Compliance Officers Take Note: DOJ Emphasizes Increased Use of Analytics and Data Access in Revised Corporate Compliance Guidance
On June 1, 2020, the Criminal Division of the US Department of Justice (DOJ) revised its “Evaluation of Corporate Compliance Programs.” This was an update to guidance initially released by the DOJ’s Fraud Section in February 2017.
The guidance was last revised in April 2019 to provide greater transparency into prosecutorial decision-making. New statements in the guidance emphasize the importance of using data when monitoring and testing the effectiveness of compliance programs, including testing the effectiveness of reporting hotlines. The guidance directs prosecutors to ask the following questions:
- Do compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions?
- Do any impediments exist that limit access to relevant sources of data and, if so, what is the company doing to address the impediments?
With regard to hotlines, prosecutors should explore whether the company takes “measures to test whether employees are aware of the hotline and feel comfortable using it,” and whether the company “periodically test[s] the effectiveness of the hotline, for example by tracking a report from start to finish.”
The update omits a fundamental question set forth in the 2019 update that prosecutors should consider in the context of an investigation: whether the program is “being implemented effectively.” Instead, prosecutors are now directed to ascertain whether the program is “adequately resourced… to function effectively” and whether the company is updating policies to address “lessons learned” from prior misconduct. Prosecutors should also seek to “understand why the company has chosen to set up the compliance program the way that it has, and why and how the company’s compliance program has evolved over time.” Finally, the revised guidance expands upon due diligence surrounding mergers and acquisitions and relationships with third parties.
According to a statement by Assistant Attorney General Brian Benczkowski of the DOJ Criminal Division, the revised guidance “reflects additions based on our own experience and important feedback from the business and compliance communities.” This most recent iteration evidences an expectation by the DOJ that not only should companywide operational data be collected and used to inform risk assessments and compliance-related activities, but also that employee access to that data for monitoring and testing purposes should be evaluated. Failure to do so will factor into the DOJ’s decision-making.
For compliance officers and counsel, DOJ’s updated guidance provides an additional reference point for evaluation and for negotiating the need for (or severity of) remedial or punitive measures. Transparency assists in both preventing and responding to DOJ inquiries, and the June 2020 update offers a roadmap for navigating both.
BRG professionals have significant experience performing compliance program effectiveness and risk assessments for companies of all sizes. BRG stands ready to advise companies across various sectors regarding the implementation and improvement of effective compliance programs, the development and review of policies and procedures, and the detection and mitigation of risks.
 Dylan Tokar, “Justice Department Adds New Detail to Compliance Evaluation Guidance,” The Wall Street Journal (June 1, 2020), available at: https://www.wsj.com/articles/justice-department-adds-new-detail-to-compliance-evaluation-guidance-11591052949