On June 1, the DOJ updated its guidance for evaluating a company’s compliance program when resolving corporate investigations. The updated guidance makes clear that prosecutors should consider a company’s particular circumstances when evaluating its compliance program. The updated guidance also emphasizes that a company must be proactive and continually assess and update its compliance program for it to be considered effective.
1. Background
In February 2017, the DOJ’s Criminal Division released a document titled “Evaluation of Corporate Compliance Programs,” which was the first formal guidance issued by the DOJ dedicated to corporate compliance matters. The effectiveness of a corporate compliance program is a factor that prosecutors consider in making charging decisions, sentencing recommendations and determining the appropriate resolution in corporate criminal enforcement actions. The DOJ updated the guidance in April 2019 and again on June 1 this year.
Instead of a rigid formula, the guidance provides sample questions on 12 topics relevant to the evaluation of a corporate compliance program. The 12 topics are organized under three fundamental questions a prosecutor should ask:
- “Is the corporation’s compliance program well designed?”
- “Is the program being applied earnestly and in good faith?”
- “Does the corporation’s compliance program work” in practice?
2. June 2020 update
In the updated guidance, the DOJ provided additional questions on nine of the 12 topics while leaving the substance of the guidance unchanged. The key revisions, discussed below, reflect the DOJ’s evolved thinking in two areas.
An effective compliance program is tailored to the company’s specific needs and circumstances. While the previous version of the guidance recognized that companies have different risk profiles and solutions to reduce their risks, the updated guidance emphasizes that prosecutors should make a “reasonable, individualized determination,” and should consider factors such as “the company’s size, industry, geographic footprint, [and] regulatory landscape.” The updated guidance also instructs prosecutors to “endeavor to understand why the company has chosen to set up the compliance program the way that it has, and why and how the company’s compliance program has evolved over time.”
A compliance programs is only considered effective if the company continually assesses and updates it. The updated guidance instructs prosecutors to evaluate the company’s performance on the 12 topics “both at the time of the offense and at the time of the charging decision and resolution.” Prosecutors are asked to consider whether the company’s risk assessment is subject to periodic review and whether the periodic review is “limited to a snapshot in time or based upon continuous access to operational data and information across functions.” The updated guidance places emphasis on whether a company’s compliance and control personnel have access to the relevant data to effectively monitor and test internal compliance. Prosecutors also are instructed to consider whether a company updates its risk assessment and compliance policies based on lessons learned from its own misconduct and that of companies with similar risk profiles. In addition, the updated guidance asks whether a company periodically tests the effectiveness of the reporting hotline and employees’ comfort in using it.
3. Key takeaways
In providing the updated guidance, the DOJ makes clear that an effective compliance program is one that is designed to meet the particular risk profile and needs of the company and then evolves with the company over time. A company should consider how it would explain the intentional design and implementation of its compliance program. It then needs to be proactive in testing the effectiveness of the program and making adjustments over time to address evolving needs and risks. A company should analyze the data it collects through its compliance program and perform periodic testing to identify compliance gaps and close them. Even a well-designed compliance program may become ineffective if the company’s risk profile changes and the company does not take necessary steps to update the program. In short, the DOJ will not consider a compliance program to be effective unless it works in practice, not only in theory.
Contributor: Bingxin Wu