Introduction

On 1 June 2020 the US Department of Justice (DOJ), Criminal Division, updated its guidance on the Evaluation of Corporate Compliance Programmes, providing increased clarity on some of the key questions that prosecutors ask in assessing the adequacy of corporate compliance programmes when making charging, sentencing and plea and settlement decisions.

These updates fall into three main categories. First, the DOJ made a subtle yet significant clarification to its three fundamental questions. Second, it provided more detail on the way in which it makes individualised determinations in assessing compliance programmes. Third, throughout its guidance, the DOJ included more specific questions that it will ask about the nuances of a company's programming, which provide greater insight into the DOJ's expectations. Companies can look to these revisions for guidance to:

  • proactively create or enhance their compliance programmes; and
  • effectively advocate before the DOJ in the context of a criminal investigation.

Reframing a fundamental question

In 2019 the DOJ organised its guidance around the three fundamental questions that a prosecutor should ask in evaluating corporate compliance programmes, as initially outlined in the Justice Manual:

  • Is the corporation's compliance programme well designed?
  • Is the programme being applied earnestly and in good faith? In other words, is the programme being implemented effectively?
  • Does the corporation's compliance programme work in practice?

This second question – really, two questions – was arguably awkwardly framed. After all, earnest and good faith efforts do not guarantee effective implementation. As of June 2020, the DOJ has resolved this disconnect by now asking whether a corporation's compliance programme is adequately resourced and empowered to function effectively.

To test the sufficiency of this aspect of a programme, the DOJ poses questions regarding investment in the training of compliance and other control personnel, and whether those personnel have sufficient access to relevant data sources to allow for meaningful oversight. The emphasis on resources is notable, particularly at a time when economic conditions may place downward pressure on compliance budgets. The DOJ also emphasises that a company should foster a culture of ethics and compliance with the law at all levels of the company – including in the middle as well as at the top – conveying the importance of compliance leadership among those managers with more direct oversight of routine business operations.

Individualised determinations

Since its original guidance in 2017, the DOJ has eschewed a specific formula or one-size-fits-all checklist to evaluate corporate compliance programmes. The June 2020 updates are consistent with this approach, acknowledging the need for individualised assessment. Under the revised guidance, the DOJ expressly:

considers various factors including, but not limited to, the company's size, industry, geographic footprint, regulatory landscape, and other factors, both internal and external to the company's operations, that might impact its compliance program.

While these revisions may not affect how a company builds its compliance programme, they may be useful touchpoints for effective advocacy during an investigation.

New questions, clearer direction

In posing a plethora of new questions, the DOJ offers additional building blocks to corporations seeking to refine their compliance programmes. Many of these questions are directed at emphasising the importance of data analytics and continuous evolution in the design and implementation of compliance programmes. Among the new questions are the following, grouped by subject matter:

  • Risk assessments:
    • Is the period review limited to a snapshot in time or based on continuous access to operational data and information across functions? Has the periodic review led to updates in policies, procedures and controls?
    • In addition, does the company have a process for tracking and incorporating into its period risk assessment lessons learned from the company's own prior issues or from those of other companies which operate in the same industry or geographical region?
  • Data and resources:
    • Do compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and testing of policies, controls and transactions? Do any impediments limit access to relevant sources of data and, if so, what is the company doing to address these?
  • Policies and training:
    • Have the company's policies and procedures been published in a searchable format for easy reference? Does the company track access to various policies and procedures to gain an understanding of which policies are attracting more attention from relevant employees?
    • Whether online or in-person, is there a process by which employees can ask questions arising out of the training?
  • Whistleblowing:
    • How is the company's anonymous reporting mechanism (to the extent that there is one) publicised to other third parties? Does the company take measures to test whether employees are aware of the hotline and feel comfortable using it? Does the company periodically test the effectiveness of the hotline (eg, by tracking a report from start to finish)?
  • Lifecycle management of third parties:
    • Does the company engage in risk management of third parties throughout the lifespan of the relationship or primarily during the onboarding process?
  • Consistency in disciplinary action:
    • Does the compliance function monitor its investigations and resulting discipline to ensure consistency?

As the DOJ acknowledges, not all questions will be relevant to all companies. Nevertheless, the updated compliance guidance reveals the DOJ's expectations for effective compliance programmes and can thus serve as a guide for companies looking to improve or create their own programmes.

Comment

These refinements are only the latest in a series of updates to the DOJ guidance and policies that have, broadly speaking, improved the clarity and transparency of the DOJ's exercise of prosecutorial discretion. For instance, in February 2017 the DOJ's Fraud Section issued its first compliance guidance document, which was then updated in April 2019 and again now. In 2018, then-Deputy Attorney General Rod Rosenstein issued a memorandum entitled "Policy on Coordination of Corporate Resolution Penalties", directing DOJ attorneys to "consider the totality of fines, penalties, and/or forfeiture imposed by all [DOJ] components as well as other law enforcement agencies and regulators in an effort to achieve an equitable result" – in other words, to help prevent undue 'piling on' by multiple enforcement authorities. Thereafter, in October 2018 Assistant Attorney General Brian A Benczkowski issued a memorandum entitled "Selection of Monitors in Criminal Division Matters", providing clarity as to the criteria to be considered when determining whether a corporate compliance monitor is warranted. In 2019 the DOJ issued a new guidance memorandum entitled "Evaluating a Business Organisation's Inability to Pay a Criminal Fine or Criminal Monetary Penalty", concerning how the DOJ's Criminal Division evaluates companies' claims that they cannot pay a proposed criminal fine or monetary penalty. Further, in 2019 the DOJ clarified certain policies governing voluntary self-disclosures in Foreign Corrupt Practices Act and export control and sanctions cases.

Beyond their clarifications, the June 2020 updates are consistent with an effort to account for the practical realities associated with investigations and enforcement actions against corporations. Just as important, they are another piece of an increasingly clear roadmap for companies looking to implement, enhance, defend or gain mitigation credit for their compliance programmes.

Matthew Sullivan, counsel, assisted in the preparation of this article.