On April 30, 2019, the Criminal Division of the United States Department of Justice (the "Criminal Division") released updated guidance, entitled "The Evaluation of Corporate Compliance Programs," for federal prosecutors to use when evaluating corporate compliance programs "for purposes of determining the appropriate (i) form of any resolution or prosecution; (ii) monetary penalty, if any; and (iii) compliance obligations contained in any corporate criminal resolution (e.g., monitorship or reporting obligations)." The guidance, which updates the Criminal Division's Fraud Section guidance issued in February 2017, attempts to better harmonize the Criminal Division's guidance with the DOJ's other guidelines and standards. The updated guidance was compiled with input from across the Criminal Division, including the Office of the Assistant Attorney General, the Fraud Section, and the Money Laundering and Asset Recovery Section.
Whereas the 2017 guidance discussed 11 topic areas with multiple sub-questions for each, the updated guidance is organized around three overarching questions prosecutors should consider when evaluating a corporate compliance program: (i) is the program well-designed; (ii) is the program effectively implemented; and (iii) does the program actually work in practice?
I. Is the Compliance Program Well-Designed?
Part I provides a comprehensive analysis of the hallmarks of a well-designed compliance program, including its risk assessments; company policies and procedures; training and communications; confidential reporting structure and investigation process; management of third parties; and due diligence of any merger or acquisition targets.
This section builds on the 2017 guidance and provides additional questions that prosecutors should ask in the following three focus areas:
- Risk Assessment: Prosecutors are to consider questions of "risk-tailored resource allocation," such as whether the company devotes a "disproportionate amount of time to policing low-risk areas instead of high-risk areas." Prosecutors also should ask questions relating to "updates and revisions" to a corporate compliance program, such as whether the company's risk assessment is "current and subject to periodic review;" whether there have been "updates to policies and procedures in light of lessons learned;" and whether the updates account for "risks discovered through misconduct or other problems with the compliance program."
- Policies and Procedures: Prosecutors also are instructed to consider a compliance program's "comprehensiveness," such as efforts the company has made to "monitor and implement policies and procedures that reflect and deal with the spectrum of risks it faces, including changes to the legal and regulatory landscape."
- Confidential Reporting Structure and Investigation Process: The updated guidance also directs prosecutors to consider the company's "investigation response," such as whether the company applies "timing metrics" to ensure responsiveness and/or has "a process for monitoring the outcome of investigations and ensuring accountability for the response to any findings or recommendations." Additionally, prosecutors should consider a company's "resources and tracking of results," such as whether reporting and investigating mechanisms are "sufficiently funded;" how the company collects, tracks, analyzes, and uses the information; and whether the company "periodically analyze[s] the reports or investigation findings for patterns of misconduct or other red flags for compliance weaknesses."
II. Is the Compliance Program Effectively Implemented?
Part II details the elements of an effective compliance program, including the commitment by senior and middle management to the program; autonomy and adequate resources for those charged with implementing the program; and sufficient incentives and disciplinary measures to ensure robust compliance.
This section reinforces many of the same topics as the 2017 guidance while also directing prosecutors to examine questions of "structure," such as where within the company the compliance function is housed; to whom the compliance function reports; whether the compliance function is run by a designated chief compliance officer; whether compliance personnel are dedicated to compliance responsibilities; and why the company has chosen its particular compliance structure.
III. Does the Compliance Program Work in Practice?
Part III discusses the metrics prosecutors should use to determine whether a compliance program is operating effectively, such as the program's capacity for continuous improvement, periodic testing, and review; investigation of misconduct; and analysis and remediation of underlying misconduct.
This section combines certain topics from the 2017 guidance and adds new questions relating to "culture of compliance," directing prosecutors to consider how the company measures its culture of compliance; whether the company seeks input from all levels of employees to determine how they perceive senior and middle management's commitment to compliance; and what steps the company has taken in response to its measurement of the compliance culture.
The updated guidance demonstrates the DOJ's continued focus on evaluating corporate behaviors in a rigorous manner to ensure companies implement effective compliance programs to deter and detect misconduct and facilitate investigations. Companies should consider re-evaluating their compliance programs to ensure that the concepts contained in this recent guidance and related best practices are appropriately incorporated.