Underscoring once again the importance of a company's compliance program to the government's charging decisions, the Criminal Division of the U.S. Department of Justice (DOJ) has issued updated guidance for the evaluation of corporate compliance programs in charging and resolving criminal cases. Yesterday, during his comments at the Ethics and Compliance Initiative 2019 Annual Impact Conference in Dallas, Texas, Assistant Attorney General Brian A. Benczkowski announced the new guidance, noting that it would "serve to provide additional transparency in how [the DOJ] will analyze a company's compliance program." Specifically, Benczkowski emphasized that a prosecutor's assessment of the adequacy and effectiveness of a compliance program would be critical to determining (a) whether and how to bring a corporate criminal case, (b) a company's culpability score under the U.S. Sentencing Guidelines and resulting fine range, and (c) whether an independent monitor is required post-resolution.
Reflecting changes of form more than substance (much of the content of the updated framework can be found in the informal guidance issued by the Fraud Section of the Criminal Division in 2017), the placing of the Criminal Division's official imprimatur on the guidance reflects the Department's nationwide commitment to compliance program scrutiny. Further, the updated guidance provides a more explicit roadmap of the type of questions prosecutors consider when determining the effectiveness of a company's compliance policies. Organized around "three fundamental questions" for assessing a corporate compliance program, prosecutors are directed to ask: is the compliance program "well-designed," is it "effectively implemented," and does it "actually work in practice." Despite these enumerated topics, AAG Benczkowski underscored that the updated topics and questions "are neither a checklist nor a formula" and that the DOJ makes "an individualized determination" of a program's efficacy based on "each company's risk profile."
Although, as previously noted, the updated guidance largely restates the previous 2017 guidance, it does set forth additional factors that sharpen the inquiry around the following aspects of a compliance program.
Commitment by Senior and Middle Management
The updated guidance reflects an increased focus on the roles of senior and middle management in enforcing a compliance program. Under the new framework, prosecutors will not only assess whether senior management encouraged a culture of compliance, but also will evaluate whether managers have tolerated "greater compliance risks in pursuit of new business or greater revenues." Indeed, DOJ will look for specific occasions where managers "encouraged employees to act unethically to achieve a business objective," or, on the positive side, for "concrete actions . . . to demonstrate leadership in the company's compliance and remediation efforts." The DOJ will also consider whether the company sought feedback from employees about the performance of senior and middle management to better understand the efficacy of the company's messaging on compliance.
Role of Internal Audit
Another noteworthy addition to the guidance is the emphasis on the need for companies to monitor the efficacy of, and make improvements to, their compliance programs to meet evolving risks. In that context, the new guidance specifically instructs prosecutors to assess whether a company's internal audit function is identifying issues relevant to the risks that should be addressed by the compliance program. To that end, the guidance instructs prosecutors to consider the process by which internal audit determines the location, frequency, and types of audits it conducts.
Training and Communications
The updated guidance suggests that companies can enhance their training programs by incorporating "practical advice or case studies to address real-life scenarios, and/or guidance on how to obtain ethics advice on a case-by-case basis as needs arise." The updated guidance looks to whether a company measures the effectiveness of compliance training and whether there is remediation for employees who fail to pass compliance tests that accompany training modules.
DOJ's "Three Fundamental Questions" and Key Factors for Assessing Corporate Compliance Programs
1. Is the Corporation's Compliance Program Well Designed?
A. Risk Assessment
B. Policies and Procedures
C. Training and Communications
D. Confidential Reporting Structure and Investigation Process
E. Third Party Management
F. Mergers and Acquisitions
2. Is the Corporation's Compliance Program Being Implemented Effectively?
A. Commitment by Senior and Middle Management
B. Autonomy and Resources
C. Incentives and Disciplinary Measures
3. Does the Corporation's Compliance Program Work in Practice?
A. Continuous Improvement, Periodic Testing, and Review
B. Investigation of Misconduct
C. Analysis and Remediation of Any Underlying Misconduct
Confidential Reporting Structure and Investigation Process
The new guidance reflects an increased interest in corporate anonymous reporting mechanisms. Noting that "[c]onfidential reporting mechanisms are highly probative of whether a company has 'established corporate governance mechanisms that can effectively detect and prevent misconduct,'" the revised guidance specifically tasks the prosecutor with ascertaining whether a company has an anonymous reporting mechanism in place, and if not, why. If one does exist, the DOJ will further inquire as to whether the mechanisms have been utilized and whether the company has created "a workplace atmosphere without fear of retaliation" for reporting complaints.
The DOJ's updated guidance provides a clearer and more authoritative roadmap for companies to use in evaluating their compliance programs. Given the DOJ's focus on compliance programs as a "front line" of defense to corporate misconduct, companies would be advised to assess their programs through the lens of the updated guidance.