DOJ Criminal Division Releases Guidance on Evaluation of Corporate Compliance Programs

The Criminal Division of the United States Justice Department (DOJ) recently released a guidance document for its prosecutors as an adjunct to the agency’s Justice Manual. The Manual provides direction to prosecutors on the factors they should consider when conducting an investigation into alleged corporate wrongdoing. The adequacy and effectiveness of a corporation’s compliance program is one of the factors to be examined. The “Evaluation of Corporate Compliance Programs” Guidance is meant to “assist prosecutors in making informed decisions as to whether, and to what extent, the corporation’s compliance program was effective at the time of the offense, and is effective at the time of a charging decision or resolution” for purposes of determining DOJ’s future course of action regarding any wrongdoing at the company. 

While geared specifically to prosecutors, the head of DOJ’s criminal division, Brian Benczkowski, stated during prepared remarks earlier this week, “In drafting the updated version of the document, we have sought to provide additional transparency in how we will analyze a company’s compliance program.” 

The Guidance is broken down into three parts, focusing on three “overarching questions” that prosecutors should consider when evaluating compliance programs: 

• Is the program well designed?

• Is the program effectively implemented?

• Does the compliance program actually work in practice?

I. Is the compliance program well designed? 

Section I of the Guidance focuses on some of the criteria that should be considered during an evaluation of the compliance program itself. 

Prosecutors will evaluate whether or not a company has sufficiently and thoroughly considered its risks based upon its particular line of business, including the process used in assessing those risks, how resources are allocated to address those perceived risks and how the risk assessment is kept updated – particularly in regard to “lessons learned” from instances of misconduct. 

Other areas covered in section I of the Guidance discusses compliance policies and procedures (essentially a code of conduct), training and communication regarding those policies and procedures, reporting and investigation processes and the management of risks associated with third parties and related due-diligence based on the nature of those relationships and the potential risks. Due diligence related to mergers and acquisitions are also addressed in this section.

II. Is the Corporation’s Compliance Program Being Implemented Effectively?

Prosecutors will also look to whether or not even a well-designed compliance program is implemented in a way that, in practice, offers more than just a commitment on paper. Section II suggests that prosecutors evaluate the program by looking for “high-level commitment” by company leadership, including oversight, evidence of an adequately staffed compliance team (seniority, authority, experience, funding), and a process for disciplinary action (or incentives) that is managed consistently across the organization. 

III. Does the Corporation’s Compliance Program Work in Practice?

As noted in the Guidance, one of the most difficult tasks that prosecutors face is the “backwards looking” task of assessing a compliance program’s effectiveness at the time of the offense. Therefore, this phase of the assessment entails consideration of how the misconduct was initially detected, what resources were in place to investigate any suspected misconduct and the nature of the company’s remedial efforts. Prosecutors will look for evidence of internal audits, investigations that are “properly scoped” and run by qualified personnel and, very importantly “root cause” analysis and efforts at remediation, including an assessment of why existing policies and procedures failed.

The Guidance recognizes that each company is different, and that no criminal investigation can be conducted by a “one size fits all” approach. However, the document does present companies with very clear guideposts as to what they should be doing in terms of constructing and implementing a compliance program that would pass muster should they ever be the object of a DOJ criminal investigation.