DOJ Updates Guidance on Compliance Programs
By Richard Montes De Oca* and Claudia Herbello**
On June 1, 2020, the U.S. Department of Justice (“DOJ”) issued new updates to its Evaluation of Corporate Compliance Program Guidance (“New Guidance”). The original guidance was issued in February 2017, and this latest update clarifies and focuses on what new factors prosecutors should consider when evaluating the effectiveness of corporate compliance programs as a mitigating factor in charging decisions and dispositions. Compliance officers should use the New Guidance to update their existing compliance programs or to design new programs.
The New Guidance focuses on three fundamental questions:
1. Is the corporation’s compliance program well designed?
2. Is the program being applied earnestly and in good faith?
3. Does the corporation’s compliance program work in practice?
The New Guidance recognizes that a prosecutor’s goal is to make the compliance program evaluation more individualized and specific to the company under review. Specifically, they must assess a company’s risk profile to make a “reasonable, individualized determination in each case that considers various factors including, but not limited to, the company’s size, industry, geographic footprint, regulatory landscape, and other factors, both internal and external to the company’s operations, that might impact its compliance program.”
Evolving and Dynamic Program
According to the New Guidance, compliance programs are to be viewed as “a journey, not a destination.” Prosecutors are asked to “endeavor to understand why the company has chosen to set up the compliance program the way that it has, and why and how the company’s compliance program has evolved over time.” They are also encouraged to analyze how and if the program has been modified based on lessons learned. These lessons learned should not be limited to experiences within the company but also based on lessons learned from “other companies operating in the same industry and/or geographical region.” The New Guidance also recognizes that compliance programs must be dynamic and constantly revised, monitored, and assessed to address the current risks of the company and any anticipated compliance violations.
The New Guidance emphasizes the importance for compliance programs to have adequate resources. It is not enough to implement a program; the program must also be “adequately resourced and empowered by function” effectively. It also reflects the need for companies to assign sufficient senior personnel to the compliance program, and for such personnel to be independent from management.
Compliance programs are expected to be “risk-tailored” to the various risks the company faces and should adapt based on changes to the company’s business, risks and circumstances. Under the New Guidance, prosecutors should ask whether the company conducts periodic risk assessments and whether they are based “snapshot-in-time or based upon continuous access to operational data and information across functions?” Further, prosecutors should determine whether “the company has a process for tracking and incorporating into its periodic risk assessment lessons learned.”
Policies and Procedures
Accessibility of a company’s policies and procedures is a key factor under the New Guidance. It asks whether the policies and procedures are “published in a searchable format” and whether they are “attracting more attention from employees.” If so, prosecutors will want to know how the company is tracking that fact. Companies should also ask whether their periodic assessments of compliance program have led to updates in their policies, procedures, and controls.
The New Guidance prompts prosecutors to ask: “has the company evaluated the extent to which the training has an impact on employee behavior or operations?” They should evaluate how well the company conveys the lessons learned to employees through training “in a manner tailored to the audience’s size, sophistication, or subject-matter expertise.” Prosecutors should also evaluate whether there is a process for employees to ask questions arising out of the trainings either online or in-person.