Recently, the Department of Justice (DOJ) updated its “ Evaluation of Corporate Compliance Programs” guidance — the third iteration of DOJ’s guidance on this topic. The update is intended to offer transparency as to how DOJ views compliance and cooperation in the context of government investigations. Much has been written about the fundamentals of the revised guidance since its publication in June and how companies should evaluate their compliance programs against the benchmark of DOJ’s guidance. But while most companies traditionally consider the importance of a compliance program in a defensive context — as a basis for cooperation credit or a mitigating factor in a damages analysis — DOJ’s guidance reminds us that prosecutors are also to consider the adequacy and effectiveness of a company’s compliance program in determining whether to bring charges. Companies following DOJ’s specific and increasingly detailed guidance in developing and operating effective compliance programs should be arguing that the existence of these programs negates the intent necessary for criminal or civil liability.

Put another way, in developing and updating such specific guidelines on cooperation and compliance, DOJ is communicating to industry that it places a premium on compliance. And implementing DOJ’s guidance requires significant cultural and financial investments. To that end, if a company proactively develops a robust, well-tailored, and well-resourced compliance program that aligns with DOJ’s guidance, DOJ should be willing to concede in those instances that such a program negates any intent to commit fraud and the company should not be criminally or civilly liable.

This position is most compelling in cases where a compliance program detects misconduct, and the company, in turn, discloses that misconduct to DOJ. In these scenarios, it seems antithetical to DOJ’s interest in incentivizing companies to develop robust compliance programs to turn around and seek to hold the company liable for its misconduct. The company has a strong argument that it did everything it could do, and everything that DOJ itself told it to do, in good faith to prevent fraud.

But, these arguments should not necessarily be limited to companies that detect and self-disclose their own misconduct. A company with an effective compliance program that only learns of misconduct through a subpoena or other means, such as a whistleblower complaint, should nonetheless be able to persuade DOJ that it implemented and operated a compliance program in good faith and should not face liability because it did what it could to prevent such misconduct. After all, the 2020 DOJ guidance specifically provides that “the existence of misconduct does not, by itself, mean that a compliance program did not work or was ineffective at the time of the offense.” “Prosecutors may credit the quality and effectiveness of a risk-based compliance program that devotes appropriate attention and resources to high-risk transactions, even if it fails to prevent an infraction.”

As DOJ continues to offer guidance on how it evaluates corporate compliance programs, it should be more critical than ever for companies to demonstrate that they have modeled their compliance programs on DOJ’s guidance.

• Why and How? DOJ has recognized that there is no “one size fits all” for compliance programs and that it must make a “reasonable, individualized determination” as to the effectiveness of a compliance program in each case. There is no “rigid formula” that DOJ uses to evaluate the effectiveness of a specific program; rather it directs prosecutors to understand the “why and how” behind the development, structure, and evolution of a corporate compliance program. In designing and updating compliance programs, companies should be mindful of these key questions, document, and be prepared to explain how the program is designed to meet the company’s needs.

• The Duty to Evolve. Health care fraud enforcement is a rapidly changing environment, and DOJ has made clear that it expects companies’ compliance programs to evolve at the same pace. With this in mind, companies should look to the future and proactively use the DOJ’s 2020 compliance guidance as a measuring stick for evaluating their compliance programs. Even companies with the most resourced, sophisticated compliance programs must engage in periodic review to assess risk and update policies, procedures, and controls. That evolution should be data-driven — based on risk assessments, audits, and prior investigations — and tailored appropriately to higher-risk activities. Companies should implement a schedule for periodic review of compliance training, policies, and controls to ensure that the program is not “stale” and aligns with the most current risks facing the company and the industry.

• Actions Speak Louder Than Words: The 2020 compliance guidance emphasizes that DOJ is unlikely to consider a “paper program” sufficiently resourced and effective. Companies should consider all aspects of their compliance programs and whether they have designed processes and dedicated resources to follow through on the program’s critical elements. Do senior and middle leaders incorporate compliance into the company’s culture? Is compliance incorporated into the evaluation and compensation process? Are investigations independent, thorough, and prompt? Is misconduct met with appropriate consequences?

Regardless of how a compliance program is designed, compliance departments should be deliberate in developing and implementing them with an eye toward explaining how the program has been customized and how it has continuously evolved to meet the company’s changing risk profile. This approach may pay dividends in potential future interactions with DOJ.