The U.S. Department of Justice updates roadmap to an effective compliance program

On June 1, 2020, the U.S. Department of Justice (DOJ), Criminal Division, updated its guidance on the “Evaluation of Corporate Compliance Programs,” providing increased clarity on some of the key questions prosecutors will ask in assessing the adequacy of corporate compliance programs when making charging, sentencing, and plea and settlement decisions.

Introduction

These updates fall into three main categories. First, the DOJ made a subtle yet significant clarification to its three “fundamental questions.” Second, it provided more detail on the way it makes individualized determinations in assessing compliance programs. Third, throughout its guidance, the DOJ has included more specific questions it will ask about the nuances of a company’s programming, which provides greater insight into the DOJ’s expectations. Companies can look to these revisions for guidance on two fronts: to proactively create or enhance their compliance programs and to effectively advocate before the DOJ in the context of a criminal investigation.

Reframing a fundamental question

In 2019, the DOJ organized its guidance around three “fundamental questions” a prosecutor should ask in evaluating corporate compliance programs, as initially outlined in the Justice Manual:

  1. Is the corporation’s compliance program well designed?

  2. Is the program being applied earnestly and in good faith? In other words, is the program being implemented effectively?

  3. Does the corporation’s compliance program work in practice?

This second question – really, two questions – was arguably awkwardly framed. After all, earnest and good faith efforts do not guarantee effective implementation. As of June 2020, the DOJ resolves this disconnect by now asking: Is the corporation’s compliance program adequately resourced and empowered to function effectively?

To test the sufficiency of this aspect of a program, the DOJ poses questions regarding investment in the training of compliance and other control personnel, and whether those personnel have sufficient access to relevant data sources to allow for meaningful oversight. The emphasis on resources is notable, particularly at a time when economic conditions may place downward pressure on compliance budgets. The DOJ also emphasizes that a company should foster a culture of ethics and compliance with the law “at all levels of the company” – including in the “middle” as well as at the top – conveying the importance of compliance leadership among those managers with more direct oversight of routine business operations.

Individualized determinations

Since its original guidance in 2017, the DOJ has eschewed a specific formula or one-size-fits-all checklist to evaluate corporate compliance programs. The June 2020 updates are consistent with this approach, acknowledging the need for individualized assessment. Under the revised guidance, the DOJ expressly “considers various factors including, but not limited to, the company’s size, industry, geographic footprint, regulatory landscape, and other factors, both internal and external to the company’s operations, that might impact its compliance program.” Although these revisions may not affect how a company builds its compliance program, they may be useful touchpoints for effective advocacy during an investigation.

New questions; clearer direction

In posing a plethora of new questions, the DOJ offers additional building blocks to corporations seeking to refine their compliance programs. Many of these questions are directed at emphasizing the importance of data analytics and continuous evolution in the design and implementation of compliance programs. Among the new questions are the following, grouped by subject matter:

  • Risk assessments

    • Is the periodic review limited to a “snapshot” in time or based upon continuous access to operational data and information across functions? Has the periodic review led to updates in policies, procedures, and controls?

    • In addition, does the company have a process for tracking and incorporating into its periodic risk assessment lessons learned from the company’s own prior issues or from those of other companies operating in the same industry and/or geographical region?

  • Data and resources

    • Do compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions? Do any impediments exist that limit access to relevant sources of data and, if so, what is the company doing to address the impediments?

  • Policies and training

    • Have the company’s policies and procedures been published in a searchable format for easy reference? Does the company track access to various policies and procedures to understand what policies are attracting more attention from relevant employees?

    • Whether online or in-person, is there a process by which employees can ask questions arising out of the trainings?

  • Whistleblowing

    • How is the company’s anonymous reporting mechanism (to the extent there is one) publicized to other third parties? Does the company take measures to test whether employees are aware of the hotline and feel comfortable using it? Does the company periodically test the effectiveness of the hotline, for example by tracking a report from start to finish?

  • Life-cycle management of third parties

    • Does the company engage in risk management of third parties throughout the lifespan of the relationship, or primarily during the onboarding process?

  • Consistency in disciplinary action

    • Does the compliance function monitor its investigations and resulting discipline to ensure consistency?

As the DOJ acknowledges, not all questions will be relevant to all companies. Nevertheless, the updated compliance guidance reveals the DOJ’s expectations for effective compliance programs, and thus can serve as a guide for companies looking to improve upon or create their own programs.

The broader view

These refinements are only the latest in a series of updates to the DOJ guidance and policies that, broadly speaking, have offered improved clarity and transparency around the DOJ’s exercise of prosecutorial discretion. For instance, in February 2017, DOJ's Fraud Section issued its first compliance guidance document, which was then updated in April 2019 and again now. In 2018, then-Deputy Attorney General Rod Rosenstein issued a memorandum entitled “Policy on Coordination of Corporate Resolution Penalties,” directing DOJ attorneys to “consider the totality of fines, penalties, and/or forfeiture imposed by all [DOJ] components as well as other law enforcement agencies and regulators in an effort to achieve an equitable result”—in other words, to help prevent undue “piling on” by multiple enforcement authorities. Thereafter, in October 2018, Assistant Attorney General Brian A. Benczkowski issued a memorandum entitled “Selection of Monitors in Criminal Division Matters,” providing clarity as to the criteria to be considered when determining whether a corporate compliance monitor is warranted. A year later, the DOJ issued a new guidance memorandum entitled “Evaluating a Business Organization’s Inability to Pay a Criminal Fine or Criminal Monetary Penalty,” concerning how DOJ’s Criminal Division evaluates claims by companies that they are unable to pay a proposed criminal fine or monetary penalty. And, in 2019, the DOJ clarified certain policies governing voluntary self-disclosures in FCPA and in export control and sanctions cases.

Beyond their clarifications, the June 2020 updates are consistent with an effort to account for the practical realities associated with investigations and enforcement actions against corporations. Just as important, they are another piece of an increasingly clear roadmap for companies looking to implement, enhance, defend, or gain mitigation credit for their compliance programs.

If you have any questions, please reach out to your Hogan Lovells contact.

Authored by Peter S. Spivack, Megan Dixon, Matthew C. Sullivan, and Jennifer Brechbill.