On April 30, 2019, Assistant Attorney General Brian Benczkowski unveiled an update to the Department of Justice’s Evaluation of Corporate Compliance Programs during a speech in Dallas, Texas.^[1] In issuing the new document (the “Updated Guidance”), Benczkowski emphasized that “[t]he importance of corporate compliance cannot be overstated. My deputies and I spend a lot of time talking about what companies can do to achieve the best result once the company or the Department learns of misconduct. But a company’s compliance program is the first line of defense that prevents the misconduct from happening in the first place.”^[2]

Benczkowski’s comments and the Updated Guidance are the most recent in a long history of DOJ Criminal Division pronouncements stressing importance of corporate compliance programs, both in terms of preventing misconduct and reducing penalties should misconduct occur. While the Updated Guidance does not reveal changes in policy or suggest major developments, it is a significant improvement and offers a helpful window into how DOJ prosecutors will evaluate your company’s compliance program should the need arise.

Below we address some of the questions regarding the guidelines and how it clarifies DOJ’s expectations.

1. There is a lot of commentary out there. What are the fundamental questions DOJ prosecutors ask about compliance?

The Updated Guidance articulates three fundamental questions: (i) Is the corporation’s program well designed? (ii) Is the program being applied earnestly and in good faith? In other words, is the program being implemented effectively? and (iii) Does the corporation’s compliance program work in practice?

The remainder of the Updated Guidance elaborates on how prosecutors will evaluate these three fundamental questions.

2. There are compliance risks everywhere. How should we focus our limited compliance resources?

The Updated Guidance emphasizes that companies should take a risk-based approach to allocating compliance resources. The first step in a risk-based approach is ongoing assessment of risk: “For example, prosecutors should consider whether the company has analyzed and assessed the varying risks presented by, among other factors, the location of its operations, the industry sector, the competitiveness of the market, the regulatory landscape, potential clients and business partners, transactions with foreign governments, payments to foreign officials, use of third parties, gifts, travel, and entertainment expenses, and charitable and political donations.”

Prior guidance cautions companies against spending too much time or attention on lower-risk problems if doing so comes at the expense of addressing areas of greater risk. The Updated Guidance makes this point emphatically and repeatedly: “Does the company devote a disproportionate amount of time policing low-risk areas instead of high-risk areas, such as questionable payments to third-party consultants, suspicious trading activity, or excessive discounts to resellers and distributors?” Scarce resources should focus on high-risk transactions (such as “a large dollar contract with a government agency in a high-risk country”) rather than on “more modest and routine hospitality and entertainment.”

Finally, and importantly, the Updated Guidance emphasizes that risk assessments should not be “one-and-done” exercises. DOJ will check whether the company refreshed the risk assessment to keep it current through “periodic review.” Risks change, not only because companies grow and shift priorities, but also because an effectively operating compliance program will identify new risks from instances of misconduct and controls evasion. Such evolving risks require periodic updates to the company’s risk assessment.

3. We are an international company, and we have an exhaustive global ethics and compliance policy. Isn’t that enough?

No. It is of course essential to have a strong compliance program, including clear policies and procedures. But according to DOJ, those policies and procedures should be “accessible and applicable to all company employees,” and “incorporate the culture of compliance into its day-to-day operations.”

For example, in the past few years, both the DOJ and the SEC have criticized companies for not ensuring that the policies and procedures are accessible by foreign employees. Even the most elaborate policies will be useless if foreign employees are not aware of them, or if they cannot read them because they do not speak English. The policies and procedures should be “rolled out in a way that ensures employees’ understanding.”

4. Whom do we need to train, and how? We can’t train everyone, and people stop listening after a while.

Training should be provided based on risk and should include “all directors, officers, relevant employees, and, where appropriate, agents and business partners.” The training should also be delivered “in a manner tailored to the audience’s size, sophistication, or subject matter expertise,” and it should “give practical advice or case studies to address real-life scenarios, and/or guidance on how to obtain ethics advice on a case-by-case basis as needs arise.”

The Updated Guidance cautions that employees working in high-risk areas should receive training specific to their positions. In addition, companies should consider testing employees on what they have learned in training and maintaining certifications. Note that if companies choose to include testing, they also should address “employees who fail all or a portion of the testing.”

5. We run a whistleblower hotline. We almost never see any activity. That’s great, right?

While a lack of reports could be an indication that processes are functioning smoothly—that there is nothing to report—it could also mean that employees are not using the hotline for some reason. Mechanisms for reporting misconduct should be publicized to employees, and they should allow employees to maintain their anonymity in making reports.

But having a hotline in place is only the first step. There should also be a process to deal with complaints made through the hotline. Companies must take care to design a “process for handling investigations of such complaints, including the routing of complaints to proper personnel, timely completion of thorough investigations, and appropriate follow-up and discipline.” Finally, it is important to “periodically analyze the reports or investigation findings for patterns of misconduct or other red flags for compliance weaknesses.”

6. We realize that third parties are a risk area, and that’s why we run all prospective third parties through a reputational database and require third parties to certify compliance with our policies. Is that enough?

Many companies have established a screening process for on-boarding third parties, which is essential for any successful compliance program. The process usually includes a form that requires a description of the prospective third party’s qualifications and associations (for example, ties to government officials). But running the third parties through a background check and filling out a checklist as a matter of routine is not always sufficient. DOJ cautions companies to engage in a more searching inquiry, including discussions and analysis of “the business rationale for needing the third party” in the first place, whether there are contract terms that “specifically describe the services to be performed,” whether “the third party is actually performing the work,” and whether the “compensation is commensurate with the work being provided in that industry and geographic region.”

In other words, beyond the checklist, can you articulate why you are hiring the agent, what they will do, how they will do it, and how much you are paying them? And is there a process in place for ongoing monitoring of those issues? The Updated Guidance also prioritizes ongoing monitoring of third parties through the exercise of audit rights—specifically whether the company has “audit rights to analyze the books and accounts of third parties, and has the company exercised those rights in the past?”

It is important to keep track of third parties that do not make it through the company’s due diligence process. The fact that not all third parties make it through the process demonstrates that the process is functioning as intended to screen out unworthy parties. And in the absence of a mechanism for tracking third parties that previously failed the diligence process (or have been suspended or terminated), some will find a way to be hired or re-hired later.

7. We also conduct robust pre-acquisition due diligence on any M&A target. Does the DOJ provide any guidance on that process?

The Updated Guidance does address M&A diligence, noting that “pre-M&A due diligence enables the acquiring company to evaluate more accurately each target’s value and negotiate for the costs of any corruption or misconduct to be borne by the target. Flawed or incomplete due diligence can allow misconduct to continue at the target company, causing resulting harm to a business’s profitability and reputation and risking civil and criminal liability.”

This is perhaps one area where the Updated Guidance could go even further. Most companies understand the value in pre-acquisition due diligence and prioritize it accordingly. But in many cases, the information available prior to closing is necessarily limited and difficult to verify. Because of the realities of many transactions, the best opportunity for in-depth diligence is after the transaction closes. Of course, by that point the acquiring company has likely acquired the liabilities and whatever problems are ongoing, but it can also now conduct a robust post-acquisition investigation into high-risk areas, such as FCPA/anti-corruption and sanctions compliance. Following the acquisition, if there is a cancer growing, it is now growing on the acquiring company’s watch, and the acquirer must act quickly to identify any the problems and cure them.

8. The phrase “tone from the top” has become tired—every mature company can show that senior executives push a “do the right thing” ethic. Does DOJ really care about that?

“Tone from the top” may seem cliché, but DOJ rightly insists that companies demonstrate a commitment to ethical behavior that starts with leadership. “Prosecutors should examine the extent to which senior management have clearly articulated the company’s ethical standards, conveyed and disseminated them in clear and unambiguous terms, and demonstrated rigorous adherence by example. Prosecutors should also examine how middle management, in turn, have reinforced those standards and encouraged employees to abide by them.”

The focus will not just be on whether management has issued communications and slogans touting compliance, but will also be on how management has led by example. “Have managers tolerated greater compliance risks in pursuit of new business or greater revenues? Have managers encouraged employees to act unethically to achieve a business objective, or impeded compliance personnel from effectively implementing their duties?”

9. Our company completely overhauled our compliance program in 2009, with the assistance of outside counsel. What else, if anything, does DOJ expect?

The company’s efforts to revamp its program in 2009 are commendable, but 10 years have passed. DOJ expects to see ongoing evolution in compliance programs as they function. “Prosecutors should consider whether the program evolved over time to address existing and changing compliance risks.” The Updated Guidance encourages companies not to rest on their laurels, because “one hallmark of an effective compliance program is its capacity to improve and evolve.” Continuing analysis of the compliance program, including periodic deep dives into potentially risky or problematic areas, will help inform prosecutors when they “consider whether the company has engaged in meaningful efforts to review its compliance program and ensure that it is not stale.”

10. We hear about “culture of compliance.” But how do you measure such a thing, and how can we demonstrate that to DOJ if we find an isolated incident of misconduct?

There are many ways to measure culture of compliance. The first and most obvious is to observe and analyze instances of misconduct, including what went wrong and what went right. But perhaps the best way to measure culture is to listen to employees outside of the context of an investigation or other crisis. “Some companies survey employees to gauge the compliance culture and evaluate the strength of controls, and/or conduct periodic audits to ensure that controls are functioning well, though the nature and frequency of evaluations may depend on the company’s size and complexity.”

You don’t know if you don’t ask, and companies may do well to take a page from marketing experts: focus groups, anonymous surveys, town halls, and other such methods can be extremely effective in evaluating culture, identifying areas for improvement, and demonstrating a company’s commitment to compliance.

[1] “Evaluation of Corporate Compliance Programs,” U.S Department of Justice, Criminal Division, April 2019 Update, available at https://www.justice.gov/criminal-fraud/page/file/937501/download.

[2] Speech of AAG Brian Beczkowski, April 30, 2019, available at https://www.justice.gov/opa/speech/assistant-attorney-general-brian-benczkowski-delivers-keynote-address-ethics-and.