On April 30, 2019, Brian A. Benczkowski, the assistant attorney general for the Criminal Division of the United States Department of Justice, announced the release of an updated version of the Criminal Division’s guidance for the Evaluation of Corporate Compliance Programs. This document is intended “to assist prosecutors in making informed decisions” in corporate investigations relevant to “determining the appropriate (1) form of any resolution or prosecution; (2) monetary penalty, if any; and (3) compliance obligations contained in any corporate criminal resolution,” including monitorships and/or reporting obligations. It does this by listing “sample topics and questions” on a variety of issues within corporate compliance that prosecutors should use to evaluate a corporation’s compliance program, although the document is “neither a checklist nor a formula.” Corporations, too, may want to take a fresh look at their compliance programs in light of this new guidance.
The DOJ last issued guidance on corporate compliance in February 2017. The April 2019 guidance expands upon and reorganizes this guidance in several important ways.
First, the guidance is now organized around three “fundamental questions” that a prosecutor should ask when evaluating corporate compliance:
- Is the corporation’s compliance program well designed?
- Is the program being applied earnestly and in good faith? In other words, is the program being implemented effectively?
- Does the corporation’s compliance program work in practice?
The first question examines the program’s attention to risk assessment, policies and procedures, training and communications, confidential reporting and investigation of these reports, potential third-party misconduct, and potential misconduct within targets of mergers and acquisitions.
The second question looks at whether senior and middle management are committed to compliance, the program’s autonomy and resources, and incentives and disciplinary measures.
The third question focuses on continuous improvement, testing and review of the program; the investigation of misconduct; and the company’s efforts to analyze and remediate misconduct.
Aside from reorganization, the April 2019 guidance also expands on several of the topics that were not covered as thoroughly in the 2017 version.
On the subject of risk management, prosecutors will now look at whether a company’s compliance program prioritizes policing and examining high-risk areas and transactions such as “questionable payments to third-party consultants” or “suspicious trading activity,” or else devotes “a disproportionate amount of time to policing low-risk areas” such as hospitality and entertainment.
The updated guidance also pays additional attention to the structure of a company’s compliance function: whether it is independent or housed in the legal department or a business department, to whom the compliance officers report, and whether compliance officers also have other functions within the company.
Finally, several additions to the guidance emphasize measuring and analyzing past performance and thereafter making adjustments to the compliance program. For example, the guidance on risk management now asks whether the risk assessment process is “current and subject to periodic review” and accounts for “risks discovered through misconduct or other problems with the compliance program.” Likewise, the guidance asks whether compliance policies and procedures deal with “changes to the legal and regulatory landscape.” Finally, the guidance asks whether companies track and analyze patterns in anonymous reporting of misconduct to identify weaknesses in their compliance programs.
From the new additions to the April 2019 guidance and the document as a whole, several themes emerge:
Learning from your past mistakes. The new guidance repeatedly emphasizes learning from past misconduct and compliance program failures. In addition to the new sections discussed above, prosecutors will look at:
- Whether compliance training addresses types of misconduct that have already occurred
- Whether companies track misconduct from third parties and cease doing business with them
- Whether and how companies review the performance of the compliance function itself
- Whether companies use past instances of misconduct to identify and fix root causes of that misconduct
Being able to defend your decisions. The guidance also asks prosecutors to look at a company’s rationale for making particular choices with respect to compliance, including:
- Whether the company can justify its decision to offer compliance training online versus in person
- The business rationale for using third parties that later became involved in misconduct
- Whether the company can justify its decisions with respect to the structure of the compliance department, such as deciding whether the department is independent or contained within another department
- Why the company may have treated two similar cases of misconduct differently
- The rationale behind a company’s decision to undertake internal audits
Communication and the flow of information. Finally, several topics within the guidance focus on the way information about compliance and misconduct is communicated within a company, including:
- Whether guidance relating to compliance policies has been made readily available to the company’s employees
- Whether anonymous complaints are routed effectively to the proper personnel
- Whether the company seeks feedback from all levels of employees to determine whether they perceive that management is committed to compliance
The DOJ will look favorably upon a company’s compliance program where, among other things, the company learns from its mistakes, can defend its structural decisions, is using and collecting data in a manner designed to enhance the program, and effectively communicates and processes relevant information. Going forward, corporations would do well to keep this new guidance in mind, both to prevent misconduct and to ensure that prosecutors appreciate their compliance efforts in case misconduct does, despite their best efforts, occur.