On June 1, 2020, the Criminal Division of the U.S. Department of Justice (the “DOJ”) published an updated version of its Evaluation of Corporate Compliance Programs (the “Updated Guidelines”), an official guide for prosecutors on how to evaluate a company’s compliance programs. “Today’s revised guidance on the Evaluation of Corporate Compliance Programs reflects additions based on our own experience and important feedback from the business and compliance communities,” Assistant Attorney General Brian Benczkowski commented.
Though most of the changes represent refinements of points in the prior versions of DOJ’s Compliance Guidelines, they nonetheless signal significant trends in how compliance programs will be evaluated against evolving business realities. The most significant refinements relate to:
The last two topics in particular are relevant to multinational companies subject to U.S. jurisdiction.
First published in February 2017, the stated purpose of the DOJ Compliance Guidelines was to help prosecutors assess whether a corporation under investigation maintains an effective compliance program. If the DOJ concludes that a compliance program is effective, it may agree to certain concessions in terms of a charging decision, a more lenient monetary penalty, or exemption from independent compliance monitoring.
In our experience, it is exceedingly rare for DOJ to agree that the United States Sentencing Guidelines factors have been met regarding whether a company had a pre-existing effective compliance program. In theory, where those factors are met, a company is automatically entitled to a reduction in penalties under the Sentencing Guidelines. See U.S. Sentencing Guidelines Manual §8C2.5(f)(1). While it is impossible to objectively quantify how much credit DOJ gives for a company the Department concludes has an effective program at the time of a settlement, it is our experience that demonstrating a robust program to the Department is an important part of achieving the most favorable resolution possible under the particular circumstances of any given matter.
In April 2019, the DOJ updated and reorganized its Compliance Guidelines (the “2019 Guidance”) into twelve (12) factors categorized under three fundamental questions:
(1) Is the corporation’s compliance program well designed?
(2) Is the program being applied earnestly and in good faith?
(3) Does the corporation’s compliance program work in practice?
The Updated Guidelines retain the basic structure of the 2019 Guidance. However, this year’s changes indicate that DOJ will focus more on an organization’s unique circumstances and will attempt to determine whether the compliance program is appropriate for those circumstances. For example, the introduction to the Updated Guidelines states that DOJ will make an individualized determination in each case based on such factors as “the company’s size, industry, geographic footprint, regulatory landscape, and additional factors, both internal and external to the company’s operations, that might impact its compliance program.”
1. Evolution of Corporate Compliance Programs in Response to Changing Risk Profile
The Updated Guidelines refine the risk assessment inquiry by asking whether periodic risk reviews are “limited to a ‘snapshot’ in time or based upon continuous access to operational data and information across functions.” Companies are also expected to track and incorporate into their periodic risk reviews “lessons learned either from the company’s own prior issues or from those of other companies operating in the same industry and/or geographic region.” A prosecutor evaluating a company’s compliance program is instructed to understand why the company has chosen to set up the compliance program the way it has, and why and how the company’s compliance program has evolved. An effective compliance program thus should be a living entity periodically updated and improved in accordance with the company’s evolving risk profile.
2. Compliance Resources
The Updated Guidelines stress the question of adequate resourcing for a company’s compliance program even more strongly than the prior guidance. They begin discussion of this subject by noting, “Even a well-designed compliance program may be unsuccessful in practice if implementation is lax, under-resourced, or otherwise ineffective.” The Updated Guidelines then ask specifically whether compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow timely and effective monitoring and/or testing of policies, controls and transactions. DOJ will consider any existing impediments that limit access to relevant data and will also examine what the company is doing to address those impediments. These additions reflect DOJ’s awareness that data access is critical to effective oversight and to the operation of a successful compliance program.
The Updated Guidelines also instruct investigators to evaluate the structural choices a company has made with respect to where the Compliance function sits within the corporate organization, and the reasons for that choice, as well as the company’s investment in further training and development of its compliance personnel. These changes show that DOJ will be asking companies to demonstrate that they have given due consideration to the degree of autonomy and authority granted to the compliance function, as well as to ensuring that resources are dedicated to the ongoing professional development of compliance personnel.
3. Post-Acquisition Compliance Audit of Acquired Entities
With respect to mergers and acquisitions, the Updated Guidelines now state that a well-designed compliance program should also include “a process for timely and orderly integration of the acquired entity into existing compliance program structures and internal controls.” DOJ expressly recognizes that substantial pre-acquisition due diligence is not always possible. As a result, it adds the inquiry “[w]as the company able to complete pre-acquisition due diligence and, if not, why not?” Post-acquisition audits are also now included as a measure prosecutors should look for.
4. Post-Onboarding Monitoring of Third Parties
Relationships with third parties often present significant compliance risk to companies operating in countries with high corruption risk. Indeed, almost all FCPA investigations involve some aspect of third-party misconduct. Third-party management is thus a necessary and critical component of an effective compliance program.
The Updated Guidelines highlight third-party risks by directing prosecutors to probe a company’s business rationale for the use of third parties and the company’s awareness of the associated risks. They expect companies to manage third-party risk throughout the life of the relationship. This change addresses scenarios in which a company has a robust pre-engagement third-party due diligence process but inadequate mechanisms for managing risk on a continuing basis. In addition, companies should weigh the necessity of using third parties against the compliance risks that may result from those relationships.
5. Data Resources and Access
A significant feature of the Updated Guidelines is their emphasis on data. In discussing risk assessment, the Updated Guidelines mention the importance of periodic review “based upon continuous access to operational data and information across functions.” In discussing compliance resourcing, the Updated Guidelines add “Data Resources and Access” as an additional factor to consider. Indeed, data (for example, databases relating to accounting and corporate finance, human resources, customers and contracts, vendors and third parties, etc.) give substance and empirical support to a company’s compliance risk assessment, monitoring, auditing, investigation, testing and evaluation. Without access to and use of data, a corporate compliance program may easily become pro forma or stale, as compliance and control personnel become detached from business realities.
DOJ also mentions inadequate access to data as a potential impediment to an effective compliance program. Although DOJ does not specify what it means by impediment, the term may equally cover internal and external factors. Internally, a company’s own data management and access protocols may prevent compliance teams from reaching the data necessary to evaluate potential violations effectively. Externally, and as discussed further below, DOJ’s concern about impediments may also extend to laws or regulations that certain countries have put in place to restrict data access and export (such as the European Union’s General Data Protection Regulation (GDPR), or China’s state secret protection regime and cross-border data export regulations), and to whether the company has taken steps to ensure that its compliance program works effectively within those legal boundaries and across the entire organization. While acknowledging that impediments may exist, DOJ expects companies to take measures to address them.
6. The Impact of Foreign Law on a Company’s Compliance Program
The Updated Guidelines contain a newly added Note 2, which reads:
Prosecutors should consider whether certain aspects of the compliance program may be impacted by foreign law. Where a company asserts that it has structured its compliance program in a particular way or has made a compliance decision based on requirements of foreign law, prosecutors should ask the company the basis for the company’s conclusion about foreign law, and how the company has addressed the issue to maintain the integrity and effectiveness of its compliance program while still abiding by foreign law.
A multinational corporation with operations in multiple jurisdictions may face the challenge of staying compliant with multiple legal regimes. In some cases, compliance with foreign laws (e.g., privacy and procedural laws) may complicate the company’s efforts to build a comprehensive compliance program that DOJ would consider effective. For example, EU and Chinese law on personal data protection may restrict investigation efforts. Additionally, allowing the headquarters-based compliance function access to data sitting in China could risk violating China’s data export or even state secret regulations. Note 2 of the Updated Guidelines addresses these dilemmas by giving companies an opportunity to explain the conflict-of-laws situation. To help prosecutors understand the situation, the company should secure foreign law expertise in support of its conclusion on foreign law, show its best efforts to achieve effectiveness, and explore alternatives that work around, but do not violate, the restrictions imposed by foreign law.
7. Other Refinements, Changes and Additions
In addition to the changes discussed above, the Updated Guidelines contain other refinements regarding accessibility of policies and procedures, training and communications, confidential reporting structures, consistent application of incentives and disciplinary measures, and evolving updates of the compliance program, including:
(1) Publication of corporate policies and procedures in a searchable format for easy reference, and tracking of access to various policies and procedures to understand what policies are attracting more attention from relevant employees;
(2) Processes through which employees can ask questions in online or in-person trainings;
(3) Testing of the confidential reporting mechanism to find out whether or not employees are aware of the hotline and feel comfortable using it;
(4) Periodic testing of the effectiveness of the hotline by, for example, tracking a report from start to finish; and
(5) Monitoring of investigations and resulting discipline to ensure consistency in the application of disciplinary measures.
The changes presented in the Updated Guidelines come just 14 months after DOJ last updated its Compliance Guidelines. The substance and timing of the revision indicate that DOJ is working to close the gap between its understanding of corporate compliance and the realities that corporate compliance programs face in practice. They also reflect the Government’s effort to stay abreast of changes in global business and legal environments. The changes in the Updated Guidelines indicate that DOJ investigators should recognize that compliance programs are not one-size-fits-all. At the same time, DOJ will expect companies to allocate sufficient resources to their compliance programs and to test and update their programs regularly as circumstances change. DOJ investigators also will expect companies to be self-aware: if impediments to an effective compliance program exist, companies will be expected to have identified those impediments and to have taken steps to ensure that their compliance programs are not compromised.
The changes in the Updated Guidelines present an opportunity for companies to revisit and, as needed, update the resources devoted to their compliance programs, the structure and implementation of those programs, and their strategies for identifying and overcoming impediments to a comprehensive program, and to assess generally how the company’s program would withstand the type of scrutiny contemplated by DOJ’s Updated Guidelines.
As always, we will continue to monitor developments in these areas. Please feel free to contact any of our team members with questions.