On May 1, 2019, the Criminal Division of the U.S. Department of Justice (DOJ) released updated guidance for prosecutors to utilize in assessing whether an organization had in place “an adequate and effective corporate compliance program.”

The guidance is meant to help DOJ prosecutors during a criminal investigation assess the effectiveness of a company’s compliance program when determining the type of remedial action the company should take and assessing fines. Such insight into how a prosecutor will evaluate an employer for potential prosecution and penalties for possible misconduct can assist companies in determining whether their compliance program would stand up to such scrutiny.

The guidance document emphasizes that each investigation is handled individually to account for corporations’ differing risk profiles, but the DOJ guidance sets forth three main questions for prosecutors to consider during a criminal investigation:

1. Was there a well-designed compliance program?

2. Was the compliance program effectively implemented?

3. Did the compliance program work as intended?

Question 1: Was there a well-designed compliance program?

The DOJ lists multiple considerations to help prosecutors determine whether a corporate compliance program is well-designed. The first factor is whether the company has undertaken an accurate and thorough risk assessment. Prosecutors are advised to consider whether corporations use appropriate methodology to identify and detect risks that are likely to occur in their particular industry or business. DOJ prosecutors are advised to look for appropriate resource allocation based on the amount of risk faced in various areas and whether these risks were periodically reviewed and updated.

The next two factors deal with policies, training, and communication surrounding compliance. Prosecutors are asked to assess whether policies were sufficiently strong to encourage a culture of compliance and responsibility. The training and communications surrounding these policies also need to be strong and well-tailored to the risks and situations employees are likely to face to show compliance.

The guidance next focuses on a company’s reporting process and procedures. The reporting process needs to emphasize disclosure of suspected misconduct and dissuade any fear of retaliation. There is also a focus on confidential reporting options, stating “[c]onfidential reporting mechanisms are highly probative” that a company has a process that will detect and deter wrongdoing. The guidance stresses the need for qualified personnel to assess any reports to determine which merit further investigation or action. These intake personnel should also be cautious that any further steps are properly “scoped” to determine whether a larger investigation should be undertaken.

The last two matters considered under this first question both zero in on corporate interactions with other actors, like third-party partners or targets of acquisition. Third parties like agents, consultants, and distributors must be included in a thorough risk assessment to understand where added dangers may lurk in such representative dealings. Similarly, during a merger or acquisition process, corporations need to undertake due diligence on potential acquisitions to uncover any corruption or misconduct within the target company.

Question 2: Was the Compliance Program Effectively Implemented?

Corporate compliance prosecutors are instructed to investigate whether a company’s compliance program is a “paper program” only or whether it is appropriately implemented and staffed. Specifically, prosecutors are directed to look for evidence of three distinct measures of proper implementation. First, the DOJ emphasizes that upper and middle management should set the appropriate tone for the company, which serves as evidence of a corporate culture that will foster compliance and reporting. Prosecutors will look at communications, training, and reinforcement of compliance policies to see whether leadership has encouraged appropriate compliance with their words and actions. Prosecutors are also checking to see that appropriate oversight is in place, including some level of expertise in the compliance measures needed.

The second factor under question two is whether the program has sufficient resources to function properly. For example, the compliance program needs to have appropriate staff, seniority, autonomy, and funding.

The third part of this consideration is evidence of whether incentives and disciplinary methods are consistently applied to drive reporting and dissuade wrongdoing.

Question 3: Does the Corporation’s Compliance Program Work in Practice?

The last question in the DOJ guidance is aimed at questioning the practicality of the compliance program to ensure that it functions as intended. The guidance takes pains to point out that misconduct does not, on its face, show that corporate compliance measures were not sufficient. Rather than taking misconduct as a failure of compliance, prosecutors will be looking for continuous testing, improvement, and review of the compliance program. If prosecutors find any misconduct, they will examine the analysis and remediation efforts within the company. Specifically, root cause analysis and mitigation of underlying causes would be evidence of compliance. Internal audits and updates or enhancements to the program would also be evidence of this factor. Further, investigators will seek some recognition of the seriousness of any misconduct and an acceptance of responsibility, along with changes that should reduce the risk of another failure in the future.

Summary

The DOJ guidance document is a helpful tool any organization or employer can use to conduct an evaluation of its ethics and compliance program. While the framework of this guidance is similar to previous DOJ pronouncements, there were three areas that received more weight and focus than in the past (1) the importance of an anonymous reporting process and well-designed investigation process; (2) effective oversight and management of third parties; and (3) comprehensive vetting of an acquisition target. While the guidance recognizes the importance of tailoring a program around an organization’s risk profile, the DOJ guidance emphasizes the above three factors should be in place and working if the organization wants to positively influence a regulator’s opinion of the organization’s compliance and ethics program.