The U.S. Department of Justice, through the Fraud Section of its Criminal Division (the “DOJ”), recently released a memorandum entitled Evaluation of Corporate Compliance Programs (“Compliance Memo”) as part of its ongoing focus on compliance. In the Compliance Memo, the Fraud Section sets out “sample” topics and questions that it considers when evaluating a compliance program. The strength of a corporation’s compliance program is a critical factor that prosecutors consider when determining whether to bring charges against a corporation, as explained in The Principles of Federal Prosecution of Business Organizations in the United States Attorney’s Manual.
The DOJ’s focus on compliance programs is not new. In November 2015, it hired a full-time compliance attorney whose responsibilities include providing guidance to prosecutors concerning the efficacy of compliance programs. While each case is fact-specific, the Compliance Memo explains that the DOJ will generally evaluate the following:
- Analysis and Remediation of Underlying Misconduct. The “root cause” of the misconduct and the company’s remediation efforts to prevent future misconduct.
- Senior and Middle Management. Management’s demonstrated commitment to and oversight of the compliance program.
- Autonomy and Resources. Compliance personnel’s role within the company, compensation, experience and qualifications, autonomy, and previous compliance actions.
- Policies and Procedures. The design and accessibility of the policies and procedures and their operational integration.
- Risk Assessment. The risk management process and how the company’s risk assessment process takes into account manifested risks.
- Training and Communications. The company’s risk-based training, including its format, content, and efficacy for the intended audience, and availability.
- Confidential Reporting and Investigation. The company’s response to, and investigation of, reports of misconduct and prevention of similar future misconduct.
- Incentives and Disciplinary Measures. Accountability for misconduct, human resources’ process for violations, consistency of disciplinary actions, and incentive programs.
- Continuous Improvement, Periodic Testing and Review. The company’s internal audit process and how that process is tested and updated as risks evolve.
- Third-Party Management. The third-party management process that accounts for company-specific risks, controls implemented, due diligence performed, and consequences for third parties.
- Mergers and Acquisitions. The company’s due diligence process, the integration in the M&A process, and the process connecting due diligence to implementation.
As the DOJ notes in the Compliance Memo, the factors listed above have previously appeared in several publications by the DOJ, the Securities and Exchange Commission, and the Organisation for Economic Co-Operation and Development (OECD). While these topics and questions are not new, the DOJ’s collection and publication of them in the Compliance Memo underscores the critical and ever-growing importance that the DOJ continues to place on compliance programs.