DOJ Criminal Division Issues Comprehensive Guidance on Corporate Compliance Programs

 

On April 30, 2019, the U.S. Department of Justice (“DOJ”) issued the most comprehensive guidance that the DOJ has provided on how prosecutors should evaluate corporate compliance programs (“Policy”).  In a speech announcing the Policy, Assistant Attorney General for the Criminal Division, Brian A. Benczkowski expressed the DOJ’s desire “to provide additional transparency” to companies in designing and implementing compliance programs.

The Policy was published by the DOJ’s Criminal Division, which is responsible for cases involving the Foreign Corrupt Practices Act, securities and financial fraud, asset forfeiture, and anti-money laundering.  It is expected that this Policy will be implemented by the DOJ Criminal Division and U.S. Attorney’s Offices.

Benczkowski emphasized that a “company’s compliance program can play a significant role in the [DOJ’s] investigation of criminal wrongdoing” and outlined the three fundamental questions that a prosecutor should ask in evaluating a corporation’s compliance program:

(1) Is the corporation’s compliance program well-designed?;

(2) Is the corporation’s compliance program being implemented effectively?; and

(3) Does the corporation’s compliance program work in practice?

With this Policy the DOJ hopes to provide “additional insight” under the framework of these three questions.

(1) Is the Corporation’s Compliance Program Well-Designed?

A compliance program should be comprehensive and well-integrated into a company’s operations and workforce.  Prosecutors are instructed to consider the following factors in evaluating this question:

Risk Assessment

A compliance program should be specifically tailored to the company’s risk profile.  Prosecutors should consider whether the program is appropriately “designed to detect the particular types of misconduct most likely to occur in a particular corporation’s line of business and complex regulatory environment”.  Relevant factors to consider include the location of operations, the industry sector, the competitiveness of the market, the regulatory landscape, potential clients and business partners, transactions with foreign governments, payments to foreign officials, use of third parties, gifts, travel, and entertainment expenses, and charitable and political donations.

Policies and Procedures

The Policy reiterates the need for a code of conduct that sets forth the company’s commitment to full compliance that is accessible and applicable to all company employees.  The Policy directs prosecutors to look at the design of the company’s process for implementing new policies and procedures, the comprehensiveness of those policies and procedures, their accessibility, and those responsible for integrating them in the company’s operations.

Training and Communications

The Policy also explains that a compliance program is not effective if it is not being disseminated to, and understood by, employees in practice.  Prosecutors are directed to determine whether instances of misconduct are communicated to employees, the availability of guidance on compliance, and the effectiveness of risk-based training.

Confidential Reporting Structure and Investigation Process

Confidential reporting is an important factor to consider because, as the Policy directs, a well-designed compliance program is one that includes pro-active measures to create a workplace atmosphere without fear of retaliation.  A company should consider setting up mechanisms for confidential reporting that allow for anonymity, such as an internal hotline number, and establishing a team of dedicated and qualified personnel that can timely and efficiently evaluate complaints.

Third Party Management

Prosecutors are asked to evaluate whether a company has the appropriate controls to monitor and manage third-party relationships, and whether that process is risk-based to account for the nature and level of the enterprise risk identified by the company.  A company should assess how it incentivizes compliance from its third-party partners and how it handles instances of misconduct with those partners.

Mergers and Acquisitions

When looking at any acquisition target, a company should conduct pre-M&A due diligence to evaluate more accurately each target’s value and negotiate for the costs of any corruption or misconduct identified.  Failing to do so could permit the misconduct to continue at the target company.

(2) Is the Corporation’s Compliance Program Being Implemented Effectively?

The Policy instructs prosecutors to “probe specifically whether a compliance program is a ‘paper program’ or one ‘implemented, reviewed, and revised as appropriate in an effective matter.’”

Commitment by Senior and Middle Management

Prosecutors are told to consider whether the company’s senior leaders encourage compliance, what actions they have taken to demonstrate leadership themselves in the company’s compliance, and whether there is sufficient oversight by senior leaders.  The Policy further directs prosecutors to assess whether the company’s senior leaders and middle-management coordinate their efforts to ensure a culture of compliance.

Autonomy and Resources

Prosecutors are instructed to analyze a compliance program for its structure (“Where within the company is the compliance function housed?”), its stature within the company (“How does the compliance function compare with other strategic functions in the company…?”), its funding and resources, its autonomy, and how much of the compliance function is outsourced to an external firm or consultant.

Incentives and Disciplinary Measures

The Policy instructs prosecutors to evaluate a compliance program’s process (“Who participates in making disciplinary actions?”), its application (“Have disciplinary actions and incentives been fairly and consistently applied across the organization”), and the incentives (“How does the company incentivize compliance and ethical behavior?”).  The Policy references some effective “stick and carrot” methods such as internally publicizing disciplinary actions, providing positive incentives – personnel promotions, rewards, and bonuses – and making compliance a significant metric for management bonuses and career advancement.

(3) Does the Corporation’s Compliance Program Work in Practice?

The DOJ recognizes that no compliance program can ever prevent all criminal activity by a corporation’s employees.  Instead, this inquiry focuses on whether the program has evolved over time to address existing and changing compliance risks and whether the company made a good faith effort to understand both what contributed to the misconduct and the steps necessary to prevent similar misconduct in the future.

Continuous Improvement, Periodic Testing, and Review

According to the Policy, a company should reassess, among other things:  (1) the process for determining where and how frequently to undertake an internal audit;  (2) the efficacy of the company’s control testing and how those results are reported and remedial action items tracked; (3) the frequency with which the company updates its compliance policies, procedures, and practices; and (4) the overall culture of compliance.

Investigation of Misconduct

Prosecutors are advised to look for whether a company has established a means of documenting responses to misconduct, including any disciplinary or remediation measures taken.  The Policy considers a “well-functioning and appropriately funded mechanism for the timely and thorough investigations” of misconduct to be a “hallmark” of an effective compliance program.

Analysis and Remediation of Any Underlying Misconduct

Following the discovery of any misconduct, a company should ask whether any remedial actions taken were effective in addressing the cause of the misconduct.  The Policy explains that a compliance program is working in practice if it is “able to conduct a thoughtful root cause analysis of misconduct and timely and appropriately remediate” those root causes.

In conclusion, we recommend that a company carefully consider the new framework provided by the DOJ under the three questions above.  The Policy is clear that the DOJ is serious about compliance programs and that compliance programs should play an important role in the DOJ’s investigations.