Compliance Officers Take Note: DOJ Releases New Guidance on Corporate Compliance Programs
On April 30, 2019, to provide greater transparency into prosecutorial decision-making, the Criminal Division of the US Department of Justice (DOJ) published its Evaluation of Corporate Compliance Programs, an update to guidance released by the DOJ’s Fraud Section in February 2017. Intended to “better harmonize” the Fraud Section’s guidance with other DOJ publications and standards, this new guidance expands upon the principles that prosecutors should consider when “conducting an investigation of a corporation, determining whether to bring charges, and negotiating plea or other agreements.” According to the Justice Manual, those factors include “the adequacy and effectiveness of the corporation’s compliance program at the time of the offense, as well as at the time of a charging decision,” and the corporation’s remedial efforts “to implement an adequate and effective corporate compliance program or to improve an existing one.”
The update expands on the factors set forth in the 2017 guidance that prosecutors consider in the context of an investigation, organizing those factors pursuant to three fundamental questions:
- “Is the corporation’s compliance program well designed?”
- “Is the program being applied earnestly and in good faith?” In other words, is the program being implemented effectively?
- “Does the corporation’s compliance program work” in practice?
Importantly, when answering the final question—whether the program works in the real world—the updated guidance calls prosecutors to consider a new factor: “Investigation of Misconduct.” In discussing this new factor, DOJ recognizes that the existence of misconduct does not, in itself, indicate that a compliance program is not working, but notes that an effective program has in place a “mechanism for the timely and thorough investigation… of any allegations or suspicions of misconduct.” Consistent with that, the updated guidance sets forth a two-part assessment of the company’s internal investigations process, according to which DOJ will:
- Evaluate whether the company has ensured that investigations have been independent, objective, appropriately conducted, as well as properly scoped and documented by qualified; and
- Assess the company’s response to investigations (g., by examining how the investigations have been used to identify root causes or system vulnerabilities).
Given that the “Investigation of Misconduct” factor will be assessed after alleged misconduct has been discovered, DOJ likely will review the investigation and response at hand as well as the company’s recent history of investigations and responses.
In addition to the new factor, the guidance now contains questions that compliance officers should answer when assessing each factor. No longer must a company “read the tea leaves” in an attempt to divine whether its compliance program meets the standards set forth by the government. With regard to the previously amorphous goal of determining whether a company has “appropriately tailored training and communications,” for example, the guidance now contains multiple questions to assess whether the company is effectively conducting “risk-based training,” periodically evaluating the effectiveness of that training, communicating about misconduct, and making guidance available to employees. Far less is left to interpretation by DOJ or the company it is evaluating, hopefully facilitating a more transparent analysis.
This level of detail not only focuses the prosecutors on the appropriate factors to consider, but also provides the company with a checklist for what DOJ might consider an effective compliance program. Indeed, an effective program can be highly beneficial to a company, as highlighted in recent public statements by DOJ officials. During his keynote address at the Ethics and Compliance Initiative 2019 Annual Impact Conference, Assistant Attorney General Brian A. Benczkowski explicitly referenced a February 2019 case wherein DOJ declined to prosecute Cognizant Technology Solutions Corporation, in part because Cognizant maintained an effective program that allowed it to detect and report misconduct by two of its employees. Emphasizing that this voluntary disclosure—combined with Cognizant’s full cooperation and remediation—led to DOJ’s decision, Benczkowski stressed that DOJ has strived to incentivize and reward companies that implement effective compliance programs.
For compliance officers and corporate counsel, DOJ’s updated guidance provides an easier way to craft and evaluate internal controls. While it may appear to add levels of complexity, the clear purpose is to understand the company’s compliance approach and to analyze how the program relates to the specific misconduct at issue. For lawyers who defend companies in ongoing investigations, this update provides an additional reference point for evaluation and for negotiating the need for (or severity of) remedial or punitive measures. Transparency assists in both preventing and responding to DOJ inquiries, and the April 2019 update offers a useful roadmap for navigating both.
BRG professionals have significant experience performing compliance program effectiveness and risk assessments for companies of all sizes. They can advise companies across various sectors regarding the implementation and improvement of effective compliance programs, the development and review of policies and procedures, and the detection and mitigation of risks.
The views and opinions expressed in this article are those of the authors and do not necessarily reflect the opinions, position, or policy of Berkeley Research Group, LLC or its other employees and affiliates.