DOJ updates Guidance on the Evaluation of Corporate Compliance Programs
On June 1, 2020, the Criminal Division of the U.S. Department of Justice (“DOJ”) published an updated version of its guidance on how to evaluate the effectiveness of corporate compliance programs. The guidance, which is a framework of questions meant to assess the adequacy and effectiveness of a compliance program during investigations and settlements, was first released in 2017 and was notably amended and restructured last year (see our article).
Much of the substance of earlier versions is left unchanged; however, the new update provides useful clarifications and refinements in some key areas:
Most strikingly, the updated guidance specifies one of the three fundamental questions prosecutors should always consider when evaluating the company’s compliance performance: “Is the program being applied earnestly and in good faith?” In this context, prosecutors were previously advised to look into whether a corporation’s compliance program has been “implemented effectively”. By now requiring prosecutors to assess whether the program is being “adequately resourced and empowered to function effectively”, the DOJ clearly emphasizes its key considerations (and presumably what it has experienced as inadequate in the past) when it comes to effectiveness.
Other changes in the guidance make clear that compliance programs are not and should not be “snapshots” but should be individual, risk-tailored, dynamic, and regularly updated to fit new circumstances. In this respect, prosecutors are explicitly asked to evaluate the company’s compliance performance “both at the time of the offense and at the time of the charging decision and resolution” and “understand why the company has chosen to set up the compliance program the way that it has, and why and how the company’s compliance program has evolved over time”. They should look at whether the company applies “processes for tracking and incorporating […] lessons learned” either from its own prior problems or from “other companies operating in the same industry and/or geographical region” and whether “the periodic review led to updates in policies, procedures, and controls”.
In addition to these general principles, the latest version of the guideline includes the following notable amendments:
- Commitment at all company levels: The updated version once again specifies the need for a culture of ethics and compliance with the law “at all levels of the company” and requires high-level commitment by company leadership to implement “a culture of compliance from the middle and the top”.
- Data Resources and Access: For the first time, the guidance explicitly speaks to how compliance functions should access and utilize “relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions”.
- M&A post-acquisition integration: The new version stresses the need for a “process for timely and orderly integration of the acquired entity into existing compliance program structures and internal controls”.
- Policy accessibility: The updated guidance clarifies that compliance policies should be easily accessible to relevant personnel (e.g. “searchable format for easy reference”) and advises companies to track the accessibility of their policies and the effectiveness of training and hotlines.
- Third-party risk assessment: The updated guidance expands upon third-party management practices and now asks prosecutors to assess whether companies “engage in risk management of third parties throughout the lifespan of the relationship, or primarily during the onboarding process”.
Like the previous versions, the updated DOJ Guidance will serve as an important source for the evaluation of the effectiveness of corporate compliance programs – not only for companies within the jurisdiction of the US authorities.
The DOJ Guidance may also provide important indications as to what is meant by an effective Compliance Management System under the planned German “Act on the Sanctioning of Corporate-Related Offences”, as the recently released draft bill – despite corresponding expectations and requests from practitioners – does not contain any concrete specifications on this issue (see our article).
A copy of the updated DOJ Guidance “Evaluation of Corporate Compliance Programs (updated June 2020)” can be downloaded from the DOJ website. A redline comparison – showing all changes from the 2019 version – can be found here.
Please do not hesitate to contact us if you have any questions or would like to discuss this in more detail.