DOJ Updates Compliance Program Guidance

King & Spalding
Contact

On June 1, 2020, the DOJ Criminal Division released an updated version of its guidance regarding the evaluation of corporate compliance programs (the 2020 DOJ Compliance Guidance). DOJ originally issued this guidance in February 2017, and then updated and restructured the guidance in April 2019.

As with the prior versions of the guidance, the purpose of the 2020 DOJ Compliance Guidance is to “assist prosecutors in making informed decisions as to whether, and to what extent, the corporation’s compliance program was effective at the time of the offense, and is effective at the time of a charging decision or resolution, for purposes of determining the appropriate (1) form of any resolution or prosecution; (2) monetary penalty, if any; and (3) compliance obligations contained in any corporate criminal resolution (e.g., monitorship or reporting obligations).” Although the guidance is primarily structured to provide guidance to federal prosecutors with respect to prosecutorial decisions involving organizations across all industries, the guidance offers valuable insights for healthcare organizations seeking to enhance their compliance program efforts and assess current expectations with respect to the design and sophistication of compliance programs.

Although the recent revisions are notable, the 2020 DOJ Compliance Guidance largely resembles the prior version released in April 2019. DOJ continues to reiterate key themes from prior versions of its compliance program effectiveness guidance as well as other sources of DOJ guidance. The 2020 DOJ Compliance Guidance, like the April 2019 version, is organized around three “fundamental questions.” First, “Is the corporation’s compliance program well designed?” Second, “Is the program being applied earnestly and in good faith?” Third, “Does the corporation’s compliance program work in practice?” Within each of these three areas, DOJ offers specific questions and topics for prosecutors to consider when evaluating the effectiveness of a compliance program under review.

Notably, the DOJ revised its terminology related to the second question to focus on whether the compliance program is “adequately resourced and empowered to function effectively” rather than on whether the program was being “implemented effectively.” This change appears to highlight the DOJ’s continuing focus on identifying concrete compliance measures an organization can take and DOJ’s longstanding expectation that compliance programs have sufficient resources (including financial resources) and organizational support to function effectively.

Other key changes in the 2020 DOJ Compliance Guidance include:

  • Lessons Learned and Importance of Compliance Program Evolution – Several of DOJ’s revisions place additional emphasis on the concept that a compliance program should be constantly evolving and should incorporate feedback from both internal and external sources. This concept is not new, but DOJ’s revisions further emphasize its importance. DOJ’s discussion of the organization’s risk assessment process adds a section on “Lessons Learned” and instructs prosecutors to probe whether the company has “a process for tracking and incorporating into its periodic risk assessment lessons learned either from the company’s own prior issues or from those of other companies operating in the same industry and/or geographical region.” Also, with respect to reporting mechanisms, DOJ has added a question regarding whether the company “periodically test[s] the effectiveness of the hotline, for example by tracking a report from start to finish.” This question underscores that it is not sufficient to simply implement compliance program functions; instead, the compliance program should take the next step to test and evaluate those functions.
  • Relevant Time Periods for Evaluation – The 2020 DOJ Compliance Guidance clarifies that prosecutors should evaluate the “fundamental questions” for the compliance program “both at the time of the offense and the time of the charging decision and resolution.” This revision reflects the common theme that a compliance program should be constantly evolving based on lessons learned and evolving risk profiles and that a snapshot in time of a compliance program does not necessarily capture all metrics that are important to DOJ’s evaluation.
  • Integration of Compliance Program – DOJ’s revisions also build upon the longstanding emphasis on the need for a compliance program to be more than a “paper program” and that compliance efforts cannot be merely a “check the box” exercise. The 2020 DOJ Compliance Guidance highlights the need to integrate compliance program efforts into the company’s operations in a useful and relevant manner in two key areas: (1) policies and procedures and (2) training. With respect to policies and procedures, the 2020 DOJ Compliance Guidance probes the accessibility and usability of policies and procedures. Prosecutors are instructed to evaluate whether the “policies and procedures have been published in a searchable format for easy reference” and whether the company “track[s] access to various policies and procedures to understand what policies are attracting more attention from relevant employees.” For training, DOJ has added questions regarding whether there is “a process by which employees can ask questions arising out of the trainings” and whether the company has “evaluated the extent to which the training has an impact on employee behavior or operations.” Again, these changes underscore that merely having written policies and providing training is not the end of the analysis and additional efforts are needed to assess whether the policies and training are effective.
  • Continuing Compliance Efforts for Third Parties and Acquisition Targets – DOJ also added several questions relating to third party management and mergers and acquisitions. Several of these revisions are designed to evaluate the extent to which compliance efforts for third parties and acquisition targets are limited to the beginning of the relationship, versus continuing throughout the duration of the relationship. For third party vendors, prosecutors are now instructed to consider whether the company “engage[s] in risk management of third parties throughout the lifespan of the relation, or primarily during the onboarding process.” For mergers and acquisitions, the 2020 DOJ Compliance Guidance explicitly recognizes that there may be circumstances where a company is unable to complete pre-acquisition due diligence but places additional emphasis on the need for post-acquisition due diligence and integration efforts. For example, DOJ added a question relating to post-acquisition audits at newly acquired entities.

The 2020 DOJ Compliance Guidance is available here.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising

Written by:

King & Spalding
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

King & Spalding on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide