On June 1, 2020, the US Department of Justice (the DOJ) announced a newly revised version of its Evaluation of Corporate Compliance Programs guidance. We look here at the four key themes running through this latest set of amendments, how the guidelines influence the approach of prosecutors outside the US, and what this means for global companies at this time.
The DOJ’s guidance was originally published on April 29, 2019 and explained how the DOJ evaluates the effectiveness of corporate compliance programs. The guidance describes the type of review the DOJ would conduct on companies’ compliance programs and how they are implemented, reviewed, and improved upon.
Broadly, the 2019 guidance included a greater focus on risk assessments, metrics, governance (including board reporting), tracking and collection of information, compliance culture, compliance personnel, disciplinary measures and accountability, internal investigative processes, training, and periodic updates and reviews based on new information. The guidance also touched on M&A and third-party due diligence.
The DOJ focused on many of the same themes in early 2017, when it described its approach to the evaluation of compliance programs and outlined questions that it would typically pose in making this kind of assessment.
Less than a year after the 2019 guidance was issued, the revised version continues to emphasize these points. Indeed, much of the substance of the prior version remains the same, and there is not much new for sophisticated compliance professionals to consider.
Nonetheless, the DOJ has made a number of edits refining its approach to evaluating corporate compliance programs, shedding some light on the DOJ’s evolving thinking going forward, based on recent experience.
Overall, the majority of these changes fall largely into four themes.
1. An increased emphasis on how the compliance program has changed over time
A number of edits emphasize that the DOJ will be looking at how compliance policies and procedures have changed over time – in particular from the time of the offense to the time of the charging decision or resolution.
Overall, it appears the DOJ will view a company whose policies evolve over time to accommodate changed circumstances and experience in a more favorable light. For example, the revised guidance specifically notes that the DOJ will assess whether a company has a process for incorporating “lessons learned” from periodic risk assessments.
This emphasis on change will be an interesting point to consider when assessing compliance in light of the COVID-19 pandemic. Based on the DOJ’s refinements, it is important that a program is not static and instead evolves to remain fit for purpose, despite any new or unforeseen circumstances which may arise.
While this is not a new concept by any means, it is noteworthy that the DOJ has emphasized the point.
2. An increased emphasis on demonstrating continued compliance efforts rather than snap-shots
Relatedly, the guidance asked whether updates and changes to compliance policies and programs are limited to a “snap shot” in time or are based on a more continuous assessment.
In addition, with respect to third parties, the new version of this guidance includes questions about whether the company engages in risk management of third parties throughout the lifespan of the relationship, or whether such review is limited to the onboarding process.
It is clear from these changes that the DOJ is looking to see periodic, qualitative review of compliance programs.
3. Resources provided to a company’s compliance program
The prior version of this guidance focused on whether and how successfully a company’s compliance program is being implemented.
In this new version of the guidance, this language has become more precise. Now, the guidance notes that the DOJ will assess whether a compliance program is “adequately resourced and empowered to function.” With these changes the DOJ appears to be signaling that compliance programs that are under-resourced can be thereby rendered ineffective.
One of the specific ways that the DOJ has incorporated this theme into the guidance is by inquiring whether compliance and control personnel have sufficient access to sources of data for effective monitoring and testing. This continues the DOJ’s past emphasis on the use of data and tracking, which also featured heavily in the original guidance. Companies considering the allocation of scarce resources in the current climate should remain mindful of this point, especially if they are considering significant reductions to their compliance budgets.
For many companies, given the impact on the business of the COVID-19 pandemic, the needs of their compliance function might look very different now to how they did six months ago. For example, the organization might need help to review new sources of data or track new kinds of government interactions.
With budgets likely to be constrained, compliance teams may wish to consider whether other internal functions (eg internal audit) may be able to assist, or whether resources may need to be temporarily diverted from long-term projects to address any immediate, higher-risk issues.
4. Training
Finally, the revised guidance includes an increased focus on training. The DOJ’s guidance now raises the question of whether shorter, more targeted training sessions with a practical impact have been implemented which would allow employees to raise issues with compliance.
Based on these changes, it appears that the DOJ is looking to see focused, practical training programs which empower employees to report any issues. Tying into the point above on continuous improvement, the DOJ also included a point asking whether companies periodically test the effectiveness of their hotline.
At this time, with more of the workforce working remotely than ever before, compliance teams may wish to review how their training is being delivered to ensure it remains fit for purpose in light of changing working practices.
The relevance of the DOJ’s guidance to investigations globally
In many jurisdictions, when a company faces an investigation, the effectiveness of its compliance program will come under scrutiny.
Some jurisdictions (eg France) have made certain standards of compliance mandatory. In others, an effective program may provide a defense (eg in Italy, Spain, Japan, and the UK, companies may escape criminal liability for certain crimes if they had an effective compliance program in place at the time).
Finally, as in the US, the existence of an effective compliance program, either at the time of the wrongdoing or at the time charges are brought, will be a mitigating factor in a number of jurisdictions (eg in the UK, Brazil, the Netherlands and South Africa).
In terms of offering guidance on how prosecutors assess and evaluate compliance, the DOJ has been much more forthcoming than some of its counterparts in other jurisdictions. The UK Serious Fraud Office’s equivalent guidance, published earlier this year, is not nearly as detailed. But in terms of broader principles the SFO adopts and the questions it asks companies under investigation, there is a good deal of consistency with the approach outlined in the DOJ guidance.
In many cases it will be at least somewhat persuasive in discussions with similar agencies outside the US if a company can demonstrate the effectiveness of its compliance program by reference to the DOJ guidance. The DOJ continues to move the needle on its expectations of compliance programs and to offer a helpful measure companies in the US and elsewhere may wish to use when evaluating their approach to managing the risk of misconduct in their business.
We would be happy to talk through these changes if any questions arise; please feel free to contact us.