This week, Assistant Attorney General Brian A. Benczkowski announced a significant rewrite of the Department of Justice’s (DOJ) guidance document “Evaluation of Corporate Compliance Programs” (Compliance Guidance) with the stated intent of providing “additional transparency” and “additional insight” into DOJ’s thinking on this topic of increasing importance for companies large and small. Because the DOJ is a primary regulator for companies of all sectors and sizes as well as the most complex statutory schemes, including federal anti-corruption, securities, false claims, anti-money laundering, sanctions, export controls, and environmental laws, the DOJ’s updated guidance on evaluating effective compliance programs carries extra weight.
The new guidance is intended to be comprehensive. Companies and prosecutors often look to multiple guidance sources to frame their analysis of compliance programs: the Justice Manual’s “Filip Factors” in connection with charging decisions; the US Sentencing Guidelines section on effective compliance programs in connection with computation of potential criminal fines; and a combination of these and other guidance in connection with discussions of potential monitorships.
While it remains an open question as to how the DOJ and the US Attorney’s Offices will use the revised Compliance Guidance in practice, the guidance states that it should be used to assist prosecutors in all three of these stages of enforcement: (i) the charging decision; (ii) the penalty calculation; and (iii) the monitorship determination. In theory at least, the new Compliance Guidance should cover it all. Importantly, however, the Compliance Guidance provides a good roadmap for corporations seeking to develop and implement effective compliance programs before facing potential DOJ scrutiny.
Notably, DOJ’s new Compliance Guidance differs in several key respects from the 2017 guidance document it replaces. First and foremost, the revised guidance is more instructive; it supplements previously published lists of questions with more concrete statements about what the DOJ considers an “effective” compliance program. For example, the revised Compliance Guidance states that an effective compliance program “should include comprehensive due diligence of any acquisition targets” and “risk-based due diligence [on] third-parties.” It places greater emphasis on program elements like “[t]he effectiveness of the company’s risk assessment and the manner in which the company’s compliance program has been tailored based on that risk assessment” and whether the company’s risk assessment criteria are “periodically updated.” The new Compliance Guidance is discussed more fully below.
Evaluation of corporate compliance programs
Benczkowski observed that, if done right, a compliance program “has the ability to keep the company off [the DOJ’s] radar screen entirely.” But beyond prevention of misconduct, Benczkowski noted that a compliance program factors into the DOJ’s investigation and resolution of corporate cases in several critical ways. He specifically highlighted that an effective compliance program allows companies to detect misconduct at an early stage, allows “the government to more effectively investigate and prosecute [individual] wrongdoers,” and minimizes the risk of future violations.
The Compliance Guidance formalizes the factors that federal prosecutors should consider in assessing the effectiveness of a company’s compliance program and exercising prosecutorial discretion in connection with charging, penalties, and monitorship decisions. The Compliance Guidance instructs that three “fundamental questions” should frame these inquiries: (1) is the compliance program well-designed; (2) is the compliance program effectively implemented; and (3) does the compliance program actually work in practice. Corporations developing or evaluating their compliance programs should ask these same questions and consider the lessons in the Compliance Guidance in order to minimize the risk of potential issues and maximize the likelihood that the DOJ will conclude that their compliance program is effective.
“Is the compliance program well designed?” The critical factor in assessing a compliance program’s design is whether the program is designed to prevent and detect wrongdoing and whether management is enforcing the program. In making this determination, the Compliance Guidance directs prosecutors to consider:
(1) Risk assessment – whether the program is appropriately designed to detect the types of misconduct most likely to occur in the corporation’s business and regulatory environment;
(2) Policies and procedures – whether the company has an adequate set of policies that establishes the company’s commitment to compliance with federal laws;
(3) Training and communications – whether the company ensures that its policies and procedures have been integrated into the organization, including through periodic training;
(4) Confidential reporting structure and investigation process – whether the program includes mechanisms for employees to anonymously or confidentially report breaches of the company’s code of conduct or policies or other misconduct;
(5) Third-party management – whether the program includes, where appropriate, due diligence practices to minimize the risk that employees use the company’s third-party vendors, including agents, consultants, and distributors, to engage in misconduct; and
(6) Mergers and acquisitions – whether the program includes a comprehensive due diligence process for any acquisition targets that helps identify any of the target’s corrupt practices or misconduct.
“Is the compliance program effectively implemented?” This inquiry effectively requires prosecutors to determine whether the compliance program is a “compliance program” in name only or one that is actually implemented and enforced. Effective implementation requires that the company’s top leaders establish a culture of compliance and set the tone for the rest of the company. A culture of compliance is evidenced by management’s articulation of the company’s standards and broad communication of and enforcement of those standards. Additionally, prosecutors will assess whether the company’s compliance team has sufficient autonomy and resources to investigate and enforce the company’s program. Finally, the Compliance Guidance instructs that an effective compliance program establishes incentives for compliance and clear disciplinary procedures for violations of the program with a concomitant track record of disciplining non-compliant individuals.
“Does the compliance program work in practice?” The final inquiry is meant to help assess whether the compliance program can minimize the risk of future misconduct. One hallmark of an effective program is the company’s commitment to continuously improve, test, and review the program to ensure that it can respond to previously unidentified issues. Another hallmark of an effective program is the existence of an adequately funded mechanism to timely and thoroughly investigate allegations of misconduct. Finally, an effective compliance program requires that a company be able to conduct a comprehensive root cause analysis of the misconduct and to remediate in a timely and appropriate manner to address the root cause.
As regulatory complexity increases, particularly in business operations and transactions that cross international borders, the DOJ and other U.S. and foreign law enforcement agencies increasingly rely on a company’s ability to self-police and prevent misconduct from the outset through effective compliance programs. In recognition of the importance of compliance, the DOJ has made tangible the benefits a company can receive for designing and implementing an effective compliance program. The DOJ’s newly revised Compliance Guidance reinforces those principles.
Compliance programs come in all shapes and sizes, and their design depends largely on the nature of a company’s business, risk profile, size, and geographic reach. Each company’s compliance needs are unique. However, all compliance programs have this in common: they should be well-designed, effective, and practical. Companies that do not have compliance programs should consider designing and implementing them, and those that already have compliance programs should make it a habit to review them with experienced counsel on a regular basis to ensure that they are evolving alongside the company’s risk profile.