On April 30, 2019, the Department of Justice Criminal Division released updated guidance on the Evaluation of Corporate Compliance Programs (the "Guidance"). The Guidance sets forth the non-binding factors that DOJ prosecutors utilize to evaluate a company's compliance program and consequently determine the "(1) form of any resolution or prosecution; (2) monetary penalty, if any; and (3) compliance obligations contained in any corporate criminal resolution (e.g., monitorship or reporting obligation." The Guidance is, therefore, significant to companies seeking to understand what the DOJ considers to be best practices for compliance programs, as well as to mitigate against criminal penalties resulting from potential wrongdoing.
The Guidance builds upon a prior version released in February 2017 and does not indicate any major policy changes. Instead, this update provides further explanation of the factors DOJ uses to evaluate companies' compliance programs and contextualize those factors within the enforcement framework of the Justice Manual and Sentencing Guidelines.
Accordingly, the factors DOJ analyzes have largely remained unchanged but have been reorganized under three primary questions:
1. Is the program well-designed?
2. Is the program effectively implemented?
3. Does the compliance program actually work in practice?
Regarding whether a compliance program is well-designed, the Guidance discusses key elements such as risk assessments, policies and procedures, training and communications, confidential reporting structure and investigation process, third-party management, and mergers and acquisitions. The Guidance then details what it regards as effective implementation of a compliance program, including commitment by senior and middle management, autonomy and resources, and incentives and disciplinary measures. The Guidance also instructs prosecutors to explore a compliance program's actual effectiveness in practice, including by examining the capacity for continuous improvement, periodic testing and review, investigation of misconduct, and analysis and remediation of any underlying misconduct that may be discovered.
While these factors are generally consistent with prior DOJ guidance, the new Guidance emphasizes and features certain factors over others. For example, a company's prior risk assessments are now the entry point for a prosecutor's evaluation of whether a company has a well-designed compliance program, and the Guidance notes that "prosecutors may credit the quality and effectiveness of a risk-based compliance program that devotes appropriate attention and resources to high-risk transactions, even if it fails to prevent an infraction in a low-risk area. In addition, the investigation of misconduct is now emphasized as its own factor instead of being integrated as a subcomponent of other factors in previous guidance.
The Guidance includes new subcomponents for several factors, with the net effect of placing more emphasis on compliance program integration, implementation, verification and continuous improvement than prior guidance. For example, the Guidance stresses the importance of an anonymous reporting mechanism for raising compliance concerns and of the need to measure the effectiveness of various compliance components. The Guidance also places more emphasis on the importance of fostering a culture of compliance in day-to-day operations through policies and procedures and commitment by management.
While the DOJ noted that there is no "rigid formula to assess the effectiveness of corporate compliance program" due to each company's unique structure and risk profile, the Guidance serves as a template for companies to self-evaluate and determine if their compliance programs would stand up to DOJ scrutiny.