DOJ Issues Most Detailed Guidance Regarding Evaluation of Corporate Compliance Programs to Date

On April 30, 2019, the U.S. Department of Justice (“DOJ”) released new guidance regarding its evaluation of the adequacy and effectiveness of a company’s compliance program (the “Guidance”). DOJ has issued similar documents in recent years, providing companies with blueprints to use when developing and assessing their compliance programs, though this recent Guidance significantly expands upon DOJ’s prior statements, underscoring its continued focus on compliance and endeavoring to give companies more specific benchmarks for meeting DOJ expectations.

The Guidance makes clear that the adequacy and effectiveness of a company’s compliance program are critical factors in any DOJ investigation of a corporation, including when making prosecutorial decisions and negotiating potential resolutions. As Assistant Attorney General Brian Benczkowski stated on April 30, 2019, at the Ethics and Compliance Initiative Annual Impact Conference, “the importance of corporate compliance cannot be overstated.” DOJ’s Guidance is intended to provide practical insight and transparency to prosecutors as they make charging decisions or resolve criminal cases, and to companies as they develop and implement their compliance programs.

Key Takeaways From the New Guidance

The Guidance directs that a prosecutor should ask three “fundamental questions” when evaluating a company’s compliance program:

1. Is the corporation's compliance program well-designed?
2. Is the program being applied earnestly and in good faith? In other words, is the program being implemented effectively?
3. Does the corporation’s compliance program work in practice?

Within this framework, the Guidance walks through 18 pages of specific considerations prosecutors will use when evaluating a company’s compliance program. The Guidance also explains that prosecutors should focus on context and make individualized assessments based on the facts of each criminal investigation.

1. Is the corporation's compliance program well-designed?

When evaluating whether a company’s compliance program is “adequately designed for maximum effectiveness in preventing and detecting wrongdoing by employees,” as well as corporate management’s commitment to the program, the Guidance instructs consideration of the following elements: 

• Risk Assessment. Prosecutors should familiarize themselves with the company’s business and risk profile and then assess whether the company has tailored its compliance program to detect the types of misconduct most likely to occur in that context. Accordingly, prosecutors will evaluate a company’s risk assessment process, whether the company devotes appropriate time and resources to high-risk areas, whether the risk assessment itself is updated over time, and whether policies and procedures are updated in response to lessons learned and issues identified.

• Policies and Procedures. Prosecutors will then evaluate whether a company’s policies and procedures actually address the risks identified in the risk assessment process. At a minimum, a company should have a Code of Conduct demonstrating a commitment to compliance, as well as a suite of policies and procedures that incorporate a culture of compliance into everyday operations. Prosecutors also should examine the company’s process for, and individuals involved in, designing the policies; the comprehensiveness and accessibility of those policies; and the assignment of individuals responsible for rolling out and acting as gatekeepers in control processes.

• Training and Communications. Because a company’s policies and procedures are only effective if known and understood, prosecutors will assess a company’s training program and methods of communication. This includes whether the company has employed a risk-based approach, communicating compliance material in a manner tailored to the audience’s size, sophistication or subject matter expertise, and whether the company provides practical advice to address real-life scenarios and prior compliance incidents. 

• Confidential Reporting Structure and Investigation Process. An efficient mechanism by which employees can anonymously or confidentially report misconduct allegations without fear of retaliation is key to a well-designed compliance program. Prosecutors will assess whether a company has appropriate processes for the submission of complaints, routed to and reviewed by qualified personnel; processes for timely and thorough completion of investigations; appropriate follow-up, discipline and tracking of results; and protection for whistleblowers.

• Third-Party Management; Mergers & Acquisitions. Prosecutors will assess whether a company applies risk-based due diligence to its third-party relationships, including whether the company understands its third-party partners’ qualifications and relationships with foreign officials, as well as how the company ensures there is a proper business rationale for engaging the third party. Such diligence should not be a one-time endeavor — rather, prosecutors will assess whether a company engages in ongoing monitoring of its third-party partners, through updated due diligence, training, audits, and/or annual compliance certifications. Steps should also be taken to ensure that red flags are addressed and third-party misconduct is tracked. Similarly, prosecutors will assess whether the company has appropriate processes in place for conducting pre-M&A due diligence of any acquisition targets and remediating any identified misconduct.

2. Is the program being applied earnestly and in good faith?

The following categories are aimed at aiding prosecutors in determining whether a company has a mere “paper program” in place, rather than one that is effectively implemented, reviewed and revised as appropriate.

• Commitment by Senior and Middle Management. Prosecutors will assess a company’s “tone at the top” — whether senior management has demonstrated a commitment to clearly defined ethical standards and leads by example, including through remediation efforts. In addition, prosecutors will assess whether middle management has reinforced those commitments.

• Autonomy and Resources. Expounding on its previous guidance, DOJ directs prosecutors to evaluate whether a company’s compliance function is appropriately staffed and empowered relative to the size, structure and risk profile of the company. This analysis includes review of whether compliance personnel have sufficient seniority, resources, autonomy from management and access to key decision-makers.

• Incentives and Disciplinary Measures. Prosecutors will assess whether a company has incentivized compliance and disincentivized non-compliance by establishing clear, commensurate disciplinary procedures that are enforced consistently across the organization. Prosecutors may also recognize a company’s efforts to incentivize compliance, such as through promotions or bonuses for demonstrating compliance leadership.

3. Does the corporation's compliance program work in practice?

The Guidance specifically notes that the existence of misconduct does not, in and of itself, mean that a compliance program was not working effectively at the time of the offense. Rather, a compliance program that identified misconduct, allowing for timely remediation and self-reporting, should be viewed as a strong indicator of the program’s efficacy. Accordingly, prosecutors will consider whether and how the misconduct was detected, what resources were in place to investigate suspected misconduct, and the nature and thoroughness of the company’s remedial efforts.

Regarding whether a company’s compliance program is working effectively at the time of a charging decision or resolution, prosecutors will consider if the program evolved to address changing compliance risks and whether the company undertook an honest root cause analysis to understand what caused the misconduct and the remediation necessary to prevent similar issues in the future. 

• Continuous Improvement, Periodic Testing, and Review. Per the Guidance, prosecutors may reward efforts to promote improvement and sustainability, and will assess whether a company engaged in meaningful efforts to review and update its compliance program. To that end, prosecutors will examine a company’s process for determining the subject and frequency of internal audits; whether a company has reviewed the compliance program in areas relating to misconduct; and the frequency with which the company updates its risk assessments, policies and procedures.

• Investigation, Analysis, and Remediation of Misconduct. Prosecutors will assess whether the company has an effective and appropriately funded mechanism to provide for timely, thorough and independent investigations undertaken by qualified personnel. Identification and remediation of root causes, as well as disciplinary action to hold bad actors accountable, will be key in prosecutors’ analyses of whether the company has demonstrated recognition of the seriousness of the misconduct and implemented measures to reduce the risk that it will reoccur.