On April 30, 2019, the U.S. Department of Justice (DOJ) Criminal Division issued updated guidance to prosecutors for assessing corporate compliance programs. The new “Evaluation of Corporate Compliance Programs” (Updated Guidance) replaces the February 2017 Guidance (Prior Guidance). The Updated Guidance provides structure to prosecutors’ charging, case disposition, sentencing, and monitoring decisions by encouraging prosecutors to examine three fundamental questions on compliance programs: (1) Is the program well-designed? (2) Is the program effectively implemented? (3) Does the program actually work in the real world? The Updated Guidance also provides insight to help corporations proactively assess their compliance programs.

In announcing the new guidance, Assistant Attorney General Brian A. Benczkowski underscored the importance of well-designed, effectively implemented, and regularly reviewed compliance programs to corporations: “Effective corporate compliance programs play a critical role in preventing misconduct, facilitating investigations, and informing fair resolutions.” He framed the update as part of DOJ’s “broader efforts . . . to help promote corporate behaviors that benefit the American public and ensure that prosecutors evaluate the effectiveness of compliance in a rigorous and transparent manner.”

While announcing no momentous policy departures, the Updated Guidance furnishes a more detailed and transparent road map. Triple the length of the Prior Guidance, which consisted chiefly of a summary checklist, the Updated Guidance offers a narrative on prosecutors’ analytical framework, diagnostic questions, instructive examples of compliance program features the DOJ considers effective, and cross-references to other DOJ guidance and legal standards.

The Updated Guidance is streamlined along the three key themes of design, implementation, and effectiveness:

Design

In evaluating whether a compliance program is well-designed, the DOJ will examine policies, procedures, training, internal reporting channels, and disciplinary procedures to assess whether the program is grounded in risk analysis based on the corporation’s industry, location, regulatory landscape, transactions with foreign governments, and other relevant factors. As part of this risk analysis, the DOJ will determine whether the corporation applies risk-based due diligence to third-party relationships, such as with consultants or distributors. Another focus is on how the corporation scrutinizes companies targeted for acquisition, including by identifying misconduct and evaluating its costs to be borne by the target.

Implementation

The DOJ will evaluate whether a compliance program is merely a “paper program” or whether it is implemented with real effectiveness in mind. A key question is whether the corporation dedicates adequate resources, including sufficient staff to track, audit, analyze, and utilize the results of compliance efforts. The DOJ will also evaluate whether corporate leadership just talks about a “culture of compliance” or if there is a commitment to such a culture that extends from senior leadership to middle management—whether management demonstrates support for and knowledge of compliance issues and models proper behavior. Another measure will be whether disciplinary actions have been applied consistently and fairly across the organization.

Effectiveness

The most pronounced departure from the Prior Guidance is in the third section, which asks how a corporation’s compliance program works in practice. Much of the answer lies in how thoughtfully and systematically a corporation evaluates its compliance program and incorporates what it learns so the program can “improve and evolve.” This greatly expanded section (formerly three lines of text) now maps with considerable clarity the kinds of steps companies can take to help avert future problems, and, where alleged misconduct is under investigation, possibly to favorably influence charging decisions, resolutions, or sentencing recommendations. Among the key questions the DOJ will ask in evaluating the effectiveness of a program are:

    • Does the corporation periodically conduct meaningful review of its compliance program?
    • Does it include internal audits at appropriate intervals, particularly in high-risk parts of corporate operations?
    • How often and how does the corporation measure its culture of compliance, and does it survey employee perceptions at all levels regarding management’s commitment to compliance?
    • Has gap analysis been performed to identify insufficiently addressed areas of risk?
    • Do assessments include pertinent third parties?

This Updated Guidance from the DOJ offers corporations a valuable tool to help them assess and strengthen their compliance programs.