“Lessons Learned” by DOJ Provide Further Guidance on Developing a Dynamic Compliance Program
The U.S. Department of Justice (“DOJ”) latest guidance demonstrates that DOJ is listening to its own advice—making adjustments to its own guidance documents based on what its prosecutors have learned from investigations, compliance presentations, and monitorships during the past year. DOJ’s (now periodic) updates to the Evaluation of Corporate Compliance Programs guidelines sets forth some important modifications, including specifically:
Adequate Resources: shifting from an assessment of implementation to an analysis of whether a company’s compliance program has adequate resources;
Dynamic Evaluation: encouraging prosecutors to conduct an analysis of a company’s compliance program’s evolution, rather than only examining a single snapshot;
Lessons Learned: requiring an assessment of whether a company has learned from the past and adjusted its compliance program based on issues arising from internal investigations and broader industry trends; and
Best Practices: emphasizing the importance of incorporating various advancements developed by the broader compliance community, including use of data and effective communication.
Hopefully, DOJ will continue in this vein and issue annual updates to the Guidance to ensure that all companies benefit from the lessons learned by DOJ during the prior year.
DOJ rarely speaks officially to provide formal guidance to companies that could be subject to criminal prosecution. However, in June 2020, DOJ released an update to its Evaluation of Corporate Compliance Programs,
As summarized in our April 2019 Client Alert,
Last year, DOJ updated its original guidance with the stated goal to “better harmonize the guidance with other Department guidance and standards while providing additional context to the multifactor analysis of a company’s compliance program”
Is the corporation’s compliance program well designed?
Is the program being applied earnestly and in good faith? In other words, is the program being implemented effectively?
Does the corporation’s compliance program work in practice?
Using these three questions as guideposts, the 2019 Guidance further broke the evaluation into 12 sections:
Policies and Procedures
Training and Communications
Confidential Reporting Structure and Investigations Process
Third Party Management
Mergers and Acquisitions (M&A)
Commitment by Senior and Middle Management
Autonomy and Resources
Incentives and Disciplinary Measures
Continuous Improvement, Periodic Testing, and Review
Investigation of Misconduct
Analysis and Remediation of Any Underlying Misconduct
Legal and compliance professionals welcomed the 2019 Guidance, but expressed concerns about potentially unrealistic expectations for smaller companies and the lack of nuance in certain sections.
The 2020 Guidance retains the 2019 organization and all of the substantive content regarding the parameters of an effective compliance program. Indeed, the 2020 update does not represent any significant shift in DOJ’s guidance, but rather provides additional useful details that, taken together, indicate that DOJ is committed to providing helpful nuance to the previous guidance and acknowledging companies’ need to use their limited compliance resources effectively.
The most relevant changes include:
A focus on the adequacy of resources of a company’s compliance program, rather than an evaluation of whether the program historically had been implemented effectively;
DOJ’s efforts to encourage a dynamic evaluation of a company’s compliance program, rather than evaluating a single snapshot in time of the program;
a greater focus on evaluating whether a company has adjusted its compliance program based on issues arising from investigations and public disclosures of misconduct; and
advancing views on best practices, including reiterating the further importance of data analysis and effective communication.
In this Alert, we will focus on these changes and how they demonstrate the lessons that DOJ has learned and its evolving expectations for companies’ corporate compliance programs.
II. Adequate Resources
At the outset of the 2020 Guidance, DOJ revised the second “fundamental question” to remove the question of whether the program is “being implemented effectively,” and instead asks: “[I]s the program adequately resourced and empowered to function effectively?” This change could indicate that DOJ is moving away from its historical practice of judging how a company’s program is implemented in-fact and is shifting more clearly to an analysis of the company’s intent and efforts regarding implementation. This analysis would more closely align with the first half of DOJ’s second fundamental question, which asks whether the “program is being applied earnestly and in good faith.”
This change also signals two factors DOJ considers critical to what is effective implementation of a compliance program: resources for and empowerment of compliance personnel. With regard to resources, in the Autonomy and Resources section, the 2020 Guidance added that compliance programs may be unsuccessful if “under-resourced” and added questions about the “training and development of the compliance and other control personnel.” The 2020 Guidance also added a new subsection on “Data Resources and Access.” Specifically, prosecutors are to evaluate whether “compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions” and whether “any impediments exist that limit access to relevant sources of data and, if so, what is the company doing to address the impediments.”
Consequently, legal and compliance professionals should ensure that their management and supervisory board(s) understand DOJ’s expectations so that the legal and compliance teams are appropriately resourced and can have access to the relevant data to monitor and test the effectiveness of the compliance program.
III. Dynamic Evaluation
Further changes suggest that DOJ’s analysis of corporate compliance programs is shifting from a “snapshot in time” approach to focus on the evolution of the compliance program. In the Introduction section, the 2020 Guidance reiterates more prominently a point previously only made in 2019 under the third “fundamental question”—that prosecutors should evaluate the company’s compliance programs “both at the time of the offense and at the time of the charging decision and resolution.” Consequently, a company must be prepared to explain how it made decisions over time and why the company structured the program and resourced it in a certain way, then and now. With respect to a company’s structuring of its compliance department, prosecutors, in the Autonomy and Resources section, will ask for “the reasons for the structural choices the company has made.” DOJ appears to be expecting a narrative of why the program both allowed failures, leading to the criminal violations, and what the company has done over time to enhance and remediate the program that DOJ is seeing at the end of the investigation.
The 2020 Guidance includes a number of other revisions that reinforce this shift to a dynamic evaluation, including in the Risk Assessment section, which now ask prosecutors “to endeavor to understand why the company has chosen to set up the compliance program the way that it has, and why and how the company’s compliance program has evolved over time.” DOJ then added language specifically asking: “Is the periodic review limited to a ‘snapshot’ in time or based upon continuous access to operational data and information across functions?” Put another way, is a company able to access operational data and information across functions to conduct ongoing monitoring, review and risk assessments, or are those efforts limited to a discrete review conducted only at set intervals (e.g., every two years) and only based on interviews or surveys.
Further, the Policies and Procedures section now echoes this theme by noting that the evaluation should include not only the process for designing and implementing “new” policies and procedures, but also “updating existing” policies and procedures. Finally, in the Continuous Improvement, Periodic Testing, and Review section, the 2020 Guidance asks whether “the company reviews and adapt its compliance program based upon lessons learned from its own misconduct and/or that of other companies facing similar risks,” reinforcing the focus on ongoing review and enhancement of compliance programs.
Consequently, companies must be prepared to commit to the ongoing review and enhancement of compliance programs. The DOJ’s embrace of this dynamic review includes that it will evaluate corporate compliance programs based on a “reasonable, individualized determination,” which considers not only the company’s internal characteristics—such as size, industry, geographic footprint, and regulatory landscape—but also factors “external to the company’s operations, that might impact its compliance program.” This apparent shift sends an important message to companies: effective compliance programs are not off-the-shelf products and cannot remain static. Compliance programs must be continuously tailored to the company’s operations and risks, as well as be shaped by what is happening in the industry and specific geographies, and companies must be prepared to provide a coherent narrative of the origins and reasons for their unique compliance structure.
IV. Responses to Lessons Learned
As indicated by additional revisions found in the 2020 Guidance, prosecutors will pay specific attention to a company’s response to lessons learned from, and enhancements driven by, investigative findings as well as public reports of misconduct. DOJ will only be evaluating a company’s compliance program if there was a significant criminal violation, and DOJ will want to ensure that any compliance gaps, which allowed the violation to occur, have been closed during the course of the investigation.
As part of their more dynamic evaluation of compliance programs over time, DOJ added an entirely new subsection in the Risk Assessment section focused on “Lessons Learned.” Prosecutors are now expected to ask if the “company [has] a process for tracking and incorporating into its periodic risk assessment lessons learned either from the company’s own prior issues or from those of other companies operating in the same industry and/or geographical region.” Similarly, as noted above, in the Continuous Improvement, Periodic Testing, and Review section, DOJ asks prosecutors to review whether the “company review[s] and adapt[s] its compliance program based upon lessons learned from its own misconduct and/or that of other companies facing similar risks.”
Consequently, companies must recognize that compliance programs must be more than just “one-and-done” programs, and must continue to evolve. In particular, companies must develop mechanisms to incorporate lessons learned from investigations and other sources into their risk assessment and program enhancement processes. Companies should document how they are considering not merely their own internal reviews, but also are appropriately benchmarking with their peers and analyzing media reports and DOJ’s public statements of misconduct in other charged cases. These analyses cannot be conducted in isolation, but instead must be part of a dynamic feedback loop that improves the company’s compliance program and controls by incorporating information and risks.
V. Best Practices
Beyond these themes, the remainder of the updates provide targeted guidance about various best practices, likely identified by DOJ as part of its investigation and monitoring activities in the past year or consolidated from other DOJ guidance. Taken together, the changes suggest a greater emphasis on collection and integration of data metrics and the importance of effective compliance communications throughout the Company.
Policies and Procedures: DOJ’s new questions in this section reflect more recent expectations for accessibility of policies and procedures, including whether they have “been published in a searchable format for easy reference” and whether the “company track[s] access to various policies and procedures to understand what policies are attracting more attention from relevant employees.” Both of these questions go beyond testing the assumption that employees will have ready access to electronic policies and procedures, and seek evidence—like data analytics—that the company monitors the access and usability of such policies.
Training and Communications: DOJ recognizes that significant portions of a compliance team’s energy (and budget) may be focused on training personnel, as well as how critical training is to the effectiveness of a compliance program. However, DOJ acknowledges that “[o]ther companies have invested in shorter, more targeted training sessions to enable employees to timely identify and raise issues to appropriate compliance, internal audit, or other risk management functions.” This could indicate that DOJ is encouraging companies to invest in “just-in-time” training sessions (i.e., training that is available when and how it is needed by employees). Beyond just the format of trainings, prosecutors should now ask about a process by which employees can ask questions “arising out of the trainings,” and, with respect to effectiveness of training, whether the “company evaluated the extent to which the training has an impact on employee behavior or operations.” While the DOJ does not specify how or what metrics might reflect the “impact” of trainings, both data analytics and qualitative evidence will factor into a company’s narrative.
Confidential Reporting Structure and Investigation Process: DOJ’s changes relating to reporting mechanisms reinforce its expectations that reporting channels be publicized not only to a company’s employees, but also to “other third parties.” Here, too, DOJ suggests a data analytics-driven evaluation of the effectiveness of the reporting structure, testing “whether employees are aware of the hotline and feel comfortable using it” and “the effectiveness of the hotline, for example by tracking a report from start to finish.”
Third Party Management: DOJ made notable changes related to Third Party Management. On its face, the first change appears small: the overview of this section now acknowledges that “the need for” appropriate due diligence may vary based on the specific factors of the company and third party. However, comparing the update to the prior, limited acknowledgment that only the “degree of” such due diligence could be affected by these factors, the update implies that circumstances may occasionally eliminate the need for any due diligence of certain third parties. DOJ’s second change signals an expectation for continued, risk-based monitoring and management of a third party relationship “throughout the lifespan of the relationship.”
Mergers and Acquisitions (M&A): Although post-close integration was covered in the 2019 Guidance questions and other DOJ guidance, DOJ has now explicitly added that compliance programs should include a “process for timely and orderly integration of the acquired entity into existing compliance program structures and internal controls.” This includes the concept of “conducting post-acquisition audits, at newly acquired entities.” DOJ also acknowledges that pre-acquisition due diligence may not be possible and will evaluate whether “the company [was] able to complete pre-acquisition due diligence and, if not, why not.” Though this aligns with previous guidance from DOJ, these additions may indicate DOJ’s increased focus on this risk area, which is also an increasing concern in other jurisdictions. Considering the likely M&A activity to arise from the challenges of the current economic environment, DOJ is signaling that companies should prioritize effectively integrating a newly acquired company to ensure the cessation of misconduct or face the risks of successor liability.
Incentives and Discipline: Lastly, a new question has been added to the “Consistent Application” evaluation regarding whether “the compliance function monitor[s] its investigations and resulting discipline to ensure consistency.”
VI. Conclusion and Recommended Steps for Companies
While the updates in the 2020 Guidance do not represent a significant shift in DOJ’s evaluation process, companies must ensure they address the points identified in the new guidance. Based not only on the changes in the 2020 Guidance, but also that DOJ did not change the majority of its guidance, Companies should take the following concrete steps to best position themselves to convince DOJ that they have an effective compliance program:
Ensure the compliance department is adequately resourced for the company’s operations and risk profile, both in terms of budget and with respect to data access;
Confirm that both periodic and continuous aspects of risk assessment document the basis and rationale for the compliance program’s dynamically evolving enhancements;
Formalize processes to identify and digest lessons learned from within (e.g., from internal investigations and risk assessments) and from without (e.g., benchmarking and public disclosures of misconduct);
Document how and why decisions are made regarding corporate compliance and ensure that corporate decisions can be appropriately defended when problems inevitably arise; and
Implement enhancements aligned with best practices, as necessary and appropriate to the company’s risks and operations.
In the years to come, DOJ may continue to share its lessons learned with the corporate community to allow everyone to benefit from the hard work going into investigations and monitorships. Until then, legal and compliance professionals should continue to review and enhance their company’s compliance programs to most effectively deter misconduct or detect it quickly.