From Implementation to Empowerment: Department of Justice Updates Its Guidance for Evaluation of Corporate Compliance Programs

Footnotes for this article are available at the end of this page.

On June 1, 2020, the Criminal Division of the U.S. Department of Justice (“DOJ”) updated its guidance for its evaluation of corporate compliance programs when making charging decisions. The Guidance, first published in February 2017 and last updated in April 2019, provides continuing insight into DOJ’s expectations for compliance.  As such, it should be considered not only a tool for federal prosecutors but also an essential resource for companies in building, maintaining, and enhancing their compliance programs.  A copy of the latest Guidance is available here.

The original Guidance provided “some important topics and sample questions that the [DOJ] Fraud Section has frequently found relevant in evaluating a corporate compliance program” and included a list of 11 topics and 119 questions to that end.  The 2019 update expanded the applicability of the Guidance from specifically the Fraud Section to the Criminal Division more generally.  In doing so, the Guidance became organized around the three key questions that the Justice Manual (JM § 9-28.800) directs prosecutors to consider when evaluating a compliance program:

  1. Is the corporation’s compliance program well-designed?
  2. Is the program being applied earnestly and in good faith? In other words, is the program being implemented effectively?
  3. Does the corporation’s compliance program work in practice?

Among other revisions, this week’s update to the Guidance edits the second question and instead instructs prosecutors to ask “Is the program adequately resourced and empowered to function effectively?” This shift from “effective implementation” to “effective empowerment to function” is further reflected in other changes to the Guidance, which focus on ensuring that compliance programs respond dynamically to continual access to data rather than rest on static assessments of “snapshots” in time. Brian Benczkowski, head of the Criminal Division, noted that this latest version “reflects additions based on our own experience and important feedback from the business and compliance communities.”

Below we highlight some of the key areas from the updated Guidance where companies should devote effort to best ensure that DOJ will find their compliance programs adequately dynamic and effectively empowered.

Data Utilization and Reporting: The Guidance sets forth new considerations as to whether compliance personnel are granted sufficient access to different sources of data to effectively and timely monitor the company’s operations and how the company is addressing any impediments to such access. In tandem with this, it also focuses on the adequacy and actual utilization of reporting mechanisms, such as anonymous hotlines.

Third-Party Risk: The Guidance emphasizes a need for risk management with respect to third parties (e.g., agents, consultants, vendors, and distributors) over time.  Diligence is not only necessary at the inception of a business relationship, but also throughout the “lifespan” of that relationship, including a specific inquiry into what auditing processes the company uses with respect to third parties.

Training: The Guidance poses new specific questions as to whether the company’s compliance training is interactive, how the company handles employees who fail compliance training testing, and whether the company evaluates the impact of training on employee behavior.

Resources and Funding: The Guidance encourages the company to commit the resources necessary to examine and test its compliance program, including the ability to modify its structure and policies when necessary in response to “continuous monitoring of operational data and new information.”

Special Attention to Mergers & Acquisitions: The 2019 update to the Guidance addressed the importance of the company exercising “pre M&A due diligence” of an acquisition target’s compliance program. The Guidance now adds focus on the company’s post-acquisition responsibilities. Specifically, an effective compliance program is expected to have “a process for timely and orderly integration of the acquired entity into existing compliance program structures and internal controls.”

It is clear from these enhanced DOJ guidelines that organizations are expected not only to continue monitoring the effectiveness of their compliance programs but also to perform regular reviews to ensure that those programs are adequately resourced and have access to the proper tools and technology to collect and analyze data, perform adequate due diligence, and manage third-party risks. Such continued vigilance will help the organization reduce the risk of a compliance failure and potential investigation, and will minimize the risk of prosecution in the event of an investigation.

[1] Dylan Tokar, Justice Department Adds New Detail to Compliance Evaluation Guidance, Wall Street Journal (June 1, 2020).