DOJ Updates Guidance on Evaluating Corporate Compliance Programs

3 May 2019
View Debevoise Update
Key takeaways:
  • The Criminal Division of the U.S. DOJ released updated guidance this week regarding how federal prosecutors should evaluate corporate compliance programs.
  • This updated guidance incorporates previous pronouncements by DOJ and the SEC, and provides a helpful framework that focuses on three fundamental questions: whether a compliance program is well designed, whether it has been effectively implemented, and whether it works in practice.
  • While the guidance is intended for prosecutors, it can serve as a valuable resource for compliance professionals and others as they seek to design, implement, and monitor an effective compliance program.


On April 30, 2019, Assistant Attorney General Brian Benczkowski announced an updated version of the Evaluation of Corporate Compliance Programs (the “Updated Guidance”). This Updated Guidance supersedes a document of the same name that the Fraud Section of DOJ’s Criminal Division published online in February 2017 without any formal announcement (the “2017 Guidance”). Although not breaking much new ground, we believe the Updated Guidance can serve as a valuable resource for those grappling with how best to design, implement, and monitor an effective corporate compliance program.

In contrast to the 2017 Guidance—which listed dozens of questions to consider in evaluating a compliance program without providing much context—the Updated Guidance employs a more holistic approach. It focuses on three fundamental questions drawn from the Justice Manual:
  • Is the corporation’s compliance program well designed? 
  • Is the program implemented effectively?
  • Does the program work in practice?

In addition to the Justice Manual, the Updated Guidance incorporates and quotes from other governmental pronouncements regarding corporate compliance programs. These include A Resource Guide to the Foreign Corrupt Practices Act, issued jointly by DOJ and the SEC in 2012, and the United States Sentencing Guidelines.

CONTEXT

We previously wrote about the 2017 Guidance in our FCPA Update. That earlier version highlighted over 120 sample compliance questions (across eleven topics), which DOJ might ask a company to address in a criminal investigation. The 2017 Guidance provided little context apart from a short introduction noting that the “topics were neither a checklist nor a formula,” a caveat repeated in the Updated Guidance. In contrast, the Updated Guidance reorganizes the questions around key themes and provides more context for each set of questions.

As noted both in the Updated Guidance itself and in AAG Benczkowski’s speech announcing it, the Updated Guidance is intended to assist prosecutors in evaluating a company’s compliance program. It offers a framework to help prosecutors determine how to resolve or prosecute particular matters, what monetary penalties to seek, and what if any compliance obligations to impose (such as a monitor).

The Updated Guidance is also the most complete discussion of the government’s expectations for a corporate compliance program to date. Particularly with its focus on risk assessments and the effectiveness of a program as implemented, we think it provides a useful guide for companies and compliance officers seeking to evaluate and update their own programs.

COMPONENTS OF THE GUIDANCE

The Updated Guidance covers the same eleven topics as the 2017 version and includes virtually all of the earlier questions, now split into twelve topics and organized under the three fundamental questions noted above. As is unavoidable to a certain extent, there is some degree of repetition. The Guidance itself acknowledges that “some topics necessarily fall under more than one” question.

Nevertheless, we think this organizational framework is instructive:
  • First, the Updated Guidance provides that prosecutors should assess whether a compliance program is well designed. The “starting point” for that analysis is reviewing a company’s risk assessment; followed by reviewing its policies and procedures; training and communication; confidential reporting structure and investigation process; third-party management; and handling of mergers and acquisitions.
  • Second, the Updated Guidance instructs prosecutors to assess the implementation of the compliance program. That includes evaluating the commitment by senior and middle management; the autonomy and resources of the compliance program; and the incentives for compliance and disciplinary measures for noncompliance.
  • Third, the Updated Guidance explains that prosecutors should assess whether the compliance program works in practice. Elements of a properly functioning program include continuous improvement; periodic testing and review (including the role of internal audit); adequate investigation of misconduct; and thoughtful analysis and remediation of underlying misconduct. Importantly, the guidance reiterates that the existence of misconduct “does not, by itself, mean that a compliance program did not work or was ineffective at the time of the offense.”
KEY THEMES

Emphasis on Risk Assessments

As discussed throughout the Updated Guidance, designing an effective compliance program begins with conducting an appropriate risk assessment and periodically refreshing that critical work. The Updated Guidance gives a list of ten risk factors that companies should consider, all of which will be familiar to compliance officers: the location of operations; industry sector; competitiveness of the business; the regulatory landscape; potential clients and business partners; transactions with foreign governments; payments to foreign officials; use of third parties; gifts, travel, and entertainment expenses; and charitable and political donations.

By emphasizing the importance of a risk-based approach, the Updated Guidance encourages companies to focus their compliance efforts on preventing and detecting misconduct in light of the actual risks faced. This includes confronting the real-life constraint of needing to prioritize such mitigation efforts.

The Updated Guidance also specifically notes that prosecutors may still credit the effectiveness of a compliance program that appropriately focuses attention and resources on high-risk transactions, even if it fails to prevent an infraction in a lower-risk area. Although DOJ has made this point before, it is encouraging to see it stated in the Updated Guidance.

Forward-Looking Analysis

By design, and as we previously have noted, the 2017 Guidance was much more backward-looking, intended to identify the “root cause” of misconduct. By deemphasizing the review of particular misconduct at issue and focusing more holistically on the design and application of a company’s compliance program, the Updated Guidance addresses a core limitation of the 2017 Guidance.

In this regard, it also provides for more helpful guidance for companies assessing their own compliance efforts and seeking to enhance their programs.

Focus on Effective Integration with Internal Controls

The Updated Guidance makes clear that the government expects companies to integrate their anti-corruption compliance program into their internal controls. Prosecutors are instructed to consider who within a company is responsible for what the Updated Guidance calls “operational integration” and to assess the specific ways in which a company’s internal controls reinforce its compliance policies and procedures.

Additionally, the Updated Guidance provides that prosecutors should consider what internal guidance and training have been provided to gatekeepers in the control process, including employees with approval authority or certification responsibility.

Relatedly, in assessing whether a compliance program works in practice (the third question), the Updated Guidance directs prosecutors to consider whether a company has made significant investments in its internal controls systems and how internal audit assesses that program.

Guidance on Third-Party Management

One of the most challenging compliance areas for any company is managing its third-party relationships. As we have observed in the past, third parties typically present among the greatest anti-corruption risk to any company. The Updated Guidance notes that a well-designed compliance program should apply risk-based due diligence to third parties, beginning with an understanding of the business rationale for hiring each particular third party.

Regarding monitoring of third-party relationships, the Updated Guidance notes that there are multiple appropriate options, including updated due diligence, training, audits, and annual certifications.

CONCLUSION

There is no such thing as a one-size-fits-all compliance program. As the Updated Guidance reflects, an effective compliance program begins with thoughtful tailoring to the risks that a company actually faces. After ensuring that a compliance program contains all the vital underlying elements, next comes robust implementation of that program. And ultimately, a company must monitor and test to make sure that the program is functioning as intended and then refine the program as needed.

While intended for prosecutors, the Updated Guidance can serve as a valuable resource for compliance professionals and others evaluating and enhancing their organization’s compliance program.