On April 30, 2019, the Assistant Attorney General (AAG) for the U.S. Department of Justice’s Criminal Division, Brian Benczkowski, announced the release of an updated version of the “Evaluation of Corporate Compliance Programs” guidance (the “revised Guidance”)—a document that provides guidance on how prosecutors conducting corporate investigations should assess a company’s compliance program. The revised Guidance doubled the length of the original document and broadened applicability to the Criminal Division more generally (as opposed to just the Division’s Fraud Section).
Much like its original iteration, many of the areas discussed in the revised Guidance have been discussed in other sources, including A Resource Guide to the U.S. Foreign Corrupt Practices Act (“FCPA Guide”), published by DOJ and the U.S. Securities and Exchange Commission in November 2012, and the Justice Manual’s Principles of Federal Prosecution of Business Organizations. That said, the revised Guidance adds more detail and offers insights into how prosecutors will be thinking about compliance programs when conducting or resolving a corporate investigation. The revised Guidance is also useful in that it affords companies more information as they benchmark their own program, against DOJ’s expectations. Perhaps most notably, it underscores certain key principles when it comes to corporate compliance programs—first, ensuring the program is well designed; second, assessing whether the program is being implemented effectively; and third, asking whether the company’s compliance program works in practice.
The Original Guidance
In February 2017, the Fraud Section in DOJ’s Criminal Division released the original “Evaluation of Corporate Compliance Programs” Guidance (the “Original Guidance”). Although released quietly on the Fraud Section’s website, with little or no press (and not even on DOJ letterhead), the stated purpose of the February 2017 document was to provide a list of “some important topics and sample questions that the Fraud Section has frequently found relevant in evaluating a corporate compliance program” and included a list of 11 topics (and 119 questions) to that end. The Original Guidance received a generally positive reception from the legal and business communities because it increased transparency into the Fraud Section’s compliance expectations. As we said at the time, the Guidance “can provide useful direction for companies not only undertaking or responding to investigations but also designing or enhancing compliance programs, or simply wishing to benchmark an existing compliance program against the government’s expectations.”
The Revised Guidance
Unlike the original Guidance, which was released by and applied only to the Criminal Division’s Fraud Section, the revised Guidance expressly applies to the entire Criminal Division. Moreover, while the original Guidance was essentially a series of topically-organized questions, the revised Guidance integrates the topics and questions into a broader discussion of Justice Manual policies. Indeed, the revised Guidance uses the three key questions that the Justice Manual instructs prosecutors to consider when evaluating a compliance program—is the program well designed, is the program being implemented effectively, and does the program actually work in practice—as a framework for categorizing relevant topics for considering whether a program is effective. Slotted within these categories are 11 different topic areas. Each subsection contains a discussion of the relevant policy background, with citations to the Justice Manual and, to a lesser extent, the U.S. Sentencing Guidelines, as well as questions that a prosecutor may consider when evaluating the particular area.
Below we discuss some of the key aspects of the revised Guidance.
- Risk-Based Approach to Compliance. The revised Guidance makes clear that prosecutors must evaluate how well a company has not only evaluated its risk profile but also used that evaluation to create a program that best allocates resources and attention to areas that pose the highest risk. DOJ has long said that there is no “one-size-fits-all” approach when it comes to creating a compliance program, and the revised Guidance underscores that point. Referencing principles outlined in the Justice Manual, the revised Guidance explains how prosecutors may credit the quality and effectiveness of a risk-based compliance program that devotes appropriate attention and resources to high-risk transactions, even if it fails to prevent an infraction in a low-risk area. It goes on to state that prosecutors should therefore consider, as an indicator of risk-tailoring, revisions to corporate compliance programs in light of “lessons learned.” Further highlighting the importance of this point, the revised Guidance includes new questions related to risk-tailored resource allocation as well as questions aimed at understanding the updates and revisions that have been made to ensure the program remains practical as-applied. As these additions highlight, the revised Guidance is focused on ensuring a nimble compliance environment—one that can successfully react and “deal with the spectrum of risks [the company] faces, including changes to the legal and regulatory landscape” in which the company operates.
- Risk-Based Third Party Management and Ongoing Monitoring. Third parties are the number one risk area for FCPA violations—indeed, over 90% of FCPA cases in the last ten years involved third parties—and the revised Guidance understandably emphasizes that a well-designed program should apply risk-based due diligence to the company’s third party relationships. In terms of appropriate controls, the revised Guidance asks prosecutors to consider how a company ensures that there are appropriate business rationales for the use of a particular third party. Prosecutors will also ask how a company tracks third parties that do not pass due diligence and/or are terminated and how the company ensures these entities are not hired in the future. For any third party implicated in potential misconduct, prosecutors will ask what the business rationale was for hiring the third party, whether there were red flags identified during the company’s due diligence, and what the company did to gain comfort before engaging the third party.
- Tailored Training and Communication. Further underscoring the focus on an appropriately tailored compliance program, the revised Guidance emphasizes that prosecutors should assess whether the company has relayed anti-corruption information, including the company’s anti-corruption policies and procedures, in a manner “tailored to the audience’s size, sophistication, or subject matter expertise.” The revised Guidance offers examples of ways a company can accomplish this, for example, by providing case studies that address real-life scenarios. Moreover, the revised Guidance again underscores the need for a company to incorporate feedback and acquired knowledge from any prior misconduct by directing prosecutors to consider to what extent a company’s training program incorporates lessons learned from prior compliance incidents. While DOJ has long emphasized the importance of compliance training, calling out the importance of incorporating lessons learned and other feedback from prior events is a useful suggestion to companies looking to enhance their training programs.
- Strong Example from Leaders and No “Paper Programs.” The revised Guidance emphasizes the importance of creating and fostering a culture of ethics and compliance, which comes from both senior and middle management. It is explicit on this point, stating that prosecutors should examine the extent to which senior management has clearly articulated the company’s ethical standards, conveyed and disseminated them in clear and unambiguous terms, and demonstrated rigorous adherence by example and how middle management has reinforced those standards and encouraged employees to abide by them. “Tone at the top” and “mood at the middle” have long been part of the rubric for an effective compliance program, but the revised Guidance’s emphasis on these rubrics—and the reformulated “conduct at the top” rather than simply “tone at the top”—further underscores their importance. A theme taken from the revised Guidance in general is that DOJ is looking to probe whether a compliance program is effective in practice or merely a “paper program.” The tone from leadership (at all levels) is a central component to this assessment because the leaders are responsible not only for establishing a culture of zero tolerance for bribery or corruption, but also for leading by example.
- Emphasis on the Proper Allocation of Resources. The revised Guidance asks prosecutors to consider whether the reporting and investigating mechanisms at a company receive sufficient funding. Although prior compliance program guidance discussed resource allocation for compliance as compared to other areas within a company, the revised Guidance pinpoints specific aspects within the compliance program that companies should ensure receive sufficient resources. Indeed, the revised Guidance notes that a hallmark of a program that is working effectively is one that has well-functioning and appropriately resourced reporting and investigation mechanisms. That said, resources alone do not create an effective program—the revised Guidance explicitly states that in order to be truly effective, compliance personnel must also be empowered by the company.
- There is no “one-size-fits-all” approach to compliance. While the revised Guidance is more specific in targeting things a company should consider when creating (or enhancing) a compliance program, DOJ has also emphasized that the revised Guidance should not be used as a checklist or a formula. That said, a company looking to benchmark its program against DOJ’s expectations should review the revised Guidance to stress test its program and gain insight into the types of questions and considerations that a prosecutor will have in mind when evaluating the efficacy of the program.
- The revised Guidance comes in the wake of the Criminal Division’s decision not to hire a dedicated compliance counsel and to instead train all of its prosecutors on compliance issues. In October 2018, AAG Benczkowski had previewed that the Criminal Division planned to roll out Division-wide training programs to enhance prosecutors’ understanding of compliance; on the same day he announced the revised Guidance, he added that the first of these sessions was taking place in Washington, D.C. that day. While the business community has expressed mixed feelings about the elimination of the compliance counsel position, the Criminal Division maintains that building compliance knowledge across all of its prosecutors (as opposed to hiring a single compliance counsel) will help ensure a more rigorous and informed analysis for companies that are under scrutiny.
- In general, the revised Guidance is a positive development because it is another example of DOJ’s efforts to be more transparent, specifically in terms of what a company can do to better position itself if it is ever facing a DOJ investigation. The revised Guidance comes in the wake of DOJ’s March revisions to its FCPA Corporate Enforcement Policy—changes that appear to have been made (at least in part) in response to concerns posed by the business community looking to comply with the policy. Updates like these demonstrate that DOJ is keen to provide companies with the tools they need to prevent and detect misconduct and ensure their compliance programs meet DOJ’s expectations. AAG Benczkowski ended his remarks this month noting that “the interests of the Department and private industry to root out corporate crime are very much aligned”—in keeping with that premise, the revised Guidance is another source to help put the business community and prosecutors on the same page when it comes to corporate compliance programs.