On June 1, 2020, the U.S. Department of Justice released updated guidance for federal prosecutors to use in their assessment of misconduct committed by corporations. That a revised version of the Evaluation of Corporate Compliance Programs guidance document was released in the midst of a global pandemic responsible for worldwide operational disruption reveals that DOJ’s expectation for corporate compliance remains the same whether in times of upheaval or stability. No matter the social, political, or economic climate, prosecutors are told to zero in on whether a corporation’s compliance program is “adequately resourced” and has top-down commitment—at both the time of the alleged offense and when charges are being considered—to address the compliance challenges unique to its business.
This alert identifies some of the key changes to the updated guidance. Although there are other noteworthy changes, we have focused this alert only on those revisions that seemingly break new ground.[1]
Adequately resourced and empowered to function
Three “fundamental questions” guide a prosecutor’s assessment of a corporate compliance program. The second question, which previously asked whether the program was “being implemented effectively,” has been updated and now asks:
Is the program being applied earnestly and in good faith? In other words, is the program adequately resourced and empowered to function effectively?
This revision, in our view, takes on heightened import given the timing of its release. Companies have taken unprecedented measures to keep supply chains intact, transform business channels, and coordinate global operations. This has resulted in unplanned investments in technology platforms, vendors, and other substantial expenses, despite likely financial underperformance. How companies have responded to the challenges presented by this pandemic of course varies. The timing of this new guidance, however, appears to send the message that DOJ will judge the effectiveness of a compliance program based in part upon the resources devoted to it, and companies should not unreasonably shift resources away from their respective compliance programs during this time.
This question also reaffirms DOJ’s consistent message that prosecutors should consider, when evaluating corporate misconduct, whether the target corporation is meaningfully committed to its compliance program. That commitment is analyzed using a variety of factors. Newly added is whether compliance personnel have access to corporate data and the ability to use that data to monitor the effectiveness of compliance policies and processes. We see this new factor as requiring companies to consider investments in compliance tools that can be used to compile and monitor key data points about, for example, high-risk financial transactions, vendors operating in high-risk jurisdictions, and the amount and frequency of employee and vendor compliance violations.
Consistent application of compliance policies
As part of their assessment of a compliance program’s resources and support, prosecutors will consider whether and to what extent the application of that program to initiate investigations or to levy discipline is monitored for consistency. In some ways, this question is asking whether the compliance department is monitoring itself. Indeed, DOJ updated the section titled “Consistent Application” to read:
Have disciplinary actions and incentives been fairly and consistently applied across the organization? Does the compliance function monitor its investigations and resulting discipline to ensure consistency? Are there similar instances of misconduct that were treated disparately, and if so, why?
This new question suggests that compliance personnel should conduct a review of prior compliance violations and the resulting investigation and discipline (if any). The objective would be to understand past investigation and disciplinary practices so that future compliance-related investigations and disciplinary actions either comport with those practices or establish a new, consistent standard.
Lessons learned
A retrospective review of compliance violations and the company’s responses thereto also will be relevant to another set of newly added considerations:
Does the company have a process for tracking and incorporating into its periodic risk assessment lessons learned either from the company’s own prior issues or from those of other companies operating in the same industry and/or geographical region? . . . Does the company review and adapt its compliance programs based upon lessons learned from its own misconduct and/or that of other companies facing similar risks?
Most companies are likely to have the first component of these questions covered: risk assessments and internal investigations often conclude with a series of recommendations aimed at mitigating the risk of similar compliance violations in the future. Those recommendations are put into action plans, and compliance departments implement them accordingly.
What is notable here, however, is that prosecutors will now also assess whether a compliance program has been adequately tested and upgraded based on lessons learned from other companies’ compliance shortcomings. And while a prosecutor’s assessment in this context is ostensibly confined to only those lessons learned by companies “facing similar risks,” what constitutes a “similar risk” remains uncertain under this guidance.
Nevertheless, we view this new question as a word to the wise. Compliance personnel should keep their fingers on the pulse of DOJ’s existing corporate enforcement efforts while also reviewing its prior enforcement actions against companies in similar industries, of similar size, in similar locations, or with similar revenue. In reviewing the publicly available deferred prosecution agreements, settlement agreements, corporate integrity agreements, and other documents related to such enforcement actions, compliance departments can develop an appreciation for the range of risks that exists for the sectors and locations in which they conduct business, key compliance failures, and the policies and practices DOJ accepted as appropriate remedies or mitigating factors.
Looking ahead
These are turbulent times for companies—especially multinational enterprises. The manifold challenges presented by this pandemic have caused companies to make difficult decisions about where and how to focus their resources in response. From our perspective, DOJ’s release of this updated guidance right now affirms that, no matter what the extenuating circumstances may be, corporate compliance programs are deserving of appropriate resources and support to effectively function. If they do not receive it, prosecutors will take note, and it will factor heavily into their charging decisions.
[1] For a refresher about the purpose and scope of the Evaluation of Corporate Compliance Programs guidance document, refer to our prior alert, “Reality Check: DOJ’s new guidance on corporate compliance makes clear that effective compliance is about more than checking boxes.”