“One hallmark of an effective compliance program is its capacity to improve and evolve”
(DOJ Compliance Program Evaluation Guidelines at Section III. A.)
The U.S. Department of Justice (“DOJ”) is following its own advice in maintaining and reviewing its Guidance on Evaluating Corporate Compliance Programs (the “Guidelines”) in issuing an updated version of the document on June 1, 2020. This update comes in response to feedback from the business and compliance communities on DOJ’s April 2019 comprehensive re-issue of the Guidelines (which were first published February 2017). While this latest update is more modest in scope, DOJ’s willingness for the Guidelines to be flexible and evolve over time, as it expects corporate compliance programs to do, is welcome. The changes expand on and clarify a number of important compliance topics.
What are the Guidelines?
The Guidelines are intended to assist DOJ prosecutors in assessing corporate compliance programs at each stage of their consideration of charging and resolving any corporate criminal case. The Guidelines have also become a valuable resource for companies, even those not before DOJ in an enforcement action, to measure their compliance program against the expectations of the U.S. Government.
The majority of the Guidelines remain unchanged. The amendments add emphasis and detail in a number of areas as follows:
Compliance program design may be influenced by applicable foreign laws, but must still meet DOJ expectations. Due to the expansive jurisdiction of the U.S. Foreign Corrupt Practices Act and other U.S. corporate criminal statutes, many foreign companies find themselves before DOJ, having their compliance programs scrutinized by prosecutors through a U.S. lens. This can be a challenge for companies seeking to balance the expectations of their home country’s laws with those of DOJ. Some of the most common examples are the need for European companies to structure their compliance programs so as to protect employee and others’ personal data in accordance with the EU’s General Data Protection Regulation and the prohibition in certain jurisdictions against anonymous whistleblower reporting (which DOJ would otherwise expect to be made available). Local labor law considerations may also limit the options or timeline for taking disciplinary action against employees in cases where DOJ would otherwise expect immediate termination. In the new Guidelines, DOJ has more directly instructed prosecutors to appreciate that a company’s decisions about compliance issues and program structure may be influenced by those foreign laws to which the company is subject. Nevertheless, the Guidelines make clear that the burden will be on the company to explain the impact of any foreign law to DOJ prosecutors and defend the approach it has taken in balancing the requirements of foreign laws with DOJ expectations.
Compliance programs need to be suitably resourced to be effective. Although effective compliance programs will differ (and the new Guidelines have added reference to many of the internal and external factors that may impact program structure and design); all compliance programs must be adequately resourced to function effectively. This is not a new concept for DOJ, but the revised Guidelines contain a number of new references to the Department’s focus on resourcing. Indeed, it has now taken on sufficient importance to be added to the second of three “fundamental questions” that a prosecutor should ask about any corporate compliance program. This question now reads: “Is the program being applied earnestly and in good faith? In other words, is the program adequately resourced and empowered to function effectively?” (emphasis added). The previous version of this question asked simply whether the program was being implemented effectively, without specific reference to its resourcing. The other fundamental questions (which remain unchanged) are “Is the corporation’s compliance program well designed?” and “Does the corporation’s compliance program work in practice?” Clearly companies finding themselves before DOJ will need to come prepared to justify their compliance program resourcing levels and to explain why the program has been designed the way that it has, in light of the company’s unique risk profile.
Companies must learn from their, and others’, mistakes. Inherently, companies defending their compliance programs before DOJ are there because something has gone wrong. Mistakes must be learned from and issues remediated. In the latest Guidelines, DOJ has highlighted that companies must incorporate lessons learned not only from misconduct identified at their company but also from “other companies facing similar risks.” Presumably, DOJ expects companies to be monitoring DOJ and other regulators’ enforcement actions for such lessons. The process for integrating lessons learned should be a systematic part of continuous improvement.
Compliance program monitoring must be continuous and data-driven. Repeatedly, throughout the new Guidelines, DOJ stresses the importance of continuously monitoring, in real time, compliance program effectiveness. One-off checks or periodic audits, on their own, will not be sufficient. Examples added to the new Guidelines include monitoring: i) employee engagement with policies and procedures (for example, by monitoring hit-counts or access logs on policies housed on the company’s intranet); ii) engagement in, and effectiveness of, training (for example, do employees who have been trained subsequently behave differently?); iii) third party compliance throughout the lifespan of the relationship, not just pre-engagement; iv) disciplinary decisions for consistency; and v) employee and third parties’ engagement with the company’s ethics hotline. To achieve all this, the new Guidelines stress that compliance departments must have unencumbered access to all data needed for such timely and effective monitoring.
Effective compliance programs cannot be static; and neither is DOJ. Among the many moving pieces that companies need to keep in mind in continuously enhancing their compliance programs is the need to stay on top of DOJ’s evolving expectations. For its part, DOJ has shown a willingness to be receptive to feedback and the evolving compliance challenges companies face. This includes the competing requirements placed on multinational companies’ compliance programs by an increasing number of international regulators and legal regimes.
About the Author:
Geoff Martin is a partner in the Litigation and Government Enforcement practice group in Washington, DC. Geoff started his career in Baker McKenzie’s London office in 2007 and moved to Washington DC in 2012. Geoff represents clients in matters before the federal government arising out of anti-corruption, trade sanctions, fraud, anti-money laundering, national security, and related enforcement actions. He also represents clients in civil and criminal matters in federal court. Geoff has extensive experience conducting internal investigations relating to such matters around the world