US Department of Justice revises DOJ Corporate Compliance Program evaluation guidelines

Eversheds Sutherland (US) LLP

On June 1, 2020, the US Department of Justice (DOJ) released revised guidance for evaluating a company’s corporate compliance program.[1] Since its creation in 2017, the Evaluation of Corporate Compliance Programs (Guidance) has undergone several revisions to provide clarification and transparency, including a significant reorganization of the established hallmarks of a successful compliance program in 2019.[2]

The June 2020 changes provide useful insight into the DOJ’s current focus, which appears to include increased emphasis on (i) the ongoing evolution of a company’s compliance program; (ii) the need to evaluate the compliance program based on a company’s individual circumstances; and (iii) the importance of ensuring the compliance function is sufficiently resourced and has appropriate authority.

Evolution of the Corporate Compliance Program

The revised Guidance contains several additions emphasizing the importance of continuously testing and revising the compliance program to address evolving risks. While the DOJ has recognized that there is no one-size-fits-all compliance program, it is not enough to implement a stagnant compliance program. The Guidance emphasizes that prosecutors should consider whether the company is proactive in identifying gaps in its compliance programs and in taking remedial measures to prevent potential issues.

The revisions incorporate this theme into multiple compliance “hallmarks,” predictably affecting the hallmarks of risk assessments and of continuous improvement, periodic testing, and review the most. While the Guidance previously addressed the need to consider “lessons learned,” the revisions indicate an increased focus on the importance of adapting the compliance program to account for evolving issues identified by risk assessments and based on the company’s own experiences or the experiences of peer companies operating in the same industry or geographical location.

The revisions also clarify the factors that prosecutors should consider when evaluating whether a company’s risk assessments sufficiently account for an evolving risk profile: “Is the periodic review limited to a ‘snapshot’ in time or based upon continuous access to operational data and information across functions? Has the periodic review led to updates in policies, procedures, and controls?” In other words, it is simply not enough to consider whether risk assessments are being conducted and are successfully identifying risks; prosecutors will consider whether the risk assessments accounted for the evolution of the company’s program, and whether the company used identified gaps to then improve its compliance program.

The revisions also provide additional factors to consider when testing and reviewing other areas of the compliance program.

  • Policies and Procedures: The revised Guidance emphasizes the need for companies to test employee access to policies and procedures and to identify which policies attract the most employee attention. In evaluating a company’s policies and procedures, prosecutors may also consider whether the company is proactive in updating existing policies and procedures to reflect changing circumstances.
  • Training and Communications: Previously, the Guidance instructed prosecutors to consider the form, content, and effectiveness of training, including whether training was provided to the appropriate people, and whether the company tested employee understanding and retention of the content. Now, the Guidance goes one step further, questioning whether the company tests the extent to which the training impacts future employee behavior and operations.
  • Confidential Reporting Structure and Investigation Process: The Guidance has stressed the need for anonymous and publicized reporting hotlines or other reporting mechanisms. But, perhaps in an effort to avoid a check-the-box approach, the Guidance now notes that prosecutors should consider whether companies test the extent to which employees know and are comfortable using the reporting methods, and periodically test the effectiveness of the available reporting mechanisms.
  • Third Party Management: Companies likely are already conducting risk-based due diligence of third parties. The Guidance now goes even further, instructing prosecutors to consider whether the company identifies risks that arise after the initial relationship takes effect, and “engage[s] in risk management of third parties throughout the lifespan of the relationship, or primarily during the onboarding process.”

Considering the “Why”

The revised Guidance cautions prosecutors to avoid falling into a rigid assessment of a company’s compliance program, expressly instructing prosecutors to “endeavor to understand why the company has chosen to set up the compliance program the way that it has, and why and how the company’s compliance program has evolved over time.”

Previously, the Guidance recognized that companies have different risk profiles, and that their compliance programs should be appropriately tailored to address those risks to avoid expending unnecessary resources implementing measures inapplicable to the companies’ circumstances. The Guidance also already instructed prosecutors to make an individualized determination of the compliance program’s effectiveness.

The June 2020 revisions expand on how the prosecutors should conduct this “individualized” determination, adding that the evaluation should be “reasonable,” and providing prosecutors with examples of the factors that should be considered in that determination, “including, but not limited to, the company’s size, industry, geographic footprint, regulatory landscape, and other factors, both internal and external to the company’s operations, that might impact its compliance program.”

This theme also appears within the different hallmarks. For example, the Guidance explains that the DOJ should not penalize a company simply because it failed to complete pre-acquisition due diligence in a merger or acquisition. Rather, prosecutors should inquire into why the due diligence was not completed, and then determine whether this was reasonable given the company’s specific circumstances.

Sufficient resources and authority for compliance

The Guidance also provides additional information about how to evaluate whether a compliance program is being applied “earnestly and in good faith.” In April 2019, the Evaluation of Corporate Compliance Programs re-structured the existing hallmarks—which are considered to be fundamental for an effective compliance program—under three questions: (1) Is the corporation’s compliance program well designed?; (2) Is the program being applied earnestly and in good faith?; and (3) Does the corporation’s compliance program work?

At that time, the Guidance explained that the second question—whether the compliance program was “being applied earnestly and in good faith”—meant whether the compliance program was “being implemented effectively.” The revised Guidance now clarifies that a compliance program is “applied earnestly and in good faith” if it is “adequately resourced and empowered to function effectively.” The Guidance also specifies that prosecutors should consider whether the compliance program is “under-resourced” when determining whether the program is effective. This revision and others throughout the Guidance re-emphasize the importance of ensuring that the compliance function does not simply exist—it is empowered to effect change.

In addition to ensuring the compliance program is sufficiently resourced and has appropriate authority, the Guidance repeatedly discusses the need for the compliance function to have access to data to implement the compliance program effectively: “Do compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions? Do any impediments exist that limit access to relevant sources of data and, if so, what is the company doing to address the impediments?” The emphasis on the use of data repeatedly appears throughout the Guidance as a key component of improvement, testing, and reviewing the compliance program.

Notably, the Guidance is intended to be a resource for prosecutors evaluating a company’s corporate compliance program, not guidance for companies structuring their compliance programs. However, the Guidance and the recent revisions provide insight into the risks and subjects on which the DOJ is currently focused, which in turn provides useful information about the factors companies should be considering when evaluating their own compliance programs.

Eversheds Sutherland Observation: Companies should consider these revisions and take the time to re-evaluate their compliance programs to ensure they are adequate, particularly in areas related to ongoing testing and review of the compliance program, the program’s ability to address evolving risks, the resources and information available to the compliance function, and whether personnel are able to effectively implement the compliance program. Companies should also continue to monitor future revisions to the Guidance.

 


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Eversheds Sutherland (US) LLP | Attorney Advertising
