On April 30, 2019, the Criminal Division of the Department of Justice (DOJ) released an updated Guidance for evaluating corporate compliance programs. The Guidance is intended to provide insight into compliance program factors that prosecutors will consider in their charging decisions in criminal matters. It expands upon a February 2017 guidance document issued by the Department’s Fraud Section (a sub-division of DOJ’s Criminal Division). The Guidance provides greater “transparency” into the Department’s recent thinking on effective corporate compliance programs, as revealed by Assistant Attorney General Brian Benczkowski’s keynote address at the Ethics and Compliance Initiative (ECI) 2019 Annual Impact Conference. In his address, AAG Benczkowski reaffirmed the central role of corporate compliance programs in the context of DOJ’s charging decisions. According to the Guidance, compliance programs will be significant in “determining the appropriate (1) form of any resolution or prosecution; (2) monetary penalty, if any; and (3) compliance obligations contained in any corporate criminal resolution (e.g., monitorship or reporting obligations).”
To determine whether a compliance program is effective, the new guidance instructs prosecutors to ask three “fundamental questions”:
Is the Compliance Program Well Designed?
In his keynote address unveiling the guidance, AAG Benczkowski emphasized the specific and individualized nature of the Department’s compliance program assessments. “We recognize that each company’s risk profile and solutions to reduce its risk warrant particularized evaluation,” and that, “[a]ccordingly, we make an individualized determination in each case.” In short, with the release of the updated guidance, DOJ has made clear that one-size-fits-all compliance programs, and programs based around generic best practices, will not provide companies much protection in charging decisions. Programs must have policies and procedures tailored for each company that:
Focus on High-Risk Areas
The Guidance places heightened importance on a compliance program’s ability to identify and effectively allocate resources to high-risk areas specific to the company’s business and the unique spectrum of risks it faces. Thus, it instructs prosecutors to perform a “Risk-Tailored Resource Allocation” assessment focused on determining whether a company appropriately prioritizes high-risk areas and transactions.
Base Employee Training on “Lessons Learned”
Prosecutors will assess whether a company has policies and procedures that emphasize a culture of compliance and are readily available to its employees. In addition, companies will be evaluated on how effectively they train their employees and gatekeepers in compliance-related areas. Additionally, the updated guidance underscores the importance of conducting compliance training in language appropriate to enable target audience comprehension. Central to the training assessment will be an analysis of whether compliance training is effective, such as using “real-life scenarios” and/or “case studies” that provide practical advice to employees rather than mere generalities, and assessing whether the compliance program is specifically tailored for employees in high-risk areas. In this regard, prosecutors will seek to determine whether compliance program training “adequately covers prior compliance incidents” and implements changes based on “lessons learned,” and whether employees know when to seek advice relating to compliance policies.
Provide for Confidential Reporting Mechanisms
The Guidance designates a “Confidential Reporting Structure and Investigation Process” as a “hallmark” of a well-designed compliance program. Companies are expected to design complaint-handling processes that include “pro-active measures to create a workplace atmosphere without fear of retaliation, appropriate processes for the submission of complaints, and processes to protect whistleblowers.” Citing the Justice Manual and U.S. Sentencing Guidelines, the Guidance states that “confidential reporting mechanisms are highly probative of whether a company has established corporate governance mechanisms that can effectively detect and prevent misconduct.”
Consider Third-Party Risk
A compliance program is simply not well-designed if it fails to assess risks associated with third-party relationships. Third-party risk varies greatly by industry, company and transaction, which is why prosecutors will assess whether a company understands the “qualifications and associations of third-party partners, including agents, consultants and distributors.” It is these third parties that are commonly used to conceal misconduct. Thus, companies must ensure that there is an appropriate rationale for the use of third parties and that third-party contracts are tailored to identify the work to be performed, provide evidence that the work is being performed, and compensate third parties commensurate with the services they render. Ongoing monitoring of these relationships through due diligence, training and/or auditing is integral to an effective program. (Note, the need for due diligence does not end with third parties. To the extent that a company engages in mergers and acquisitions, an effective compliance program must ensure that the acquiring company appropriately scrutinizes the acquisition target and effectively enforces its compliance programs upon the acquisition target.)
Is the Compliance Program Being Implemented Effectively?
Without effective implementation, a well-designed compliance program is not useful in effectively deterring misconduct. Thus, the Guidance instructs prosecutors to investigate the “company’s culture of compliance” and specifically probe “whether a compliance program is a [mere] paper program.”
Commitment by Senior and Middle Management
The Guidance underscores the need for senior and middle management personnel to set a “tone from the top” of compliance that incentivizes, rather than impedes, their employees’ compliance efforts. It also instructs prosecutors to evaluate whether leaders are demonstrating “rigorous adherence by example” to compliance and ethics policies that are readily communicated to employees in “clear and unambiguous terms.”
Compliance Program Stature, Autonomy and Resources, and Incentives
The Guidance emphasizes the importance of providing company compliance officers with the autonomy and resources necessary to act with “adequate authority and stature” within their organizations. Prosecutors will consider the structure and reporting lines for the compliance function, along with the level of seniority, stature and resources compliance officials have relative to others within the company. The key question prosecutors will seek to answer in the implementation section is whether those officials are “empowered and positioned to effectively detect and prevent misconduct.” Equally important to an effective compliance program is creating incentives for compliance, such as promotions and rewards, as well as disincentives for non-compliance, such as disciplinary action.
Does the Compliance Program Work in Practice?
A key point of the Guidance instructs prosecutors to assess “the adequacy and effectiveness of [a] corporation’s compliance program at the time of the offense, as well as at the time of a charging decision.” This temporal analysis emphasizes that prosecutors will be looking for a living and evolving compliance program when making charging decisions. Prosecutors, therefore, will examine both whether a compliance program was adequately designed and implemented at the time of the misconduct—despite having failed to prevent it—and whether the program has been effectively updated to prevent such misconduct in the future. The hallmarks of this analysis include (1) whether a compliance program has the capacity to improve, be tested and evolve; (2) timely investigation of misconduct; and (3) a root cause analysis.
Continuous Program Improvement
This element of the overall analysis builds upon AAG Benczkowski’s October 2018 memorandum on the Selection of Monitors in Criminal Division Matters, which instructs prosecutors to consider, in evaluating the benefit of a monitor, “whether remedial improvements to the compliance program and internal controls have been tested to demonstrate that they would prevent or detect similar misconduct in the future.”
In keeping with its major themes, the Guidance instructs prosecutors to “consider revisions to corporate compliance in light of lessons learned.” To determine whether compliance programs are living up to this standard, prosecutors may want to understand if and when a company performed an internal audit or control testing of its compliance program (especially in “high-risk” areas or areas “relating to” prior misconduct). Beyond internal audits, the Guidance instructs prosecutors to investigate whether a company has sought “input from all levels of employees to determine […] senior and middle management’s commitment to compliance,” as well as the company’s “culture of compliance” as a whole. Finally, in this regard, prosecutors will look to whether a company’s compliance program is continuously evolving to meet the new challenges presented by changes to its business, customers, technology, and governing laws and regulations. AAG Benczkowski referred to this broader goal in his ECI address: “[…] compliance is a fast-moving field, and one in which evolving technologies and globalization of economies and enforcement can provide both challenges and solutions.”
Timely Investigation of Misconduct and Root Cause Analysis
In the event of misconduct, prosecutors will assess whether compliance programs provide for timely and thorough investigations of allegations or suspicions of misconduct and how companies address such misconduct. Adequate analysis and remediation of misconduct is a hallmark of an effective compliance program. This element reflects an acknowledgment by the Criminal Division that the “root cause” analysis prevalent in FCPA remediations will now be incorporated into the standard for evaluating compliance programs more generally. Similarly, the Department’s expectation that companies will undertake “root cause” analyses to remediate past misconduct and prevent future similar misconduct is in keeping with the general aim of the Guidance to reward specific and particularized compliance programs that maintain emphases on prevention and detection in high-risk areas and continually evolve based upon lessons learned.
The Guidance marks a clear effort by the Criminal Division to harmonize its compliance guidance “with other Department guidance and standards.” Moreover, it provides new insight into the “multifactor analysis” prosecutors will perform in evaluating corporate compliance programs at the charging stage of an investigation. Prosecutors will seek to reward companies with strong compliance cultures. Those compliance programs require effective design, implementation, and function in practice, all of which must be specifically tailored to the risks inherent to a company’s business. Considering the importance that DOJ has placed on compliance program evaluation in its charging decisions, companies should take this opportunity to re-evaluate and reconfigure compliance as a key initiative in 2019.