DOJ Again Updates Guidance for Evaluation of Corporate Compliance Programs

DOJ Again Updates Guidance for Evaluation of Corporate Compliance Programs

June 3, 2020, Covington Alert

On June 1, 2020, the U.S. Department of Justice (“DOJ” or the “Department”) Criminal Division released an updated version of its Evaluation of Corporate Compliance Programs document (the “Guidance”), which serves as a reference for prosecutors in assessing corporate compliance programs in the context of DOJ investigations. The Department last revised the Guidance in April 2019, which we covered in a previous alert. As with the prior iteration of the Guidance, the June 2020 revision continues to apply to all Criminal Division investigations and enforcement actions involving business organizations.

The June 2020 revisions to the Guidance are incremental in nature, but they do bring into sharper focus DOJ’s expectations with regard to what constitutes an effective compliance program and the increasingly exacting standards under which compliance programs will be evaluated in the context of a DOJ investigation. The revisions may also suggest that DOJ prosecutors will even more rigorously probe current and historical compliance program design and resources during the course of an investigation. While the updated Guidance does not reflect a sea change, it does continue the Department’s trend of expecting companies to be in a position to answer detailed questions underlying the design, resourcing, and implementation of their compliance programs, and to be able to demonstrate effectiveness through objective criteria backed by hard data. In the time of COVID-19, the Department is sending a clear signal that companies must continue to devote appropriate resources to the continuous evaluation and improvement of their compliance programs.

Summary of Key Revisions and Key Takeaways

1. Compliance Program Resourcing and Empowerment is Now Identified as a Fundamental Question

Those familiar with the April 2019 iteration of the Guidance will recall that it was organized around three “fundamental questions” from the Justice Manual that prosecutors should ask when evaluating the effectiveness of corporate compliance programs.[1] While the three “fundamental questions” from the Justice Manual remain unchanged,[2] the Department has now explicitly incorporated considerations of compliance program resourcing and empowerment by introducing those concepts into one of the “fundamental questions.”

In particular, to answer the question “‘[i]s the program being applied earnestly and in good faith?,’” DOJ will now ask whether “the program [is] adequately resourced and empowered to function effectively,” instead of asking whether the “program [is] being implemented effectively.” While a subtle change from a drafting standpoint, this revision signals an increased focus on whether a company has devoted adequate resources to its program and sufficiently empowered its compliance professionals. More to the point, by elevating the question of compliance resourcing and empowerment, DOJ may be sending the message to companies that they need to invest more into their compliance programs. This message may be particularly helpful to compliance professionals facing budgetary pressures and seeking to make the business case for program investments during the COVID-19 pandemic. While DOJ’s focus on the resourcing and stature of compliance programs is nothing new, we expect that this change, as well as others described below, may result in prosecutors probing these areas more rigorously during the course of an investigation, and companies may need to be even more prepared to answer difficult questions about compliance program budgets, headcount, and autonomy.

2. The Revisions Helpfully Emphasize a Risk-Based, Company-Specific Analysis

Compliance professionals are well familiar with the principles that compliance programs must be risk-based and tailored to the particular circumstances of any given company. Regulators have long recognized these concepts as well, and the revised Guidance reinforces to prosecutors that each company’s compliance program must be evaluated on a case-by-case basis.

In this vein, the revised Guidance commits DOJ to make a “reasonable, individualized” determination of the effectiveness of a corporate compliance program on a case-by-case basis – with the concept of reasonableness being a welcome and new addition to the Guidance. Prosecutors are instructed in the Guidance, in another addition, to consider “various factors including, but not limited to, the company’s size, industry, geographic footprint, regulatory landscape, and other factors, both internal and external to the company’s operations, that might impact its compliance program.”

The revised Guidance also newly instructs prosecutors to consider the “circumstances of the company” in evaluating a company’s compliance program within the framework of the three “fundamental questions” and the balance of the Guidance. Similar to its approach to evaluating foreign data privacy issues that may emerge during the course of an investigation, in a footnote, the revised Guidance adds that in evaluating the “circumstances of the company,” prosecutors should consider whether “certain aspects of a compliance program may be impacted by foreign law” and urges prosecutors to question a company’s basis for its conclusions about foreign law and how allowances made for foreign law were addressed while still maintaining the integrity and effectiveness of the company’s compliance program. 

3. The Guidance Includes Enhanced Expectations for Risk (and Compliance Program) Assessments

Several of the key revisions to the Guidance concern risk assessments, one of the topics that prosecutors will evaluate under the rubric of the three “fundamental questions.”

First, the Department instructed its prosecutors to “endeavor to understand why the company has chosen to set up the compliance program the way that it has, and why and how the company’s compliance program has evolved over time.” Second, the updated Guidance instructs prosecutors to consider whether periodic risk assessments are limited to a “‘snapshot’” in time or based upon “continuous access to operational data and information across functions,” and whether periodic risk assessments have led to “updates in policies, procedures, and controls.” Together, these additions may result in further probing during the course of an investigation of compliance professionals’ thinking about the design and implementation of a company’s compliance program and a more detailed review of historic risk and compliance program assessments, including precisely how a company responded to items identified during such assessments. And the reference to “continuous access to operational data and information across functions” signals an increased focus on leveraging technology and data in compliance programs, a theme that comes through several times in the updated Guidance.

In a third addition to the Guidance’s evaluation criteria for risk assessments, DOJ instructed prosecutors to consider whether companies have a process for incorporating into periodic risk assessments “lessons learned” from a company’s own prior issues or from issues faced by companies operating in the same industry or geography. While not a major shift in best practices, companies should ensure that risk and compliance program assessment exercises take stock of both the company’s individualized risk profile (e.g., learnings from past investigations) and lessons that can be learned from peers.

In a final revision in the risk assessment section of the Guidance, DOJ wrote that prosecutors may credit the quality and effectiveness of a risk-based compliance program that devotes appropriate resources to high-risk transactions, even if it fails to prevent an infraction. In the previous version of the Guidance, the latter clause was limited to failure to prevent an infraction “in a low-risk area,” which DOJ struck from the current version of the Guidance. This suggests that an effective and appropriately resourced, risk-based compliance program may receive credit from DOJ prosecutors, even when it fails to prevent misconduct in a high-risk area.

Setting aside the individual revisions to the Guidance dealing with risk assessments, the message is clear: the Department expects that companies will undertake meaningful, periodic risk and compliance program assessments and take concrete and demonstrable steps to enhance compliance programs based on the information learned. Beyond that, however, the question of whether risk assessments are limited to a “snapshot” in time may signal heightened expectations for dynamic and closer-to-real-time assessment of risks based on continuous review of data regarding company operations (e.g., spikes in spending in high-risk areas or increased numbers of third parties).

4. DOJ Has an Increased Focus on Obtaining, Tracking, and Acting on Compliance-Relevant Data

Several additions to the Guidance suggest that the Department expects companies to focus more on collecting and monitoring data. The enhanced emphasis on data includes assessing how policies, procedures, training, and reporting mechanisms are being utilized by employees and what steps the company has taken to build on lessons that can be drawn from such information. For instance, the Guidance now instructs prosecutors to evaluate whether a company tracks “access to various policies and procedures to understand what policies are attracting more attention from relevant employees.” Similarly, the Guidance asks whether a company has “evaluated the extent to which [] training has an impact on employee behavior or operations.” Finally, with respect to reporting mechanisms, the revised Guidance asks whether a company “take[s] measures to test whether employees are aware of the hotline and feel comfortable using it” and whether a company “periodically test[s] the effectiveness of the hotline.” Thus, instead of merely asking how companies evaluate the effectiveness of their policies, procedures, training, and reporting mechanisms, the Guidance more explicitly signals an expectation that companies will more proactively leverage objective data to prove the effectiveness of these aspects of their compliance programs.

The focus on data also extends to a company’s ability to use data to conduct monitoring and other testing of the compliance program. In the section of the Guidance expanding upon the question of compliance program resources and empowerment, the Department added an evaluation criteria focused on “Data Resources and Access,” asking whether compliance and control personnel have “sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions.” Another addition to the Guidance asks whether “any impediments exist that limit access to relevant sources of data and, if so, what [] the company [is] doing to address the impediments.” Finally, as noted above, the revised section on risk assessments also focuses on continuous access to operational data.

Taken together, these additions suggest an increased focus on leveraging data and analytics to implement – and demonstrate – an effective compliance program. We will be watching to see how DOJ will apply its increased emphasis on data and analytics to companies with a lower risk profile, and based on size, industry, and the other company-specific factors identified in the Guidance and above.

5. The Guidance Emphasizes that Third-Party Management Should Be a Continuous Process

The revisions to the Guidance add a subtle, yet important, question regarding a company’s approach to third-party risk management by asking whether a company “engage[s] in risk management of third parties throughout the lifespan of the relationship, or primarily during the onboarding process.” This suggests that third-party compliance measures can neither be a one-time exercise nor limited to integrity due diligence; rather, companies must continue to evaluate compliance risk with respect to third-party business partners throughout the relationship and pay attention to information that arises during the course of the relationship.

If you have any questions concerning the material discussed in this client alert, please contact the members of our White Collar Defense & Investigations and Anti-corruption/FCPA practices below.