Introduction

New guidance issued by the US Department of Justice (DOJ) is the latest confirmation of the importance of implementing a robust compliance programme that is not simply well designed, but which is also adaptable and functions effectively. Issued on 30 April 2019, and titled "Evaluation of Corporate Compliance Programmes", the DOJ's latest guidance for its Criminal Division builds on prior guidance that encouraged prosecutors to assess the adequacy of corporate compliance programmes with respect to charging, sentencing, and plea and settlement decisions. The new guidance reiterates three fundamental questions that a prosecutor should ask:

  • Is the corporation's compliance programme well designed?
  • Is the programme being applied earnestly and in good faith? In other words, is the programme being implemented effectively?
  • Does the corporation's compliance programme work in practice?

As this latest guidance makes clear, companies have a strong incentive to maintain an effective compliance programme. Most importantly, these programmes must:

  • be fully implemented;
  • account for the structure and scope of a company's business; and
  • actually operate effectively.

This requires sufficient resources and attention, updating, and periodic auditing and testing to ensure that each company's programme is evolving to account for changing business conditions and risks.

DOJ guidance

The DOJ guidance provides a list of subsidiary topics and questions that will drive prosecutors' evaluation of the adequacy, implementation and functioning of a compliance programme:

  • In Section I, which concerns programme design, the guidance directs prosecutors to examine the "comprehensiveness of the compliance program" for clear messaging regarding a company's intolerance of misconduct and thorough integration of compliance policies and procedures into ongoing corporate operations.
  • Section II, which addresses compliance implementation, encourages prosecutors to analyse whether a compliance programme has been put in place "in an effective manner", with adequate resources devoted to ensuring that staff will "audit, document, analyse, and utilize the results of the corporation's compliance efforts" and that employees are adequately informed of the programme. Evidence of ethics and compliance commitment by senior leaders and middle management stakeholders, the autonomy and resources of compliance personnel and the establishment of tangible incentives for compliance – as well as disincentives for non-compliance – are all relevant to the DOJ's implementation inquiry.
  • Finally, Section III directs prosecutors to evaluate "whether a company's compliance program is working effectively". Among other factors, prosecutors may consider evidence of:
    • a company's "continuous improvement, periodic testing, and review" of compliance systems;
    • the existence of a "well-functioning and appropriately funded mechanism" for timely investigating alleged misconduct; and
    • the extent to which a company is able to conduct a "root cause analysis" of any identified misconduct, accompanied by appropriate remediation measures.

Effect of DOJ guidance

Largely structured as a series of questions, the DOJ guidance does not provide a complete roadmap to designing and implementing a compliance programme. Nevertheless, the DOJ and other regulators achieve several objectives through the promulgation of such documents, including providing genuine insight (which has long been sought by industry) into the particular criteria by which companies' compliance efforts will be judged.

Good intentions are not enough for a compliance programme to act as a shield in the event of a subsequent government investigation. The DOJ's latest guidance reflects the realities that compliance programmes must be appropriately tailored to address particular foreseeable risks and that "[e]ven a well-designed compliance program may be unsuccessful in practice if implementation is lax or ineffective". Although the guidance's sample topics and questions "form neither a checklist nor a formula" for prosecutorial decision making, they emphasise consistent themes of meaningful programme implementation and operational testing designed to probe whether a company has created an effective rather than merely a 'paper programme'. In light of this guidance, companies will do well to commit the necessary focus and resources toward the ongoing oversight and auditing of compliance programmes, including well after particular policies and procedures have been promulgated.

Practical steps for companies

As the DOJ guidance makes clear, companies should test their compliance programmes to ensure that the processes in place function as designed and lead to the identification and remediation of compliance issues. In practice, this means that companies should take stock of their compliance programmes at regular intervals and in real time following incidents or credible allegations of misconduct. One meaningful way to test a compliance programme is to systematically ask the questions set out in the DOJ guidance with regard to a company's existing compliance programme. The answers may go a long way towards identifying areas in which the functioning of a compliance programme can be improved – particularly those gaps that the DOJ would focus on should the company later find itself facing an investigation.

In addition, a company must devote attention to its communications about compliance, from top management and throughout the organisation, and to the structure of the compliance department and allocation of resources critical to its functioning. Companies that designate minimal resources to internal and external support for compliance will signal to the government that they are not focused on maintaining an effective programme.

Importantly, a company seeking to implement enhancements should proceed with an eye towards being able to later articulate and affirmatively demonstrate – including to the DOJ – how the changes align with applicable guidance and promote a compliance programme's efficacy. That reality is particularly acute for companies in the early stages of internal or government investigations, when – despite the need to focus on core investigative issues – the remedial action and compliance programme improvements occurring in parallel have the potential to strongly impact the terms of a resolution.

As a company assesses its compliance programme in light of this general DOJ guidance, it should also bear in mind other sources of guidance – typically more targeted in scope, but at times more specific with respect to the criteria – promulgated by the DOJ and other regulators, including:

On 2 May 2019 the US Department of Treasury's Office of Foreign Assets Control (OFAC) released "A Framework for OFAC Compliance Commitments", which is "intended to provide organizations with a framework for the five essential components of a risk-based [sanctions compliance programme]" and which further identifies several "root causes" that have led to apparent sanctions violations. As indicated by the government's recent focus on compliance programming, multinational companies must confront and manage the various compliance risks they face, and it is important to ensure that such targeted compliance guidance is factored into the assessment and implementation of a compliance programme.

In sum, this guidance and other recent announcements underscore the government's emphasis on updated, evolving and fully functional compliance programmes, with a level of sophistication and scope to match a company's individualised business and risks. As the DOJ guidance and others have illustrated, regulators' expectations for corporate compliance programmes have never been higher. However, to a greater extent than in the past, companies have a clearer blueprint to follow when developing and carrying out the sort of enhancements that regulators will increasingly expect. Ultimately, an approach that prioritises ongoing evaluation and refinement of a compliance programme will not only help a company to identify and address issues in the first instance, but also serve a company well should the day come when a compliance issue draws the attention of government enforcement agencies.

This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide.