Is your compliance program up to snuff?
On April 30, 2019, the U.S. Department of Justice’s (“DOJ”) Criminal Division issued new guidance on the evaluation of corporate compliance programs (the “Compliance Guidance”), which provides useful insight into the DOJ’s three focus areas when evaluating such programs: design, implementation, and efficacy. Companies should accordingly consider how their compliance programs might be evaluated in light of the DOJ’s Compliance Guidance, and whether any adjustments are prudent.
In February 2017, the DOJ’s Fraud Section, which sits within the Criminal Division, issued guidance on the evaluation of corporate compliance programs. That guidance comprised a list of 119 questions, grouped into 11 topics, that prosecutors in the Fraud Section might ask companies in evaluating the effectiveness of their compliance programs. The principal themes of the 2017 guidance – which are clearly echoed in the new Compliance Guidance – were that companies’ compliance programs should be well-funded and supported by management, closely integrated into everyday business operations, demonstrably effective and appropriately tailored to a company’s unique risk profile. The new Compliance Guidance thus updates the February 2017 guidance and provides additional context about how companies’ compliance programs will be evaluated in any Criminal Division case.
New Compliance Guidance: Three Fundamental Questions
The DOJ’s Compliance Guidance is meant to assist prosecutors in determining the effectiveness of a corporation’s compliance program for the purposes of determining the appropriate (1) form of any resolution or prosecution; (2) monetary penalties; and (3) compliance obligations, such as monitorship or reporting obligations. Accordingly, it is structured around the following three “fundamental questions” that a prosecutor should ask in evaluating compliance programs:
- Is the compliance program well designed?
- Is the compliance program being implemented effectively?
- Does the program work in practice?
For each question, the Compliance Guidance sets forth various considerations that prosecutors should take into account. Although they form “neither a checklist nor a formula,” these considerations are “frequently relevant in evaluating a corporate compliance program.”
Whether a compliance program is well designed
This question looks at whether the program sends a clear message that misconduct is not tolerated, and whether a company’s policies and procedures ensure the program is well-integrated into its operations and workforce. It focuses on the following factors: (a) risk assessment; (b) policies and procedures; (c) training and communications; (d) confidential reporting structure and investigation process; (e) third-party management; and (f) mergers and acquisitions.
Whether the program is implemented effectively
This question examines whether a compliance program is a “paper program” or one that is “implemented, reviewed, and revised, as appropriate, in an effective manner,” including in particular whether employees are adequately informed about the compliance program. It focuses on the following factors: (a) commitment by senior and middle management; (b) autonomy and resources; and (c) incentives and disciplinary measures.
Whether the program works in practice
This final question assesses how misconduct was discovered, investigated, and remediated and how the compliance program itself has evolved over time to address existing and changing risks. It focuses on the following factors: (a) continuous improvement, periodic testing, and review; (b) investigation of misconduct; and (c) analysis and remediation of any underlying misconduct.
In issuing the Compliance Guidance, the DOJ stressed that the Criminal Division “does not use any rigid formula” in evaluating the effectiveness of such programs; each case requires an “individualized determination” based on a company’s unique risk profile. Nevertheless, the Compliance Guidance makes clear that merely having such a program in place – even a well-designed and appropriately-tailored one – is insufficient if companies are not ensuring the program is understood by all employees throughout the organization, and regularly audited and improved in light of real-world factors. Companies should thus consider how their compliance programs might fare under scrutiny in light of the new Compliance Guidance. A useful exercise is to think about how you would answer the questions posed in the text of the Compliance Guidance if you were sitting across a conference room table from a Criminal Division prosecutor. If there are areas where your answer does not sound convincing, even to you, it may be an area where you want to invest resources now.