On February 8, 2017, the Fraud Section of the U.S. Department of Justice (the “DOJ”) published a guide for companies called “Evaluation of Corporate Compliance Programs” (the “Guidance”). The Guidance is composed of common questions that the DOJ asks when evaluating a company’s compliance program. While the Guidance questions are largely based on familiar sources, such as the United States Sentencing Guidelines and the “Principles of Federal Prosecution of Business Organizations” in the United States Attorney’s Manual, the questions provide a greater degree of detail and insight into the DOJ’s process for evaluating compliance programs.
The Guidance focuses on three overarching areas: (1) company culture, (2) compliance structure and resources, and (3) the effectiveness of company policies and procedures.
Regarding company culture, the Guidance questions focus on the behavior of senior and middle management. The Guidance asks whether management and company leaders have encouraged or discouraged the misconduct in question, and whether their actions have demonstrated a commitment to ensuring compliance. Further, the Guidance inquires into the responsiveness of management to compliance concerns and the remedial steps taken after misconduct was discovered. The Guidance also asks whether management has incentivized compliance and ethical behavior, and whether the company has considered any potential negative compliance implications of its business model and incentive structure.
Second, the Guidance lists questions related to the company’s compliance structure and resources. The Guidance inquires into the lines of communication that employees may use to convey compliance concerns to the board of directors and senior management, as well as the compliance structure’s role in the company’s strategic and operational decisions. Moreover, the Guidance clearly expects companies to employ experienced and qualified compliance personnel and allocate appropriate resources and funding to compliance-related items, such as internal audits, periodic control testing, and frequent updates to assessment procedures.
Last, the Guidance engages with the company’s compliance policies and procedures. The Guidance asks detailed questions about the design, accessibility, and integration of the company’s policies. The Guidance also evaluates how employees are trained on company policies and procedures, and how the policies operate to ensure compliance in the context of mergers, acquisitions, and third-party management. Ultimately, the Guidance takes a multi-dimensional look at the effectiveness of the company’s policies and procedures, rather than at how they are written or crafted.
Although the content of the Guidance is largely familiar to practitioners, it does give a clearer picture of the DOJ’s current approach to corporate compliance. The issuance of the Guidance underscores the DOJ’s renewed focus on the operation, rather than the appearance, of corporate compliance programs.
Additionally, while the document is framed as guidance for companies, as opposed to a checklist or formula for compliance, the clear import of the Guidance is that companies will be asked detailed and challenging questions regarding the scope and effectiveness of their compliance programs. Accordingly, companies will need to seriously consider how their programs will withstand such scrutiny, or risk the possible consequences of loss of credit for their compliance programs, higher penalties, or even separate violations for inadequate internal controls.