On June 1, 2020, the U.S. Department of Justice (DOJ) Criminal Division updated its Evaluation of Corporate Compliance Programs (the Evaluation Guidance). The Evaluation Guidance directs federal prosecutors to consider the strength or weakness of an offending organization’s corporate compliance program when making prosecution decisions, calculating penalties and determining whether to impose additional ongoing compliance obligations such as appointing third-party compliance monitors or imposing ongoing reporting requirements. The Evaluation Guidance has existed since 2017 and recently underwent significant revisions in April 2019.
In a statement quoted by the Wall Street Journal, Assistant Attorney General Brian Benczkowski explained that these most recent Evaluation Guidance revisions reflect “additions based on [the DOJ’s] own experience and important feedback from the business and compliance communities.” The DOJ’s most recent revisions do not make any fundamental changes but instead center around three key points: (i) allocation of resources to the corporate compliance function, (ii) ongoing improvement to an organization’s compliance programs, and (iii) compiling compliance data in order to evaluate the compliance program’s performance.
Allocation of resources
Previously, the Evaluation Guidance directed federal prosecutors to consider “is the program being implemented effectively?” as one of three “fundamental questions” when evaluating an organization’s compliance program. These most recent revisions have now revised that question to state “is the program adequately resourced and empowered to function effectively?” (emphasis added). The revised Evaluation Guidance now warns against “under-resourced” programs and directs federal prosecutors to consider organizations’ investment “in further training and development of the compliance and other control personnel.” Additionally, the DOJ has expanded the Evaluation Guidance to now recommend that “all levels of the company” including “middle” company leadership must take responsibility for an organization’s compliance culture (previously, this recommendation was limited to only “top” company leadership).
Ongoing improvements to compliance programs
The Evaluation Guidance continues to recommend that organizations perform ongoing risk assessments to measure the effectiveness of their compliance programs. These recent revisions further emphasize this point by now expressly directing federal prosecutors to consider “why and how [a] company’s compliance program has evolved over time” and to evaluate an organization’s compliance program “both at the time of the offense and at the time of the charging decision and resolution.” This indicates that organizations can potentially receive credit for program improvements initiated after discovering their own misconduct, but conversely also indicates that organizations will face greater penalties for failing to adopt compliance program improvements in a timely manner. The revised Evaluation Guidance also recommends that companies should be more proactive in surveying their respective compliance landscapes. Rather than considering only their own prior compliance issues, the Evaluation Guidance now directs companies to also adjust their compliance programs as necessary to address compliance missteps by “other companies facing similar risks” as well as “other companies operating in the same industry and/or geographic region.”
Data compilation and review
The DOJ added a completely new consideration to the Evaluation Guidance under the sub-heading “Data Resources and Access.” It reads:
Do compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls and transactions? Do any impediments exist that limit access to relevant sources of data and, if so, what is the company doing to address the impediments?
Other revisions to the Evaluation Guidance further expand this concept. One new recommendation encourages companies to “track access to various policies and procedures to understand what policies are attracting more attention from relevant employees.” Another addition now recommends that companies conduct evaluations to determine “the extent to which [compliance] training has an impact on employee behavior or operations.” Additionally, the Evaluation Guidance now recommends that organizations “monitor [their] investigations and resulting discipline to ensure consistency.” Organizations cannot meet this consistency expectation unless they are adequately documenting their compliance efforts. Therefore, although internal documentation and data compilation were already important tasks under the pre-existing Evaluation Guidance, they will be even more important going forward under the revised Evaluation Guidance.
Other miscellaneous revisions
In addition to the key themes discussed above, the DOJ also revised the Evaluation Guidance to address the following miscellaneous topics:
- The Evaluation Guidance now clarifies that the DOJ should consider subjective factors such as “the company’s size, industry, geographic footprint, regulatory landscape and other factors, both internal and external to the company’s operations” when evaluating a company’s compliance program.
- The revised Evaluation Guidance observes that in some instances it would be appropriate for companies to conduct “shorter, more targeted training sessions to enable employees to timely identify and raise issues to appropriate compliance, internal audit or other risk management functions.” Another modification recommends that training sessions feature “a process by which employees can ask questions arising out of the training.”
- The Evaluation Guidance continues to recommend that companies maintain an anonymous reporting mechanism to receive reports of alleged violations, but the revisions now also recommend that companies should periodically test the effectiveness of these mechanisms and expand them to also accept reports from third parties besides their own employees.
- The Evaluation Guidance’s sub-section on Mergers and Acquisitions has been expanded to emphasize the importance of “orderly integration of [any] acquired entity into existing compliance program structures and internal controls” and conducting post-acquisition audits at newly acquired entities.
- Last but not least, the DOJ has added a new footnote which requires prosecutors to “consider whether certain aspects of a compliance program may be impacted by foreign law.” If foreign jurisdictions impose restrictions which prevent an organization from fully implementing the Evaluation Guidance’s recommendations, the revised Evaluation Guidance directs prosecutors to ask “how the company has addressed the [foreign restriction] to maintain the integrity and effectiveness of its compliance program while still abiding by foreign law.”