What does the U.S. Department of Justice (DOJ) expect of a corporate compliance program? How does the DOJ evaluate whether a compliance program meets those expectations? And how can a company proactively shape its compliance program to meet those expectations? In late April 2019, the DOJ’s Criminal Division released an updated version of its “Evaluation of Corporate Compliance Programs” (the “revised Guidance”), which helps prosecutors and companies alike answer those questions. This article will briefly explore the history of the revised Guidance and highlight some of its most important aspects.
The Original Guidance
In February 2017, the Fraud Section of the DOJ’s Criminal Division released the original “Evaluation of Corporate Compliance Programs” Guidance (the “original Guidance”). Although released quietly on the Fraud Section’s website and technically applicable only to the Fraud Section, the stated purpose of the original Guidance was to provide a list of important topics and sample questions that the Fraud Section had frequently found relevant in evaluating a corporate compliance program. Many of the areas mentioned in the original Guidance had been discussed in other sources, including A Resource Guide to the U.S. Foreign Corrupt Practices Act (published jointly by the DOJ and the U.S. Securities and Exchange Commission in late 2012) and the Justice Manual’s “Principles of Federal Prosecution of Business Organizations.” But because of its user-friendly format and increased transparency into the DOJ’s thought process, the original Guidance received a generally positive reception from the legal and business communities.
The Revised Guidance
The revised Guidance builds on the original document by making it applicable to the entire Criminal Division and integrating the original set of topics and questions into a broader discussion of Justice Manual policies. Indeed, the revised Guidance uses as its organizational framework the three key questions that the Justice Manual instructs prosecutors to consider when evaluating a compliance program for effectiveness: (1) Is the program well designed? (2) Is the program being implemented effectively? And (3) does the program actually work in practice?
Some key aspects of the revised Guidance include:
Risk-Based Approach to Compliance. The revised Guidance makes clear that prosecutors must consider how well a company has evaluated its risk profile and used that evaluation to create a risk-based program. Referencing principles outlined in the Justice Manual, the revised Guidance explains how prosecutors may credit the quality and effectiveness of a risk-based compliance program that devotes appropriate attention and resources to high-risk transactions, even if it fails to prevent an infraction in a low-risk area. The revised Guidance also instructs prosecutors to consider, as an indicator of risk tailoring, revisions to corporate compliance programs in light of “lessons learned.”
Risk-Based Third Party Management. Third parties are the number-one risk area for violations of laws such as the Foreign Corrupt Practices Act (FCPA), and the revised Guidance emphasizes that a well-designed program should apply risk-based due diligence to third-party relationships. It instructs prosecutors to consider how a company (i) ensures that there are appropriate business rationales for the use of a particular third party, (ii) tracks third parties that do not pass due diligence and/or are terminated, and (iii) ensures these entities are not hired in the future. For any third party implicated in potential misconduct, prosecutors will ask for the business rationale for hiring the third party, whether there were red flags identified during the due diligence, and what the company did to gain comfort before engaging the third party.
Tailored Training and Communication. The revised Guidance emphasizes that prosecutors should assess whether the company has relayed compliance information, including the company’s policies and procedures, in a manner “tailored to the audience’s size, sophistication, or subject matter expertise.” It offers examples for how to achieve this, including by providing case studies that address real-life scenarios. Moreover, the revised Guidance underscores the need for a company to incorporate learnings from prior misconduct—it directs prosecutors to consider whether a company’s training program incorporates lessons learned from prior compliance incidents.
Strong Example from Leaders and an “Empowered” Compliance Function. The revised Guidance emphasizes the importance of creating and fostering a culture of ethics and compliance, which comes from both senior and middle management. “Tone at the top” and “mood at the middle” have long been part of the rubric for an effective compliance program; however, the revised Guidance’s emphasis on these elements—and the reformulated “conduct at the top” rather than simply “tone at the top”—underscores their importance. Tone from leadership (at all levels) is central to the assessment of whether a program is effective in practice and not merely a “paper program,” because leaders are responsible not only for establishing a culture of zero tolerance for corruption but also for leading by example. Compliance personnel must also be empowered by the company. In particular, compliance personnel must have sufficient seniority, autonomy, and resources to execute their tasks effectively.
Monitoring, Investigations, and Root Cause Analysis. Under the revised Guidance, prosecutors should analyze whether a company has proactively tested its compliance system through such means as internal audits and control testing. Prosecutors should also ask whether a company has “a well-functioning and appropriately funded mechanism for the timely and thorough investigations of any allegations or suspicions of misconduct.” Among other things, this will include ensuring that an investigation was properly scoped, independent, and objective. The revised Guidance emphasizes that a company must identify and remediate the causes of any compliance failure. Among other things, prosecutors should look at prior indications of misconduct that a company may have missed; potential weaknesses in a company’s controls, policies and procedures, payment systems, and vendor management; and how remedial efforts, including employment actions, have addressed the issues identified in the root cause and missed opportunity analysis.
Conclusion
The revised Guidance exemplifies the DOJ’s continued efforts to be more transparent in its compliance expectations. The updated Guidance demonstrates the DOJ’s willingness to help provide companies with the tools they need to prevent and detect misconduct, ensure their compliance programs meet expectations, and put the business community and prosecutors on the same page when it comes to corporate compliance programs. And while the DOJ has emphasized that the revised Guidance should not be used merely as a checklist—underscoring its refrain that there is no “one-size-fits-all” approach to compliance—a company looking to benchmark its compliance program against the DOJ’s expectations should review the revised Guidance closely.
About the Authors:
Charles (Chuck) Duross serves as co-chair of the firm’s Investigations and White Collar Defense Practice Group and is a co-leader of the FCPA and Global Anti-Corruption practice. With more than 22 years of experience principally focused on white-collar cases, Mr. Duross’s practice has an emphasis on complex white-collar criminal matters, including internal corporate investigations, representing special committees, compliance counseling, due diligence regarding third parties and business transactions, and defense of clients before government enforcement agencies and multilateral investment banks.
James Koukios is a partner in Morrison & Foerster’s Washington, D.C. office and serves as Global Co-Head of the FCPA and Global Anti-Corruption Practice. Mr. Koukios represents companies and individuals in high-stakes government enforcement actions and complex internal investigations. An experienced trial attorney and former federal prosecutor, Mr. Koukios has tried over 20 federal jury cases, including serving as the lead prosecutor in two landmark FCPA-related trials, United States v. Esquenazi and United States v. Duperval.
Lauren Navarro is an associate in the firm’s Securities Litigation, Enforcement and White Collar Defense Practice Group and a member of the FCPA and Global Anti-Corruption practice. Her practice encompasses a range of white-collar criminal matters, including internal corporate investigations, compliance counseling, due diligence regarding third parties and business transactions, and defense of clients before government enforcement agencies.