On April 30, 2019, the U.S. Department of Justice (“DOJ”) updated its guidance on evaluating corporate compliance programs (the “Update”). The original guidance, titled “Evaluation of Corporate Compliance Programs,” (the “DOJ Guidance”) was released by the Fraud Section in February 2017. While the DOJ Guidance and the Update are styled as guidance for prosecutors, they also provide meaningful insights for companies assessing the efficacy of their compliance programs. The Update also enables the DOJ to harmonize compliance guidance from various sources and “provid[e] additional context to the multifactor analysis of a company’s compliance program.” As a practical matter, the Update is a step in the right direction, but it falls short of clearly stating how prosecutors (or companies) should prioritize among competing compliance objectives.
A. Evaluation of Corporate Compliance Programs
The DOJ considers a company’s compliance program the “first line of defense that prevents [corporate misconduct] from happening in the first place.” Recognizing the importance of effective compliance programs, the DOJ has made a concerted effort in recent years to set clear standards for companies and prosecutors to follow. The most significant of these efforts came in the form of the DOJ Guidance, issued on February 8, 2017. Drawing on a number of existing resources, the DOJ Guidance consists of a list of topics and questions the DOJ may consider when evaluating a corporate compliance program in the context of making a determination with respect to a company under criminal investigation. The DOJ Guidance’s core areas are:
- Analysis and remediation of underlying conduct
- Senior and middle management
- Autonomy and resources
- Policies and procedures
- Risk assessment
- Training and communications
- Confidential reporting and investigation
- Incentives and disciplinary measures
- Continuous improvement, periodic testing and review
- Third-party management, and
- Mergers and acquisitions
B. Key Changes to the DOJ Guidance
Although the DOJ Guidance made clear that a company should have a continuing commitment to compliance at all levels, it did not provide insight into how prosecutors would assess whether a company has demonstrated such commitment.
In a keynote address at a recent conference, Assistant Attorney General Brian A. Benczkowski announced the Update, explaining its purpose as “provid[ing] additional transparency in how [the DOJ] will analyze a company’s compliance program.” The Update provides “additional transparency” through the inclusion of three questions borrowed from the “Principles of Federal Prosecution of Business Organizations” in the Justice Manual (which is the comprehensive collection of major DOJ policies and procedures):
- Is the corporation’s compliance program well designed?
- Is the program well implemented?
- Does the program work in practice?
In addition to the 11 overarching topics from the DOJ Guidance, the Update added a twelfth topic – “Investigation of Misconduct.” The Update provides criteria for the DOJ to evaluate a company’s internal investigations of misconduct, including, but not limited to, whether the company provides adequate funding and responds promptly to reports of misconduct.
i. Autonomy and Resources
The Update provides further transparency by expanding on certain topics and themes not addressed in the DOJ Guidance. Under the heading “Autonomy and Resources,” for example, the Update explains that the structure of a company’s compliance program is a “threshold matter” evaluated by prosecutors, and that “prosecutors should address the sufficiency of personnel and resources within the compliance function.” Specifically, the Update identifies three factors for consideration: “(1) sufficient authority within the organization; (2) sufficient resources, namely, staff to effectively undertake the requisite auditing, documentation, and analysis; and (3) sufficient autonomy from management, such as direct access to the board of directors or the board’s audit committee.” These factors carry different weight depending on the “size, structure, and risk profile of a particular company,” and the sufficiency of each factor is determined on a case-by-case basis. Whether implementing a compliance program for the first time or updating an existing program, companies should consider whether those charged with compliance responsibilities are adequately empowered to do their jobs.
ii. Commitment by Senior and Middle Management
The Update also re-emphasizes tone from both the top and middle of an organization. The Update explains that the “effectiveness of a compliance program requires high-level commitment by company leadership to implement a culture of compliance from the top.” In particular, the Update states that “[p]rosecutors should examine the extent to which senior management have clearly articulated the company’s ethical standards, conveyed and disseminated them in clear and unambiguous terms, and demonstrated rigorous adherence by example.” The Update also makes clear that this emphasis does not stop with senior management. “[P]rosecutors should also examine how middle management, in turn, have reinforced those standards and encouraged employees to abide by them.”
How Dechert Can Assist
Companies looking to implement a new corporate compliance program, or assess and improve an existing one, should consider whether they have accounted for the specific factors the DOJ considers when making charging decisions. Dechert assists clients in developing effective corporate compliance programs and in identifying and managing risks efficiently and effectively. When clients detect potential violations, we assist them in investigating, remediating, and, where appropriate, disclosing such violations to governmental authorities.