On June 1, 2020, DOJ updated the guidance that its prosecutors use to evaluate corporate compliance programs. The guidance is critical to companies subject to the FCPA and other corporate criminal liability, as it informs prosecutors’ charging and settlement decisions, how they assess monetary penalties, and whether they consider ongoing compliance obligations (including monitorships) necessary. The update emphasizes the importance of a dynamic, adaptable compliance program and the centrality of a data-driven approach to compliance.
In a recent presentation at a virtual conference ahead of the publication of the new guidelines, the Chief of the Fraud Section noted that his prosecutors were using the time during the COVID-19 pandemic to evaluate their own compliance programs, and that he expected companies to be doing the same. This memorandum describes the June 2020 updates and serves as a checklist against which companies can evaluate their compliance programs in light of DOJ’s update.
Rather than being merely “implemented” effectively, compliance programs must be “adequately resourced and empowered to function effectively.” An “under-resourced” program could raise red flags.
Companies should ensure that employees as well as “other third parties” are aware of reporting mechanisms such as hotlines, and test whether employees and third parties feel comfortable using such measures.
DOJ’s updates highlight the importance of a data-driven approach to compliance and effective use of that data. The central inquiry is whether “compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions.”
Companies should gather and analyze available operational data, which may include “track[ing] access to various policies and procedures to understand what policies are attracting more attention from relevant employees.”
The evolution of the compliance program over time is key, as DOJ evaluates the program “both at the time of the offense and at the time of the charging decision and resolution.” Therefore, a company must continually update its programs and policies to address “lessons learned” from the “company’s own prior issues or from those of other companies operating in the same industry and/or geographical region.”
Periodic reviews of the compliance program should not be a “snapshot” in time but rather “based upon continuous access to operational data and information across functions.”
Companies should monitor the impact of training on “employee behavior or operations,” and test the effectiveness of reporting mechanisms by “tracking a report from start to finish.”
Policies and procedures should be “published in searchable format for easy reference” by employees and third parties (in addition to being translated to meet linguistic needs).
Companies should continue to implement appropriately tailored training sessions, which may take the form of “shorter, more targeted training sessions to enable employees to timely identify and raise issues to appropriate compliance, internal audit, or other risk management functions.” Regardless of whether trainings occur “online or in person,” companies must implement “a process by which employees can ask questions arising out of the trainings.”
When taking disciplinary action, the compliance function should “monitor its investigations and resulting discipline to ensure consistency” in treatment among employees. As to third parties, a company should engage its risk-management procedures “throughout the lifespan of the relationship” and not just “during the onboarding process.”
The updated guidance makes clear that DOJ will cast a critical eye on assertions that foreign law impedes a company’s compliance efforts. “Where a company asserts that it has structured its compliance program in a particular way or has made a compliance decision based on requirements of foreign law, prosecutors should ask the company the basis for the company's conclusion about foreign law, and how the company has addressed the issue to maintain the integrity and effectiveness of its compliance program while still abiding by foreign law.”
The updated guidance expressly recognizes that access to “relevant sources of data” may be impeded (e.g., by the General Data Protection Regulation (GDPR) or other data-privacy constraints), and that prosecutors will ask the company what it is “doing to address the impediments.”
An acquiring company’s compliance obligations do not end at the initial due diligence phase; rather, the company must have a “process for timely and orderly integration of the acquired entity into existing compliance program structures and internal controls.”
When evaluating the integration process, DOJ prosecutors will ask: “[h]ow has the compliance function been integrated into the merger, acquisition, and integration process”; how has the company implemented compliance policies and procedures at the acquired entity; and whether the company “conduct[ed] post-acquisition audits” at the newly acquired entity.
* * *
The update emphasizes DOJ’s view that, in order to be implemented effectively, compliance programs must be dynamic and easily adaptable to lessons the company has learned from its own compliance issues as well as those in its industry or region more broadly. Real-time access to and effective use of data are critical to ensuring that the company is achieving that objective. And companies should take particular note of DOJ’s clarification that an effective compliance program is one that is “adequately resourced and empowered to function effectively.” This and the recent comments by the Chief of the Fraud Section are clear signals that companies should use the current slowdown as a period to assess whether they have “adequately resourced” compliance programs and where improvements may be made.