On February 8, 2017, the Fraud Section of the Criminal Division of the U.S. Department of Justice (the “Fraud Section”) issued valuable and detailed guidance regarding the evaluation of corporate compliance programs (the “2017 Guidance”).[1] The 2017 Guidance, entitled “Evaluation of Corporate Compliance Programs,” provides a road map of how the Fraud Section will assess corporate compliance programs, including the specific criteria it will use in the process. The 2017 Guidance identifies 11 topics and approximately 119 sample questions that seek to elicit information considered relevant in evaluating the effectiveness of a corporate compliance program. Accordingly, it demonstrates the rigor with which the government intends to assess companies’ compliance programs and provides insight into the government’s expectations.

The 2017 Guidance, which is the first official guidance issued under the Trump administration, expands on the DOJ’s existing framework. The “Principles of Federal Prosecution of Business Organizations,”[2] first published in 1999, enumerates the factors that federal prosecutors are expected to consider when deciding how to resolve cases involving corporate misconduct, including but not limited to (i) “the existence and adequacy of the corporation’s compliance program,” and (ii) “the corporation’s remedial actions, including any efforts to implement an effective corporate compliance program or to improve an existing one.” Further guidance about the factors to consider in determining appropriate resolutions of investigations of corporate wrongdoing was issued over the course of the next several years, and continued to include the effectiveness of a company’s compliance program as an important consideration.[3] However, until the issuance of the 2017 Guidance, the DOJ had provided only minimal direction regarding how such programs would be evaluated and how their effectiveness would be determined.

Akin to a “how-to” guide, the 2017 Guidance provides a useful and well-organized list of questions aimed at identifying information significant to a determination of the efficacy of a compliance program. The 2017 Guidance highlights the fact that when evaluating a corporate compliance program, the government will look beyond the corporation’s “paper program” (i.e. written policies) and focus on how the program operates in practice. The independence, authority and support afforded to compliance personnel will also be an area of focus. Moreover, the far-reaching and detailed nature of the 2017 Guidance suggests that corporations coming under the government’s scrutiny will have their compliance programs subjected to a rigorous evaluation. Accordingly, companies should carefully consider the 2017 Guidance in their efforts to ensure that their compliance programs are not only effective, but will meet the government’s strict criteria and expectations should the company find itself in the position of having to defend allegations of corporate wrongdoing.

Topics and Questions Highlighted in the 2017 Guidance

The 2017 Guidance organizes the 119 questions into the following 11 sections, which appear to be based on the ten “Hallmarks of Effective Compliance Programs” published in 2012 by the Criminal Division of the DOJ and the Securities and Exchange Commission (SEC) in the FCPA Resource Guide,[4] as well as existing federal sentencing guidelines and best practices published by the Organization for Economic Cooperation and Development (OECD)[5]:

  1. Analysis and Remediation of Underlying Conduct
  2. Senior and Middle Management
  3. Autonomy and Resources
  4. Policies and Procedures
  5. Risk Assessment
  6. Training and Communications
  7. Confidential Reporting and Investigation
  8. Incentives and Disciplinary Measures
  9. Continuous Improvement, Periodic Testing and Review
  10. Third Party Management
  11. Mergers and Acquisitions

Significance of the 2017 Guidance

The 2017 Guidance is noteworthy in several respects. First, the 2017 Guidance reveals the Fraud Section’s intention to subject corporate compliance programs to robust and fact-intensive evaluations when investigating and addressing alleged corporate wrongdoing. The 2017 Guidance sets forth a wide range of highly detailed questions that are intended to ascertain specific information regarding many different aspects of a company’s compliance program.[6] These questions will be used to determine how the company’s compliance program stacks up with respect to the particular criteria deemed relevant by the Fraud Section. The 2017 Guidance provides that the questions should be used and tailored for “each company’s risk profile” and acknowledges that each corporation warrants a “particularized” evaluation. Contrary to the more generalized guidance previously issued, the 2017 Guidance provides practical and meaningful tools - - in the form of targeted questions - - that a corporation can and should utilize to ensure that its compliance program is effective and will withstand government scrutiny.

Second, the 2017 Guidance highlights the government’s longstanding position that prosecutors should look beyond a company’s written compliance policies and procedures. Prosecutors are expected to engage in a fact-intensive analysis in order to determine whether a corporation’s compliance program is merely a “paper program,” or whether it is designed, implemented, reviewed, and revised, as appropriate, in an effective manner. That is, while a corporation may draft policies and procedures that purport to meet compliance expectations, the crux of the inquiry will focus on how the program operates in practice.

Third, the 2017 Guidance reveals the significance that the government attributes to the independence and empowerment of compliance personnel. The heightened focus on the roles and responsibilities of compliance personnel demonstrates the government’s view that the efficacy of a compliance program is based, in part, on the stature, authority, and autonomy of the responsible personnel. For instance, the 2017 Guidance poses a series of questions designed to evaluate a compliance officer’s “compensation levels, rank/title, reporting line, resources, and access to key decision-makers.” The sample questions also direct prosecutors to consider whether a compliance department has adequate support from the corporation. A compliance program is expected to be sufficiently funded and resourced at a level that is proportional to the risks that a particular corporation faces. In sum, the 2017 Guidance signals that prosecutors will consider whether compliance personnel have the experience, power, and means to implement and enforce compliance measures to address compliance concerns effectively.

Fourth, the 2017 Guidance indicates that corporate compliance programs are expected to adapt to a company’s changing business and risk profile. A strong compliance program is designed to respond to the varying risks faced by a particular corporation. This concern has become increasingly important as companies expand their businesses geographically and substantively. For example, the emphasis on third-party management is an acknowledgement that third parties pose compliance risks for companies operating abroad, and indicates an expectation that a compliance program should be designed to address such risks. In short, the 2017 Guidance indicates that when business-related changes occur, the compliance program must be part of that change, and that the company will be expected to reassess the corporation’s risk profile and enhance its compliance program to respond to any new risks faced by the company.

The 2017 Guidance demonstrates the Fraud Section’s intentions to conduct far-reaching and rigorous, fact-based evaluations of the compliance programs of companies facing allegations of corporate misconduct. Given the expected government scrutiny of corporate compliance programs, along with the government’s expanding enforcement efforts to combat corporate wrongdoing in both the criminal and civil arenas, and its increasing focus on holding both organizations and individuals accountable, companies cannot afford to ignore the valuable and detailed information provided by the 2017 Guidance. It is imperative that companies use the 2017 Guidance to assess the adequacy of their existing compliance programs, including whether the program is merely a “paper program” or is practically effective, and whether its compliance personnel have the requisite authority and resources to carry out compliance objectives. Companies should engage in the type of fact-intensive inquiries set forth in the 2017 Guidance in order to assess the effectiveness of their programs based on the specific criteria and questions identified by the government as relevant to the determination. While every company’s business and risk profile is different, only by carefully considering and applying the 2017 Guidance in reviewing their own compliance programs will companies be able to determine how the government would evaluate their programs, if they were to come under scrutiny. If a company’s compliance program falls short, as measured against the specific criteria set forth in the 2017 Guidance, appropriately tailored based on the company’s profile, the company should take immediate steps to improve its program in order to meet the government’s clearly stated expectations for an effective compliance program.