DoJ shines new light on compliance program expectations
On June 1, 2020, the US Department of Justice’s (DoJ) criminal division issued updated guidance on the ‘Evaluation of corporate compliance programs.’ The guidance lays out a series of factors for DoJ attorneys to consider when assessing the effectiveness of corporate compliance programs as part of making charging decisions and negotiating resolutions.
The updated guidance revises guidance that was first issued in February 2017 and amended in April 2019. The overarching theme of the new guidance, which provides a roadmap for designing and implementing compliance programs, is a renewed emphasis on the substance and adequacy of resources made available to the compliance program. It also reflects a focus on why the program was designed the way it was and why and how the program has evolved over time.
As with the previous guidance, and consistent with directives from the Justice Manual, the updated guidance includes three overarching questions:
- Is the corporation’s compliance program well designed?
- Is the program being applied earnestly and in good faith? In other words, is the program *adequately resourced and empowered to function* effectively? (The italicized portion is revised from the earlier version that asked only whether the program was ‘being implemented effectively’.)
- Does the corporation’s compliance program work in practice?
Also consistent with previous versions, the updated guidance includes a series of additional details, in the form of questions, that prosecutors are to consider, each related to the three questions above. The specific revisions lead us to seven key takeaways regarding the DoJ’s current focus when evaluating the effectiveness of a compliance program.
- No one size fits all
Although the DoJ’s guidance has always discussed the importance of a risk assessment, the updated version places further emphasis on the need to tailor the compliance program to the organization’s risk profile.
In the introductory section, it directs prosecutors to ‘make a reasonable individualized determination in each case’ regarding the effectiveness of the program. It now also lays out specific factors a risk assessment should consider ‘including but not limited to, the company’s size, industry, geographic footprint, regulatory landscape’ and other ‘internal and external’ factors that might impact the compliance program.
The fact that the DoJ issued this update amid a pandemic, when there are a host of ‘external’ factors that likely change almost every organization’s risk profile, is telling. The DoJ expects the compliance program to be designed around an organization’s risks, and if those risks change, the compliance program should adapt as well.
- It’s not a still life, it’s a never-ending story
Prosecutors are told not to focus only on the compliance program as it exists at the moment they look at it at the end of an investigation, but also to go back in time and understand the story behind how the program got to its present state.
Prosecutors should ask questions such as why the company has chosen to set up the compliance program in the way it has and how it has evolved over time. This inquiry includes looking at how the organization conducts compliance assessments: are those assessments focused on a ‘snapshot’ in time or an evolving story?
- The devil is in the details
The DoJ has always included granular questions regarding the design of the compliance program, but the updated guidance gets even more into the weeds. The increased focus on details appears to come from the DoJ’s position – discussed further below – that companies have increased access to technology and data and should be using technology within the compliance program.
Some examples of the questions the DoJ will ask include not just whether policies and procedures are in place and accessible, but also whether they are ‘published in a searchable format’. Similarly, ‘does the company track access to various policies and procedures to understand what policies are attracting more attention from relevant employees?’ and ‘[d]oes the company have a process by which employees can ask questions arising out of in-person or online trainings?’
The addition of these questions does not mean an organization needs to overhaul its systems but, because the DoJ will be asking, it makes sense to review these new questions and consider whether the organization is already employing these techniques in connection with its compliance program, or can do so easily.
- Show me the money (and the data)
Another significant change is the refinement of the second effectiveness question to emphasize compliance resources and empowerment. The question used to ask whether the program was ‘implemented’ effectively. Now it asks whether the program was ‘adequately resourced and empowered to function’ effectively – putting more meat on the bones of what qualities the DoJ is looking for in effective program implementation.
At the same time, the question contains a fair amount of subjective judgment that could result in some troubling Monday-morning quarterbacking of organizational decisions. Take ‘adequate resources’. Organizations in normal times have to make decisions about budgets and staffing in competition with other parts of the organization. Now, with Covid-19 and the resulting financial hole many are experiencing, those decisions become more difficult to balance.
In the end, the board and executive team will need to make these decisions understanding that the government may ask for explanations of those decisions at some point in the future. Having contemporaneous documentation in board minutes about the reasons and thinking on this issue should be helpful in showing what the organization faced at the time and why it made the decisions it made.
The DoJ has also added a subsection on data resources and access; specifically, whether compliance has access to the data it needs to do its job and whether there are impediments and, if so, what the company is doing to address them. This addition likely reflects an observation from previous cases that there can be data silos within organizations or systems issues that create obstacles for compliance to access data to conduct an audit.
This change suggests the DoJ may examine this issue to determine whether the organization has taken adequate steps to ensure access to data when these changes or transactions occur.
- Compliance programs are life-long learners
The updated guidance makes it very clear the DoJ expects compliance programs to undergo continuous review and to evolve. The evolution will be driven by, among other things, the review of new data and experiences.
In addition to reviewing and tracking which policies are accessed the most and what questions are asked during training, new questions include whether the organization is tracking hotline reports ‘from start to finish’ and monitoring investigations and resulting discipline.
The DoJ also added ‘[d]oes the company review and adapt its compliance program based on lessons learned from its own misconduct and/or that of other companies facing similar risks?’ Frankly, this is a question we often get when representing clients in DoJ enforcement actions: what steps did your client take when it saw an enforcement action brought against another organization in the same industry? We need to have an answer, even if the answer is that the organization reviewed the situation and determined that it had no bearing on the compliance program.
- Don’t stop at the company door
The DoJ’s added qualifier around whether there is a ‘need’ to conduct diligence on third-party vendors suggests that in some cases an organization could determine there is not a need to conduct diligence of a third-party vendor’s compliance program. This might be due to the size or reputation of the vendor, past experience with the vendor, the pitch or other information provided by the vendor.
That said, this change suggests the DoJ is going to look at how and why the company made its decision about the third party and the information available when contracting and may also question the reason for hiring a third party rather than performing the function in-house. Perhaps more importantly, the DoJ says it will look at how the company manages the compliance risks associated with the third party’s activities, both when onboarding and throughout the relationship.
For acquisitions, the DoJ made changes to get more granular on the diligence process and added emphasis on the timely and orderly integration of the target into the existing compliance program. The reason for this addition is clear: the department says ‘flawed or incomplete pre or post-acquisition due diligence and integration can allow misconduct to continue at the target company.’
There are limitations to what one can reasonably expect to discover about a company’s operations during diligence. That said, the updated guidance suggests government attorneys may pressure-test whether that process unfolded in the way they think it should have.
Another way for the DoJ to get at this issue is by moving past due diligence limitations to ask what the organization did to integrate the target into its compliance program. Expect more questions from DoJ attorneys about why the company did not discover the problem – and why the problem continued for two, three or four years after the transaction – when the company may be talking to the DoJ about a resolution of its investigation.
- Tone at the middle
The DoJ has always emphasized the importance of ‘tone at the top’, including whether the board is involved in overseeing the compliance program and whether the program is run by senior leaders. Now it will be asking more about the role of middle management, as the updated guidance includes the following statement: ‘The effectiveness of a compliance program requires a high-level commitment by company leadership to implement a culture of compliance from *the middle and* the top.’ (The italicized language has been added in the update.)
Middle management, which has the greatest direct influence over the majority of employees, should not only be the recipient of communications regarding the compliance program, but also should be involved in communicating and training around the compliance program and should be rewarding subordinates who embrace the ‘culture of compliance’.
What to do with these key takeaways? The updated guidance and the specific revisions need to be reviewed and considered by the general counsel, the chief compliance officer and the board. What to tell the audit and compliance committee? Tell them the overarching themes: importance of a risk assessment, resources, the use of data and technology, the focus on third-party relationships and the need to be able to explain why the compliance program was designed in the way it was and why and how the compliance program has evolved over time.
It is also fair to consider and discuss the impact of potential changes to the program and the company’s ability to implement them in the context of the current business environment with all of its operational challenges. As the DoJ has always made clear, the updated guidance is not a checklist but it provides an important framework for the design and implementation of the compliance program and the revisions provide critical insight into the department’s current focus.
Tony Maida, Michael Peregrine and Sarah Walters are partners with McDermott Will & Emery.