On June 1, 2020, the U.S. Department of Justice (“DOJ”) released updated guidance regarding how it evaluates a company’s compliance program (the “Updated Guidance”). This update builds upon DOJ’s prior guidance to companies and underscores its continued focus on the importance of effective compliance programs, as these programs demonstrate a company’s commitment to deterring and detecting potential misconduct. The overarching principles DOJ laid out in its April 2019 guidance regarding the development and implementation of a compliance program (and a federal prosecutor’s assessment of it) have not changed and still require consideration of three core questions:
- Is the corporation's compliance program well-designed?
- Is the program being applied earnestly and in good faith? In other words, is the program being implemented effectively?
- Does the corporation’s compliance program work in practice?
While these core questions have not changed, a close review of the DOJ’s latest changes reveals a few key themes underlying its expectations of corporate compliance programs: (1) the importance of having an evolving, dynamic program; (2) the need for the compliance function to engage with company employees; (3) ensuring that the program is thoughtful and responsive to the company’s context; and (4) the importance of adequate compliance resources and empowerment of the compliance function. Continued attention to these principles can help ensure that companies are not only enhancing their compliance program and adhering to best practices, but that they are best positioning themselves in the event of an inquiry or enforcement action from a government regulator.
Evolving, Dynamic Compliance Program
The Updated Guidance reflects DOJ’s continued expectation that a compliance program will evolve over time as the business changes and the compliance function matures. Meaningful risk assessments are a critical part of this process. Specifically, in the existing section on risk assessments, the Updated Guidance added language asking prosecutors to assess “why and how the company’s compliance program has evolved over time” and “[h]as the periodic review led to updates in policies, procedures, and controls?”
DOJ also added a sub-topic under risk assessments, asking prosecutor to assess “Lessons Learned,” including whether “the company ha[s] a process for tracking and incorporating into its periodic risk assessment lessons learned either from the company’s own prior issues or from those of other companies operating in the same industry and/or geographical region?” Relatedly, DOJ expects compliance and other control personnel to be at the forefront of ongoing assessment and knowledge development. To that end, the Updated Guidance added the following consideration: “[h]ow does the company invest in further training and development of the compliance and other control personnel?”
Engagement With Company Employees
In keeping with the theme of continuous, thoughtful improvement, the Updated Guidance includes additional considerations relating to policies, training and hotline management, all of which are geared towards ensuring that the compliance function is closely engaged with — and responsive to — the realities on the ground for the company’s rank and file.
With respect to policies, the Updated Guidance asks “does the company track access to various policies and procedures to understand what policies are attracting more attention from relevant employees?” In fact, the Updated Guidance goes further and instructs prosecutors to consider whether the company’s policies have been “published in a searchable format for easy reference.”
With respect to training, the Updated Guidance adds a suggestion that companies re-consider the format of their trainings to be more responsive, including by: (1) “invest[ing] in shorter, more targeted training sessions to enable employees to timely identify and raise issues”; and (2) ensuring that there is “a process by which employees can ask questions arising out of the trainings.” Additionally, to ensure that trainings are having the intended effect, DOJ now asks prosecutors to assess whether “the company [has] evaluated the extent to which the training has an impact on employee behavior or operations.”
With respect to compliance hotlines, the Updated Guidance added language to ensure that the hotline is an accessible, responsive tool, including by asking prosecutors to consider whether: (1) “the company take[s] measures to test whether employees are aware of the hotline and feel comfortable using it”; and (2) “the company periodically test[s] the effectiveness of the hotline, for example by tracking a report from start to finish.”
Of course, the ongoing global health crisis — including the remote working environment for countless employees worldwide — has only further highlighted the need to ensure that the compliance function is connecting with company employees, and is responsive to their questions, concerns, and experiences.
DOJ’s prior guidance has emphasized the importance of having a compliance program that is suited to a company’s unique risk profile. The Updated Guidance reiterated these considerations and identified DOJ’s related commitment to be flexible in its review of compliance programs by stating that DOJ’s “individualized determination” of a company’s circumstances includes multiple factors, such as “the company’s size, industry, geographic footprint, regulatory landscape, and other factors, both internal and external to the company’s operations, that might impact its compliance program.” More fundamentally, the Updated Guidance asked prosecutors “to understand why the company has chosen to set up the compliance program the way it has.”
Additionally, DOJ expressly referenced the role of foreign law, noting that “[p]rosecutors should consider whether certain aspects of a compliance program may be impacted by foreign law.” Among other things, the Updated Guidance asked prosecutors to assess how the company is “maintain[ing] the integrity and effectiveness of its compliance program while still abiding by foreign law.”
Resources and Empowerment
DOJ’s revisions also stressed that the compliance function should be adequately resourced and empowered. Specifically, DOJ modified the second core principle to ask not just whether the compliance program is being applied in good faith, but also whether the program is “adequately resourced and empowered to function effectively.”
One particular resource that DOJ highlighted was access to actionable data, including the following considerations: “Do compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions? Do any impediments exist that limit access to relevant sources of data and, if so, what is the company doing to address the impediments?”
The Updated Guidance is consistent with prior DOJ guidance regarding compliance programs, but the added context and detail provide an opportunity for companies to ensure that their compliance priorities are aligned with DOJ’s expectations.