On April 30, 2019, the Assistant Attorney General for the Criminal Division, Brian A. Benczkowski, announced an update to the Department of Justice’s (“DOJ”) 2017 guidance document entitled Evaluation of Corporate Compliance Programs (“2019 Guidance”).1
In the announcement, delivered at the Ethics and Compliance Initiative 2019 Annual Impact Conference, AAG Benczkowski argued that the role played by compliance programs in the early detection and ultimate prevention of misconduct “cannot be overstated.” When misconduct has occurred, he explained, early detection and self-reporting help the DOJ investigate the company, prosecute individual wrongdoers, and demonstrate the company’s commitment to compliance. These factors, in turn, could affect the outcome of DOJ decisions with regard to: (1) charging, including whether a company receives a declination; (2) ultimate financial penalties, including the company’s culpability score under the US Sentencing guidelines; and (3) compliance obligations contained in a corporate criminal resolution, including whether an independent monitor will be appointed. The 2019 Guidance frames its examination of corporate compliance programs in the context of three fundamental questions: “(1) Is the corporation’s compliance program well designed? (2) Is the program being applied earnestly and in good faith? In other words, is the program being implemented effectively? (3) Does the corporation’s compliance program work in practice?”2
While prior compliance guidance was published in 2017 by the Fraud Section, which, among other things, has primary responsibility for prosecuting companies under the Foreign Corrupt Practices Act (“FCPA”), AAG Benczkowski noted that corporate crime is prosecuted by attorneys across the DOJ, including in the Fraud, Money Laundering and Asset Recovery, and Computer Crime and Intellectual Property Sections. The 2019 Guidance aims to “better harmonize the prior Fraud Section publication with other Department guidance and legal standards,” and it does so by incorporating compliance-related aspects of the US Sentencing Guidelines, and expanding on the “Corporate Compliance Program” attachments to Non-Prosecution and Deferred Prosecution Agreements. The 2019 Guidance applies beyond FCPA matters to the entire criminal division but in substance remains focused on heartland FCPA risk areas like third-party payments and travel and entertainment expenses.
The 2019 Guidance covers many of the same topics as its 2017 predecessor, but is twice as long, reorganizing and expanding on the earlier document. Below we highlight many of the noteworthy updates to the DOJ’s guidance within the framework of the DOJ’s three driving questions related to compliance.3
I. Is the Corporation’s Compliance Program Well Designed?
This section contains guidance on the following topics: Risk Assessment; Policies and Procedures; Training and Communications; Confidential Reporting Structure and Investigation Process; Third Party Management; and Mergers and Acquisitions. Noteworthy updates include:
- Stronger emphasis on risk assessments. In the 2019 Guidance, risk assessments are presented as “the starting point for a prosecutor’s evaluation of whether a company has a well-designed compliance program.” While the previous guidance noted that prosecutors might ask about the existence and use of a risk assessment, the 2019 Guidance is more prescriptive, allowing prosecutors to “credit” a risk-based compliance program that is focused on areas of highest risk, even if that program fails to prevent misconduct in low-risk areas. The new guidance also indicates that companies should periodically revisit risk assessments and update compliance programs as a company’s risk profile changes over time.
- Requirement that companies test the effectiveness of compliance trainings. Like the 2017 version, the 2019 Guidance encourages companies to tailor training to identified areas of risk, as well as to incorporate lessons learned from past misconduct into employee training and communication. The 2019 Guidance also suggests that companies proactively monitor outcomes, testing employees on what they learned in compliance trainings and responding with remedial measures if an employee fails all or a portion of the testing.
- Focus on investigations and responses to hotline reports or other complaints. The prior guidance posed broad questions about whether investigations were effectively scoped and undertaken. The 2019 Guidance focuses on investigations and the company’s response to complaints as an element of effective program design, as well as a metric to assess how effective the program is in practice. Under the 2019 Guidance, the DOJ will examine, for example, whether the reporting mechanism is publicized to employees and how a company determines which complaints or red flags warrant further investigation. The 2019 Guidance also introduces “timing metrics” for the first time as an indicator of whether the company’s response to complaints is effective, placing a premium on prompt and timely investigations.
- Scrutiny in practices surrounding third parties. The DOJ’s guidance in relation to third-party agents, consultants, and distributors remains largely unchanged, though the 2019 Guidance specifies that prosecutors will ask whether a company (1) keeps track of third parties who fail due diligence reviews or are terminated; (2) has systems in place to prevent third parties that have previously failed due diligence from being (re)hired at a later date; and (3) has and exercises “audit rights” on third parties.
II. Is the Corporation’s Compliance Program Being Implemented Effectively?
This section contains guidance on the following topics: Commitment by Senior and Middle Management; Autonomy and Resources; and Incentives and Disciplinary Measures. Noteworthy updates include:
- Elevating the responsibilities of middle management. While the prior guidance focused almost exclusively on senior managers, the 2019 Guidance targets the critical role of middle managers in reinforcing ethical standards laid out by the company, encouraging employees to commit to compliance, and modeling proper behavior for junior employees.
- Focus on the internal structure and staffing of the compliance function. The DOJ fleshes out its focus on the autonomy of, and financial and human resources dedicated to, the compliance function in the 2019 Guidance. The 2019 Guidance asks “[w]here within the company is the compliance function housed . . . .” While not saying so directly here, the DOJ previously has expressed a preference for independent compliance functions rather than those that report through legal or business functions. The DOJ may ask whether the compliance head has sufficient autonomy from management, such as a reporting line to the audit committee of the Board (where appropriate). Prosecutors will also review whether the compliance function is adequately staffed by examining financial resources, as well as the number and background of dedicated compliance personnel. While the 2019 Guidance notes that the structure and staffing of the compliance department may vary based on the size of the company, it also expresses a clear preference for personnel who are dedicated to compliance and do not split their time with another function, and expects that a company will review and revise its staffing to respond to investigation findings or as its risk profile changes over time.
III. Does the Corporation’s Compliance Program Work in Practice?
This section contains guidance on the following topics: Continuous Improvement, Periodic Testing, and Review; Investigations and Misconduct; and Analysis and Remediation of Any Underlying Misconduct. Noteworthy updates include:
- Identification of misconduct considered “strong indicator” that a compliance program is working. The 2019 Guidance notes that the existence of misconduct does not necessarily mean that a compliance program was ineffective and directs DOJ prosecutors to view a compliance function that identifies misconduct and allows the company to self-report and timely remediate that conduct as a “strong indicator” that the compliance function is “working effectively.”
- Spotlight on a company’s “culture of compliance.” The 2019 Guidance introduces the term “culture of compliance.” In assessing a company’s culture, the DOJ will review whether a company (1) measures its culture of compliance, including by seeking input from employees at all levels of the organization to assess perceptions of the commitment to compliance among senior and middle management; and (2) how it responds to the results of these surveys.
- Tension in squaring the DOJ’s positions on a company’s record on employee discipline. The DOJ’s questions on employee discipline remain unchanged in the 2019 Guidance. While the DOJ often states that it does not interfere in companies’ personnel decisions, the 2019 Guidance makes clear that the DOJ will inquire as to employee discipline related to identified misconduct and suggests that the DOJ may not provide full remediation credit if it believes that an insufficient number or inappropriate selection of employees have been disciplined. This is consistent with comments in several recent deferred prosecution and non-prosecution agreements.
The DOJ in recent years has signaled in its public statements and its settlement documents that it is willing to offer substantial credit, including declinations of prosecution, where, among other things, a company has demonstrated a firm commitment to, and effective implementation of, strong compliance measures. The Department’s new guidance is its most expansive effort to date to publicize and explain its views on effective compliance programs.
While much of the content may not be new to seasoned compliance professionals, there are some key areas where additional color and nuance have been provided relating to otherwise familiar topics. For these reasons, the 2019 Guidance is worthy of close consideration. Corporate compliance officers will be well served to analyze the guidance carefully and ensure that their programs incorporate the DOJ’s priorities or make sure that they have well-reasoned explanations for aspects of their programs that do not.