On April 30, 2019, the U.S. Department of Justice (“DOJ”), Criminal Division, released updated guidance to DOJ prosecutors on how to assess corporate compliance programs when conducting an investigation, in making charging decisions, and in negotiating resolutions. The pronouncement, “Evaluation of Corporate Compliance Programs,” updates earlier guidance that DOJ’s Fraud Section issued in February 2017 (covered in our 2017 Mid-Year FCPA Update). This guidance emphasizes DOJ’s laser focus on compliance programs, requiring companies under investigation to carefully evaluate, test, and likely upgrade their programs well before the investigation is over.
The updated Evaluation document has been restructured around the three “fundamental questions” from the Justice Manual that DOJ prosecutors should assess:
- Is the corporation’s compliance program well designed?
- Is the program being applied earnestly and in good faith? In other words, is the program being implemented effectively?
- Does the corporation’s compliance program work in practice?
Under these three categories, the updated Evaluation groups 12 topics and sample questions that DOJ considers relevant in evaluating a corporate compliance program. Much like the earlier Evaluation articulation, these topics relate to common elements of effective compliance programs, including policies and procedures, training, reporting mechanisms and investigations, third-party due diligence, tone at the top, compliance independence and resources, incentives and disciplinary measures, and periodic testing and review. Several of these core standards can be found in other compliance program guidance materials, such as the Resource Guide to the U.S. Foreign Corrupt Practices Act and, very recently, the “Framework for OFAC Compliance Commitments” issued by OFAC on May 2, 2019, pursuant to the Agency’s promise to provide more guidance on its expectations for sanctions compliance programs.
The following chart captures how the 12 compliance topics in the updated Evaluation are grouped under DOJ’s three core questions.
| Core Questions | Compliance Topic (Core Focus) |
| --- | --- |
| Is the Program Well Designed? | Risk Assessment: DOJ will assess whether the program is appropriately tailored to the company’s business model and the particularized risks that accompany it, considering factors like the company’s locations, industry sectors, and interactions with government officials. |
| | Policies and Procedures: DOJ will assess whether the company has established appropriate policies and procedures, the processes for doing so and disseminating them to the workforce, and the guidance and training provided to “key gatekeepers in the control processes.” |
| | Training and Communications: DOJ will assess the compliance training provided to directors, officers, employees, and third parties, as well as efforts to communicate to the workforce about the company’s response to misconduct, and the availability of resources to provide compliance guidance to employees. |
| | Confidential Reporting Structure and Investigation Process: DOJ will assess the company’s reporting channels and investigative mechanism. |
| | Third-Party Management: DOJ will examine whether the company’s third-party due diligence process is risk-based and includes controls and monitoring related to the qualifications and work of its third parties. |
| | Mergers and Acquisitions: DOJ will examine the company’s M&A pre-acquisition due diligence and post-acquisition integration processes. |
| Is the Program Implemented Effectively? | Commitment by Senior and Middle Management: DOJ will evaluate the commitment by company leadership to a culture of compliance, including management’s messaging and promotion of compliance and the board’s role in overseeing compliance. The OFAC Compliance Framework similarly emphasizes the importance of management’s commitment to, and support of, a company’s compliance program. |
| | Compliance Autonomy and Resources: DOJ will assess whether the compliance function has sufficient seniority, resources, and autonomy commensurate with the company’s size and risk profile. Notably, DOJ will ask whether the company outsourced all or parts of its compliance function to an external firm or consultant. If so, DOJ will probe the level of access that the external firm or consultant has to company information. |
| | Incentives and Disciplinary Measures: DOJ will assess whether the company has clear disciplinary procedures that are enforced consistently, as well as whether and how the company incentivizes ethical behavior. |
| Does the Program Work in Practice? | Continuous Improvement, Periodic Testing, and Review: DOJ will consider how the company has reviewed and evaluated its compliance program to ensure it is current, including changes made to the program in light of lessons learned. DOJ also will assess the internal audit function and how the company measures its culture of compliance. Effective training also is called out specifically in the OFAC Compliance Framework. |
| | Investigation of Misconduct: DOJ will assess the effectiveness and resources of the company’s investigative function. Notably, this is the second instance in the updated Evaluation calling for DOJ to assess a company’s investigative function. |
| | Analysis and Remediation of Any Underlying Misconduct: DOJ will consider whether the company conducts root-cause analyses of misconduct and takes timely and appropriate remedial action against violators. Under the heading “Accountability,” the updated Evaluation includes a question about whether disciplinary actions for failures in supervision have been considered by the company. |
KEY TAKEAWAYS
The updated Evaluation covers many of the same topics as the prior version, yet the addition of certain questions signals added emphasis or expectations compared to the prior guidance. Although non-exhaustive, the following list outlines key takeaways from the updated Evaluation that companies should consider in building, maintaining, and enhancing their compliance programs.
- Starting with a Risk Assessment and Building on “Lessons Learned”: The updated Evaluation calls for tailoring a company’s compliance program based on its risk assessment, and ensuring that the criteria for the risk assessment are “periodically updated.” Commentators suggest risk assessments annually or every two years. DOJ does not prescribe the timing of risk assessments. Going forward, “‘revisions to corporate compliance programs [should be made] in light of lessons learned.’” This means that a company’s risk assessment should be an ongoing and iterative process, and that a company should reexamine and revise its compliance program from time to time based on the risk assessment results. Reexamining and revising the compliance program is necessary to address DOJ’s particular emphasis on making enhancements in response to specific instances of misconduct. When companies conduct internal investigations, especially where there is a prospect of a government-facing inquiry, they should give serious consideration to taking prompt remedial steps to address the components highlighted by the updated Evaluation document. This will better position companies to advocate that they have effectively and timely remediated root-cause issues and should receive remediation credit.
- Importance of Compliance Personnel: In evaluating whether a company has sufficient staffing for compliance personnel, the updated Evaluation presents a number of related queries, such as where within the company the compliance function is housed (but without dictating a particular reporting structure) and how the compliance function compares with other functions within the company in terms of stature, compensation, rank/title, reporting lines, resources, and access to key decision-makers.
- Responsibility for Third Parties: The updated Evaluation indicates an increased focus on a company’s oversight of third parties, which historically have factored into the vast majority of Foreign Corrupt Practices Act enforcement actions. Among other things, DOJ will consider whether a company has “appropriate business rationale[s]” for the use of third parties and whether it has considered “the compensation and incentive structures” for third parties against the compliance risks posed. In addition, in assessing a company’s remediation of misconduct involving suppliers, DOJ will consider the company’s process for supplier selection. Termination of a supplier or business partner upon a company’s finding of misconduct, and steps to ensure that such third parties cannot be re-engaged without appropriate authorization, is a sign of a mature compliance program expected by DOJ.
- Cascading Tone from the Top: The updated Evaluation emphasizes “culture of compliance.” Crucially, messaging at the “top” alone will not equate to an adequate tone of compliance. Rather, DOJ will focus on how the compliance tone cascades downward in the organization and to counterparties. DOJ will examine not only the standards set by the board of directors and senior executives, but also the tone and actions of middle management to reinforce those standards. The focus on the cultural leadership by mid-level management has been a constant theme from DOJ for more than a decade. In addition, in assessing a company’s remediation, DOJ will consider whether managers were held accountable for misconduct that occurred under their supervision and whether the company considered disciplinary actions for failures in supervision.
Like its predecessor, the updated Evaluation guidance is an important resource for companies both for reactively defending their compliance programs in the context of a DOJ investigation and for proactively benchmarking or enhancing their programs. Clearly, this refined prism will provide the template for DOJ Filip Factor presentations.
This was originally published by Gibson Dunn to provide a summary of significant developments to its clients and friends. View the original publication here.