On April 30, the Criminal Division of the Department of Justice released an update to the Fraud Section’s February 2017 guidance document titled “Evaluation of Corporate Compliance Programs.” The original 2017 guidance has been described as an “internal list of questions” that Fraud Section prosecutors could use when evaluating the strength of the corporate compliance program of a corporation under investigation in deciding whether to bring criminal charges. The updated guidance was developed with input from the other components of the Criminal Division, and it organizes the original topics around three “fundamental questions” a prosecutor should ask in the course of making a charging determination:

1. Is the corporation’s compliance program well designed?
2. Is the program being implemented effectively?
3. Does the corporation’s compliance program work in practice?¹

The stated purpose of the updated guidance is to “assist prosecutors in making informed decisions as to whether, and to what extent, the corporation’s compliance program was effective” at the time of the conduct for which it is being investigated. Because this evaluation is conducted in the course of a criminal investigation, the guidance also makes clear that the questions are to be used only as a guide to aid the prosecutor in determining the following: (1) the appropriate form of any resolution or decision to prosecute; (2) the appropriate monetary penalty; or (3) appropriate compliance obligations to be contained in a corporate criminal resolution (e.g., monitorship requirements). For companies not currently under investigation, this guidance reinforces the expectations of prosecutors in assessing compliance programs on an ongoing basis.

Corporate compliance professionals and lawyers with responsibility for developing and implementing compliance programs have a wealth of available information to use in benchmarking the strengths and weaknesses of corporate compliance programs. While it is important for corporations to review and understand this new guidance in its entirety, we identify and discuss the key takeaways below.

No Cookie-Cutter Compliance Programs

The DOJ expects corporations to analyze their compliance risks and tailor their compliance programs accordingly.

The idea that a corporation should be assessing its specific risk areas and tailoring its compliance program to address those needs appears in the original 2017 guidance. However, the new guidance emphasizes and expands on this point to make it clear that derivative, cookie-cutter compliance programs that are not customized to the needs of the corporation will not pass muster.

The new guidance states that the “starting point” for any prosecutor’s evaluation of a compliance program is whether the program is designed to detect “the particular types of misconduct most likely to occur in a particular corporation’s line of business.” This critical question embraces two different, but related, principles: (1) the need for a corporation to conduct its own, particularized risk assessments and (2) the need for a corporation to account for those specific risks when drafting its compliance program.

The new guidance elaborates on both of these principles. First, the DOJ provides a list of the factors that it believes bear directly on a corporation’s risk profile: location; industry sector; competitiveness in the market; regulatory landscape; potential clients and business partners; transactions with foreign governments; payments to foreign officials; use of third parties; gifts, travel and entertainment expenses; and charitable and political donations. A corporation should use this list as an outline when conducting its internal risk assessment by, in a way that is documented, evaluating each of these factors and obtaining any relevant information. This should be done before a corporation drafts its compliance program, and periodically thereafter, to ensure that the program addresses the specific risks it identifies.

Second, the new guidance repeatedly references the notion of a “spectrum of risks” that a given corporation faces. When evaluating the risk factors, a corporation should develop its own “risk spectrum” by categorizing its specific compliance risks from low risk to high risk. The company should then incorporate this “risk spectrum” into its compliance program by tailoring its policies and procedures to ensure that it devotes proportionately more resources to detection and prevention in high-risk areas.

Third, the new guidance suggests that prosecutors will look favorably upon corporations that periodically update and revise their compliance programs and internal risk assessments. Compliance program revisions that reflect lessons the corporation learned from prior acts of misconduct — if they were detected or, especially, if they were not detected — will be particularly effective in demonstrating that a corporate compliance program has, in fact, been customized to the corporation’s specific needs and risks.

Compliance Programs Must Be Seen and Heard

Corporations must have written compliance policies and procedures and must ensure employees understand them.

In the original 2017 guidance, the DOJ emphasized the need for corporations to reduce their compliance programs to written policies and procedures that could be shared with employees. The new guidance reiterates the importance of documenting and sharing compliance documents, but expands the DOJ’s focus on how corporations make the policies “accessible” to their employees.

The documentation step remains critical under the new guidance. “Any well-designed compliance program entails policies and procedures that give both content and effect to ethical norms.” The most important policy/procedure remains the corporate code of conduct, which should reflect the corporation’s commitment to full compliance with all relevant laws and drive a culture of compliance into day-to-day operations.

The new guidance expands the discussion on this point by addressing the manner in which a corporation should communicate its compliance policies and, more importantly, ensure its employees understand them. The DOJ regards employee training — which it refers to as a “hallmark of a well-designed compliance program” — as an excellent way to achieve these goals. A corporation should conduct periodic trainings on its compliance program for all directors, officers and relevant employees. This training should be tailored to the specific audience’s size, level of sophistication and subject matter expertise, and the training should include a test and/or certification of understanding at the conclusion that demonstrates each individual’s comprehension of the materials. A company should also incorporate its internal risk analysis into its training program, for example by ensuring employees who operate in one of its identified high-risk areas receive more frequent and more detailed trainings than employees who only operate in low-risk areas.

Corporate Commitment Is Key

The DOJ will not credit so-called “paper programs” that are not backed up by sufficient corporate commitment.

As important as the design of a corporate compliance program is to federal prosecutors, the extent to which a corporation has successfully implemented the program is equally, if not more, important. The new guidance instructs prosecutors to determine whether a corporate compliance program is merely a “paper program” or one that is “implemented, reviewed, and revised.” Put another way, prosecutors will decide whether the corporation is actually committed to being compliant or whether they are merely committed to having a compliance plan.

This assessment begins, as one would expect, with management. “The effectiveness of a compliance program requires a high-level commitment by company leadership to implement a culture of compliance from the top.” The DOJ has left no room for interpretation here. A corporation should take steps to ensure that its senior and middle managers are committed to being compliant and have demonstrated that commitment through their words — by clearly articulating the company’s compliance standards to employees — and, more importantly, through their actions — by their rigorous adherence to all compliance policies and procedures. Exemplary behavior by management is particularly important in situations where a manager must choose between compliance and revenue. According to the new guidance, prosecutors will seek out these instances and will question a corporation’s commitment to compliance if managers tolerate greater compliance risks in the name of pursuing new business or increased revenue streams.

The new guidance also invokes another, more imprecise, principle when evaluating a corporation’s commitment to compliance — that of a compliance department’s autonomy. Determining whether a compliance program operates autonomously involves examining both the authority given to compliance personnel and their independence from the rest of the corporation. To ensure a compliance department has sufficient authority, a corporation should appoint compliance personnel who have seniority within the organization to command respect and effectuate change, and who are also experienced enough in the corporation’s business and compliance function to be able to understand and identify the activities that pose the greatest compliance risks. To ensure a compliance department is sufficiently independent, a corporation should provide compliance personnel direct access to either the board of directors or an appropriate board committee so they do not need to rely on the same managers they are monitoring to enact change or punish violators.

Actions Speak Louder Than Words

Identifying misconduct is not enough; to be effective, a compliance program must investigate violations and incentivize good conduct.

Consistent with the DOJ’s warning that “paper programs” will not be sufficient (as discussed above), the new guidance also makes clear that prosecutors expect to see corporate action being taken in response to compliance issues that are detected. When prosecutors are evaluating the effectiveness of a corporate compliance program, they will not credit a corporation for detecting misconduct unless the detection is accompanied by appropriate action.

The first step in taking corporate action is conducting an investigation any time a compliance program detects misconduct (or allegations of misconduct). A well-functioning mechanism for thoroughly investigating misconduct is yet another “hallmark” of an effective compliance program identified by the DOJ in the new guidance. The DOJ elaborates on some of the characteristics it looks for in an investigatory process. First, a corporation should ensure the investigation has a proper scope that includes not only identifying misconduct but identifying the root cause of the misconduct, as well as any system vulnerabilities or accountability lapses that allowed it to occur. Second, the investigation should be “independent and objective.” To ensure investigations meet these criteria, companies should evaluate whether the investigation should be conducted internally or externally. For example, if the investigation involves misconduct that is either widespread or potentially implicates members of corporate management, the corporation should have outside counsel conduct the investigation to avoid a conflict of interest and maintain independence.

However, the best and most effective way a corporation can demonstrate its willingness to act in furtherance of compliance is by incentivizing its employees to be compliant. In the new guidance, the DOJ identifies two such forms of incentivizing. The first is imposing discipline on employees (especially managers) who violate compliance standards. A corporation should implement disciplinary procedures to be followed whenever an employee is found to have engaged in a compliance violation. These procedures should be clearly stated and applied uniformly across the company (to all levels of employees), and should provide for real punishments that are commensurate with the conduct and convey a clear corporate message that compliance violations will not be tolerated. One thing prosecutors will look for when evaluating compliance discipline is whether it appears designed to deter future violators.

The DOJ also suggests that corporations can incentivize employees to be compliant by rewarding those employees who prioritize compliance and follow the rules. One very strong indicator that a corporation takes compliance seriously is to tie a compliance metric to employee bonuses and/or career advancement. For example, a corporation could implement certain compliance-related conditions (e.g., a clean compliance record for that year, completion of a certain amount of compliance training) that an employee must meet in order to be eligible to receive an annual bonus or to be considered for a promotion. A corporation should also consider including an evaluation of an employee’s compliance-related activities as a component of his or her performance appraisal at the end of the year. In doing so, the corporation should document whenever the employee improved the compliance program or demonstrated ethical leadership, and consider that conduct in determining discretionary raises, bonuses or promotions.

Endnotes