The Department of Justice-Criminal Division recently updated its internal guidance to federal prosecutors for evaluating corporate compliance programs. The DOJ does not promulgate a checklist or formula for evaluating such a program. Rather, in the criminal context, prosecutors are directed to evaluate, on a case-by-case basis, whether the program is well designed, is adequately resourced and empowered to work effectively, and works in practice.
Although there were no major substantive changes from the prior, 2019 version of the guidance, the key changes to the current version highlight DOJ’s continued focus on the importance of individualized risk-based compliance programs, and the fact that risks may change over time. The updated guidance encourages prosecutors to take the risk profile of a corporation, “including its size, industry, geographic footprint, regulatory landscape, and other factors,” into account when evaluating its compliance program.
The guidance includes the following points:
- Corporate compliance programs should be designed comprehensively for “maximum effectiveness” in preventing wrongdoing by employees, and corporate management must enforce the program to prevent tacit encouragement of misconduct.
- Corporate compliance programs should be effectively implemented to avoid being merely “paper programs.” An effective compliance program includes “the company’s culture of compliance” and an “awareness among employees that any criminal conduct will not be tolerated.” Employees should be adequately informed of the compliance program and convinced of the corporation’s commitment to it.
- Corporate compliance programs should not reflect a point in time; rather, programs must be continually monitored and improved upon, taking into account internal and external data on operational effectiveness and best practices.
- Corporate compliance programs should identify misconduct timely to allow for remediation and self-reporting. This is a “strong indicator” that the program is effective. Compliance programs should also “evolve over time to address existing and changing compliance risks,” and organizations should “undertake adequate and honest root cause analysis to understand both what contributed to the misconduct and the degree of remediation needed to prevent similar events in the future.”
Whether federal prosecutors are conducting an investigation, prosecuting misconduct by a business organization, or determining an appropriate penalty or criminal fine, great consideration is given to whether the corporation had an adequately designed and effectively implemented program that timely identified misconduct.