On June 1, 2020, the United States Department of Justice (“DOJ”) substantially revised its guidance for evaluating the effectiveness of corporate compliance programs (the “Revised Guidance”). The new guidance contains several key recommendations which should be carefully reviewed by US and non-US companies in order to ensure that their compliance programs meet DOJ’s expectations. Significantly, whether a company’s compliance program was “effective” under the guidelines at the time of an offense, and was effective at the time of a charging decision or resolution, are substantial considerations for DOJ prosecutors in deciding whether to charge a corporation for misconduct, and may also be relevant to whether employee misconduct will be attributed to the company in question.

In evaluating the effectiveness of a company’s compliance program, US prosecutors are directed to ask three “fundamental questions”: (1) Is the corporation’s compliance program well designed?; (2) Is the program adequately resourced and empowered to function effectively?; and (3) Does the corporation’s compliance program work in practice? The recent revisions provide further guidance on how prosecutors consider those three questions.

I. Is the Corporation's Compliance Program Well Designed?

This question looks at matters such as the company’s risk assessment; policies and procedures; training and communications about compliance expectations; reporting mechanisms and investigations into issues raised; management of third parties; and mergers and acquisitions.

  • Risk Assessment: The Revised Guidance contains a number of recommendations with respect to a company’s assessment of potential compliance risks, including that:
    • a corporation should ensure that it conducts a periodic review of potential compliance risks based upon continuous access to operational data and information across functions, rather than being limited to a “snapshot” in time. Similarly, these periodic reviews should lead to updates in policies, procedures, and controls.
    • companies should also implement a process for tracking and incorporating into these periodic risk assessments the lessons learned either from the company’s own prior compliance issues or from those of other companies operating in the same industry and/or geographical region.
    • in addition, the company’s process for designing and implementing new policies and procedures should include updating existing policies and procedures.
    • finally, companies should be prepared to explain to the DOJ, should an investigation commence as to suspected violations of US law, why the company chose to set up the compliance program the way that it has, and why and how the company’s compliance program has evolved over time.
  • Training and Communications: The Revised Guidance states that companies should implement a process by which employees can ask questions arising out of trainings. Moreover:
    • the companies’ policies and procedures should be published in a searchable format for easy reference, and the company should track access to various policies and procedures to understand which policies are attracting more attention from relevant employees.
    • similarly, companies should address employees who fail all or a portion of the testing, and evaluate the extent to which the training has an impact on employee behavior or operations.
  • Confidential Reporting Structure and Investigation Process: The DOJ’s guidance has long recommended that companies maintain a compliance “hotline” or other anonymous mechanism to report suspected violations of law. The Revised Guidance recommends that companies should now take measures to test whether employees are aware of any available hotline and feel comfortable using it. A company should also:
    • publish its reporting mechanism to third parties.
    • periodically test the effectiveness of the hotline, for example by tracking a report from start to finish, and finally,
    • engage in risk management of third parties throughout the lifespan of the relationship, rather than exclusively or primarily during the onboarding process.
  • Mergers and Acquisitions: The Revised Guidance states that a company’s compliance program should now include a process for “timely and orderly integration” of any entity acquired (by merger or otherwise) into existing compliance program structures and internal controls. In addition, companies should make sure to complete pre-acquisition due diligence pertaining to compliance with US law, and should implement a process for conducting post-acquisition audits at newly acquired entities.

II. Is the Corporation's Compliance Program Adequately Resourced and Empowered to Function Effectively?

In general, this factor looks at issues such as the commitment of senior and middle management to compliance, whether the compliance function has adequate autonomy and resources, and the interaction between the company’s employee incentives and discipline and compliance considerations.

The Revised Guidance reflects a shift in the DOJ’s emphasis from the question of whether the company’s compliance program is “being implemented effectively” to whether the company’s compliance program is “adequately resourced and empowered to function effectively.” This guidance suggests that while many corporate functions are under economic pressure in the current business climate, it is critical to ensure that compliance functions remain adequately resourced.

With respect to senior and middle management commitment to the compliance program, the Revised Guidance reiterates DOJ’s longstanding recommendation that companies should create and foster a culture of ethics and compliance at all levels of the company. This commitment should come, according to the Revised Guidance, from both the middle and the top of the companies’ management (e.g., while the “tone at the top” remains highly relevant, DOJ is placing an increasing emphasis on the commitment of middle managers to compliance).

The Revised Guidance further states that companies should invest in further training and development of the compliance and other control personnel, and that compliance and control personnel should have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions. Finally, the Revised Guidance notes that a company should consciously try to ensure consistency in its investigations and resulting discipline.

III. Does the Corporation's Compliance Program Work in Practice?

This factor is focused on whether a corporation has periodically reviewed the effectiveness of its compliance program and made significant investments in, and improvements to, it. The DOJ expects that as a company’s business changes over time, its compliance program should be continually adjusted to keep pace. In addition, as issues arise and are investigated, the company should be incorporating the lessons learned from the investigation into its compliance program.

The Revised Guidance emphasizes that companies should adopt a mechanism for the ongoing review and adaptation of their compliance programs based upon lessons learned from the company’s own compliance experience and/or that of other companies facing similar risks. In practice, this means that a robust compliance program should include a formal, periodic (e.g. annual) review process involving the company’s legal and compliance staff and key internal stakeholders.

Conclusion

While the recommendations provided in the Revised Guidance may reflect the current practice of some companies with robust US legal compliance programs, it is important for all companies having ties to the United States to review their current policies carefully in order to ensure that they are consistent, to the extent feasible, with the Revised Guidance.

We have a global platform specializing in compliance and investigations work, and are ready to help companies design and implement sanctions and other compliance programs to meet regulators’ expectations. Please contact the authors or your usual Herbert Smith Freehills contacts for more information.

Key contacts

Jonathan Cross

Partner, New York
