On June 1, 2020, the Department of Justice (DOJ) published an updated version of its guidance for “Evaluation of Corporate Compliance Programs,” originally published in February 2017. The guidance is intended to assist federal prosecutors, but it also shines light on how corporate compliance teams should be organized.
The following are key actions corporate compliance teams should take as a result of the revised guidance.
- Companies must act to ensure compliance teams are adequately resourced and must make investments into compliance programs.
A compliance program must be “adequately resourced and empowered to function” effectively. Companies should invest in compliance by training and incentivize compliance management. Compliance officers should be given access to the management of a corporation or granted enough power to conduct investigations without interference. Prosecutors will look at the resources allocated and positions held by the compliance team to determine the earnest and good faith efforts of a corporation to be compliant.
- Compliance teams should be given access to appropriate data on a frequent basis instead of intermittent snapshots of data.
The new language encourages companies to ensure their programs are always receiving new information and not looking at a “snapshot.” Revisions to the guidance emphasize a theme of dynamic and changing data and analysis expected of compliance programs. These revisions complement the emphasis placed on the individualistic nature of each compliance program and the need to evaluate programs both at the time of an offense and also at the time of a charging decision.
- Compliance teams should stay abreast of industry and regional news, as well as consistently monitor how their internal risk assessments can be incorporated into their programs.
The guidance reveals teams are expected to incorporate “lessons learned” from their own risk assessments, misconduct within the company, as well as misconduct by companies in the same industry or region. Compliance teams need to ensure they stay abreast of relevant industry or regional news in order to adjust their programs accordingly.
- Companies should monitor third party vendors frequently and should incorporate newly-acquired M&A targets into their existing compliance program.
Companies should perform audits on newly-acquired targets. As the guidance acknowledges, full and complete compliance analysis and due diligence may not be completed before acquisition of a target, making post-acquisition compliance essential. Additionally, third party vendors should be monitored and reviewed frequently instead of only at the beginning of a relationship because the guidance notes that third party vendors increase compliance risk in many cases.