On April 30, 2019, the Criminal Division of the U.S. Department of Justice ("DOJ") released a new corporate compliance guidance document for prosecutors titled "Evaluation of Corporate Compliance Programs" ("Guidance").1 The Guidance sheds light on how the DOJ evaluates the effectiveness of a company's compliance program – whether white collar- or antitrust-oriented – focusing on the program's design, implementation and practical application. Notably, this Guidance applies to the entire Criminal Division as opposed to only the Fraud Section, to which the prior 2017 guidance applied. In fact, the head of the DOJ's criminal division, Assistant Attorney General Brian Benczkowski, in a speech at the 2019 Ethics and Compliance Initiative Conference, explained that one of the purposes of the Guidance is to "better harmonize the prior Fraud Section publication with other Department guidance and legal standards."2

Unlike its predecessor, the Guidance presents a detailed and instructive framework for prosecutors to consider when assessing compliance programs. The Guidance is not, however, a rigid manual on compliance program construction. Rather, it directs the government to review compliance programs in the context of a particular company's business and formalizes three themes to frame the analysis:

  1. Is the compliance program well-designed?
  2. Is the compliance program effectively implemented?
  3. Does the compliance program work in practice?

These themes are designed to force prosecutors to undertake "individualized determination[s]" about a company and its compliance program and to make charging decisions accordingly, not on a "one-size-fits-all" basis.

Although this Guidance is intended as a message to prosecutors, Benczkowski expressed that it also offers "transparent and comprehensible standards to the public so that companies can understand how [the DOJ] evaluate[s] compliance programs."3 In doing so, the Guidance affords companies an opportunity to structure meaningful and tailored compliance programs that maximize the likelihood the DOJ will deem their compliance programs effective.

Is the compliance program well-designed?

A key factor in analyzing a compliance program is identifying whether it is comprehensively designed to prevent and detect illicit activity. To make this determination, the Guidance directs prosecutors to consider six components:

  • Risk Assessment – The Guidance emphasizes that the compliance program should be designed to account for the needs and risks of the company, including the "location of [the company's] operations, the industry sector, the competitiveness of the market, the regulatory landscape, potential clients and business partners, transactions with foreign governments, payments to foreign officials, use of third parties, gifts, travel and entertainment expenses, and charitable and political donations."4 Routinely updating risk assessments and appropriately allocating company resources based on high-risk and low-risk areas will garner credit from prosecutors.
  • Policies and Procedures – The Guidance advises prosecutors to evaluate a company's policies and procedures to identify its commitment to compliance with relevant federal laws. It also recommends analyzing the comprehensiveness, accessibility and applicability of the policies and procedures. An effective compliance program should aim to reduce identified risks and include policies and procedures to "deal with the spectrum of risks [the company] faces . . . ."5 The evolution of a company's policies and procedures relative to the company's risk environment will therefore be of interest to the DOJ.
  • Training and Communications – The Guidance states that a "hallmark of a well-designed compliance program is appropriately tailored training and communications."6 It requires that prosecutors assess a company's efforts to train employees, directors, officers, and agents and third parties (where appropriate) on an ongoing basis in a manner that is tailored to the size of the company, the sophistication of the audience and the compliance history of the company, including a "lessons learned" component. The Guidance also highlights the importance of assessing whether employees understand the training.
  • Confidential Reporting Structure and Investigation Process – The Guidance directs prosecutors to determine whether a compliance program has a "trusted mechanism by which employees can anonymously or confidentially report allegations of a breach" of the company's policies.7 It is important for businesses to understand that the DOJ will be evaluating complaint-reporting systems, investigation response processes, and investigation conduct and teams. Critically, the Guidance emphasizes the value of metrics and monitoring to measure whether companies devote appropriate resources and time to investigations.
  • Third-party Management – It is clear from the Guidance that third-party diligence is a key concern for prosecutors. The Guidance suggests that prosecutors assess the extent to which companies have an "understanding of the qualifications and associations of third-party partners, including the agents, consultants, and distributors that are commonly used to conceal misconduct."8 To have a well-designed compliance program, companies need to ensure they have effective controls before hiring a third party and comprehensive monitoring procedures after the third party is hired.
  • Mergers and Acquisitions – The Guidance explains that a well-designed compliance program should "include comprehensive due diligence of acquisition targets."9 There is severe risk in underperforming due diligence in that acquisition targets engaged in misconduct could continue the illicit activities upon being acquired. The Guidance reflects the expectation that companies integrate certain processes into their compliance programs to track and address merger risks identified during due diligence.

Is the compliance program effectively implemented?

This factor requires prosecutors to determine whether a company's compliance program is one that is in name only or one that is actually implemented and continually enforced and updated. The DOJ discourages "paper program[s]" and has instituted three areas of focus designed to determine whether there is a commitment to compliance by management:

  • Commitment by Senior and Middle Management – Acknowledging that "the company's top leaders – the board of directors and executives – set the tone for the rest of the company,"10 the Guidance encourages prosecutors to examine situations where a company's leadership, including directors and senior/middle management, failed to articulate ethical standards or de-prioritized compliance. Companies must understand that the Guidance specifically notes the potential for compromise between business generation and compliance risks. Thus, managers at all levels need to project an ethical and compliance-minded culture.
  • Autonomy and Resources – Those responsible for maintaining a company's compliance program, according to the Guidance, must have adequate seniority, expert knowledge, resources and autonomy as necessary given the size and risk profile of the company.
  • Incentive and Disciplinary Measures – The Guidance emphasizes the importance of a company's commitment to implementing clear disciplinary procedures regarding noncompliance. It approves of companies that make compliance a "metric for management bonuses"11 and also lauds companies that act consistently in their disciplinary measures. In fact, the Guidance highlights the need to assess (1) whether the same process is followed for each instance of misconduct, and whether true reasons (as opposed to pretext) are communicated to employees; and (2) whether there is consistent application of discipline, and in applicable cases, an explanation of why "similar instances of misconduct" are treated differently.

Does the compliance program work in practice?

It is important to note that the DOJ recognizes that "the existence of misconduct does not, by itself, mean that a compliance program did not work or was ineffective at the time of the offense."12 However, in assessing a compliance program's ongoing effectiveness, the Guidance directs prosecutors to review how the misconduct was detected, what level of investigation occurred, what resources were devoted to the investigation and the nature of the company's remediation. To analyze these criteria, companies should track that prosecutors would consider three factors:

  • Continuous Improvement, Periodic Testing and Review – Simply put, companies should be continually gauging their compliance programs and cultures through audits, surveys, violation and responsiveness metrics, and testing. Note that attempts at improving controls, policies and procedures can lead the DOJ to offer credit. It is in this section of the Guidance that the "Culture of Compliance" takes center stage. Questions and concepts regarding inclusiveness in compliance and respect for policies and procedures are meant to aid prosecutors and companies not only in assessing the importance a company places on compliance but also in evaluating a company's evolution of its compliance programs.
  • Investigation of Misconduct – The Guidance explicitly calls for "a well-functioning and appropriately funded mechanism for the timely and thorough investigation of any allegations or suspicions of misconduct by the company, its employees, or its agents."13 It sends a strong message that a thorough compliance program will have mechanisms to ensure proper documentation of remediation and independence of investigations.
  • Analysis and Remediation – The final mark of a comprehensive compliance program, according to the Guidance, is the ability of a company to analyze the root cause of misconduct and to remediate it in a timely manner. Upon discovering a breach or other illicit acts, prosecutors are advised to analyze how the acts occurred, whether they could have been prevented and whether new processes can prevent future acts. This last point is especially important, considering the Guidance suggests that the best compliance programs are those that constantly evolve and are expertly updated.

Conclusion

Although not presented as a compliance checklist or formula, the Guidance provides valuable insight into the DOJ's view of best practices, reflecting themes upon which companies should focus. Assistant Attorney General Benczkowski stated in his announcement that a "company's compliance program is the first line of defense that prevents the misconduct from happening in the first place. And if done right, it has the ability to keep the company off [the DOJ's] radar screen entirely."14 Companies that do not have compliance programs should consider implementing well-designed, effective and practical programs with expert counsel. Those with white collar and antitrust compliance programs should regularly review them with experienced counsel to ensure that they are evolving alongside the company's risk profile.

Footnotes

1 U.S. Dep’t of Justice, Criminal Division, “Evaluation of Corporate Compliance Programs,” 2019, https://www.justice.gov/criminal-fraud/page/file/937501/download.

2 U.S. Dep’t of Justice, “Assistant Attorney General Brian A. Benczkowski Delivers Keynote Speech at the Ethics and Compliance Initiative (ECI) 2019 Annual Impact Conference,” April 30, 2019, https://www.justice.gov/opa/speech/assistant-attorney-general-brian-benczkowski-delivers-keynote-address-ethics-and. The Guidance references the Justice Manual (formerly the U.S. Attorney’s Manual), U.S. Sentencing Guidelines and DOJ memoranda released since the last version of the Guidance in February 2017.

3 Id.

4 “Evaluation of Corporate Compliance Programs,” supra note 1.

5 Id.

6 Id.

7 Id.

8 Id.

9 Id.

10 Id.

11 Id.

12 Id.

13 Id.

14 Assistant Attorney General Brian A. Benczkowski Delivers Keynote Speech, supra note 2.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.