Series
Blogs
Is your compliance program up to snuff?
Is your compliance program up to snuff?
14 May 2019
Series
Blogs
14 May 2019
In February 2017, the DOJ’s Fraud Section, which sits within the Criminal Division, issued guidance on the evaluation of corporate compliance programs. That guidance comprised a list of 119 questions, grouped into 11 topics, that prosecutors in the Fraud Section might ask companies in evaluating the effectiveness of their compliance programs. The principal themes of the 2017 guidance – which are clearly echoed in the new Compliance Guidance – were that companies’ compliance programs should be well-funded and supported by management, closely integrated into everyday business operations, demonstrably effective and appropriately tailored to a company’s unique risk profile. The new Compliance Guidance thus updates the February 2017 guidance and provides additional context about how companies’ compliance programs will be evaluated in any Criminal Division case.
The DOJ’s Compliance Guidance is meant to assist prosecutors in determining the effectiveness of a corporation’s compliance program for the purposes of determining the appropriate (1) form of any resolution or prosecution; (2) monetary penalties; and (3) compliance obligations, such as monitorship or reporting obligations. Accordingly, it is structured around the following three “fundamental questions” that a prosecutor should ask in evaluating compliance programs:
For each question, the Compliance Guidance sets forth various considerations that prosecutors should take into account. Although they form “neither a checklist nor a formula,” these considerations are “frequently relevant in evaluating a corporate compliance program.”
This question looks at whether the program sends a clear message that misconduct is not tolerated, and whether a company’s policies and procedures ensure the program is well-integrated into its operations and workforce. It focuses on the following factors: (a) risk assessment; (b) policies and procedures; (c) training and communications; (d) confidential reporting structure and investigation process; (e) third-party management; and (f) mergers and acquisitions.
This question examines whether a compliance program is a “paper program” or one that is “implemented, reviewed, and revised, as appropriate, in an effective manner,” including in particular whether employees are adequately informed about the compliance program. It focuses on the following factors: (a) commitment by senior and middle management; (b) autonomy and resources; and (c) incentives and disciplinary measures.
This final question assesses how misconduct was discovered, investigated, and remediated and how the compliance program itself has evolved over time to address existing and changing risks. It focuses on the following factors: (a) continuous improvement, periodic testing, and review; (b) investigation of misconduct; and (c) analysis and remediation of any underlying misconduct.
In issuing the Compliance Guidance, the DOJ stressed that the Criminal Division “does not use any rigid formula” in evaluating the effectiveness of such programs; each case requires an “individualized determination” based on a company’s unique risk profile. Nevertheless, the Compliance Guidance makes clear that merely having such a program in place – even a well-designed and appropriately-tailored one – is insufficient if companies are not ensuring the program is understood by all employees throughout the organization, and regularly audited and improved in light of real-world factors. Companies should thus consider how their compliance programs might fare under scrutiny in light of the new Compliance Guidance. A useful exercise is to think about how you would answer the questions posed in the text of the Compliance Guidance if you were sitting across a conference room table from a Criminal Division prosecutor. If there are areas where your answer does not sound convincing, even to you, it may be an area where you want to invest resources now.