June 8, 2020
On June 1, 2020, the United States Department of Justice (“DOJ”) updated its guidance on “Evaluation of Corporate Compliance Programs” (the “Guidance”) for the second consecutive year. The Guidance is a tool used by prosecutors to evaluate the effectiveness of a corporation’s compliance program when determining the appropriate resolution of a criminal matter, including any monetary penalty or compliance obligations. It eschews a one-size-fits-all approach to compliance, instead focusing on factors prosecutors should consider in evaluating a corporate compliance program. The Guidance provides an invaluable roadmap against which prudent companies benchmark their compliance programs. A version comparing the recent guidance against the prior (April 2019) version can be accessed here.
The DOJ provided little explanation as to the intent of the latest update, beyond a statement by Assistant Attorney General Brian Benczkowski that the updates are “based on [the DOJ’s] own experience and important feedback from the business and compliance communities.” However, the June 2020 revisions to the Guidance reflect the DOJ’s heightened focus on companies’ efforts to ensure that their compliance programs are actually working in practice, and that they have adopted a mindset of constant improvement of their compliance programs. Through this update, the DOJ is underscoring that building an effective compliance program does not end with putting policies and procedures on the shelf; rather, it requires ongoing attentiveness to evolving risks and operational changes and the agility to grow and adapt with the business.
The takeaway is clear: Companies need to be vigilant both in their current compliance efforts and in evaluating the effectiveness of their compliance programs to ensure that they are robust and respond to the evolving compliance challenges they face. The DOJ’s message is timely, given recent and dramatic changes to work environments as a result of COVID-19, including widespread working from home and other operational shifts, and pressures on businesses resulting from the downturn in the economy. This is a critical time for companies to benchmark their programs against the Guidance and, in particular, to assess whether and how their compliance risks have evolved and what adjustments to their policies and procedures may be necessary to effectively address those risks. The updates to the Guidance reflect the DOJ’s expectation that companies are doing so and, if not, that, armed with this Guidance, they will do so going forward.
In the updated Guidance, the DOJ removed almost no content, instead supplementing and emphasizing already existing portions of the Guidance. In the order they appear in the Guidance, these revisions include the following:
- Risk Assessment and Management – The Guidance now emphasizes that prosecutors should assess not only whether a company’s risk assessment has been periodically reviewed but how that periodic review was performed: “Is the periodic review limited to a ‘snapshot’ in time or based on continuous access to operational data and information across functions? Has the periodic review led to updates in policies, procedures, and controls?” Further, the Guidance also asks whether the company tracks and incorporates into its risk assessment “lessons learned” from the company’s experience or industry enforcement trends.
- Policies and Procedures – The Guidance now reflects the DOJ’s focus on a company’s process for updating policies and procedures—not just designing and implementing them—and how accessible those policies and procedures are to employees. For instance, have they been provided in a searchable format that is easy for employees to reference? The revisions further indicate that prosecutors should consider whether the company is monitoring employee access to its policies and procedures to assess their utility and accessibility to employees.
- Training – Revisions to the Guidance highlight the need for interactive trainings that provide employees an opportunity to ask questions and raise new issues for compliance consideration and that have testing capabilities so that the company can monitor the efficacy of the training and tailor remedial training to relevant employees.
- Reporting – The Guidance now directs prosecutors to consider whether a company’s hotline reporting mechanism(s) is available to third parties, not just employees, and whether the company is periodically testing the hotline’s effectiveness and accessibility.
- Third Parties – The Guidance focuses on whether a company continually monitors and evaluates the risks posed by its third-party relationships as opposed to primarily relying on the onboarding process.
- Mergers and Acquisitions – Changes to the Guidance reflect a focus on mitigating M&A risk through full integration, including timely and effective post-acquisition integration into the company’s compliance structure and post-acquisition audits of the newly acquired entity.
- Autonomy and Resources – The updated Guidance continues to emphasize that compliance programs be adequately resourced and staffed by qualified and trained personnel. However, the Guidance now reflects that adequate and appropriate autonomy is impacted by personnel’s access to data for the purpose of monitoring the compliance program, pointedly asking whether compliance personnel have “access to relevant sources of data to allow for timely and effective monitoring and testing” of program implementation. Of particular note, the Guidance highlights the need for proactive efforts by a company to address such access and impediments to access by instructing prosecutors to ask: “Do any impediments exist that limit access to relevant sources of data and, if so, what is the company doing to address the impediments?”
- Foreign Law – The updated Guidance cautions prosecutors to consider the impact of foreign law on a company’s compliance infrastructure and, where a company asserts that foreign law dictates certain decisions (for instance, as to data privacy constraints), prosecutors should independently assess those claims. When combined with the Guidance’s focus on data access, this revision should push companies to thoughtfully adapt their operations and compliance mechanisms to account for potential hurdles to data access and data sharing across international borders that may impact their ability to monitor compliance and respond to enforcement demands. Any prosecutorial review will consider a company’s analysis of and adjustments based on foreign law, with the Guidance directing prosecutors to ask “how the company has addressed the issue to maintain the integrity and effectiveness of its compliance program while still abiding by foreign law.”
The updates to the Guidance focus on whether and how a company updates its compliance framework to reflect evolving risks, further emphasizing the Guidance’s core principle—to ensure that corporate compliance programs are not just pieces of paper but risk management systems that work in practice. Further, the fact that the DOJ has updated the Guidance twice in the last two years demonstrates the importance of this Guidance as a tool for prosecutors. Given this importance and the circumstances created by the current health crisis, every company should evaluate its compliance framework and ensure that it is benchmarked against the Guidance.