DOJ Updates Corporate Compliance Guidance, Continues Focus on Risk, Reporting, and Training

ArentFox Schiff

Arent Fox

Earlier this week, the US Department of Justice published updated guidance on how it evaluates corporate compliance programs when conducting investigations, making charging decisions, and negotiating pleas or other agreements.

The document, entitled “Evaluation of Corporate Compliance Programs,” was first released in February 2017. Before this week’s update, the guidance was last published in April 2019.

Lest you were expecting the DOJ to soften its tone around corporate compliance, the substance of the guidance remains largely unchanged. As Assistant Attorney General Brian Benczkowski reportedly said in a statement, “the updates we have made are in keeping with our continued efforts as prosecutors to improve our own policies and practices to ensure transparency and the effective and consistent enforcement of our laws.”

The latest revisions to the guidance primarily add details that focus on ensuring compliance programs are not static, but rather, are periodically reviewed, tested, and adapted to fit changing circumstances. The updated guidance also emphasizes that for a compliance program to be applied “earnestly and in good faith,” it should be “adequately resourced and empowered to function effectively.” The focus on “empowerment” seems designed to avoid the troubling, yet recurring situation where concerns voiced by in-house lawyers and compliance professionals regarding problematic transactions are ignored by business leaders.

Other notable changes to the guidance include the following:

  • DOJ expects compliance and control personnel to have “sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions[.]” In two instances, the updated guidance adds language to make clear that DOJ will look closely at corporate assertions of impediments based on foreign regulation, including as it relates to impediments to data transfer.
  • The guidance highlights that when managing third-party relationships, companies should not stop at assessing risk during the onboarding process but continue risk management throughout the lifespan of the relationship.
  • With respect to acquisitions, DOJ now elaborates that comprehensive pre-acquisition due diligence of targets should be followed by “timely and orderly” post-acquisition compliance integration and compliance audits of newly acquired entities.
  • Simply making compliance policies and procedures accessible online is no longer sufficient to satisfy DOJ, which also expects companies to monitor the use of policies and procedures by employees “to understand what policies are attracting more attention from relevant employees.”
  • Building on prior guidance regarding compliance training, DOJ now suggests that companies consider “more targeted training sessions” designed “to enable employees to timely identify and raise issues to appropriate compliance, internal audit, or other risk management functions.”
  • To establish that reporting mechanisms such as hotlines work, DOJ wants companies to be prepared to show on-going efforts to test employees’ awareness of and comfort using them, suggesting that companies should test hotlines, “for example by tracking a report from start to finish.”

You can view a redline comparison showing all the changes in the June 2020 version of the document against the April 2019 version here.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© ArentFox Schiff | Attorney Advertising

Written by:

ArentFox Schiff

ArentFox Schiff on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.