Clarity or Confusion: New DOJ Guidance for Evaluating Corporate Compliance Programs
On April 30, 2019, the U.S. Department of Justice’s Criminal Division (“DOJ”) released an updated version of its Evaluation of Corporate Compliance Programs, which provides guidance to prosecutors in how to evaluate a company’s compliance program in the context of a criminal investigation.
Many viewed the 2017 Compliance Questions, which built upon the Ten Hallmarks of Effective Compliance Programs outlined in 2012,
DOJ’s stated goal in its recent update was to “better harmonize the guidance with other Department guidance and standards while providing additional context to the multifactor analysis of a company’s compliance program.”
The announcement and publication of the 2019 Evaluation Guidance, while anticipated by many, came with no advance warning by DOJ, similarly to the February 2017 release. As such, the question remains: does the new guidance provide additional clarity or just increase confusion with regard to how federal prosecutors will evaluate corporate compliance programs?
Upon close review, our assessment is that DOJ’s efforts with the 2019 Evaluation Guidance are an important next step in providing clarity and a structure to understand how DOJ views an effective compliance program. Importantly, the 2019 Evaluation Guidance provides transparency to those in the business, legal, and compliance communities seeking to develop, implement, and maintain effective compliance programs that can both protect their companies and serve as an adequate defense should a problem occur.
I. 2012 FCPA Resource Guide (Updated in 2015)
DOJ’s first effort to define its expectations of corporate compliance programs was published in November 2012, as part of the FCPA Resource Guide, a joint publication with the U.S. Securities and Exchange Commission, laying out legal issues related to enforcement of the Foreign Corrupt Practices Act.
II. 2017 Compliance Questions
The compliance questions released in February 2017 by the Fraud Section
These topics were consistent with the “Hallmarks of an Effective Compliance Program” as previously described in the FCPA Resource Guide, and the compliance community had long considered these areas as fundamental features of an effective compliance program. Nonetheless, DOJ’s publication of the topics and associated questions provided a roadmap for those seeking to develop, improve, and implement compliance initiatives, testing their effectiveness or anticipating potential criticisms from prosecutors.
III. 2019 Evaluation Guidance
The 2019 Evaluation Guidance, at 18 pages, expands on the original Hallmarks and sample questions and topics. It provides greater detail about what prosecutors (as well as business executives and compliance professionals) should consider when evaluating a compliance program, including with regard to training, investigations, and management commitment.
DOJ, once again, is not prescriptive and does not provide a checklist or formula to assess the effectiveness of a corporate compliance program. Rather, DOJ provides principles and “fundamental questions” upon which a prosecutor should base her evaluation of a company’s compliance program. DOJ’s rationale for its reluctance to provide a rigid formula is that the government must evaluate each corporate compliance program in the specific context of that company’s business, including its industry and size, geographic footprint, as well as the context of the particular criminal investigation. DOJ mandates that prosecutors make individualized determinations in their review of corporate compliance programs, and DOJ contends that requiring specific requirements would fail to recognize the complexity and heterogeneity of effective compliance programs. The 2019 Evaluation Guidance does, however, provide a valuable look into the “fundamental questions” considered by prosecutors:
A. Is the Program Well Designed?
According to the 2019 Evaluation Guidance, the first fundamental question that federal prosecutors should ask is whether the company’s compliance program is well designed. As such, Part I of the 2019 Evaluation Guidance “discusses various hallmarks of a well-designed compliance program relating to risk assessment, company policies and procedures, training and communications, confidential reporting structure and investigation process, third-party management, and mergers and acquisitions.”
1. Risk Assessment
The 2019 Evaluation Guidance makes clear that the “starting point for whether a prosecutor’s evaluation of whether a company has a well-designed compliance program is to understand…how the company has identified, assessed and defined its risk profile.”
2. Policies and Procedures
As expected, in the 2019 Evaluation Guidance, DOJ affirms its position that a “well-designed compliance program entails policies and procedures that…aim to reduce risks identified by the company as part of its risk assessment process.”
3.Training and Communications
The 2019 Evaluation Guidance notes that a “hallmark of a well-designed compliance program is appropriately tailored training and communications.”
4.Confidential Reporting and Investigation Process
The 2019 Evaluation Guidance asks prosecutors to determine whether a corporate compliance program has a “trusted mechanism by which employees can anonymously or confidentially report allegations of a breach of”
5. Third Party Management
DOJ’s updated guidance reinforces that companies should use a risk-based approach to due diligence on their third-party relationships. Moving forward, DOJ wants prosecutors to assess the extent to which companies have an “understanding of the qualifications and associations of third-party partners, including the agents, consultants, and distributors that are commonly used to conceal misconduct.”
6. Mergers and Acquisitions
The 2019 Evaluation Guidance advises that a well-designed compliance program should “include comprehensive due diligence of acquisition targets.”
B. Is the Program Effectively Implemented?
Part II of the 2019 Evaluation Guidance focuses on the effective implementation of corporate compliance programs. DOJ has been focused for some time on discouraging “paper programs,” advising prosecutors to focus on whether a program has been appropriately implemented. The 2019 Evaluation Guidance makes clear that a well-designed corporate compliance program can be “unsuccessful in practice if implementation is lax or ineffective.”
1. Commitment by Senior and Middle Management
The updated guidance notes that an effective compliance program requires “a high-level commitment by company leadership to implement a culture of compliance at the top.”
2. Autonomy and Resources
The 2019 Evaluation Guidance demands that a comprehensive review of a compliance program also include an evaluation of the structure of the program and an assessment of whether those responsible for compliance have: (1) sufficient seniority; (2) sufficient resources; and (3) sufficient autonomy. DOJ acknowledges in the updated guidance that the sufficiency of each factor depends on the “size, structure, and risk profile of the particular company,” but notes that for a compliance program to be truly effective, the key personnel must be empowered within the company. Notably, the 2019 Evaluation Guidance places an emphasis on the role of the internal audit function, directing prosecutors to determine whether “internal audit functions [are] conducted at a level sufficient to ensure their independence and accuracy.”
3. Incentives and Disciplinary Measures
The new guidance emphasizes the importance of a company’s commitment to implementing clear disciplinary procedures with regard to non-compliance and the enforcement of those procedures consistently across the organization. The 2019 Evaluation Guidance directs prosecutors to assess “the extent to which the company’s communications convey to its employees that unethical conduct will not be tolerated and will bring swift consequences, regardless of the position or title of the employee who engages in the conduct.”
C. Does the Compliance Program Actually Work in Practice?
Lastly, Part III of the 2019 Evaluation Guidance asks that prosecutors, in evaluating a corporate compliance program, determine whether the compliance program works “in practice.” Specifically, this section of the updated guidance focuses on whether, at the time of the misconduct that led to the criminal investigation, the company had a compliance program in place that was working effectively.
Notably, DOJ recognizes here that “the existence of misconduct does not, by itself, mean that a compliance program did not work or was ineffective at the time of the offense.”
1. Continuous Improvement, Periodic Testing, and Review
In determining whether compliance programs work in practice, the 2019 Evaluation Guidance asks that prosecutors (and the business community) assess whether companies are engaging in meaningful efforts to review compliance programs to “ensure that [they are] not stale.”
Investigation of Misconduct
DOJ also reiterates the importance of a functioning, well-funded mechanism for the timely investigation of allegations of misconduct. The updated guidance sends a strong message that an effective compliance program will have a robust investigations function and notes that an effective investigation structure will have an “established means of documenting the company’s response, including any disciplinary or remediation measures taken” and analyzing results for patterns or compliance gaps.
3. Analysis and Remediation of Any Underlying Misconduct
The 2019 Evaluation Guidance ends by emphasizing that a company with an effective compliance program will be able to “conduct a thoughtful root cause analysis of misconduct,” and be able to “timely and appropriately remediate to address root causes.”
Where there is identified misconduct, prosecutors will consider, among other factors, the extent and pervasiveness of the criminal misconduct, the number and level of corporate employees involved, and any remedial actions taken by the company.
IV. Key Takeaways
As noted previously, our assessment is that with the 2019 Evaluation Guidance, DOJ has improved its previous statements with regard to the evaluation of corporate compliance programs. While 2012’s Ten Hallmarks of Effective Compliance Programs and 2017’s Compliance Questions have been useful tools since their publication, we have observed five improvements and key takeaways in DOJ’s most recent edition:
The 2019 Evaluation Guidance, as promised in DOJ’s press release and associated speeches by key figures at the agency, provides additional detail with regard to what DOJ expects in a well-designed compliance program. In each of the three areas of the updated guidance, DOJ has bolstered its descriptions and discussion of the requirements for an effective corporate compliance program and grounded its analysis in the legal foundations of other DOJ guidance. Companies will be better served by understanding the legal principles upon which DOJ is providing the guidance.
The language of the 2019 Evaluation Guidance provides evidence that DOJ is becoming, and expects the compliance, legal, and business community to become, more sophisticated with regard to the nuances of compliance programs and the use of data and data analytics, including significant discussion with regard to the collection, tracking, measurement, and analysis of data. Companies should recognize the shift in emphasis and invest appropriately in designing programs capable of measurement.
The updated document is designed to be understood not only by those deeply invested and experienced in compliance culture, but also by the typical prosecutor– or business person– seeking to gain a basic understanding of the fundamental components of an effective compliance apparatus.
DOJ’s use of the three overarching questions to organize its evaluation of compliance programs will be extremely helpful for companies trying to identify the next steps to improve their programs. Moving forward, compliance professionals and business executives will be able to better develop and enhance, in a targeted fashion, compliance programs that are well-designed, implemented effectively, and work in practice, guided by those basic questions and the numerous categories within each of the basic questions.
For many of those in the legal and compliance communities that are close observers of the guidance published by the DOJ’s Criminal Division, the publication of the 2019 Evaluation Guidance came as a welcome surprise in the midst of an ongoing dialogue between the compliance, legal, and enforcement communities about the need for further explanations from DOJ. While it was designed for prosecutors who may not have a compliance background, the more detailed and thoughtful analysis will be useful for companies searching for ways to use limited compliance resources efficiently. It remains to be seen how much of an impact the publication of this guidance will have on a prosecutor’s discretion and in the negotiations over what is, and is not, a fair resolution of a given matter. Nevertheless, the additional language and context provided by DOJ puts businesses on notice once again of the importance of implementing a well-designed, effective, and appropriate resourced compliance program.
V. Questions Outstanding
Despite the benefits of this new guidance, DOJ has left some key questions unanswered:
First, DOJ has indicated it would not replace the Compliance Counsel position that had previously been focused on corporate compliance initiatives and remediation analysis for prosecutors in the Fraud Section.Instead, DOJ noted that it would invest more in compliance training for its prosecutors, and seek to hire new prosecutors with compliance backgrounds.The compliance and business community could benefit from further transparency on DOJ’s initiative and how prosecutors will be informed about the nuances of complex compliance programs, which they will be evaluating based on the guidance.
Second, this guidance places new emphasis on companies’ management and assessment of the effectiveness of their compliance programs. While that emphasis is no doubt important and well-placed, DOJ does not offer any practical guidance as to how companies might in fact demonstrate such effectiveness. In our experience, assessing effectiveness is not a straightforward exercise for most companies, and only the most sophisticated companies have robust and reliable metrics that defensibly measure such effectiveness, especially when subject to inquiries at the end of a complex criminal investigation. Further updates from DOJ on how they will be evaluating effectiveness would be especially appreciated.
No doubt, the publication of this guidance will spawn useful additional discussion in the compliance legal and enforcement community intimately involved in these issues, resulting in ever-more calls for additional guidance from DOJ in the years to come.