DOJ Updates Guidance on Compliance Programs

By Richard Montes De Oca* and Claudia Herbello**
On June 1, 2020, the U.S. Department of Justice (“DOJ”) issued new updates to its Evaluation of Corporate Compliance Program Guidance (“New Guidance”). The original guidance was issued in February 2017, and this latest update clarifies and focuses on what new factors prosecutors should consider when evaluating the effectiveness of corporate compliance programs as a mitigating factor in charging decisions and dispositions. Compliance officers should use the New Guidance to update their existing compliance programs or to design new programs.
Fundamental Question
The New Guidance focuses on three fundamental questions:
1. Is the corporation’s compliance program well designed?
2. Is the program being applied earnestly and in good faith?
3. Does the corporation’s compliance program work in practice?
Individualized Evaluation
The New Guidance recognizes that a prosecutor’s goal is to make the compliance program evaluation more individualized and specific to the company under review. Specifically, they must assess a company’s risk profile to make a “reasonable, individualized determination in each case that considers various factors including, but not limited to, the company’s size, industry, geographic footprint, regulatory landscape, and other factors, both internal and external to the company’s operations, that might impact its compliance program.”
Evolving and Dynamic Program
According to the New Guidance, compliance programs are to be viewed as “a journey, not a destination.” Prosecutors are asked to “endeavor to understand why the company has chosen to set up the compliance program the way that it has, and why and how the company’s compliance program has evolved over time.” They are also encouraged to analyze how and if the program has been modified based on lessons learned. These lessons learned should not be limited to experiences within the company but also based on lessons learned from “other companies operating in the same industry and/or geographical region.” The New Guidance also recognizes that compliance programs must be dynamic and constantly revised, monitored, and assessed to address the current risks of the company and any anticipated compliance violations.
Adequate Resources
The New Guidance emphasizes the importance for compliance programs to have adequate resources. It is not enough to implement a program; the program must also be “adequately resourced and empowered by function” effectively. It also reflects the need for companies to assign sufficient senior personnel to the compliance program, and for such personnel to be independent from management.
Risk Assessment
Compliance programs are expected to be “risk-tailored” to the various risks the company faces and should adapt based on changes to the company’s business, risks and circumstances. Under the New Guidance, prosecutors should ask whether the company conducts periodic risk assessments and whether they are based “snapshot-in-time or based upon continuous access to operational data and information across functions?” Further, prosecutors should determine whether “the company has a process for tracking and incorporating into its periodic risk assessment lessons learned.”
Policies and Procedures
Accessibility of a company’s policies and procedures is a key factor under the New Guidance. It asks whether the policies and procedures are “published in a searchable format” and whether they are “attracting more attention from employees.” If so, prosecutors will want to know how the company is tracking that fact. Companies should also ask whether their periodic assessments of compliance program have led to updates in their policies, procedures, and controls.
The New Guidance prompts prosecutors to ask: “has the company evaluated the extent to which the training has an impact on employee behavior or operations?” They should evaluate how well the company conveys the lessons learned to employees through training “in a manner tailored to the audience’s size, sophistication, or subject-matter expertise.” Prosecutors should also evaluate whether there is a process for employees to ask questions arising out of the trainings either online or in-person.
An effective reporting mechanism or hotline for compliance programs is essential according to the New Guidance. Specifically, it asks whether the company “periodically test[s] the effectiveness of the hotline-for example, by tracking a report from start to finish?” It also highlights the importance for companies to take measures to assess whether employees are aware of the hotline and feel comfortable using it. Lastly, the New Guidance focuses on the need for companies to promote reporting hotline not just to employees, but to third parties as well.
Third-Party Risk Management
The New Guidance places increased focus on third-party risk management. Prosecutors are expected to evaluate the “business rationale” for companies using third parties, and whether such arrangements are properly documented. Further, they must focus on whether companies engage in “ongoing monitoring of the third party relationship” throughout the “lifespan of their relationship or only during due diligence for the on boarding process.”
Mergers and Acquisitions (M&A)
With respect to M&A, the New Guidance asks whether the company was able “to complete pre-acquisition due diligence and, if not, why not?” It also addresses the importance of “a process for timely and orderly integration of the acquired entity into existing compliance program structures and internal controls.”
*Richard Montes De Oca is Managing Partner at MDO Partners, a boutique law firm that focuses on Corporate, International, and Real Estate law, as well as Global Compliance and Business Ethics.
**Claudia Herbello serves as one of MDO Partners’ Associate Counsel. Herbello is a corporate law attorney with experience in Corporate Governance, Mergers & Acquisitions Transactions, Corporate Formation, as well as Global Compliance and Business Ethics.