On June 1, 2020, the Criminal Division (the “Criminal Division”) of the Department of Justice (the “DOJ” or “Department”) issued revised guidance (the “June 2020 Guidance”) about how it will evaluate corporate compliance programs.[1] The June 2020 Guidance builds upon the Criminal Division’s “Ten Hallmarks of Effective Compliance Programs” issued in 2012, and elaboration on that guidance in February 2017, which was then updated in April 2019 (the “April 2019 Guidance”). The June 2020 Guidance provides additional details about the types of considerations that prosecutors will weigh when determining “whether, and to what extent, the corporation’s compliance program was effective at the time of the offense, and [whether it] is effective at the time of a charging decision or resolution, for purposes of determining the appropriate (1) form of any resolution or prosecution; (2) monetary penalty, if any; and (3) compliance obligations contained in any corporate criminal resolution.”

Below is a brief summary of the key revisions in the June 2020 Guidance and, for reference, a redline that identifies all of the changes the DOJ made to its April 2019 Guidance. According to Assistant Attorney General Brian Benczkowski, the “revised guidance on the Evaluation of Corporate Compliance Programs reflects additions based on [the DOJ’s] experience and important feedback from the business and compliance communities.”[2]

• All companies are different and context matters. The April 2019 Guidance provides that “corporate compliance program[s] must be evaluated in the specific context of a criminal investigation” and the Department will “not use any rigid formula to assess the effectiveness of corporate compliance programs” because “each company’s risk profile and solutions to reduce its risks warrant particularized evaluation.” The June 2020 Guidance lists specific factors that the DOJ will use to make individualized determinations of the effectiveness of corporate compliance programs, “including but not limited to, the company’s size, industry, geographic footprint, regulatory landscape, and other factors, both internal and external to the company’s operations, that might impact its compliance program.” By identifying the various factors that it may consider, the June 2020 Guidance makes clear that companies cannot take a one-size-fits-all approach to their corporate compliance programs.
• Meaning of a compliance program being applied earnestly and in good faith. The prior DOJ guidance identified three fundamental questions that prosecutors should ask about a corporation’s compliance program: (1) is the corporation’s compliance program well designed; (2) is the program being implemented earnestly and in good faith; and (3) does the corporation’s compliance program work in practice. The June 2020 Guidance provides additional insight into the Department’s considerations with respect to the second question. The new guidance states that when determining whether a corporate compliance program is applied earnestly and in good faith, the Department will specifically look at whether the program is “adequately resourced and empowered to function effectively.” Notably, the new guidance also states that it is “important for a company to create and foster a culture of ethics and compliance with the law at all levels of the company” and that leadership “from the middle and the top” is responsible for implementing a company’s culture of compliance. These elaborations underscore for companies the importance of allocating resources, including adequate staffing, funding, and data resources, to their corporate compliance programs. This is particularly important for companies to keep in mind as many consider and implement austerity measures in light of the financial crisis caused by the COVID-19 pandemic, which history suggests will likely give rise to many future government investigations. Read BakerHostetler’s prior alert on this topic.
• Evolution of compliance programs. The June 2020 Guidance emphasizes that a company’s compliance program should change and evolve over time. With respect to assessing risks, the DOJ now will consider whether there “[i]s a periodic review” of the program that is “limited to a ‘snapshot’ in time or based upon continuous access to operational data and information across functions.” The Department will also consider whether the company’s ongoing risk review has “led to updates to policies, procedures, and controls.” Specifically, the Department will look at whether the company has “a process for tracking and incorporating into its periodic risk assessment lessons learned either from the company’s own prior issues or from those of other companies operating in the same industry and/or geographical region.” Additionally, the DOJ added that it will consider whether the “company review[s] and adapt[s] its compliance program based upon lessons learned from its own misconduct and/or that of other companies facing similar risks.”
• Tracking and utilizing data. The June 2020 Guidance highlights the importance of tracking and utilizing data to measure a compliance program’s effectiveness. In connection with whether the compliance program is adequately resourced, the guidance adds a new subsection on “Data Resources and Access.” Prosecutors will evaluate whether “compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions” or whether there are “impediments . . . that limit access to relevant sources of data, and, if so, what the company [is] doing to address the impediments.” The new guidance also states that the Department will consider whether the company “track[s] access to various policies and procedures to understand what policies are attracting more attention from relevant employees” and “periodically test[s] the effectiveness of the hotline, for example, by tracking a report from start to finish.”
• Training. The June 2020 Guidance shows an increased focus on corporate compliance training programs. In further indication of what it expects training programs to look like, the DOJ added new language that some “companies have invested in shorter, more targeted training sessions to enable employees to timely identify and raise issues to appropriate compliance, internal audit, or other risk management functions.” The new guidance asks whether the company has a mechanism that allows employees to ask questions arising out of the training and whether the company has taken measures to test whether employees are aware of how, and feel comfortable to, report compliance issues. The June 2020 Guidance also asks whether “the company evaluated the extent to which the training has an impact on employee behavior or operations.” In addition, prosecutors will now inquire into how “the company invest[s] in further training and development of the compliance and other control personnel.”
• Third-party diligence. The June 2020 Guidance provides meaningful updates to the DOJ’s expectations of a company’s third-party diligence practices. The new guidance adds that prosecutors should assess whether the company knows “the risks posed by third-party partners.” Prosecutors also will now evaluate whether the company “engage[s] in risk management of third parties throughout the lifespan of the relationship, or primarily during the onboarding process.”
• Mergers and acquisitions. The prior guidance stated that a well-designed compliance program should include comprehensive due diligence of any acquisition targets. The June 2020 Guidance adds that compliance programs should have “a process for timely and orderly integration of the acquired entity into the existing compliance program structures and internal controls.” Prosecutors also will now ask for the company’s process for conducting post-acquisition audits at newly-acquired entities.

The Criminal Division’s June 2020 Guidelines do not apply Department-wide; however, additional divisions may update their guidance to mirror the Criminal Division’s June 2020 Guidance. For example, the DOJ’s Antitrust Division for the first time issued its own “Evaluation of Corporate Compliance Programs in Criminal Antitrust Investigations,” in July 2019.[3] Read BakerHostetler’s prior alert on this topic. The Antitrust Division’s compliance guidance mirrored many of the same core principles as the Criminal Division’s April 2019 Guidance, with a particular focus on antitrust issues and preventing anticompetitive collusion among competitors. The Criminal Division’s June 2020 Guidance is largely consistent with the Antitrust Division’s guidance. However, one notable difference is that the revised Criminal Division guidance’s new focus on “Data Resources and Access” is not currently reflected in the Antitrust Division’s guidance. It is likely that the Antitrust Division will update its own guidance to reflect the new focus on data and resources seen in the Criminal Division’s June 2020 Guidance, and make other antitrust-specific changes based on lessons learned over the past year.

***

The Criminal Division’s June 2020 Guidance identifies for companies what the Department considers to be best practices with respect to implementing robust and effective compliance measures that are specifically tailored to reduce the risks faced by their specific businesses. Companies should consult with experienced counsel to review their compliance programs in light of the June 2020 Guidance and consider whether they should implement additional policies, procedures, or controls to further reduce legal and compliance risks, in line with the Department’s best practices.

[1] U.S. Dep’t of Justice, Criminal Div., Evaluation of Corporate Compliance Programs (June 2020), available at https://www.justice.gov/criminal-fraud/page/file/937501/download.
[2] D. Tokar, “Justice Dep’t Adds New Detail to Compliance Evaluation Guidance,” The Wall Street Journal (June 1, 2020), available at https://www.wsj.com/articles/justice-department-adds-new-detail-to-compliance-evaluation-guidance-11591052949.
[3] U.S. Dep’t of Justice, Antitrust Div., Evaluation of Corporate Compliance Programs in Criminal Antitrust Investigations (July 2019), available at https://www.justice.gov/atr/page/file/1182001/download.