DOJ Quietly Revises Guidance on Evaluation of Corporate Compliance Programs
On June 1, 2020, the Criminal Division of the U.S. Department of Justice (DOJ) issued updated guidance on the "Evaluation of Corporate Compliance Programs" (June 2020 Guidance). This update revises a previous version issued in April 2019 (April 2019 Guidance). Both versions are intended to "assist prosecutors in making informed decisions as to whether, and to what extent, [a] corporation's compliance program was effective at the time of the offense, and is effective at the time of a charging decision or resolution, for purposes of determining the appropriate (1) form of any resolution or prosecution; (2) monetary penalty, if any; and (3) compliance obligations contained in any corporate criminal resolution (e.g., monitorship or reporting obligations)." The updates in the June 2020 Guidance are "based on [the DOJ's] own experience and important feedback from the business and compliance communities,"1 according to a statement by Assistant Attorney General Brian Benczkowski. These changes, sprinkled throughout the June 2020 Guidance, demonstrate the DOJ's evolving thinking on key compliance themes such as business decision-making, the value of data for ensuring the effectiveness of compliance programs, the evolution of compliance programs over time, and the relevance of foreign legal considerations. Forward-looking companies will take note of particular changes in sections discussing risk assessments, policies and procedures, training, reporting and investigations, third party management, and mergers and acquisitions (M&A).
Changes reflected in the June 2020 Guidance show the DOJ's evolving approach on a few key issues:
- Greater understanding of individual company circumstances and business reality. In the June 2020 Guidance, the DOJ makes a number of additions and clarifications that demonstrate an increased sensitivity to the circumstances and business realities of companies. For example, in new language in its introductory paragraphs, the DOJ notes that certain portions of the June 2020 Guidance may be more or less relevant to companies depending on their circumstances: "In any particular case, the topics and questions set forth below may not all be relevant, and others may be more salient given the particular facts at issue and the circumstances of the company." (Italics indicate language that is new in the June 2020 Guidance.) The DOJ's increased sensitivity is particularly evident in the June 2020 Guidance language on M&A activity. In its discussion of M&A, rather than assuming that a company will conduct all due diligence prior to an acquisition, the DOJ explicitly acknowledges that may not be the case, adding the following question: "Was the company able to complete pre-acquisition due diligence and, if not, why not?"
- Increasing emphasis on the use of data to track effectiveness and test programs. In a few areas of the June 2020 Guidance, the DOJ adds guidance on its expectations vis-à-vis data collection and use. In particular, in discussing autonomy and resources, the June 2020 Guidance adds a section on "Data Resources and Access," which asks: "Do compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions? Do any impediments exist that limit access to relevant sources of data and, if so, what is the company doing to address the impediments?" The DOJ's mention of impediments to data transfer may reflect both the value the Department sees in data as a necessary tool for monitoring and testing compliance programs, and an awareness of General Data Protection Regulation (GDPR) and other restrictions that have come into force in recent years, which can limit access to data for international companies. The June 2020 Guidance also makes clear DOJ expectations that companies gather operational data across the company and on employee access to policies, which data points feed into updates to risk assessments and evaluating access to governing documents, respectively. For further information, Miller & Chevalier International Chair James Tillen will moderate the webinar, "Three Months In - Remote Auditing, Monitoring, and Investigating In the Time of COVID-19," on June 16, 2020, which will cover strategies for monitoring, detecting, and investigating internal control and compliance failures without in-person site visits.
- Focus on the evolution of compliance programs. Throughout the June 2020 Guidance, the DOJ focuses both on a company's own efforts to evolve its compliance program and on the DOJ's understanding of that evolution. With respect to the company's own efforts, the June 2020 Guidance includes new language in Risk Assessment on "Lessons Learned," asking: "Does the company have a process for tracking and incorporating into its periodic risk assessment lessons learned either from the company's own prior issues or from those of other companies operating in the same industry and/or geographical region?" And, in discussion of Continuous Improvement, Periodic Testing, and Review, the DOJ now guides prosecutors to ask: "Does the company review and adapt its compliance program based upon lessons learned from its own misconduct and/or that of other companies facing similar risks?" Both of these additions highlight the importance of learning from internal and external issues.
The June 2020 Guidance also makes clear the DOJ's interest in understanding the reasoning behind a company's compliance program evolution. In the introduction to the June 2020 Guidance, the DOJ now states that it will be specifically evaluating compliance programs at multiple points in time: "both at the time of the offense and at the time of the charging decision and resolution." There are also modifications throughout the June 2020 Guidance that emphasize this point, summed up well by the following addition in Risk Assessments: "In short, prosecutors should endeavor to understand why the company has chosen to set up the compliance program the way that it has, and why and how the company's compliance program has evolved over time." For companies on the receiving end of questions from the DOJ, documentation on their compliance program changes – including the "why" behind changes – will be critical.
- Critical eye towards company assertions of complications from foreign law. In two notable instances, the June 2020 Guidance adds language making clear that the DOJ intends to look closely at company assertions of impediments from foreign regulation. First, as discussed above, the DOJ intends to ask questions related to any "impediments" to data transfer. Second, a new footnote directs prosecutors to look deeper at assertions by companies that their compliance structures or decisions are guided by foreign law, and makes clear that foreign law considerations are not to supersede considerations regarding the integrity of a compliance program: "Prosecutors should consider whether certain aspects of a compliance program may be impacted by foreign law. Where a company asserts that it has structured its compliance program in a particular way or has made a compliance decision based on requirements of foreign law, prosecutors should ask the company the basis for the company's conclusion about foreign law, and how the company has addressed the issue to maintain the integrity and effectiveness of its compliance program while still abiding by foreign law."
Notable Topic-Specific Updates and Their Practical Implications:
The revisions in the June 2020 Guidance provide companies with a number of practical steps to take in tailoring compliance programs.
- Assessment of specific risks. The April 2019 Guidance recognized that each company's risk profile and solutions warrant particularized evaluation. The June 2020 Guidance expands on this principle by detailing the various factors that prosecutors may consider when evaluating the effectiveness of a compliance program. Those factors include company size, industry, geographic footprint, and regulatory landscape. The DOJ, however, signals the importance of identifying "other factors, both internal and external to the company's operations, that might impact its compliance program." With the addition of two new evaluation questions, the DOJ emphasizes that the identification of risk factors must be continuous and should result in updates to policies, procedures, and controls. The DOJ encourages prosecutors to ask: "Is the periodic review limited to a "snapshot" in time or based upon continuous access to operational data and information across functions? Has the periodic review led to updates in policies, procedures, and controls?" Companies should expect prosecutors to focus on the design of a company's risk assessment procedures and whether those procedures are designed to detect the company's specific compliance risks—not just whether traditional or general compliance risks affect a company's risk profile. Companies, therefore, should evaluate their existing risk assessment procedures to ensure they draw from data and personnel across their operations rather than only from sources focused on traditionally compliance-sensitive areas.
- Accessibility and use of policies and procedures. The June 2020 Guidance directs prosecutors to consider whether companies seek to increase employee access to policies and procedures and monitor the use of those policies and procedures by employees. It is no longer enough for companies to make policies and procedures accessible: the DOJ will now ask whether those policies and procedures have "been published in a searchable format for easy reference" and challenges companies to "track access to various policies and procedures to understand what policies are attracting more attention from relevant employees." These changes build upon the April 2019 Guidance's focus on the importance of ensuring that core elements of a compliance program are integrated into the day-to-day cadence of an organization. The challenge of monitoring access to policies and procedures is not insignificant, but tools and platforms exist that can help address it. Companies should explore resources available, including through their own communications or marketing departments, to track and evaluate access to online content.
- A focus on impact and communication in training. The April 2019 Guidance stressed the importance of providing training and conveying information on its compliance program "in a manner tailored to the audience's size, sophistication, or subject matter expertise." The DOJ also provided examples on the approach that companies might take with respect to their training programs. Building upon those examples, the June 2020 Guidance suggests that companies should consider "more targeted training sessions" designed "to enable employees to timely identify and raise issues to appropriate compliance, internal audit, or other risk management functions." To that end, prosecutors are advised to consider whether a company provides employees with processes for asking questions arising out of trainings (whether online or in-person). In keeping with its focus on data aggregation and continuous improvement, the DOJ challenges companies to evaluate "the extent to which the training has an impact on employee behavior or operations." With more training taking place online, especially in decentralized workforces, companies would do well to ensure that online trainings are targeted and interactive. In particular, trainings should keep employees engaged, test their understanding, and provide the opportunity to ask questions during training or after, including through email or other internal communication platforms.
- Reporting channels – can you hear me now? The June 2020 Guidance reminds companies that it is not enough simply to have reporting mechanisms; they must be effective. Before companies defend their compliance programs by highlighting sophisticated reporting mechanisms, they must be prepared to show that those mechanisms work. Companies must be prepared to show ongoing efforts to test whether employees are aware of a hotline and whether they feel comfortable using it. The DOJ will also want to know whether the company has conducted hands-on testing of the hotline, "for example by tracking a report from start to finish." Companies can engage in such testing on a regular basis in the course of risk assessments, audits, or otherwise, and should be sure to test all reporting mechanisms.
- Looking beyond due diligence in third party relationships. The June 2020 Guidance adds one question only to the DOJ's evaluation of third parties, but with it strikes at what is often the greatest challenge to many companies: "Does the company engage in risk management of third parties throughout the lifespan of the relationship, or primarily during the onboarding process?" The answer for many companies is quite often the latter. Two key issues need to be front of mind. First, the DOJ's risk-based approach to third party due diligence and management remains unchanged. Third party due diligence and management procedures must be commensurate to the compliance risk associated with each third party. Companies should ensure that third party policies and procedures do not stop at onboarding, but include clear, risk-based guidance on managing higher risk third parties. Second, the DOJ's holistic view of compliance also remains unchanged. This means the burden of managing third party compliance risk need not fall on compliance or legal departments alone. Companies should leverage business and other functions (e.g., finance, internal audit) to help manage third party relationships throughout their life.
- Integration matters. The April 2019 Guidance focused on the need for comprehensive due diligence of any acquisition targets, but said very little about a company's post-acquisition obligations despite DOJ resolutions focusing on companies' failures to effectively and timely integrate acquired entities into their compliance organization. The June 2020 Guidance remedies that omission by including "timely and orderly integration" processes as a key element to a well-designed compliance program: "A well-designed compliance program should include comprehensive due diligence of any acquisition targets, as well as a process for timely and orderly integration of the acquired entity into existing compliance program structures and internal controls." While the DOJ does not offer specific insight into what companies should include in integration processes, at a minimum, companies can expect prosecutors to ask "[h]ow the compliance function [has] been integrated into the merger, acquisition, and integration process," how the company implements compliance policies and procedures at the acquired entity, and whether it has conducted post-acquisition audits at the newly acquired entities. Companies should review all existing M&A policies and procedures (whether owned by compliance or a business function) to ensure that compliance is included in both pre- and post-acquisition workstreams and timelines.
Originally published in Law360 on June 2, 2020.
1 Dylan Tokar, Justice Department Adds New Detail to Compliance Evaluation Guidance, The Wall Street Journal (June 1, 2020, 7:09 PM).