The Department of Justice (DOJ) doubled-down on emphasizing corporate compliance programs with new guidance from the Criminal Division Fraud Section with the “Evaluation of Corporate Compliance Programs” (Criteria). This document, released February 8 without much fanfare, contains a long list of benchmarks that DOJ says it will use to evaluate the effectiveness of an organization’s compliance program. The Criteria may publicize the factors Hui Chen, the Criminal Division’s 2015 compliance counsel hire, uses to evaluate compliance programs. The Criteria also provides practical guidance on how organizations can evaluate their compliance programs. This document operationalizes DOJ’s Principles of Federal Prosecution of Business Organizations (knows as the “Filip Factors”), which stated that the existence and effectiveness of a corporation’s preexisting compliance program is a factor that the DOJ will review in considering prosecution decisions.
The Guidance contains 11 topics that shift the analysis among examining how the alleged misconduct could have occurred, the organization’s response to the alleged misconduct, and the current state of the compliance program. One entire category, titled “Analysis and Remediation of Underlying Misconduct,” has an obvious focus. But, the other categories contain questions that touch on each of the three themes. For example, the “Policies and Procedures” category asks questions about the process for implementing and designing new policies, whether existing policies addressed the alleged misconduct, what policies or processes could have prevented the alleged misconduct, and whether the policies/processes of the company have improved today. Other categories examine the company’s historic and current risk assessment process and internal auditing, training and communications, internal reporting and investigations, and employee incentives and discipline. DOJ also discusses management of third parties acting on behalf of the company and, in the case of a successor owner, the due diligence process and on-boarding of the new company into the broader organization.
Many industries, especially healthcare, have traditionally looked to the HHS Office of Inspector General (OIG) for compliance guidance. Starting in the late 1990s, OIG issued a number of compliance program guidance documents (CPGs) that still hold up well today in terms of outlining compliance program elements and compliance risk areas. OIG has also issued, in collaboration with the American Health Lawyers Association and Health Care Compliance Association, guidance to boards of directors on how to exercise their fiduciary oversight duties. DOJ’s Criteria differ from past OIG guidance by drilling down to a granular level into how to examine the effectiveness and maturity of a contemporary compliance program.
Interestingly, there are some differences between the Guidance and the positions OIG has taken on some key structural compliance program issues. Perhaps most important, the Guidance does not specifically address the reporting relationship between the compliance officer and general counsel or whether the compliance officer and general counsel could be the same person. Instead, the Guidance emphasizes the compliance officer’s stature in the organization, access to resources, experience and qualifications, autonomy, independence, and direct access to the board. OIG’s longstanding position in industry guidance and Corporate Integrity Agreements has been that the compliance officer must be a member of senior management separate from, and not subordinate to, the general counsel.
Last year, OIG described having a compliance program as a “neutral factor” in its updated permissive exclusion analysis, with the Inspector General saying there are “no bonus points for having a compliance program.” We covered that updated guidance here [link to April 28, 2016 post]. OIG’s updated factors discussed four broad categories of issues: nature and circumstances of the conduct, conduct during the investigation, significant ameliorative efforts and history of compliance. OIG’s analysis mostly looks at the alleged past conduct that the defendant is settling in the False Claims Act case, with just one factor looking at whether significant resources were added to the compliance program in response to the alleged misconduct. With the Criteria, DOJ seems to indicate it takes a different approach from OIG for its purposes, which include both charging decisions as well as plea and settlement decisions.
DOJ’s Criteria are a useful addition to the library of governmental guidance documents on compliance programs by providing a detailed discussion of the questions DOJ would ask about the current state of a compliance program in evaluating its effectiveness. As a result, the Criteria provide a timely tool for organizations to evaluate their compliance program’s operations and structure.