On June 1, the U.S. Department of Justice updated its guidance on the Evaluation of Corporate Compliance Programs (DOJ Compliance Guidance). While the changes are modest, they reflect DOJ’s evolving expectations regarding effective corporate compliance programs. The DOJ Compliance Guidance is published to “describe specific factors that prosecutors should consider” when conducting an investigation, filing a criminal action, and negotiating a resolution, but it also has become a touchstone for companies when designing and implementing compliance programs. The June 2020 updates reflect DOJ’s expectation that a compliance program should be appropriately tailored to reflect its company’s business and risks, dynamically positioned to evolve over time, and adequately resourced and empowered. All corporate compliance programs — whether in their infancy or sophisticated and battle-tested — should consider these newly released updates to be priorities in the near and long term to avoid and mitigate costly government investigations.
One Size Does Not Fit All
The June 2020 updates reinforce what companies have long understood: Effective compliance programs come in various shapes and sizes. What is important to DOJ, however, is that each company puts thought into what its compliance program should look like given the company’s “size, industry, geographc footprint, regulatory landscape, and other factors, both internal and external to the company’s operations.” To that end, the June 2020 updates add that “prosecutors should endeavor to understand why the company has chosen to set up the compliance program the way that it has.” That is, companies should not simply use off-the-shelf compliance policies and controls, and assume that those will suffice. Instead, companies need to think critically about where their company has compliance risk, why that risk exists, and what can be done to mitigate and monitor it. Moreover, companies should document these considerations so that they can show their work in the event of a government inquiry.
Continuous Improvement Through Data Analytics
Designing and implementing an effective compliance program is not a one-time exercise, as the June 2020 updates make clear. Now, more than ever, companies have countless data streams, and DOJ increasingly expects that compliance programs will harness that data to ensure that their programs are effectively monitoring and assessing risk, training company personnel, identifying areas for improvement, and responding to potential violations of company policy or law.
The June 2020 updates state that compliance personnel should continuously:
-
monitor “operational data and information across functions” to assess risk and to track “lessons learned”
-
maintain a process to update existing policies and track employee access to policy documents to understand “what policies are attracting more attention from relevant employees”
-
evaluate whether compliance training impacts “employee behavior or operations” and ensure that training provides opportunities to “raise issues” and “ask questions”
-
test the effectiveness of compliance hotlines and ensuing investigations.
While there are many ways to complete these tasks, using data can be the most efficient and effective way. The June 2020 updates therefore ask whether “compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls and transactions.” In short, DOJ knows that the data is there and wants to see that compliance personnel can get to it.
Understanding, evaluating and improving a compliance program is always important, but becomes critical when a potential violation of law comes to light. The June 2020 DOJ Compliance Guidance updates state that prosecutors will evaluate a compliance program “both at the time of the offense and at the time of the charging decision and resolution,” giving companies crucial time to remediate compliance gaps and demonstrate a commitment to future compliance. Therefore, when a potential issue comes to light, it is important that companies act quickly to understand the problem and how it occurred, and to incorporate lessons learned to strengthen the compliance program going forward.
Beyond Due Diligence
The focus on ongoing assessment and monitoring applies to third-party relationships as well. One hallmark of the June 2020 updates is an increased expectation that companies will do more than conduct one-time due diligence at the beginning of a business relationship, but will engage in ongoing monitoring and risk management. This issue is raised in two distinct arenas.
First, in the context of “third-party management” — such as of agents, distributors and vendors — the DOJ Compliance Guidance asks whether the company’s risk management occurs “throughout the lifespan of the relationship, or primarily during the onboarding process.” Second, in the context of M&A activity, the June 2020 updates emphasize that compliance personnel should ensure post-acquisition “integration of the acquired entity into existing compliance program structures and internal controls” in addition to pre-acquisition due diligence.
Compliance personnel should consider mechanisms to ensure this ongoing risk management throughout the life of business relationships, tailored to the potential risk of that third party or class of third parties. Additionally, compliance personnel should engage in robust integration efforts to ensure that an acquired entity and its employees are incorporated into existing compliance expectations, beyond the closing date.
Resourcing and Empowerment; Tone in the Middle
The June 2020 updates also include a focus on the effective implementation of a compliance program by ensuring that the program is “adequately resourced and empowered.” DOJ has long expected a demonstrable commitment to compliance from the top of the company, including by providing adequate resources to compliance programs and establishing a structure that gives the compliance function a prominent voice within the organization. However, in addition to the “tone at the top,” the June 2020 updates emphasize that compliance personnel should also pay attention to the tone in the “middle” to drive compliance messaging through all levels of the company.
Conclusion
In general, the June 2020 updates to the DOJ Compliance Guidance reflect that DOJ continues to consider effective compliance programs to be vital. DOJ has continued to invest time and resources into refining and communicating its expectations for compliance programs, and companies should heed DOJ’s guidance and pay careful attention to the recent updates.