On Tuesday, the U.S. Department of Justice released perhaps the most comprehensive guidance to date on how prosecutors evaluate the design, implementation, and effectiveness of corporate compliance programs in making charging decisions, framing sentencing recommendations, and determining whether ongoing corporate compliance obligations, such as the imposition of a monitor, may be necessary as part of any enforcement resolution. In announcing the release of the Criminal Division’s Evaluation of Corporate Compliance Programs guidance document (“Guidance”), DOJ Criminal Division Assistant Attorney General Brian A. Benczkowski explained that the updated guidance is intended to align the Fraud Section’s 2017 guidance with other Department instructions and legal standards, and to provide greater transparency into prosecutors’ assessments. As reported previously, in October 2018, Benczkowski indicated that line prosecutors would have a greater role in evaluating companies’ compliance efforts in connection with determinations of whether to impose a compliance monitor, a change that coincided with the Department’s decision not to continue the role of a full-time compliance counsel. While the newly issued guidance serves largely to aggregate and update earlier guidance and lessons derived from enforcement settlements, and may not represent a true shift in the Department’s practice, the 18-page document provides additional detail around the questions prosecutors consider when evaluating corporate compliance programs, and serves as a useful guide for all companies, whether currently under DOJ scrutiny or implementing a compliance program for the first time, as companies can now expect prosecutors to be trained on this more harmonized guidance.
The Guidance states at the outset that the Department recognizes that each company’s risk profile is unique, and as a result, there can be no formulaic approach to assessing compliance programs. Despite this, the Justice Manual has long contained three “fundamental questions” that a prosecutor should consider when evaluating a program that serve as the framework for the updated Guidance: (1) Is the program well designed; (2) is the program being applied earnestly and in good faith (is it more than a “paper program”); and (3) does the corporation’s compliance program work in practice? JM § 9-28.800. Below we provide highlights from the Guidance in each of these three fundamental areas of evaluation.
In asking first whether a program is well-designed, the Guidance instructs prosecutors to consider whether the compliance program is comprehensive. Does the program contain clear communication, policies, procedures, training, incentives, and discipline, that will ensure that the program is fully embedded in the company’s operations, rather than relegating compliance responsibilities to a stand-alone unit?
- In order to design an effective program, it is necessary to first conduct a risk assessment, and the Guidance encourages prosecutors to consider whether the company has analyzed risk across operations, within the relevant market, among the customer and partner base, and particular activities such as use of third parties and travel and entertainment. Prosecutors are to consider whether the company tailored its program and assigned resources to higher risk activities, transactions, and partners, and whether the company periodically updates its risk assessment process to ensure continued and appropriate allocation of resources.
- Prosecutors will also look to determine whether a company’s policies and procedures are regularly updated to address new risks, whether they are accessible to the organization, whether policy instructions are reinforced, and whether those responsible within the organization for driving compliance and detecting issues (“gatekeepers”) received dedicated training. Training will be scrutinized, with consideration given to whether periodic training is offered to officers, directors, employees, and if appropriate, agents and business partners. Companies are encouraged to tailor training, recognizing that not all audiences will present with the same level of sophistication or understanding of the compliance topics. Prosecutors are also asked to consider whether training covers prior incidents or breaches, meaning that companies should consider including some form of instruction and communication on prior breaches, however anonymized the facts may need to be.
- While anonymous reporting has long been a recommended component of a corporate compliance program (and indeed is legally required for some), the Guidance encourages prosecutors to consider whether the company acts proactively to create an atmosphere where employees feel comfortable reporting issues without fear of retaliation. Prosecutors will also look to metrics and other reports to determine whether a company’s reporting mechanisms are being used and how quickly the company reacts and responds to significant reports.
- Due diligence of third parties remains an important piece of any robust compliance program, and the Guidance encourages prosecutors to consider not only the diligence steps taken, but whether the company fully understands the business rationale for engaging a particular third party. Prosecutors also are instructed to consider the mechanisms in place to monitor third parties post-engagement, including asking whether the company has exercised audit rights, and whether a company tracks any red flags identified during the diligence process and any third parties who fail to pass scrutiny under the diligence program. Diligence is not limited to third party engagements, and the Guidance includes criteria for evaluating diligence procedures in connection with mergers and acquisitions, including asking whether the company relies on a defined process for ensuring effective implementation of its compliance program post-acquisition.
The Guidance instructs prosecutors to consider whether they are faced with an effective compliance program or a mere “paper program.” Factors that they will consider include:
- More than just “tone at the top,” prosecutors are asked to consider the concrete actions that are taken by senior leaders throughout the organization, whether middle-management has demonstrated a commitment to compliance such as being involved in remediation efforts, and whether there is appropriate expertise on and communication with the company’s Board of Directors.
- Prosecutors will evaluate the structure of a compliance program, considering whether senior and sufficient resources are allocated, and whether there is appropriate autonomy and independence for the compliance function. Prosecutors will consider compensation levels, reporting lines, and titles for compliance professionals as a gauge for determining whether compliance is on equal footing with other strategic functions.
- Prosecutors will consider incentives and discipline, asking whether companies publicize disciplinary action if appropriate, and whether they advertise incentives and compliance metrics for bonuses and other compensation. The Guidance also indicates that whether human resources is involved in disciplinary actions and the consistency of the company’s disciplinary actions will be considered.
Effectiveness in Practice
The Guidance notes that, given the hindsight nature in which prosecutors evaluate corporate compliance programs, determining whether a program is or was effective is one of the hardest questions to answer – particularly where a program may have failed to immediately uncover misconduct. The Guidance provides that, in attempting to answer, prosecutors will consider:
- The extent to which a compliance program allowed a company to detect, respond to, and report an issue.
- Whether a program has improved over time, including whether a company has made significant investments to improve internal controls and compliance functions.
- Whether companies can demonstrate periodic testing, including proactively auditing compliance functions and high risk transactions, and explain how the results of such testing are used to continuously improve controls.
- Whether and to what extent a company attempts to test its culture of compliance, including by seeking input from all levels of employees and management.
- Whether complaint response and investigation procedures ensure that the company has engaged qualified personnel, has processes in place to allow the company to effectively respond to complaints, identify root cause analysis, and report on any necessary remediations.
- Finally, whether a company conducted a thorough root cause analysis of the misconduct that brought them before the Department to determine what remedial actions and program enhancements needed to be undertaken.
The Guidance reiterates that the existence of misconduct does not necessarily imply that a compliance program did not work or was ineffective.
The newly minted Guidance provides a useful summary and expansion on prior Department recommendations in connection with corporate compliance programs, and offers detailed insight into the types of questions that companies should expect to have to answer when they come before the Department. Perhaps more importantly, however, the Guidance serves as a reminder to companies that U.S. regulators expect continuous evaluation and enhancement of compliance programs. For companies just venturing into compliance, the Guidance provides a helpful framework for identifying risk areas and program components necessary to design an initial program. In contrast, companies in highly regulated markets and industries with long-standing compliance programs are well-advised to consider the criteria that prosecutors will consider when determining whether a program has been effectively implemented, and consider whether now may be the time to re-evaluate and re-assess program components, practices, and communication.