INTRODUCTION

On June 1, 2020, the U.S. Department of Justice (“DOJ”) released updated guidance entitled “Evaluation of Corporate Compliance Programs” (“Updated Guidance”), which provides the DOJ Criminal Division’s views on what comprises an effective compliance program. The Updated Guidance emphasizes the Government’s focus on whether a company’s compliance program actually works “on the ground.” In doing so, the Updated Guidance challenges companies to consider – among other things – whether their compliance program addresses the company’s particular compliance risks, does it do so in a way that develops with access to new data, and do employees understand the compliance requirements and where to go if they need help?

The updates highlight that the Government is well-positioned to pressure test these questions by evaluating a corporate compliance program at a granular level. At the same time, the Updated Guidance suggests that the Government is willing to entertain the argument that the same multi-million-dollar compliance program that may be appropriate for a Fortune 100 company is not necessarily what is required for a private regional enterprise.

While the Updated Guidance allows compliance programs room for error, it remains clear that DOJ expects companies to evaluate their compliance risks regularly, test their programs using methods appropriate for the companies’ size and risks, and continuously refresh and revisit this process based on new data.

1. Right-Sized Compliance

An effective compliance program must be tailored to a company’s specific risks. The Updated Guidance reiterates DOJ’s approach that there is no “one size fits all” program but adds clarity and describes to how DOJ will assess whether the compliance program was thoughtfully designed.

It emphasizes that prosecutors will carefully evaluate (1) the decisions the company made in setting up the compliance program, (2) the resources afforded to address compliance issues, and (3) the evolution of the compliance program as additional internal and external data become available.

How your compliance program is set up matters. The Updated Guidance instructs prosecutors to consider why a company has “chosen to set up the compliance program the way that it has, and why and how the company’s compliance program has evolved over time,” as well as “the reasons for the structural choices the company has made.” While the Updated Guidance describes a flexible approach tailored to each company’s needs, companies must carefully consider their compliance program design and be able to demonstrate, if needed, the information and thought processes informing the creation and development of the program.

A company’s risk profile should naturally map to the compliance choices a company makes. In fact, a tell-tale sign to prosecutors of an ineffective program is a set of generic policies and procedures that are not based on the best information available regarding the company’s particular compliance risks. This signals not only that the compliance policies and procedures are not appropriately specific, but also that they are likely not consulted (and potentially not even read) by the company’s employees.

Compliance training must also be tailored. The Government realizes that employees’ attention spans and retention capacities are limited. Accordingly, companies need to be capable of demonstrating that they spent their employees’ intellectual capital on comprehensible training that addresses high-risk areas employees may encounter in the course of performing their duties. In addition, the Updated Guidance asks the common-sense question of whether there are avenues by which employees can ask questions prompted by compliance training and receive meaningful responses. As anyone practicing in this area can attest, the death knell of any plea for Government leniency on the basis of a company’s compliance efforts is a pattern of compliance issues that emerge but are ignored by management.

How your compliance program is resourced matters. One of the major subsection titles of the DOJ guidance previously read, in part, “[I]s the [compliance] program being implemented effectively?” The Update Guidance reworks the title to now read, “[I]s the [compliance] program adequately resourced and empowered to function effectively?” Clearly, the amount of resources dedicated to compliance makes a difference to the Government.

In practice, prosecutors evaluating a compliance program will often ask what the Compliance Department has asked for during the past several years that it has been denied. Prosecutors may evaluate whether the requests from Compliance addressed clear areas of potential risk, and whether any denials from management were reasonable under the circumstances. If the area is one that led to a compliance failure, prosecutors may be skeptical that the company took compliance seriously enough to “put its money where its mouth is” and appropriately fund a program capable of preventing, detecting, and remediating misconduct.

The Government will also ask whether Compliance has a seat at the table in the management and governance of the company. Prosecutors may inquire whether Compliance personnel are involved in discussions about policy decisions, product innovation, and potential transactions. If not, the Government may view skeptically any claim that the Compliance Department is an active participant in the critical functioning of the company.

2. Whether Your Program Is Evolving Matters

The Updated Guidance places new emphasis on examining how companies update their compliance programs over time to adapt to new information and changing risks. The Updated Guidance makes clear that the Government believes it is not solely a company’s individual experience that matters in the development of a compliance program. Instead, the actions taken by Government enforcers and regulators in the same or similar industries matter as well. An awareness of compliance issues faced by peer companies should inform a company’s view of its own compliance risks as well as prompt additional mitigation in appropriate circumstances.

Data, Data, Data. The Updated Guidance includes a new subsection dedicated to “Data Resources and Access.” In keeping with the themes described above, the Updated Guidance asks (1) whether the Compliance Department has access to relevant data that is sufficient to allow Compliance to monitor and test policies, controls, and transactions, and (2) whether any impediments exist to the Compliance Department’s access to data, and if so, what the company is doing to address those impediments.

The emphasis on relying on data to drive compliance applies not only to isolating risk areas and detecting potential misconduct, but also to evaluating the effectiveness of a company’s policies and training. One practical use of data suggested by the Updated Guidance is examining whether and how often relevant employees have accessed specific policies, and whether compliance training sessions impact employee behavior. For example, a company might evaluate whether compliance training is followed by an uptick in employees accessing relevant policies or reporting potential issues.

Data modeling and analytics can inform and enhance prevention, detection, and remediation of potential misconduct. However, DOJ likewise realizes each company’s need to tailor its use of data – including the resources required to build data-driven compliance resources – to size, industry, and specific risk profile. Where data analysis is theoretically possible but either unnecessary in the circumstances or cost prohibitive, companies should be able to demonstrate that they proceeded reasonably and had a solid, risk-informed basis for the choices they made.

The Updated Guidance is also concerned on whether Compliance Departments have access to data. This focus likely stems from how often the Government encounters situations in which the Compliance Department may not be aware of data being collected or distributed within the business that has clear compliance implications. Without visibility into on-the-ground business activities, compliance professionals can be left in the dark when it comes to compliance risks and potential misconduct. The Government will ask whether a company empowered or blindfolded its Compliance Department, and the answer can significantly impact the Government’s evaluation of the program.

3. Compliance Credit Is Achievable

The Updated Guidance extends the possibility of crediting companies for their compliance program “even if it fails to prevent an infraction,” and removes a qualifier that had appeared in the previous version of the guidance that stated the infraction must have occurred “in a low risk area.” Even an effective compliance program is not immune to infractions, and credit for a good-faith program is not off the table even if misconduct has occurred.

In a similar vein, the Updated Guidance emphasizes in the mergers and acquisitions area that prosecutors will ask – in the context of a company that acquires another entity with respect to which compliance issues are identified – whether the “company [was] able to complete pre-acquisition due diligence and, if not, why not?” The addition of this language appears to recognize that there are circumstances in which a company may not be able to do adequate pre-acquisition due diligence. In such circumstances, the Government will investigate the company’s justification for not completing such due diligence and will likely also ask whether an investigation was promptly completed after the acquisition. This is another indication that the Government is seeking to be reasonable in the context of an acquirer’s on-the-ground circumstances and may offer compliance credit even where pre-acquisition due diligence was not feasible. This is consistent with DOJ’s Foreign Corrupt Practices Act Corporate Enforcement Policy, which makes clear that credit is available for companies that identify, disclose, and remediate misconduct at a merged or acquired entity either through timely due diligence “or, in appropriate circumstances, through post-acquisition audits or compliance integration efforts.”

CONCLUSION

We are long past the days when making a compliance-related argument for leniency to the Government meant unloading a stack of policies and procedures manuals and calling it a day. The Updated Guidance makes clear that the Government is ready, willing, and able to examine the details of the structure, design, and resourcing of a company’s compliance program, as well pressure test its effectiveness. It is helpful that the Updated Guidance continues a trend of DOJ being willing to consider a company’s justification for compliance decisions and allocations and accepting that even effective programs are not immune to infractions. However, it is unlikely that this understanding and acceptance would extend to companies with programs that have not been implemented in good faith, developed based on reasonable data, and resourced with appropriate funds and personnel. Companies seeking compliance credit in Government investigations must be able to explain themselves, in increasing detail and to prosecutors who have a growing level of compliance sophistication. Whether a company can achieve compliance credit will depend in large part on a company’s attention to its compliance program before, during, and after an issue is identified, and how well the company can justify the compliance decisions it has made.