DOJ Issues Expanded Guidance for Prosecutors in Evaluating Corporate Compliance Programs
May 6, 2019
Last week, the Department of Justice (DOJ) released a new guidance document, “Evaluation of Corporate Compliance Programs” (Guidance), addressing how federal prosecutors should evaluate the compliance programs of corporations it is investigating for purposes of charging and resolution. The new policy represents an effort to better harmonize guidance between different DOJ components and with the United States Sentencing Guidelines, and to provide perspective and context to its compliance program analysis. Notably, unlike an earlier version of the guidance that had been issued by the Fraud Section, this new guidance document has been issued by the Criminal Division itself, signaling broader application within DOJ, including to prosecutions by attorneys from Money Laundering and Asset Recovery Section (MLARS) and other components. Companies assessing or developing their own enterprise compliance programs will find the Guidance a useful tool in understanding the expectations of DOJ and evaluating the relative strength of those programs against DOJ’s criteria.
Three Questions Framework
While the guidance emphasizes that there is no rigid formula to assess the effectiveness of a company’s compliance program, it sets forth three “fundamental” questions a prosecutor should ask in making individualized determinations about a company’s compliance program.
- Is the compliance program well-designed?
Prosecutors are first told to examine the comprehensiveness of the compliance program, its policies and procedures, and integration of the compliance program into the company’s operation. This is a shift from the old guidance, which was backward-looking and advised prosecutors to start with a root cause analysis looking to the conduct at issue and prior history of similar conduct.
Instead, the new guidance looks first to the quality of the company’s risk assessment in providing an understanding of the company’s business, risk profile, regulatory environment, and how the compliance program addresses each of these factors. The Guidance rewards companies for strong efforts in the right risk areas, even if the program has its failures; “[p]rosecutors may credit the quality and effectiveness of a risk-based compliance program that devotes appropriate attention and resources to high-risk transactions, even if it fails to prevent an infraction in a low‑risk area.”
Other key factors prosecutors should consider include whether the company’s policies and procedures reflect a strong culture of compliance on a day-to-day level, whether training and communication are properly tailored to the company’s activities, and whether the company has developed a strong confidential reporting structure and investigation process. The existence of trusted mechanisms for anonymous and confidential employee reporting of concerns and allegations is given particular new emphasis in the Guidance, with an expectation that companies will track and maintain metrics regarding how quickly such reports were investigated and addressed.
Another enhancement in the Guidance directs prosecutors to assess the company’s risk-based diligence with regard to third parties, including the extent of the company’s understanding of the qualifications and associations of its third-party partners, such as with agents and other facilitators that may conceal bribes and other misconduct. In a direct nod to concerns usually articulated in the Foreign Corrupt Practices Act (FCPA) arena, the Guidance specifically contemplates an assessment of the company’s understanding of its third-party partners’ reputations and relationships with “foreign officials” and the business rationale for including the third party in the transaction. Companies are expected to properly train their third-party relationship managers about compliance risks, incentivize compliance and ethical behavior by third parties, ensure third-party compensation is commensurate with the nature and location of the work being provided, and exercise their audit rights to analyze the books and records of their third-party partners. These changes undoubtedly heighten the burden on companies to understand, test, and analyze risks attendant to third-party business partner relationships and will likely be an increased focus for prosecutors outside of the arena of traditional FCPA enforcement.
DOJ’s Guidance warns growing companies that it expects compliance and risk mitigation to effectively include new mergers and acquisitions, and that any failure will not be borne solely by the target company, but will reflect poorly on the acquiring company’s compliance program. “The extent to which a company subjects its acquisition targets to appropriate scrutiny is indicative of whether its compliance program is, as implemented, able to effectively enforce its internal controls and remediate misconduct at all levels of the organization.”
- Is the program effectively implemented?
As the new Guidance makes clear, DOJ will be looking to see whether a company’s written compliance program is simply a “paper program” or is a sincere and comprehensive approach to compliance evidenced by sufficient and well-resourced staff that have the backing of committed management. More so than in prior guidance, this Guidance emphasizes the importance of the company dedicating sufficient funding, resources, and independence to compliance staff, as well as to the placement and structure of the compliance program within the corporation. Key questions to be asked by prosecutors include: How has leadership modeled compliance? What actions have leaders and managers taken in the face of competing business interests? What compliance expertise is available on the board of directors and what are the qualifications of compliance staff?
Companies will need to demonstrate that compliance functions are allocated significant seniority and stature within the organization to reflect a strong culture of compliance flowing from the highest levels. At the same time, those responsible for day-to-day compliance should be afforded independence from management and autonomy in communicating with the board of directors, audit committee, and/or senior management.
The Guidance also directs prosecutors to judge a compliance program’s effectiveness by assessing existing incentives and disincentives for compliance. To start, a company’s communications should make it widely known to employees that there are consequences for unethical or illegal behavior. Further, while not prescribing any one method, DOJ highlights the effectiveness of publicizing disciplinary actions, or providing bonuses or other career advancement based on compliance efforts. Any such programs naturally require strong and consistent Human Resources administration.
- Does the compliance program actually work in practice?
Under the new Guidance, this question should be answered in two parts: 1) was the compliance program working effectively at the time of the offense, and 2) how effective is the compliance program now (at the time of charging or resolution). In addressing the first question, the Guidance helpfully notes that the fact that misconduct was uncovered does not necessarily mean the compliance program was not effective at the time it occurred. In fact, the Guidance recognizes that a strong compliance program could have led to remediation and self-disclosure. In evaluating the current state of the compliance program, prosecutors will consider whether and how the program has evolved over time, and whether the company undertook a sincere and adequate root-cause investigation aimed at preventing future misconduct.
DOJ expects corporate compliance to be an ongoing process of improvement and development, consistent with business changes and ongoing risk assessments. Prosecutors are encouraged to reward proactive efforts to audit and test programs, take corrective action, and revise policies and procedures to enhance compliance.
When specific instances of misconduct are alleged or uncovered, DOJ will look closely at the nature and effectiveness of the internal investigation to judge whether an independent and properly scoped investigation produced results that were actually used to improve or remediate root causes, vulnerabilities, or management failures. The Guidance notes that remediation should be commensurate with the pervasiveness and scope of the misconduct, and tied closely to the results of root cause analyses that have been conducted. Individuals engaged in misconduct and policies and procedures that created vulnerabilities should be appropriately addressed. Ultimately, DOJ is looking for signs that the corporation has been serious about accountability, for individuals, processes, and programs that were not effective.
This new Guidance should serve as a helpful checklist for in-house counsel and compliance officers to use in measuring ongoing compliance efforts. It represents the most comprehensive and robust guidance issued by DOJ to date and focuses on those areas that have historically produced risks for companies facing DOJ criminal investigations. On the other hand, the scale and depth of the guidance, despite caveats about not adopting a one-size-fits-all approach, may leave many companies and their counsel wondering whether DOJ’s expectations for businesses are realistic, especially when it comes to monitoring third parties. Further, the Guidance could lend weight to criticism of DOJ for legislating impossible standards over which it will then preside as judge and jury while knowing that many companies are unwilling to risk criminal litigation with DOJ.
This memorandum is a summary for general information and discussion only and may be considered an advertisement for certain purposes. It is not a full analysis of the matters presented, may not be relied upon as legal advice, and does not purport to represent the views of our clients or the Firm. Nicole Argentieri, an O’Melveny partner licensed to practice law in New York, Laurel Loomis Rimon, an O’Melveny senior counsel licensed to practice law in the District of Columbia and California, Steven J. Olson, an O’Melveny partner licensed to practice law in California, and Ben Singer, an O’Melveny partner licensed to practice law in New York, contributed to the content of this newsletter. The views expressed in this newsletter are the views of the authors except as otherwise noted.
© 2019 O’Melveny & Myers LLP. All Rights Reserved. Portions of this communication may contain attorney advertising. Prior results do not guarantee a similar outcome. Please direct all inquiries regarding New York’s Rules of Professional Conduct to O’Melveny & Myers LLP, Times Square Tower, 7 Times Square, New York, NY, 10036, T: +1 212 326 2000.