Understanding the DOJ’s Updated Guidance on Corporate Compliance Programs
In Short
The Situation: On April 30, 2019, the U.S. Department of Justice ("DOJ") released an updated version of its guidance document, "Evaluation of Corporate Compliance Programs," in an effort to "better harmonize" the document with other DOJ materials and provide more detail around the government's approach to analyzing compliance programs.
The Development: The updated guidance provides new insight into the topics DOJ believes to be important when evaluating the effectiveness of a corporate compliance program.
Looking Ahead: The 2019 guidance demonstrates DOJ's increasing focus on corporate compliance and an emphasis on compliance programs that apply a risk-based approach and are continuously improving.
On April 30, 2019, the DOJ released an updated version of a guidance document titled "Evaluation of Corporate Compliance Programs." The original version of this guidance was first released in February 2017. The updated 2019 guidance offers new insight into the factors DOJ considers important when evaluating the effectiveness of a company's compliance program.
This guidance retains much of the same substance as the 2017 version, but it includes more detailed explanations of the compliance topics on which DOJ is focused, additional factors and questions DOJ considers in evaluating a compliance program, and a reorganized structure. While the 2017 version was billed as a list of sample topics and questions that DOJ "has frequently found relevant in evaluating a corporate compliance program," the 2019 guidance is described as a tool "meant to assist prosecutors in making informed decisions" about the effectiveness of a corporate compliance program for purposes of determining an appropriate resolution.
The 2019 guidance demonstrates DOJ's increasing focus on corporate compliance and provides an accompanying set of expectations as to what DOJ believes a compliance program should be doing to prevent and detect misconduct. In this guidance, DOJ emphasizes the importance of a risk-based approach to compliance and continuous improvement of corporate compliance programs.
2019 Guidance in Brief
The guidance reformulates the key topics DOJ examines in evaluating a company's compliance program around three questions:
- Is the compliance program "well designed"?
- Is the program "implemented effectively"?
- Does the compliance program "work in practice"?
Well Designed: The 2019 guidance—quoting the Justice Manual § 9-28.800—defines a well-designed compliance program as being "adequately designed for maximum effectiveness in preventing and detecting wrongdoing." DOJ believes a well-designed program should accomplish these ends through the communication of a clear message of compliance along with well-integrated policies and procedures.
The guidance identifies sample topics DOJ will evaluate to determine whether a compliance program is well designed, including the nature, extent, and effectiveness of a company's:
- Risk assessment;
- Policies and procedures;
- Training and communications;
- Confidential reporting structure and investigation process;
- Risk-based, third-party management process; and
- Due diligence in mergers and acquisitions.
Implemented Effectively: Next, the guidance asks: Is the compliance program purely a paper program or is it being "implemented effectively"? To answer this question, DOJ will examine the following sample topics:
- Senior and middle management's commitment to compliance;
- The compliance function's autonomy and resources; and
- Incentives for compliance and disciplinary measures for noncompliance.
Works in Practice: While acknowledging that no compliance program can detect all misconduct, DOJ expects that a program that "works in practice" should be generally effective in preventing and detecting misconduct. The factors DOJ will evaluate under this category include:
- Continuous improvement and evolution of the compliance program to address changing compliance risks;
- Periodic testing, auditing, and review of the compliance program, internal controls, and compliance culture to determine their effectiveness;
- Effective detection of, and response to, misconduct;
- Investigations that are appropriately staffed and sufficiently funded to thoroughly investigate and document suspected misconduct;
- The thoughtfulness of the root cause analysis to understand misconduct; and
- Thoroughness and effectiveness of remediation to prevent future misconduct, including examining and improving any identified compliance weaknesses.
Other Recent Compliance Guidance
DOJ's 2019 guidance was followed on May 2 with the publication of "A Framework for OFAC Compliance Commitments" by the Department of the Treasury's Office of Foreign Assets Control ("OFAC"). Like the DOJ guidance, OFAC's Framework encourages risk-based compliance programs and evaluates these programs based on "five essential components of compliance: (1) management commitment; (2) risk assessment; (3) internal controls; (4) testing and auditing; and (5) training."
Observations
DOJ's updated guidance on corporate compliance programs should be viewed as the next step in the U.S. government's march toward increasingly more proscriptive compliance programs. This march began with the United States Sentencing Guidelines § 8B2.1 on "Effective Compliance and Ethics Program," which led to the government's use of corporate monitors as part of pleas and other resolution agreements with companies. This was followed by the compliance-oriented guidance in DOJ's and SEC's 2012 "A Resource Guide to the U.S. Foreign Corrupt Practices Act," and then the 2017 version of DOJ's guidance document. It now culminates with DOJ's recently updated guidance and OFAC's Framework.
Despite the growing government input on compliance programs, DOJ's new guidance—similarly to past government guidance—leaves it to corporate management and boards of directors to make the tough decisions about the design, resource allocation, and implementation of compliance programs. While that may be the "right" place to leave that responsibility, DOJ and other regulators retain the advantage of evaluating the "reasonableness" of those decisions with perfect 20-20 hindsight when problems occur.
Two Key Takeaways
- The guidance indicates that DOJ is increasingly focused on how companies shape and implement their compliance programs.
- The guidance indicates that DOJ is prioritizing the following key components in its evaluation of a corporate compliance program:
Regular risk assessments and continuous improvement of and updates to the program based on lessons learned; and
Appropriate tailoring of the program based on an up-to-date risk profile of the company (including size, industry, geographic location, and regulatory environment);
Engagement and education on compliance issues by senior and middle management, the board, and key "gatekeepers."