On June 1, 2020, the U.S. Department of Justice released a revision of its guidance on the Evaluation of Corporate Compliance Programs. See Evaluation of Corporate Compliance Programs, U.S. Department of Justice, Criminal Division (June 2020) (the “Compliance Program Guidance”). The Compliance Program Guidance provides companies with general principles and factors to consider when designing, implementing, and updating their compliance policies and procedures. It also provides a useful basis for companies seeking to avoid or mitigate prosecution pursuant to the DOJ’s “Principles of Federal Prosecution of Business Organizations” and the U.S. Sentencing Guidelines, both of which require DOJ prosecutors to consider a company’s compliance program as a factor in their decisions to instigate a case and in terms of punishment. While the revisions to the Compliance Program Guidance generally represent incremental changes, there are sufficient updates that companies may still want to take this opportunity to reevaluate existing compliance programs to ensure that they are keeping step with evolving best practices.
We have broken the revisions down into several thematic categories. First, there are a number of revisions that appear geared toward providing more detail and nuance about the factors that the DOJ considers as part of its program evaluation, without actually altering the substance of what the DOJ has long emphasized. For example, the previous Compliance Program Guidance stated that prosecutors should make an “individualized determination” of compliance programs. The revised version explains that the factors considered in this determination include “the company’s size, industry, geographic footprint, regulatory landscape” as well as “other factors, both internal and external to the company’s operations.” Those factors, as a practical matter, were already being considered by line prosecutors, but now the guidance is in writing.
Similarly, the revised guidance adds to previous guidance on how the DOJ evaluates the accessibility of a company’s policies and procedures, stating explicitly that they should be published “in a searchable format.” And, the revised guidance added several references to whether a company plans for and effectively implements post-acquisition or post-merger compliance program integration. These additions are by no means earth-shattering, but they provide clear, useful information and highlight minor changes that could improve a company’s compliance program.
Second, there are a number of revisions that appear to be geared towards evaluating whether a company itself evaluates and tracks its compliance program. These are, in our view, the most substantive changes that were made. For example, the revised Compliance Program Guidance indicates that the DOJ would consider whether a company:
- Tracks or measures access to its compliance policies and procedures to understand what policies are attracting more attention from employees;
- Engages in a “periodic review” of its risk assessment “based upon continuous access to operational data and information across functions” and whether the periodic review has led to updates in policies, procedures, and controls;
- Employs “a process for tracking and incorporating” lessons learned from “prior issues” of the company and “other companies operating in the same industry and/or geographical region”;
- Evaluates the impact of training on employee behavior;
- Tests the compliance program, including the hotline, in terms of employees’ knowledge and comfort in using it and in terms of “tracking a report from start to finish”; and
- Monitors “investigations and resulting discipline to ensure consistency.”
Put simply, these revisions further emphasize the DOJ’s previously stated expectation that compliance programs must be dynamic and constantly improving based on informed self-assessment and feedback. Accordingly, complying with these directives to companies to test, measure, and evaluate their compliance programs’ efficacy will be critical to implementing the most effective program and to demonstrating this fact to the DOJ with credibility.
Third, some of the DOJ’s revisions to the Compliance Program Guidance have the effect of reducing some of the arguably bright-line, determinative aspects of the previous version by adding language confirming that the DOJ recognizes that compliance programs are not one-size-fits-all. For example, the previous guidance’s question of whether a compliance program is “being implemented effectively” has become, in the new version, whether it is “adequately resourced and empowered to function effectively.” In terms of training, the DOJ makes it clear that longer is not always better, citing companies that use “shorter, more targeted” sessions as a positive example. The DOJ also adds that the “need for” due diligence of third parties, rather than just the degree of due diligence, “may vary based on size.” Finally, the DOJ acknowledges that a company’s compliance program outside the U.S. might be affected by local law, and it will consider the limitations and requirements of foreign law as part of its evaluation. On balance, we view all of these changes as positive, and they should make it easier for companies to engage in constructive dialogue regarding how their compliance programs should impact charging and sentencing decisions.
Companies would be wise to take this opportunity to reassess their compliance programs, or at least incorporate the new DOJ Compliance Program Guidance into their next periodic self-assessment. After all, while the overall message and impact of the Guidance largely stays the same, the revisions do provide helpful clarification. And being able to demonstrate that companies are trying to keep up with evolving best practices will serve them well if problems are later uncovered.