Amid all of the drama surrounding the disclosure of the Mueller Report and Attorney General Barr's testimony before Congress, the DOJ's Criminal Division published a new Evaluation of Corporate Compliance Programs on April 30. The Guidance is the DOJ's most detailed to date, 18 pages of narrative and questions that line prosecutors will use as factors to evaluate the effectiveness of a corporate compliance program.

In 2017, the DOJ circulated a similar document without any fanfare, authored by Hui Chen, which consisted of a series of 46 questions (with check boxes). Intended to be an internal document, the 2017 version was published and became a valuable resource for compliance professionals. The 2019 Guidance seems to be, as the FCPA Professor Mike Koehler phrased it, “more of the same” with “little new substantive information.” Nevertheless, compliance professionals will need to be aware of how the DOJ will evaluate their programs if they are to try to mitigate any penalties associated with alleged violations.

The new Guidance asks three fundamental questions:

  • Is the corporation’s compliance program well designed?
  • Is the program being applied earnestly and in good faith? (In other words, is the program being implemented effectively?)
  • Does the corporation’s compliance program work in practice?

Under the first question, the Guidance sets forth six subparts with specific questions that essentially summarize the Elements of an Effective Compliance Program set forth in the Sentencing Guidelines, including the following areas.

  • Risk Management. The starting point for any company's compliance program. It means conducting an initial risk assessment and having a pre-determined “investigations playbook” that addresses how a company determines which issues merit further investigation and who should conduct an investigation.
  • Policies and Procedures. Clear, known, and accessible to employees and third-party partners including any incentive or disciplinary programs.
  • Resources. Appropriately allocated depending on the size of the company. The general rule of thumb is the larger the organization, the more formal its compliance operation should be.
  • Training and Communication. Integrated through periodic training and certification of all directors, officers, relevant employees, and third-party partners. DOJ may credit the quality and effectiveness of a risk-based compliance program even if it ultimately fails to prevent an infraction.
  • Confidential Reporting Structures. A new addition from the DOJ's 2017 guidance. It is a system to allow employees to anonymously or confidentially report allegations of misconduct or other breaches of a company's policies, procedures, or code of conduct.
  • Managing Third Parties. Applying a company's risk-based due diligence to its relationships with outside partners, agents, consultants, and distributors.
  • Mergers & Acquisitions. The due diligence of any acquisition targets should include the company's compliance program to identify any potential misconduct that could harm profitability, reputation, or risk civil or criminal liability.

For the second question, the Guidance discusses (i) Commitment by Senior and Middle Management (“tone at the top”); (ii) Autonomy and Resources; and (iii) Incentives and Disciplinary Measures. Again, these elements and sub-questions are taken directly from the Federal Sentencing Guidelines.

Finally, under the third question, the Guidance sets forth the remaining elements: (i) Continuous Improvement, Periodic Testing and Review; (ii) Investigation of Misconduct; and (iii) Analysis and Remediation of Any Underlying Misconduct.

Compliance programs need to keep pace as technology modernizes. During the release of the Guidance, Assistant Attorney General Brian Benczkowski, head of the Criminal Division, clarified the policy around ephemeral communications. Recall that in the 2017 Corporate Enforcement Policy, the DOJ set an expectation that to be able to obtain cooperation credit, companies needed to fully disclose all relevant communications, including WhatsApp and other similar communications. Therefore, while the DOJ is not prohibiting the use of WhatsApp and similar applications, the retention of these records must be aligned with the company’s overall document retention policy if company policy allows for their use.

Corporations face increasingly complex and dynamic legal and regulatory obligations imposed by the federal government, states, and foreign governments. Although most companies are aware of these questions and have been developing compliance programs based on them, it is always refreshing to have the DOJ confirm that these are indeed best practices. Using the Guidance to design or modernize compliance programs is a good way to stay ahead of the regulatory and enforcement curves.