What 2020 Brought To Compliance Programs

Thomas Fox - Compliance Evangelist

2020 was a very significant year for every compliance practitioner and compliance program. Not only was it the year with the single highest anti-bribery fine ever and the largest year in FCPA fines to date, but there were also significant enforcement actions, fines and penalties assessed against corporations, coupled with a large number of individual prosecutions. Yet, perhaps most significantly, there were two noteworthy releases of information by the federal government which directly impacted compliance professionals.

In June, the Department of Justice (DOJ) released its 2020 Update to the Evaluation of Corporate Compliance Programs – Guidance Document (2020 Evaluation). It should be mandatory reading for every Chief Compliance Officer (CCO), compliance practitioner and professional, or any other person interested in the latest thinking of the DOJ on what constitutes a best practices compliance program.

Key Themes

In the introduction, the DOJ now stated, “Because a corporate compliance program must be evaluated in the specific context of a criminal investigation, the Criminal Division does not use any rigid formula to assess the effectiveness of corporate compliance programs. We recognize that each company’s risk profile and solutions to reduce its risks warrant particularized evaluation. Accordingly, we make a reasonable, individualized determination in each case that considers various factors including, but not limited to, the company’s size, industry, geographic footprint, regulatory landscape, and other factors, both internal and external to the company’s operations, that might impact its compliance program.” (all changes noted in italics)

This change makes clear that every policy will be evaluated on its own merits. The DOJ lays out some of the factors it will consider, but such consideration will be tempered by a reasonableness standard. Borrowing language from the Antitrust Division, the 2020 Update adds that any compliance program under evaluation by the DOJ will be considered both at the time of the offense and at the time of the charging decision and resolution. The significance of this cannot be overstated, as now you cannot simply remediate your compliance program and basically ask for forgiveness after the FCPA violation has occurred. This statement clarifies any confusion generated by the Benczkowski Memo that all you have to do is aggressively remediate and such post-event clean-up will lead to a declination.

Moreover, this point is further driven home by the addition to fundamental question Number 2 that prosecutors are required to ask, “Is the program being applied earnestly and in good faith?” In other words, is the program adequately resourced and empowered to function effectively? By tying this new language to question Number 2, companies that want to cut back to a paper program and take away the ability of a CCO to effectively do their job will lose the credit going forward as this language clearly references both monetary resources and headcount.

The final addition in the introduction adds the following language, “In any particular case, the topics and questions set forth below may not all be relevant, and others may be more salient given the particular facts at issue and the circumstances of the company.” Here is an important part near and dear to my heart as it clearly equates to Document, Document, and Document. If you make changes to your program; if you lose headcount; if you are not allowed to have the most current tech solution then be prepared to explain why your company cannot do so.

From the changes in the tactical information presented in the 2020 Update, it is clear that the DOJ expects a continually evolving compliance program. It once again demonstrated that the days of a paper program are dead. There are multiple references throughout the 2020 Update for using a variety of compliance tools to garner information and then incorporating that information back into your best practices compliance program on an ongoing basis so that your compliance program is a living, breathing program and not a static program dependent on policies and procedures.

Just as a compliance program begins with a risk assessment, your continual improvement continues with your risk assessment, which now needs to move from once every three years to a much more robust time frame. But your risk assessment is much more than simply the starting point of your compliance program. It is the basis of how you design, create, implement and then update your compliance program and also serves as the basis to document the decisions you made and why you made them. The 2020 Update specified, “In short, prosecutors should endeavor to understand why the company has chosen to set up the compliance program the way that it has, and why and how the company’s compliance program has evolved over time.”

But information to update your compliance program comes from more than the risk assessment. You now need to use other information sources to engage in continuous improvement. Your policies should also be a guide to inform your compliance program. Not only should your policies and procedures now be in searchable formats but you must consider which policies are viewed with the most frequency and the attendant questions raised by employees as a part of your information to evolve your compliance regime. The 2020 Update stated, “Does the company track access to various policies and procedures to understand what policies are attracting more attention from relevant employees?”

The second release came when the DOJ and Securities and Exchange Commission (SEC) released the updated A RESOURCE GUIDE TO THE U.S. FOREIGN CORRUPT PRACTICES ACT SECOND EDITION (2020 FCPA Resource Guide). This was a most welcomed update to the seminal and original FCPA Resource Guide, released in 2012 and widely recognized as the single best volume on the FCPA. Some of the key changes for the compliance professional include the following.

The first change to note is the expanded definition of the question “Is it [a corporate compliance program] being applied in good faith” with the addition of the query, “In other words, is the program adequately resourced and empowered to function effectively?” This language comes from the 2020 Update. This change clearly reflects the need for a company to do far more than have a paper compliance program in place, which presaged many of the changes brought forward in the 2020 Update.

However, the biggest change is the addition of a new Hallmark, entitled “Investigation, Analysis, and Remediation of Misconduct”, which reads in full:

The truest measure of an effective compliance program is how it responds to misconduct. Accordingly, for a compliance program to be truly effective, it should have a well-functioning and appropriately funded mechanism for the timely and thorough investigations of any allegations or suspicions of misconduct by the company, its employees, or agents. An effective investigations structure will also have an established means of documenting the company’s response, including any disciplinary or remediation measures taken. 

In addition to having a mechanism for responding to the specific incident of misconduct, the company’s program should also integrate lessons learned from any misconduct into the company’s policies, training, and controls. To do so, a company will need to analyze the root causes of the misconduct to timely and appropriately remediate those causes to prevent future compliance breaches. 

There are many interesting aspects to this new Hallmark, not the least that it begins with “The truest measure of an effective compliance program is how it responds to misconduct.” This builds upon the language found in the “Confidential Reporting and Internal Investigations” Hallmark, which stated, “once an allegation is made, companies should have in place an efficient, reliable, and properly funded process for investigating the allegation and documenting the company’s response.” Now beyond being properly funded, you must have a “well-functioning mechanism” for the “timely and thorough investigations of any allegations or suspicions of misconduct by the company, its employees, or agents.”

This clearly mandates that once an allegation or even suspicion comes to the attention of compliance, it must be properly triaged, and your investigation protocol should kick in with a detailed and effective investigation that is completed in a reasonable time and provides a response to the investigative findings. Moreover, an investigation is not the ending point and should be followed with a robust root cause analysis.

The 2020 Resource Guide is a most welcomed document from the DOJ and SEC. It brings forward the top FCPA and compliance resource from the past decade into this decade.
