On June 1, 2020, the Criminal Division of the U.S. Department of Justice (DOJ) publicized an updated version of its “Evaluation of Corporate Compliance Program” guidance. This is the third version of the document, with the DOJ having issued the guidance in 2017 (which we analyzed here) and revised it in April 2019 (which we analyzed here). This further revision is another reminder of the DOJ’s heightened focus and increasing sophistication regarding evaluating compliance programs during investigations. While the overall structure of the guidance generally remains consistent with the last version, the revisions provide additional insight into the DOJ’s expectations for corporate compliance programs. More specifically, the revisions highlight the importance of an adequately resourced and empowered compliance department, a constantly evolving compliance program based on the company’s current risk profile and relevant compliance issues, and the use of key compliance metrics to test the effectiveness of a compliance program.
Under DOJ’s Justice Manual, federal prosecutors will consider several principles when investigating and deciding whether to charge corporate entities under investigation. These factors, commonly known as the Filip Factors, include two that focus on a company’s compliance program: (1) “the adequacy and effectiveness of the corporation’s compliance program at the time of the offense, as well as at the time of a charging decision,” and (2) the company’s remedial efforts “to implement an adequate and effective corporate compliance program or to improve an existing one.”
DOJ’s compliance program guidance provides more detail on how federal prosecutors will probe a company’s compliance program under these factors in the process of investigating and resolving an enforcement matter. The June 2020 version of the guidance continues to focus on the same topics as the previous version and is structured around three fundamental questions that prosecutors are expected to ask when evaluating compliance programs:
- Is the compliance program well designed?
- Is the compliance program adequately resourced and empowered to function effectively?
- Does the compliance program actually work in practice?
June 2020 Revisions
The most notable revision (and the only revision to the three fundamental questions themselves) emphasizes the importance of companies prioritizing their compliance programs. While the second fundamental question had previously asked whether a compliance program “is being implemented effectively,” the revised June 2020 guidance now more practically asks whether the program is “adequately resourced and empowered to function effectively.” This revision builds on the prior version’s focus on the autonomy and resources, structure, seniority and stature, and experience and qualifications of a corporate compliance department.
The June 2020 revisions also provide insights into DOJ’s expectations regarding several specific aspects of corporate compliance programs. Critically, the revisions highlight the importance of a compliance program not reflecting a “snapshot” in time, but rather being regularly updated. The revisions expand on the expectation that each company’s compliance program should be risk based and individualized by indicating that an appropriate compliance program should be based on “various factors including … the company’s size, industry, geographic footprint, regulatory landscape, and other factors, both internal and external to the company’s operations, that might impact its compliance program.” The guidance indicates that a compliance program should evolve based on “lessons learned” from the company’s internal risk assessments, as well as issues and misconduct identified both within the company and at companies operating in the same industry and/or geographical region.
The current guidance now explicitly discusses measurable compliance metrics in a new subsection titled “Data Resources and Access.” More specifically, new language states that prosecutors should ask:
Do compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions? Do any impediments exist that limit access to relevant sources of data and, if so, what is the company doing to address the impediments?
Revisions throughout the guidance include various examples for the use of metrics, including “track[ing] access to various policies and procedures to understand what policies are attracting more attention from relevant employees,” “evaluat[ing] the extent to which . . . training has an impact on employee behavior or operations,” and “test[ing] whether employees are aware of the [company’s compliance] hotline and feel comfortable using it.”
The revisions also indicate DOJ’s focus on training best practices. The guidance now suggests that companies should consider shorter, more targeted, and in-person training sessions to encourage employees to raise questions and timely report issues. Additionally, the guidance suggests that companies should “invest in further training and development of the compliance and other control personnel.”
With respect to third parties, the guidance now inquires whether a company “engage[s] in risk management of third parties throughout the lifespan of the relationship, or primarily during the onboarding process,” a question consistent with DOJ’s overall expectation regarding ongoing monitoring of third parties. Additionally, the revisions indicate that DOJ expects that a company’s reporting mechanism will be publicized to third parties — not just internally to employees.
Finally, with respect to mergers and acquisitions, while the previous guidance focused on the due diligence process, the updated guidance also emphasizes post-acquisition actions, including the “timely and orderly” post-acquisition “integration of the acquired entity into existing compliance program structures and internal controls.” The guidance also asks whether post-acquisition audits have been conducted at newly acquired entities.
* * *
Because the guidance provides general insight into the government’s expectations of how a corporate compliance program should operate in practice, its utility extends beyond ongoing enforcement actions to companies that have not presently identified a problem. Companies should review the current guidance and evaluate and update their compliance programs in light of it so that they are prepared before a problem arises: to prevent misconduct entirely or, at minimum, to detect and remediate misconduct at an early stage.