigation.  The 2019 document (“2019 Evaluation Guidance”) updates guidance that DOJ published in February 2017 (“2017 Compliance Questions”).
Many viewed the 2017 Compliance Questions, which built upon the Ten Hallmarks of Effective Compliance Programs outlined in 2012, as providing much-needed insight into the manner in which DOJ judged the effectiveness of corporate compliance programs, particularly in the context of an active investigation or enforcement cycle. For others, the 2017 guidance— - while useful— – raised a number of questions, as it did not cite to other DOJ guidance and failed to provide benchmarks or specific requirements. Consequently, companies were often left wondering about the legal foundation for the 2017 guidance, and whether federal prosecutors might see their programs as well-designed and effective.
DOJ’s stated goal in its recent update was to “better harmonize the guidance with other Department guidance and standards while providing additional context to the multifactor analysis of a company’s compliance program.”  DOJ also noted that the 2019 Evaluation Guidance was part of the Department’s effort “to help promote corporate behaviors that benefit the American public.” Notably, when the 2019 Evaluation Guidance was released, Assistant Attorney General Brian A. Benczkowski, the Head of DOJ’s Criminal Division, said in a speech that the update was intended to aid not only prosecutors, but also companies, giving them deeper insight into what the government will demand of compliance programs.
The announcement and publication of the 2019 Evaluation Guidance, while anticipated by many, came with no advance warning by DOJ, similarly to the February 2017 release. As such, the question remains: does the new guidance provide additional clarity or just increase confusion with regard to how federal prosecutors will evaluate corporate compliance programs?
Upon close review, our assessment is that DOJ’s efforts with the 2019 Evaluation Guidance are an important next step in providing clarity and a structure to understand how DOJ views an effective compliance program. Importantly, the 2019 Evaluation Guidance provides transparency to those in the business, legal, and compliance communities seeking to develop, implement, and maintain effective compliance programs that can both protect their companies and serve as an adequate defense should a problem occur.
I. 2012 FCPA Resource Guide (Updated in 2015)
DOJ’s first effort to define its expectations of corporate compliance programs was published in November 2012, as part of the FCPA Resource Guide, a joint publication with the U.S. Securities and Exchange Commission, laying out legal issues related to enforcement of the Foreign Corrupt Practices Act.  In the Resource Guide, DOJ explained in detail the importance of compliance and the primary areas considered by DOJ. In explaining how federal prosecutors evaluated corporate compliance at the time, DOJ provided details on the Ten Hallmarks of Effective Compliance Programs and cited guidance on compliance and international best practices.  DOJ’s distillation of these issues into the “Ten Hallmarks” was subsequently used by many companies to evaluate whether their compliance programs were effectively designed and sufficiently resourced. As we will explain below, DOJ repeated many of these original Ten Hallmarks in the 2017 Guidance and expanded them in the newly issued 2019 Evaluation Guidance.
II. 2017 Compliance Questions
The compliance questions released in February 2017 by the Fraud Section provided insight into how federal prosecutors evaluated the adequacy of a compliance program. DOJ did not offer a checklist or formula for an effective compliance program or dictate what would constitute an effective compliance program as part of appropriate remediation under the then-pilot FCPA Enforcement Plan and Guidance. However, the 2017 guidance did provide 119 “common questions that the [DOJ] may ask in making an individualized determination” regarding corporate compliance programs, including the importance of root cause analysis and the role of the board. Those questions were set forth in a series of eleven topics including, among others, risk assessment, training and communication, third-party management, and mergers and acquisitions.
These topics were consistent with the “Hallmarks of an Effective Compliance Program” as previously described in the FCPA Resource Guide, and the compliance community had long considered these areas as fundamental features of an effective compliance program. Nonetheless, DOJ’s publication of the topics and associated questions provided a roadmap for those seeking to develop, improve, and implement compliance initiatives, testing their effectiveness or anticipating potential criticisms from prosecutors.
III. 2019 Evaluation Guidance
The 2019 Evaluation Guidance, at 18 pages, expands on the original Hallmarks and sample questions and topics. It provides greater detail about what prosecutors (as well as business executives and compliance professionals) should consider when evaluating a compliance program, including with regard to training, investigations, and management commitment.
DOJ, once again, is not prescriptive and does not provide a checklist or formula to assess the effectiveness of a corporate compliance program. Rather, DOJ provides principles and “fundamental questions” upon which a prosecutor should base her evaluation of a company’s compliance program. DOJ’s rationale for its reluctance to provide a rigid formula is that the government must evaluate each corporate compliance program in the specific context of that company’s business, including its industry and size, geographic footprint, as well as the context of the particular criminal investigation. DOJ mandates that prosecutors make individualized determinations in their review of corporate compliance programs, and DOJ contends that requiring specific requirements would fail to recognize the complexity and heterogeneity of effective compliance programs. The 2019 Evaluation Guidance does, however, provide a valuable look into the “fundamental questions” considered by prosecutors:
A. Is the Program Well Designed?
According to the 2019 Evaluation Guidance, the first fundamental question that federal prosecutors should ask is whether the company’s compliance program is well designed. As such, Part I of the 2019 Evaluation Guidance “discusses various hallmarks of a well-designed compliance program relating to risk assessment, company policies and procedures, training and communications, confidential reporting structure and investigation process, third-party management, and mergers and acquisitions.” Much of the language and guidance in this section is familiar to long-time compliance professionals, but having DOJ spell out its thoughts on the components and development of a well-designed corporate compliance program is nonetheless helpful and will be critical to compliance professionals in companies looking for validation when advocating for change within their organization. Key areas of coverage include:
1. Risk Assessment
The 2019 Evaluation Guidance makes clear that the “starting point for whether a prosecutor’s evaluation of whether a company has a well-designed compliance program is to understand…how the company has identified, assessed and defined its risk profile.”  The updated guidance states that prosecutors will consider whether the company has analyzed risks presented by the “location of its operations, the industry sector, the competitiveness of the market, the regulatory landscape, potential clients and business partners, transactions with foreign governments, payments to foreign officials, use of third parties, gifts, travel and entertainment expenses, and charitable and political donations.” The updated guidance further notes that prosecutors will examine a company’s risk management process, risk-tailored resource allocation, and updates and revisions to its risk assessment and guidance documents.
2. Policies and Procedures
As expected, in the 2019 Evaluation Guidance, DOJ affirms its position that a “well-designed compliance program entails policies and procedures that…aim to reduce risks identified by the company as part of its risk assessment process.” Notably, the updated guidance provides a framework of five areas that federal prosecutors should consider in assessing the quality of a company’s policies and procedures, including: Design, Comprehensiveness, Accessibility, Responsibility for Operational Integration, and Gatekeepers. While these five focus areas have long been regarded as key to the drafting, implementation, and effectiveness of a compliance program, having DOJ confirm their importance is significant.
3.Training and Communications
The 2019 Evaluation Guidance notes that a “hallmark of a well-designed compliance program is appropriately tailored training and communications.”  It demands that prosecutors assess the company’s efforts to provide periodic training, whether the company provides training in a manner tailored to the company’s size and stature, whether employees are provided practical advice or case studies to address real-life scenarios, and whether the training covers prior compliance incidents. DOJ also provides four key focus areas for the evaluation of whether training is effective: Risk-Based Training, Form/Content/Effectiveness of Training, Communications about Misconduct, and Availability of Guidance.
4.Confidential Reporting and Investigation Process
The 2019 Evaluation Guidance asks prosecutors to determine whether a corporate compliance program has a “trusted mechanism by which employees can anonymously or confidentially report allegations of a breach of”  the company’s policies or suspected misconduct. The new guidance puts businesses on notice that DOJ will be evaluating the effectiveness of the company’s reporting mechanism, the company’s investigation response process, whether the company is conducting properly scoped investigations by qualified personnel, and the resources devoted to the program and tracking of results.
5. Third Party Management
DOJ’s updated guidance reinforces that companies should use a risk-based approach to due diligence on their third-party relationships. Moving forward, DOJ wants prosecutors to assess the extent to which companies have an “understanding of the qualifications and associations of third-party partners, including the agents, consultants, and distributors that are commonly used to conceal misconduct.”  The 2019 Evaluation Guidance sets forth considerations when DOJ assesses a company’s third party program: (1) does the company have risk-based and integrated processes, (2) does the company have in place appropriate controls, (3) how does the company manage its relationships, and (4) does the company commit to real actions and consequences with regard to third parties?
6. Mergers and Acquisitions
The 2019 Evaluation Guidance advises that a well-designed compliance program should “include comprehensive due diligence of acquisition targets.” It goes on to note that “flawed or incomplete due diligence can allow misconduct to continue at the target company.”  It asks DOJ prosecutors to strongly consider, in their evaluations of a company’s compliance program, whether the company is applying appropriate scrutiny to potential acquisitions.
B. Is the Program Effectively Implemented?
Part II of the 2019 Evaluation Guidance focuses on the effective implementation of corporate compliance programs. DOJ has been focused for some time on discouraging “paper programs,” advising prosecutors to focus on whether a program has been appropriately implemented. The 2019 Evaluation Guidance makes clear that a well-designed corporate compliance program can be “unsuccessful in practice if implementation is lax or ineffective.” The updated document lists three areas where prosecutors and businesses alike should focus:
1. Commitment by Senior and Middle Management
The updated guidance notes that an effective compliance program requires “a high-level commitment by company leadership to implement a culture of compliance at the top.” It adds that prosecutors should “examine the extent to which senior management have clearly articulated the company’s ethical standards, conveyed and disseminated them in clear and unambiguous terms, and demonstrated rigorous adherence by example.”  Notably, it also focuses on the role of middle management, highlighting the role of such employees in encouraging employees to abide by compliance standards.
2. Autonomy and Resources
The 2019 Evaluation Guidance demands that a comprehensive review of a compliance program also include an evaluation of the structure of the program and an assessment of whether those responsible for compliance have: (1) sufficient seniority; (2) sufficient resources; and (3) sufficient autonomy. DOJ acknowledges in the updated guidance that the sufficiency of each factor depends on the “size, structure, and risk profile of the particular company,” but notes that for a compliance program to be truly effective, the key personnel must be empowered within the company. Notably, the 2019 Evaluation Guidance places an emphasis on the role of the internal audit function, directing prosecutors to determine whether “internal audit functions [are] conducted at a level sufficient to ensure their independence and accuracy.” 
3. Incentives and Disciplinary Measures
The new guidance emphasizes the importance of a company’s commitment to implementing clear disciplinary procedures with regard to non-compliance and the enforcement of those procedures consistently across the organization. The 2019 Evaluation Guidance directs prosecutors to assess “the extent to which the company’s communications convey to its employees that unethical conduct will not be tolerated and will bring swift consequences, regardless of the position or title of the employee who engages in the conduct.”  Incentives for compliance and disincentives for non-compliance are critical.
C. Does the Compliance Program Actually Work in Practice?
Lastly, Part III of the 2019 Evaluation Guidance asks that prosecutors, in evaluating a corporate compliance program, determine whether the compliance program works “in practice.” Specifically, this section of the updated guidance focuses on whether, at the time of the misconduct that led to the criminal investigation, the company had a compliance program in place that was working effectively.
Notably, DOJ recognizes here that “the existence of misconduct does not, by itself, mean that a compliance program did not work or was ineffective at the time of the offense.”  The guidance asks that prosecutors, in assessing whether the compliance program was effective at the time of the offense, consider whether and how the misconduct was detected, what investigation resources were in place to investigate suspected misconduct, and the nature and thoroughness of the company’s remedial efforts. In making this determination, DOJ looks at the following:
1. Continuous Improvement, Periodic Testing, and Review
In determining whether compliance programs work in practice, the 2019 Evaluation Guidance asks that prosecutors (and the business community) assess whether companies are engaging in meaningful efforts to review compliance programs to “ensure that [they are] not stale.” It suggests that companies should be actively gauging their compliance culture via survey, evaluating the strength of their controls, and conducting periodic audits to ensure that controls are functioning effectively. Moreover, the guidance notes that prosecutors may reward efforts to promote improvement and sustainability.
2. Investigation of Misconduct
DOJ also reiterates the importance of a functioning, well-funded mechanism for the timely investigation of allegations of misconduct. The updated guidance sends a strong message that an effective compliance program will have a robust investigations function and notes that an effective investigation structure will have an “established means of documenting the company’s response, including any disciplinary or remediation measures taken” and analyzing results for patterns or compliance gaps. 
3. Analysis and Remediation of Any Underlying Misconduct
The 2019 Evaluation Guidance ends by emphasizing that a company with an effective compliance program will be able to “conduct a thoughtful root cause analysis of misconduct,” and be able to “timely and appropriately remediate to address root causes.”  Prosecutors are advised to ask the questions—“What is the company’s root cause analysis of the misconduct? Were there prior opportunities to detect misconduct? What controls failed?”
Where there is identified misconduct, prosecutors will consider, among other factors, the extent and pervasiveness of the criminal misconduct, the number and level of corporate employees involved, and any remedial actions taken by the company. 
IV. Key Takeaways
As noted previously, our assessment is that with the 2019 Evaluation Guidance, DOJ has improved its previous statements with regard to the evaluation of corporate compliance programs. While 2012’s Ten Hallmarks of Effective Compliance Programs and 2017’s Compliance Questions have been useful tools since their publication, we have observed five improvements and key takeaways in DOJ’s most recent edition:
The 2019 Evaluation Guidance, as promised in DOJ’s press release and associated speeches by key figures at the agency, provides additional detail with regard to what DOJ expects in a well-designed compliance program. In each of the three areas of the updated guidance, DOJ has bolstered its descriptions and discussion of the requirements for an effective corporate compliance program and grounded its analysis in the legal foundations of other DOJ guidance. Companies will be better served by understanding the legal principles upon which DOJ is providing the guidance.
The language of the 2019 Evaluation Guidance provides evidence that DOJ is becoming, and expects the compliance, legal, and business community to become, more sophisticated with regard to the nuances of compliance programs and the use of data and data analytics, including significant discussion with regard to the collection, tracking, measurement, and analysis of data. Companies should recognize the shift in emphasis and invest appropriately in designing programs capable of measurement.
The updated document is designed to be understood not only by those deeply invested and experienced in compliance culture, but also by the typical prosecutor— – or business person— – seeking to gain a basic understanding of the fundamental components of an effective compliance apparatus.
DOJ’s use of the three overarching questions to organize its evaluation of compliance programs will be extremely helpful for companies trying to identify the next steps to improve their programs. Moving forward, compliance professionals and business executives will be able to better develop and enhance, in a targeted fashion, compliance programs that are well-designed, implemented effectively, and work in practice, guided by those basic questions and the numerous categories within each of the basic questions.
For many of those in the legal and compliance communities that are close observers of the guidance published by the DOJ’s Criminal Division, the publication of the 2019 Evaluation Guidance came as a welcome surprise in the midst of an ongoing dialogue between the compliance, legal, and enforcement communities about the need for further explanations from DOJ. While it was designed for prosecutors who may not have a compliance background, the more detailed and thoughtful analysis will be useful for companies searching for ways to use limited compliance resources efficiently. It remains to be seen how much of an impact the publication of this guidance will have on a prosecutor’s discretion and in the negotiations over what is, and is not, a fair resolution of a given matter. Nevertheless, the additional language and context provided by DOJ puts businesses on notice once again of the importance of implementing a well-designed, effective, and appropriate resourced compliance program.
V. Questions Outstanding
Despite the benefits of this new guidance, DOJ has left some key questions unanswered:
- First, DOJ has indicated it would not replace the Compliance Counsel position that had previously been focused on corporate compliance initiatives and remediation analysis for prosecutors in the Fraud Section. Instead, DOJ noted that it would invest more in compliance training for its prosecutors, and seek to hire new prosecutors with compliance backgrounds.  The compliance and business community could benefit from further transparency on DOJ’s initiative and how prosecutors will be informed about the nuances of complex compliance programs, which they will be evaluating based on the guidance.
- Second, this guidance places new emphasis on companies’ management and assessment of the effectiveness of their compliance programs. While that emphasis is no doubt important and well-placed, DOJ does not offer any practical guidance as to how companies might in fact demonstrate such effectiveness. In our experience, assessing effectiveness is not a straightforward exercise for most companies, and only the most sophisticated companies have robust and reliable metrics that defensibly measure such effectiveness, especially when subject to inquiries at the end of a complex criminal investigation. Further updates from DOJ on how they will be evaluating effectiveness would be especially appreciated.
No doubt, the publication of this guidance will spawn useful additional discussion in the compliance legal and enforcement community intimately involved in these issues, resulting in ever-more calls for additional guidance from DOJ in the years to come.