In a little-noticed move yesterday, the U.S. Department of Justice (“DOJ” or “Department”) quietly amended its most important guidance document on corporate compliance. While the updates are far from a dramatic overhaul, they signal that prosecutors will be looking more closely at whether compliance programs (1) are adequately resourced, (2) have formalized processes in place to continually evaluate their effectiveness, (3) have effectively incorporated the use of data analytics, and (4) adequately address cross-border implications.
While these are important updates and much attention will be devoted to analyzing the changes, compliance officers and audit committees should not let what is new distract attention away from what remains unchanged. The overarching point of the guidance remains the same: companies should adopt a risk-based compliance program, based on a thoughtful and rigorous assessment of the company’s risk profile, embed preventative and detective controls tailored to those particular risks, and then be data driven in monitoring the effectiveness of those controls. Therefore, if a company has not yet implemented a robust and recurring risk assessment process as part of its compliance program, that should be the first priority, and a data analytics program can wait.
Originally published in April 2019, the DOJ’s Evaluation of Corporate Compliance Programs is the Department’s most comprehensive guidance on how prosecutors evaluate the design, implementation, and effectiveness of corporate compliance programs. That evaluation is essential when prosecutors make charging decisions, frame sentencing recommendations, and determine whether ongoing corporate compliance obligations, such as the imposition of a monitor, may be necessary as part of any enforcement resolution.1 Given the importance of the guidance, it is encouraging to see the Department provide this update, which undoubtedly reflects how its more recent experiences have shaped its current approach to evaluating corporate compliance programs.
Key Updates and Takeaways
Under the old guidance, one of the Department’s fundamental questions regarding a compliance program was whether it was “being implemented effectively.” The updated guidance ups the ante for companies by asking, more specifically, whether the program is “adequately resourced and empowered to function effectively.” The Department has likely seen too many companies skimping, and now wants to see adequate financial resources dedicated to compliance programs. It is likely a fortunate coincidence that this new emphasis comes in the midst of the global COVID-19 pandemic, when companies are under immense pressure to cut costs where possible. While compliance departments are often some of the first resources to be cut during challenging economic times, the updated guidance suggests that the DOJ already perceives many programs to be under-resourced and, therefore, further compliance cuts could be a risky proposition. General counsel, compliance officers, audit committees, and CFOs should carefully consider whether cutting the compliance program budget in this environment, and immediately after the publication of this guidance, is prudent.
Process On Par with Outcome
While the overall effectiveness of a compliance program is still a primary consideration of the Department’s analysis, in several places the updated guidance suggests that prosecutors will be more focused on whether companies have formal processes in place to continually evaluate and update their compliance programs. Prosecutors will not only want to see that continual internal evaluation takes place, but also a more formalized and data-driven approach to the process. For example, the guidance no longer offers credit for merely updating policies and procedures “in light of lessons learned.” Instead, the guidance now asks whether a company’s internal review of its compliance program is “based upon continuous access to operational data and information across functions,” and whether the company has a formalized process of tracking its own, and industry-wide, compliance developments.
Other updated sections ask whether a company’s policies and procedures are published in a searchable format for easy reference, and whether the company has the ability to track which of its policies attract the most attention from relevant employees. Prosecutors will want to see processes in place for evaluating the effectiveness of compliance trainings, and processes by which employees can ask follow-up questions or raise issues. In the mergers and acquisitions context, the Department wants to see companies conducting post-acquisition compliance audits at newly acquired entities.
Given the increased emphasis on “process,” companies will need to be prepared to demonstrate how they have developed appropriate processes to continually evaluate and update their compliance programs based on a more comprehensive internal review than before.
Got Data Analytics?
Hand-in-hand with the initiatives above, the updated guidance specifically emphasizes that compliance and control personnel need to have sufficient access to relevant data sources in order to allow for “timely and effective monitoring and/or testing of policies, controls, and transactions.” This reflects a growing appreciation by DOJ that effective programs, like everything else in the 21st century, must be data-driven. In fact, many of the specific compliance processes that prosecutors will be looking for may simply be impossible without adequate data analytics. Therefore, companies that have not already explored how to incorporate data analytics into their compliance programs may want to consider doing so.
Compliance Across Borders
An important footnote has been added to the guidance that instructs prosecutors to not only consider how a compliance program may be impacted by foreign laws, but also to specifically ask companies about the basis for any compliance decisions they have made in light of foreign laws. In today’s increasingly borderless world, global companies must grapple with how to structure compliance programs in light of the different laws and circumstances in each of the countries in which they operate. The updated guidance signals that companies must be prepared to defend their compliance decisions in light of those complexities, and explain how those decisions “maintain the integrity and effectiveness” of their compliance program.
Don’t Forget the Fundamentals
While there will be understandable emphasis in the coming days and weeks on what is new in the document, companies should not lose sight of the most fundamental aspects of the Department’s guidance. On the whole, the most important step for a company to take is still to adopt a thoughtful risk-based program, based on a rigorous risk assessment process.