Last week, the US Department of Justice (DOJ) released its updated guidance on how prosecutors should evaluate corporate compliance programs.1 The revised guidance reiterates and expands on the hallmarks of successful corporate compliance programs previously enumerated in the 2017 guidance.
The updated guidance reorganizes those familiar principles under three primary questions and provides clarification and context that the government—and corporations—should use to evaluate corporate compliance programs. The revised guidance builds on the DOJ’s increased emphasis on transparency and unequivocally ties the guidance to the Justice Manual, the FCPA Corporate Enforcement Policy—which was just updated in March 2019—and the 2018 Selection of Monitors in Criminal Division Memo (the “Benczkowski Memorandum”) that addresses the selection and imposition of compliance monitors.
As with the 2017 guidance, the updated document reiterates that there is no checklist or formula for a perfect compliance program. The guidance lists twelve fundamental hallmarks for any corporate compliance program:
1. Risk Assessment
2. Policies and Procedures
3. Training and Communications
4. Confidential Reporting Structure and Investigation Process
5. Third Party Management
6. Mergers and Acquisitions
7. Commitment by Senior and Middle Management
8. Autonomy and Resources
9. Incentives and Disciplinary Measures
10. Continuous Improvement, Periodic Testing, and Review
11. Investigation of Misconduct
12. Analysis and Remediation of Any Underlying Misconduct
Whereas the 2017 guidance merely set forth questions to consider for each hallmark—most all of which are included in the revised document—the updated guidance further explains, in no uncertain terms, the purpose for each of the factors, the hallmarks of effective compliance programs, and how each factor contributes to and facilitates an effective compliance program. The narrative provided for each hallmark will assist prosecutors in evaluating the effectiveness of compliance programs. It will also assist corporations in evaluating their compliance programs and closing identified gaps as necessary.
To further assist in this clarification, the 2019 guidance reorganizes the established principles under three central questions:
1. Is the corporation’s compliance program well designed?
2. Is the program being applied earnestly and in good faith?
3. Does the corporation’s compliance program work?
Under the first focal question—whether a corporation’s compliance program is well designed—prosecutors are encouraged to assess whether the compliance program is appropriately designed to prevent and detect wrongdoing by evaluating: (1) risk assessment; (2) policies and procedures; (3) training and communications; (4) confidential reporting structure and investigation process; (5) third-party management; and (6) mergers and acquisitions. Compliance programs should be designed to detect the particular types of misconduct most likely to occur within the company, including assessing the locations of a company’s operations, market competitiveness, regulatory landscape, business and entity partners, and interactions with foreign governments and foreign officials that are necessary to conduct business.
Under the second category—program application—determination of whether a company is applying a program earnestly and in good faith includes: (1) commitment by senior and middle management; (2) autonomy and resources; and (3) incentives and disciplinary measures. These seek to root out companies that simply have “paper programs” and lack commitment—particularly from senior and middle management—to implement, encourage, and enforce a culture of compliance.
The third question aims to ensure that a compliance program is effective in detecting misconduct and identifying company-specific compliance risks. It includes the hallmarks: (1) continuous improvement, periodic testing, and review (including an emphasis on internal audit); (2) investigation of misconduct; and (3) analysis and remediation of any underlying misconduct. The guidance emphasizes the need for continuous monitoring and testing to ensure that a corporation’s compliance program is able to adapt to and evolve with changes in industry and business environments. Swift and thorough investigations into potential misconduct by qualified personnel are an integral part of an effective compliance program. This includes identifying the misconduct and the root causes of that misconduct and taking action to remediate and close those gaps.
The DOJ’s focus on effectiveness is further supported by the guidance’s focus on remediation, which may be instructive for companies seeking to avoid imposition of a monitor as part of a settlement with the DOJ.2 The revised guidance is expressly tied to the Benczkowski Memorandum, which called for the DOJ to be cognizant of the cost of a monitor and the monitor’s impact on a corporation’s operations and to limit the imposition and scope of monitors to what is necessary to prevent future misconduct. In deciding whether to impose a monitor, the DOJ has consistently noted a company’s progress in implementing and testing its compliance program. Monitors use substantively the same criteria as those listed in the guidance to determine whether a company’s compliance program is reasonably designed and implemented to prevent and detect future violations. It may be beneficial for corporations to consider the revised guidance in remediating the compliance program ahead of a settlement or in preparation for a monitor.
The added attempt at transparency and the newly added context and incorporation of the Justice Manual, the FCPA Corporate Enforcement Policy, and the Benczkowski Memorandum appear to be another step by the DOJ to harmonize its various goals in the space of anti-corruption and anti-bribery. While intended for use by prosecutors, the updated guidance is a meaningful tool for compliance departments seeking to ensure that their companies are best-positioned to avoid becoming the subject or target of a DOJ investigation or to mitigate sanctions.