The US Department of Justice’s (DOJ’s) Criminal Division published an update on June 1 to its Evaluation of Corporate Compliance Programs guidance, which is used by its prosecutors to assess the adequacy and effectiveness of corporate compliance programs in corporate criminal resolutions. The updated guidance retains nearly all of the language and questions contained in the previous guidance released in April 2019, but the new update provides clarifications and refinements in key areas, including with regard to access to compliance-related data.
As before, the updated guidance continues to focus on a program’s effectiveness, and the recent updates provide insights and useful clarifications that can aid legal and compliance departments. Read a redline comparison of the updated guidance.
Importantly, the updated guidance changes the inquiry on one of the three fundamental prosecutorial questions (“Is the program being applied earnestly and in good faith?”). Previously, the guidance directed prosecutors to look into whether a corporation’s compliance program was ‘being implemented effectively.’ The updated guidance provides more concrete information about what is at issue, requiring prosecutors to inquire into whether the program is being “adequately resourced and empowered to function effectively?”
In addition, the newest guidance makes the following notable updates:
- The importance of compliance functions having access to relevant data: For the first time, the guidance speaks to how compliance programs are able to access “relevant sources of data,” asking about whether data can be accessed in a timely way and whether impediments exist to such access.
- Emphasis on dynamic policies that can address misconduct immediately: The updated guidance emphasizes a company’s ability to track the effectiveness of its compliance program and poses questions focused on whether companies are updating existing policies to address the lessons learned from internal and/or industry misconduct.
- Greater focus on M&A post-acquisition due diligence and compliance integration: The new guidance speaks in greater depth to how companies address post-acquisition due diligence and integrate new acquisitions into existing compliance structures.
- Clarification on policy accessibility: The updated guidance gives additional clarification that compliance policies should be easily accessible to relevant employees, and advises companies to track the accessibility of their policies and the effectiveness of training.
- Expansion on third-party risk assessment: The updated guidance expands upon third-party management practices and now inquires as to whether companies engage in third-party risk management during the onboarding process or throughout the lifespan of the third party’s engagement.
- Importance of compliance engagement at all levels: The updated guidance emphasizes the need for compliance at all levels of the company, including the implementation of a culture of compliance at the middle management levels.
It is yet to be determined how this new guidance will be implemented, however, the DOJ’s clarification and expansion on specific topics provides useful insight into which corporate compliance programs the DOJ will deem effective. Although the updated guidance is not prescriptive, it does signal that companies and their internal legal and compliance departments should create dynamic and adaptable programs that are appropriately resourced, empowered to be effective and responsive to misconduct, and ever evolving to address dynamic risks.