On April 30, 2019, the Department of Justice (DOJ) Criminal Division issued an updated version of the “Evaluation of Corporate Compliance Programs” guidance originally published by the Criminal Division’s Fraud Section in February 2017. The update is more of a consolidation of various compliance program evaluation sources under the broader Criminal Division umbrella than a sweeping change in policy or philosophy, but there some practical takeaways.

In announcing the release, Assistant Attorney General Brian A. Benczkowski noted that the revised guidance is intended to “better harmonize the prior Fraud Section publication with other Department guidance and legal standards.”

The key structural change in the new guidance was a reorganization of the “sample topics and questions” from the 2017 guidance under the rubric of three overarching questions for prosecutors to ask in evaluating compliance programs:

  1. Is the corporation’s compliance program well designed?
  2. Is the program being applied earnestly and in good faith? (i.e., is it implemented effectively?)
  3. Does the corporation’s compliance program work in practice?

The topics covered under the prior guidance are then expanded upon in narrative form, often with more nuanced questions to consider, along with illustrative examples of steps some companies have taken to enhance their compliance programs.

In addition to consolidating the Fraud Section’s prior guidance under the broader Criminal Division umbrella and simplifying its conceptual approach, the key thematic takeaway of this update is that DOJ expects compliance to be an iterative, ongoing process that is focused not just on what policies say or whether there is comprehensive training, but also on whether companies are learning from experience and adjusting accordingly. Much as a company would adapt its business plan to reflect changes in technology, trade relations, and/or geopolitical developments, DOJ expects compliance regimes, writ large, to adapt to evolving compliance challenges and standards.

In practical terms this means that compliance programs need to be updated to reflect actual experiences, both internal (e.g., incidents at the company) and external (e.g., infractions in a particular industry or geographic region). Whether those updates reflect changes in particular control functions, results of internal audits or investigations, enforcement actions in a particular industry or region, or simply better messaging, will vary from company to company. But the message from DOJ is that they are going to assess not only a company’s compliance policies and training records, but also records of how and why the compliance program evolved over time. Although not an entirely new approach, the focus on real world experiences and responses to those experiences is noteworthy.

Unsurprisingly, DOJ’s updated guidance on assessing corporate compliance programs makes clear that it is still intended to assist prosecutors on a wide range of determinations including charging decisions, resolution format, monetary penalties, and whether to impose compliance obligations as part of a resolution (e.g., a monitorship or reporting obligations). And, importantly, the guidance reaffirms that DOJ “does not use any rigid formula to assess the effectiveness of corporate compliance programs” and that it “recognize[s] that each company’s risk profile and solutions to reduce its risks warrant particularized evaluation.” It is not a one size fits all approach, to be sure, but companies under the spotlight should be prepared to defend their unique approach to compliance in a way that reflects their particular experience.