On April 30, 2019, the US Department of Justice (DOJ) Criminal Division announced the publication of updated Guidance on Evaluating Corporate Compliance Programs (2019 Guidance). As discussed in our 2017 FCPA Mid-Year Review, the original guidance, published on February 8, 2017 (2017 Guidance), essentially set forth a list of 11 topics and over 100 detailed questions that the Fraud Section of the DOJ's Criminal Division stated it would consider when evaluating the effectiveness of a company's compliance program in the context of corporate criminal investigations. The DOJ's evaluation of the effectiveness of a company's compliance program has long been listed as a factor relevant to charging decisions under the Principles of Federal Prosecution of Business Organizations in the US Attorney's Manual (now known as the Justice Manual), as well as to a company's eligibility to receive a reduction in criminal fines calculated under the US Sentencing Guidelines (USSG); it is also important to the DOJ's assessment of whether a monitor is warranted.
The principles set forth in the 2019 Guidance do not significantly depart in substance from prior available compliance program guidance, but the 2019 Guidance re-organizes and expands in some respects upon the DOJ's 2017 Guidance. Importantly, while the 2017 Guidance applied only to the Criminal Division's Fraud Section, in which the FCPA Unit is housed, the 2019 Guidance appears to apply to the Criminal Division more broadly. In this and other respects, the 2019 Guidance appears to signal that the DOJ's assessment of corporate compliance programs will take on added importance in the resolution of a wider array of corporate criminal matters going forward.
Reorganization of Familiar Concepts, Ratcheted Up One Notch
After a discussion of "Analysis and Remediation of Underlying Misconduct," the 2017 Guidance was structured according to the familiar elements, or "hallmarks," of an effective compliance program derived from the USSG § 8B2.1, and fleshed out in more detail in the anti-corruption context in the 2012 DOJ/SEC FCPA Resource Guide. These elements include management commitment, autonomy and resources of compliance/control functions, policies and procedures, risk assessment, training and communications, confidential reporting and investigations, incentives and disciplinary measures, continuous improvement and periodic testing/review, and mergers and acquisitions.
The 2019 Guidance, in contrast, has been reorganized around three "fundamental" questions in the Justice Manual:
Is the program being applied earnestly and in good faith (a question the DOJ re-frames as whether the program is "being implemented effectively")?
Does the program work in practice?
Is the compliance program well designed?
The 2019 Guidance then sets forth factors relevant to the assessment of each element of an effective compliance program under three headings that correspond to these three "fundamental questions." In assessing whether a program is "well designed," for example, the 2019 Guidance provides that prosecutors will evaluate a company's risk assessment process, including how the compliance program has been tailored and updated to reflect identified risks (in particular, any revisions borne of "lessons learned"). Other elements assessed under the "design" of the program include:
training (including whether there is tailored training for high-risk, control, and supervisory personnel and how the effectiveness of training is measured);
reporting structures and investigation processes (with increased focus on resources for such investigations, timing metrics, and tracking/analysis of outcomes and patterns);
third-party management (with increased emphasis on tracking of responses to red flags and of decisions to decline or terminate third-party relationships);
mergers and acquisitions (calling for "comprehensive" due diligence and underlining the importance of compliance considerations during integration); and
policies and procedures.
In assessing whether the program is being implemented effectively, the 2019 Guidance states that prosecutors will continue to examine a company's "culture of compliance" (considering factors such as whether management has "tolerated greater compliance risks in pursuit of new business or greater revenues"), the autonomy of and resources devoted to compliance and control functions (including the structure, seniority and stature, experience and qualifications, funding and resources, and reporting/autonomy of compliance/control functions), and employee incentives and disciplinary measures (including "clear disciplinary procedures" that are fairly and consistently applied, reasoning for communicating or restricting information about disciplinary actions, and specific examples of incentives and rewards (such as promotions and bonuses) for compliance).
Finally, in assessing whether the program "works in practice," the 2019 Guidance provides that prosecutors will examine efforts undertaken by the company to continuously improve the compliance program (including through audits, periodic gap and risk assessments, employee surveys, and lessons learned from investigations), how investigations of misconduct are conducted, and how misconduct is assessed and remediated (including, specifically, how payment systems, vendor management, and other weaknesses identified in root cause and missed opportunity analyses have been remediated, as well as how the company has ensured accountability for misconduct).
This reorganization of familiar compliance program hallmarks under the Justice Manual's three "fundamental questions" is not a natural one, as the DOJ appears to recognize when noting that "some topics necessarily fall under more than one category." Indeed, arguably almost every compliance program element could be assessed under each of the three categories. It is not clear why the DOJ chose to reorganize the 2019 Guidance in this manner, except perhaps in an effort to tie it back more directly to the "three fundamental questions" in the Justice Manual and less closely to the framework adopted in the FCPA Resource Guide. Despite this potential effort to underline that the guidance applies beyond an FCPA context, both the 2017 and 2019 Guidance draw significantly from prior FCPA- and anti-corruption-focused guidance (including, for example, the FCPA Resource Guide and the OECD's Good Practice Guidance on Internal Controls, Ethics, and Compliance and Anti-Corruption Ethics and Compliance Handbook for Business). The 2019 Guidance also cites examples that appear particularly relevant in the context of an anti-corruption compliance program (such as in the section describing relevant factors when conducting a risk assessment and in managing third-party risks). Nevertheless, the extension of the 2019 Guidance to the whole of the DOJ's Criminal Division signals that the DOJ's assessment of the effectiveness of a corporation's compliance program will play an increasingly important role in the resolution of all corporate criminal matters moving forward.
Implications; Open Questions
While the 2019 Guidance does not define groundbreaking expectations for those actively engaged in the compliance profession (particularly those familiar with FCPA compliance expectations), the additional detail provided in this Criminal Division-wide Guidance suggests the DOJ is ratcheting up expectations for corporations, particularly outside of the FCPA context. Moreover, because the 2019 Guidance appears to go beyond setting baseline expectations and at times reads like "best practices" guidance, it raises several important questions about how the document will be used.
First, while the 2019 Guidance clearly states that it is not intended to serve as a checklist or formula in evaluating a compliance program, whether and to what extent DOJ prosecutors will tailor their expectations in practice to take account of the differing size and risk profiles of companies that come before the DOJ is uncertain. For example, the 2019 Guidance appears to be geared towards expectations for large companies with significant resources available for compliance. It will be important for the DOJ to recognize in practice, as it does in the text of the 2019 Guidance, that not all topics and questions covered in the document are relevant in each case. This will be particularly true for smaller companies with more limited resources and/or a lower risk profile.
Second, to what extent will other enforcement authorities, such as the US Securities and Exchange Commission (SEC), be influenced in their assessment of companies' compliance program by this DOJ guidance? In recent years, the SEC has taken the position that "an effective compliance program is a critical component of an issuer's internal controls" and has a history of negotiating settlements, particularly in the FCPA context, that treat perceived deficiencies in an issuer's compliance program as a violation of the FCPA's internal controls provision. The FCPA Resource Guide, issued in 2012, which detailed the elements of a compliance program, was a joint agency product. Because the 2019 Guidance sets high expectations for compliance programs, any effort by the SEC to apply the 2019 Guidance in SEC matters could potentially raise the bar as a practical matter for companies subject to the FCPA's internal controls requirements.
Third, it remains to be seen how the 2019 Guidance, which applies to the entire Criminal Division of the DOJ, will be considered in non-FCPA corporate criminal matters. To date, the USSG, and § 8B2.1 in particular, have served as the main source for compliance guidance for companies outside the context of the FCPA. Because the DOJ will almost certainly use the 2019 Guidance as a tool for assessing whether to agree to a three-point downward departure under USSG § 8C2.5(f) as part of a corporate plea, the Guidance may become the subject of judicial scrutiny at sentencing hearings as to whether its factors are aligned with the factors set forth in USSG § 8B2.1. The extent to which courts are informed by the 2019 Guidance in assessing the requirements of USSG §8B2.1 will thus be an issue both prosecutors and defense counsel will watch closely. Finally, this increased focus on compliance could signal that other divisions of the DOJ, such as the Antitrust Division's Criminal Section, that have not traditionally focused on companies' compliance programs may begin to do so when resolving matters. Through both public statements and recent plea agreements, the DOJ's Antitrust Division has appeared to be moving in this direction. Although the 2019 Guidance does not directly apply to the Antitrust Division, it will likely be reviewed closely by Antitrust Division lawyers as this Division moves towards incentivizing companies' compliance efforts.
Despite these lingering questions, the 2019 Guidance is nonetheless useful in consolidating expectations set forth in various compliance-related guidance materials (including the Justice Manual, USSG, FCPA Resource Guide, and OECD guidance, as well as more recent DOJ guidance on the selection of monitors) in one document, which compliance professionals can reference in formulating and evaluating corporate compliance programs. Because the 2019 Guidance assumes a very significant dedication of corporate resources to compliance, however, it will be important for the Criminal Division to take a risk-based approach – consistent with the risk-based approach it recommends companies take when developing a compliance program – when applying the Guidance to evaluate a company's compliance efforts, giving due consideration to the company's size, risk profile, available resources, and other relevant factors.