DOJ updates its corporate compliance guidance, incorporating feedback from business community and increasing focus on data and continuous improvement
The Guidance includes new language changing the second fundamental question from whether the compliance program is being “implemented effectively” to whether the program is “adequately resourced and empowered to function effectively.” By shifting the focus to resourcing and empowerment, the DOJ is sending a message that compliance departments need to have real stature within the organization. How programs are staffed, funded, and treated internally will be an important part of the analysis. In a similar vein, new language in the Guidance instructs prosecutors that a well-designed compliance program may be unsuccessful in practice if the implementation is under-resourced.
Focus on data resourcing and accessibility
The Guidance contains new language stressing the importance of compliance programs that adapt quickly, particularly with respect to what is reflected in data. Specifically, it asks whether compliance and control personnel have sufficient access (whether direct or indirect) to relevant sources of data for timely monitoring and/or testing of policies, controls, and transactions. The Guidance further asks whether any impediments exist that limit access to such relevant sources of data, and if so, what the company is doing to address the impediments.
Risk-based assessments based on data
The 2019 Guidance instructed prosecutors to review whether a risk assessment is “current and subject to periodic review.” But the 2020 Guidance takes it a step further, asking whether a company’s periodic risk assessments are based upon “continuous access to operational data and information across functions,” or rather, “are limited to a ‘snapshot’ in time.” Prosecutors are then to consider whether any such periodic review has led to updates in a company’s policies, procedures, and controls.
Responding to “lessons learned”
The Guidance instructs prosecutors to explore whether companies have adapted their compliance programs based on “lessons learned.” Notably, the Guidance adds language to this section, clarifying that “lessons” in this context derive both from inside the company and from other companies – those in the same industry, geographical region, and/or those facing similar risks. Prosecutors are also to review whether companies have a process for tracking and incorporating into periodic risk assessments any of these lessons learned.
Effectiveness of reporting mechanisms
The Guidance tells prosecutors to look to whether a company has ensured that employees are comfortable using whistleblower/reporting hotlines, and to whether the company tests “the effectiveness of the hotline, for example by tracking a report from start to finish.”
Third party management
The Guidance stresses that management of third-party relationships is an ongoing process – not one relevant solely to the onboarding process. To that end, the Guidance instructs prosecutors to explore whether the company engages in risk management of third parties “throughout the lifespan of the relationship,” or whether it does so “primarily during the onboarding process[.]”
M&A due diligence, before and after the fact
The Guidance makes clear that due diligence in the M&A context is just as critical post-acquisition as it is pre-acquisition (where pre-acquisition due diligence is in fact possible, as the DOJ now recognizes is not always the case). For example, while the prior guidance instructed prosecutors to look to the process by which compliance policies and procedures have been implemented at new entities, the updated Guidance instructs them to look also to whether post-acquisition audits were conducted. Similarly, the Guidance tells prosecutors to review more than just whether comprehensive due diligence of targets was conducted; prosecutors should look also to whether a program includes “a process for timely and orderly integration of the acquired entity into existing compliance program structures and internal controls.”
The Guidance reaffirms the DOJ’s approach to evaluating corporate compliance programs as one that looks to the unique facts of each case, and considers various factors, including (and as newly-articulated in the Guidance), the company’s size, industry, geographic footprint, and regulatory landscape.
The DOJ’s updated guidance is just the latest in a series of steps taken to clarify its expectations with respect to corporate compliance efforts, and to emphasize the role that compliance programs and cooperation play in enforcement and penalty decisions.
While compliance is not a check-the-box exercise, the DOJ’s Guidance effectively provides companies with a roadmap against which they can measure their own efforts. Those companies that (1) use this roadmap to inform their approach to implementing and maintaining a compliance program that is tailored to their unique risk profiles, and (2) can demonstrate how their program has grown and adapted in response to evolving risks and lessons learned, will be well-situated to minimize the likelihood of misconduct occurring and to seek a more favorable resolution with the DOJ in the unfortunate event that misconduct does occur.