I. Background
The “Principles of Federal Prosecution of Business Organizations” in the DOJ’s Justice Manual describes specific factors that prosecutors should consider when conducting an investigation of a corporation, determining whether to bring charges, or negotiating plea or other agreements.1 These factors include “the adequacy and effectiveness of the corporation’s compliance program at the time of the offense, as well as at the time of a charging decision” and the corporation’s remedial efforts “to implement an adequate and effective corporate compliance program or to improve an existing one.”2
The June 2020 issuance is the third version of the document, with the DOJ having issued guidance originally in 2017 and updating that guidance in April 2019.
The June 2020 version maintains that each corporate compliance program must be evaluated in the specific context of a criminal investigation but provides additional guidance stating that the DOJ makes “reasonable, individualized determination in each case that considers various factors including but not limited to, the company’s size, industry, geographic footprint, regulatory landscape, and other factors, both internal and external to the company’s operations, that might impact its compliance program” (emphasis showing changes). The guidance also focuses on three issues that prosecutors may consider in the course of making individualized determinations:
- Is the corporation’s compliance program well designed?
- Is the program being applied earnestly and in good faith? In other words, is the program adequately resourced and empowered to function effectively? and
- Does the corporation’s compliance program work in practice?3
The June 2020 revisions focus on the following general areas: (1) whether a compliance program is adequately resourced and empowered to function effectively; (2) the evolution of the compliance program over time based on a corporation’s risk profile; and (3) the value of data for ensuring compliance program effectiveness.
II. ‘Adequately resourced and empowered’
One of the most prominent changes in the June 2020 revision is the only change made to one of the three fundamental questions prosecutors may ask in the course of making individualized decisions. Previously, the second question asked whether a compliance program “is being implemented effectively.” The new guidance expands on this question and asks whether the program “is adequately resourced and empowered to function effectively.” The new wording emphasizes that an effective compliance program cannot just be a “paper program” and instead must have “staff sufficient to audit, document, analyze, and utilize the results of the corporation’s compliance efforts.”
III. Evolution of compliance programs
In several changes throughout the June 2020 revisions, the DOJ emphasizes that a corporation must continually evolve its compliance program based upon the company’s risk profile. Documentation on the reasons for changes made during that evolution will be critical in helping the DOJ to understand compliance program effectiveness. The revisions stress that a compliance program should be updated regularly and include new language in the risk assessment section on “lessons learned,” asking:
Does the company have a process for tracking and incorporating into its periodic risk assessment lessons learned either from the company’s own prior issues or from those of other companies operating in the same industry and/or geographical region?
The revisions go even further in a section discussing continuous improvement, periodic testing, and review, asking: “Does the company review and adapt its compliance program based upon lessons learned from its own misconduct and/or that of other companies facing similar risks?” The revisions also encourage prosecutors to ask whether corporations are continually reassessing their risk profile or whether the review is limited to a “snapshot” in time.
Further, the guidance encourages companies to not only continue to reevaluate their own risk profile, but also to engage in risk management of third parties throughout the lifespan or the relationship with the third party, and not just at the onboarding process. Similarly, the new guidance includes numerous changes to the section on mergers and acquisitions, noting that pre-acquisition due diligence is not enough. Corporations need to also have a “process for timely and orderly integration of the acquired entity into existing compliance program structures and internal controls.” This includes asking whether post-acquisition audits were conducted at newly acquired entities.
The new guidance highlights DOJ’s interest in understanding changes made to the compliance program and the reasoning behind such changes. The new guidance states that DOJ will be specifically evaluating compliance programs at multiple points in time: “both at the time of the offense and at the time of the charging decision and resolution.” Further, in the risk assessment section, prosecutors are encouraged to “understand why the company has chosen to set up the compliance program the way it has, and why and how the company’s compliance program has evolved over time.” Therefore, companies should thoroughly document their reasoning for compliance program changes.
IV. Data to ensure effectiveness of compliance programs
The revisions add specific guidance on the DOJ’s expectations of data collection and use. A subsection was added to the guidance titled “Data Resources and Access,” which explains that prosecutors should ask:
Do compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions? Do any impediments exist that limit access to relevant sources of data and, if so, what is the company doing to address the impediments?
This new section places a particular emphasis on measurable compliance metrics. Other revisions throughout the document also reference data to ensure the effectiveness of a compliance program. Some examples include: understanding which policies and procedures are being accessed by relevant employees; evaluating how training impacts employees’ behavior or operations; testing whether employees are aware of a hotline and the effectiveness of a hotline; and monitoring investigations and resulting discipline for consistency.
V. Implications
Reed Smith encourages any corporation that has a corporate compliance program or is looking to build one to use this newly issued guidance as a tool in evaluating compliance program effectiveness, and, where appropriate, enhance the programs in line with the guidance. While the guidance may be particularly apt for a corporation currently under DOJ investigation, any corporation using a compliance program to mitigate the risk of wrongdoing, and thus criminal exposure, is urged to use the guidance to ensure program effectiveness. This guidance also applies to any company under DOJ monitoring or any company in the process of implementing a compliance program in response to a previously identified issue. By following this guidance, corporations can tailor compliance programs to be more effective in mitigating the risk of wrongdoing, while also mitigating their risk of exposure in the event misconduct does occur.
- Justice Manual 9-28.300.
- Justice Manual 9-28.300 (citing Justice Manual 9-28.800 and Justice Manual 9-28.1000).
- The guidance notes that the sample questions and topics are not a checklist or formula, and in some cases may not even be relevant.
Client Alert 2020-368