The Fraud Section of the Criminal Division of the U.S. Department of Justice ("DOJ") recently released new guidance titled "Evaluation of Corporate Compliance Programs." The guidance draws from previously published sources, including the Principles of Federal Prosecution of Business Organizations published in the United States Attorneys' Manual, the Resource Guide to the U.S. Foreign Corrupt Practices Act issued in 2012 by the DOJ and SEC, and the U.S. Sentencing Guidelines, to assemble a list of factors the Department may consider in evaluating the effectiveness of a corporation's compliance program. The guidance undoubtedly reflects the input of the Fraud Section's compliance expert, Hui Chen, and continues DOJ's emphasis on examining the efficacy of corporate compliance programs when assessing corporate criminal liability. The guidance does not provide fixed metrics or new insight into compliance practices, but rather provides a roadmap of the type of questions the DOJ believes companies should be considering.
The guidance provides eleven "sample topics and questions" that may be reviewed by the Fraud Section in each corporate case. These topics are:
1. Analysis and Remediation of Underlying Misconduct
2. Senior and Middle Management's Roles and Oversight
3. Autonomy and Resources of the Compliance Function
4. Policies and Procedures
5. Risk Assessment
6. Training and Communication
7. Confidential Reporting and Investigation
8. Incentives and Disciplinary Measures
9. Continuous Improvement, Periodic Testing and Review
10. Third Party Management
11. Mergers and Acquisitions
Although these topics have been previously addressed through various official policy statements and highlighted as relevant factors in various corporate resolutions by both DOJ and SEC, some points emerge from the guidance that merit highlighting.
The Role of the Board and Senior Management
DOJ will evaluate how effective a company's board was in monitoring the company's compliance program, including whether there was a procedure in place for the board to meet in private sessions with the compliance and internal control functions. Relatedly, DOJ will inquire whether compliance officers and others in "relevant control functions" (which the guidance identifies as including legal, finance and audit) have direct reporting to the board. DOJ will also evaluate the extent to which senior management, business operational management, and finance, procurement, legal and HR management, have promoted compliance within the organization. DOJ will also examine the type of information available to the board and senior management in exercising their oversight (such as audit findings), including whether there were "prior opportunities to detect" and remediate the type of misconduct giving rise to liability from "audit reports identifying relevant control failures or allegations, complaints, or investigations involving similar issues."
The Compliance Function
DOJ will look into whether the compliance department had sufficient independence to perform its function, whether it was involved in strategic and operational decisions, and whether it had sufficient staffing and resources. The guidance indicates that DOJ will even assess whether compliance personnel are appropriately compensated as compared to their peers in other "strategic functions," and whether the company hired compliance personnel with appropriate experience and qualifications.
Training and Accountability
The guidance indicates that DOJ expects companies to provide "tailored training for high-risk and control employees." DOJ will also examine whether managers were held accountable for misconduct that occurred under their supervision. The guidance also indicates that DOJ will examine whether a "company incentivized compliance and ethical behavior," for example, by rewarding ethical conduct, or, conversely, whether the company's incentives have "potential negative compliance implications."
Mergers and Acquisitions
DOJ will focus on the due diligence process in mergers and acquisitions, including an acquirer's postacquisition efforts to identify and remediate misconduct and other risks and to integrate the acquired entity into its compliance functions post-acquisition.
The guidance signals that, for the foreseeable future, DOJ will continue to conduct robust examinations of compliance programs in corporate cases. Even for companies that presently are not before DOJ, the guidance underscores the need for companies to continuously monitor and assess the efficacy of their compliance programs and internal control functions, and the guidance provides a helpful set of issues and questions to consider when doing so.