DOJ Issues Further Guidance on Evaluation of Corporate Compliance Programs

On June 1, 2020, Assistant Attorney General for the Criminal Division, Brian A. Benczkowski, announced changes to the U.S. Department of Justice’s (“DOJ”) Evaluation of Corporate Compliance Programs (“2020 Guidance”), the third such iteration of guidance carrying the same name, which was first issued in March 2017 (“2017 Guidance”) and subsequently updated in April 2019 (“2019 Guidance”).    

In a statement announcing the issuance of the 2020 Guidance, AAG Benczkowski noted that the “revised guidance . . . reflects additions based on [the DOJ’s] experience and important feedback from the business and compliance communities.”[1] While the 2019 Guidance covered many of the same topics as its 2017 predecessor, the 2019 version was twice as long, and reorganized and expanded on the earlier document; the changes between the 2019 and 2020 versions are more subtle and less expansive. Nonetheless, the updated 2020 Guidance sheds important light on the DOJ’s view of what constitutes a strong compliance program, both in terms of how the changes signal issues of new importance and how bedrock principles remain unaltered.

Like the 2017 Guidance and 2019 Guidance before it, the 2020 Guidance frames its examination of corporate compliance programs in the context of factors and questions prosecutors should ask in conducting an investigation, determining whether to bring charges, and negotiating plea or other settlement agreements. It is the new formulation of some of these questions—the additions referenced by AAG Benczkowski—that provides insight into the DOJ’s evolving priorities when evaluating compliance programs. 

The most notable changes indicate enhanced focus on three areas:

Compliance Resources. Like the 2019 Guidance, the 2020 Guidance sets forth three “fundamental questions” a prosecutor should ask with respect to a particular program. 

1. Is the corporation’s compliance program well designed?
2. Is the program being applied earnestly and in good faith?
3. Does the corporation’s compliance program work in practice?

The three questions remain the same; however, explanatory text following the second suggests a new focus on the importance of resources and independence to a strong program. This text, previously written as “In other words, is the program being implemented effectively?” now reads “In other words, is the program adequately resourced and empowered to function effectively?” The 2020 Guidance goes on to state that “[e]ven a well-designed compliance program may be unsuccessful in practice if implementation is lax, under-resourced, or otherwise ineffective”—the addition of “under-resourced” to this sentence is new to the 2020 Guidance.

Additionally, a section of the 2020 Guidance specific to Autonomy and Resources now encourages prosecutors to ask “What are the reasons for the structural choices the company has made?” and “How does the company invest in further training and development of the compliance and other control personnel?”

Accordingly, the 2020 Guidance clarifies that the DOJ views sufficient, empowered resources as a key indication of whether a company is implementing its program “earnestly and in good faith,” or whether the program falls flat as the oft-denigrated paper program. 

Importance of Data Aggregation and Analysis. In several areas the 2020 Guidance directs prosecutors to assess the strength of a compliance program through the program’s collection and assessment of data. For example, with respect to policies and procedures, the new version adds: “Does the company track access to various policies and procedures to understand what policies are attracting more attention from relevant employees?” Regarding the effectiveness of a company’s reporting mechanism, the 2020 Guidance now asks whether the company takes “measures to test whether employees are aware of the hotline and feel comfortable using it.” And with respect to periodic risk assessments, the 2020 Guidance asks: “Is the periodic review limited to a ‘snapshot’ in time or based upon continuous access to operational data and information across functions?”

The 2020 Guidance also adds a new paragraph in the section on Autonomy and Resources that queries: “Do compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions? Do any impediments exist that limit access to relevant sources of data and, if so, what is the company doing to address the impediments?”  

While not every company will be expected to track the same metrics or analyze the same data, it is clear that the DOJ is placing increasing importance on the data-driven aspects of a compliance program and how the analysis of this data can identify and respond to risk. It is thus incumbent on companies to review their current programs and ensure appropriate, smart collection, analysis, and utilization of data most relevant to the company’s size, business model, and risk profile.      

Continuous Evolution and Enhancement. It has long been accepted that there is no such thing as a “one-size-fits-all” compliance program and that the first hallmark of a strong compliance program is that it must be risk-based. The 2020 Guidance carries these principles further and clearly articulates that a strong compliance program will also be one that evolves and responds to changes in the company, its business or industry, and its geographic footprint. Indeed, the 2020 Guidance makes explicit that, in answering the fundamental questions, prosecutors “may evaluate the company’s performance on various topics that the Criminal Division has frequently found relevant in evaluating a corporate compliance program both at the time of the offense and at the charging decision and resolution.”

The 2020 Guidance directs prosecutors to “endeavor to understand why the company has chosen to set up the compliance program the way that it has, and why and how the company’s compliance program has evolved over time.” Further, the 2020 Guidance adds a new paragraph on “Lessons Learned - Does the company have a process for tracking and incorporating into its periodic risk assessment lessons learned either from the company’s own prior issues or from those of other companies operating in the same industry and/or geographical region?” The 2020 Guidance also queries whether the company “review[s] and adapt[s] its compliance program based upon lessons learned from its own misconduct and/or that of other companies facing similar risks.”

The DOJ’s encouragement of companies to rely on data and lessons learned to inform change to their compliance programs also speaks to the DOJ’s expectation that evolution is responsive to data and past experiences. Accordingly, the demonstration of a strong compliance program now necessarily entails an explanation of how the program has matured in response to new or changing risk, as well as the availability of new tools or resources—tracing the development arc of the program is now an important element of the program itself.        

Additionally, while perhaps not suggestive of areas of enhanced focus, two other changes to the 2020 Guidance are noteworthy as they make explicit for the first time certain considerations the DOJ will employ when evaluating corporate compliance programs. 

Effective Third Party Management Does Not Stop at Onboarding. The 2020 Guidance adds a question to the Third Party Management section that reads: “Does the company engage in risk management of third parties throughout the lifespan of the relationship, or primarily during the onboarding process?” With this addition, the DOJ is emphasizing that the risks presented by third parties do not stop after onboarding and that while robust, risk-based diligence at the inception of a relationship is essential, it alone is insufficient to demonstrate effective third party management. Of course, this principle—the need for third party management that spans the lifecycle of the relationship—is nothing new, but the DOJ’s express articulation of the expectation is.  

Foreign Law Implications. For the first time in its serial compliance guidance, the DOJ has acknowledged that a company—and thus its compliance program—may be subject to myriad non-U.S. laws and regulations. As noted above, the 2020 Guidance directs prosecutors to assess whether any impediments exist that limit access to relevant sources of data and, if so, how the company has addressed those impediments.  

Like the 2019 Guidance, the 2020 Guidance observes that the “sample topics and questions below form neither a checklist nor a formula” and that in a particular case, “the topics and questions set forth [in the Guidance] may not all be relevant, and others may be more salient given the particular facts at issue.” The 2020 Guidance, however, adds a clause to conclude the latter sentence “ . . . given the particular facts at issue and the circumstances of the company.” A new endnote follows the conclusion of that sentence; the endnote reads:

“Prosecutors should consider whether certain aspects of a compliance program may be impacted by foreign law. Where a company asserts that it has structured its compliance program in a particular way or has made a compliance decision based on requirements of foreign law, prosecutors should ask the company the basis for the company’s conclusion about foreign law, and how the company has addressed the issue to maintain the integrity and effectiveness of its compliance program while still abiding by foreign law.”

Thus, while the 2020 Guidance demonstrates that, like a good compliance program, the criteria through which the DOJ evaluates a corporate compliance program continue to evolve, certain unchanged aspects of the 2020 Guidance also merit attention. First, the 2020 Guidance reiterates that a company’s compliance program must be risk-based and uniquely tailored to that company. The 2020 Guidance expounds on the individualized attention required, noting that the DOJ makes “a reasonable individualized determination in each case that considers various factors including, but not limited to, the company’s size, industry, geographic footprint, regulatory landscape, and other factors, both internal and external to the company’s operations, that might impact its compliance program.” Second, the basic elements—the bones of a strong compliance program—remain unchanged: periodic risk assessments; policies and procedures; training and communications; reporting, investigation, and discipline of misconduct; third party management; mergers and acquisitions; commitment to compliance; and periodic testing and review. Despite the DOJ’s apparent appreciation for the need for customized corporate compliance programs, there are certain fundamental aspects that it continues to expect from these programs.

As with the two earlier iterations of DOJ guidance, compliance officers will be well served to analyze the 2020 Guidance carefully and ensure that their programs incorporate the DOJ’s priorities or make sure that they have well-reasoned explanations for aspects of their programs that do not.           

Footnotes
  1. Dylan Tokar, Justice Department Adds New Detail to Compliance Evaluation Guidance, THE WALL STREET JOURNAL (June 1, 2020).

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© WilmerHale | Attorney Advertising

Written by:

WilmerHale