DOJ Emphasizes Data-Driven Approach to Monitoring and Importance of Culture in Latest Adjustments to Corporate Compliance Program Guidance
Introduction
On 1 June 2020, the Criminal Division of the U.S. Department of Justice (DOJ) updated a critical guidance document, the “Evaluation of Corporate Compliance Programs” memorandum (Guidance), providing further detail regarding its expectations for the design and implementation for corporate compliance programs. Specifically, the Guidance emphasizes (1) the need to adequately resource and empower the compliance function; (2) the importance of data access and data analysis in monitoring program effectiveness; and (3) the need to foster a culture of compliance not only among senior executives but across all levels of employees.
The 2020 Guidance Revisions
Originally published in 2017 and first revised in 2019, the Guidance is intended to provide prosecutors with a flexible tool that allows them to “make a reasonable, individualized determination in each case that considers various factors including, but not limited to, the company’s size, industry, geographic footprint, regulatory landscape, and other factors, both internal and external to the company’s operations, that might impact its compliance program.”1 In our in-depth look at the 2019 revisions to the Guidance, we noted the Guidance’s emphasis on completing meaningful risk assessments, effectively creating a corporate culture of compliance, and demonstrating continuous compliance program improvement—e.g., through testing and monitoring. The June 2020 Guidance, which applies to all components of the DOJ’s Criminal Division, further clarifies key points on program adaptability, data access, and the effectiveness of internal reporting.2
Specifically, the 2020 revisions modify one of the three core “fundamental questions” that prosecutors ask by more precisely defining what it means to have a properly “implemented” program. While prior versions directed prosecutors to focus solely on whether a program was “implemented” effectively, the 2020 revision removes the word “implemented” and replaces it with “adequately resourced and empowered to function.” As such, the Guidance redefines a program’s implementation by the depth of resources employed and its ability to function unimpeded in practice. Accordingly, the new language means that corporate defendants will need to make a more robust showing with respect to how they support and promote their compliance programs.
The revised Guidance also incorporates a discussion of the importance of access to data and analytical tools when describing how prosecutors should evaluate the adequacy of resources. Specifically, in its evaluation of whether a compliance department has sufficient resources and independence to function effectively, DOJ will now ask:
- Do compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions?
- Do any impediments exist that limit access to relevant sources of data and, if so, what is the company doing to address the impediments?
The Guidance’s new emphasis on the compliance function’s access to data dovetails with other revisions related to the need for a compliance program to have an effective monitoring function and a process for periodic review and incorporation of “lessons learned.” Specifically, the Guidance now asks:
- Is the periodic review limited to a “snapshot” in time or based on continuous access to operational data and information across functions? Has the periodic review led to updates in policies, procedures, and controls?
- Does the company have a process for tracking and incorporating into its periodic risk assessment lessons learned either from the company’s own prior issues or from those of other companies operating in the same industry and/or geographical region?
- Does the company review and adapt its compliance program based upon lessons learned from its own misconduct and/or that of other companies facing similar risks?
Finally, the new emphasis on adequately resourcing and empowering the compliance function flows into DOJ’s evaluation of other significant areas of a company’s compliance program. For example:
- Searchable format for policies and procedures. The June 2020 Guidance considers whether compliance policies and procedures are easily searchable and whether the company tracks employee access to policies and procedures.
- Mergers and acquisitions due diligence. Federal prosecutors will ask if the company conducted pre-acquisition due diligence and post-acquisition audits and if the company created a process for the timely and orderly integration into existing compliance programs and internal controls.
- Training. The June 2020 Guidance sharpens focus on whether the company evaluates the effectiveness of training through impact on “employee behavior or operations” and asks whether there is a process that allows employees to raise questions about training.
- Oversight of third parties. The June 2020 Guidance directs federal prosecutors to examine risk management of third parties “throughout the lifespan of the relationship” with the company.3
- Effectiveness of complaint hotlines. Inquiries about periodic testing of the effectiveness of hotlines, the ability to track a hotline-generated report “from start to finish,” and whether employees use the hotline are also included.4
Takeaways
The revised Guidance announces that compliance programs will be judged according to how they employ tools to analyze objective data sources and continuously translate those findings into ongoing program enhancements. While companies make difficult resource-allocation decisions in the short term and the long term, the Guidance reinforces the government’s expectation that companies will continue to make investments in tools to monitor compliance and operationalize the results of such monitoring.
The benefits of a proactive and robust compliance program are significant. Abiding by DOJ’s updated guidance to empower and resource a well-designed corporate compliance program may result in mitigation of monetary penalties and post-resolution compliance obligations or convince federal prosecutors that an alternative form of resolution, like a non-prosecution agreement or deferred prosecution agreement, is appropriate. Even if your company is never the target of a DOJ investigation, a vibrant compliance program is an important part of any well-run corporation today. Compliance departments and in-house legal departments should ensure that their budgets include substantial allocations for such features in order to support a dynamic, evolving, and risk-conscious compliance program.
Lawyers from K&L Gates regularly counsel clients with respect to the design, evaluation, and implementation of corporate compliance programs. For more information regarding this client alert, do not hesitate to contact the authors of this alert or any other member of the firm’s investigations, enforcement, and white collar practice group.
This publication/newsletter is for informational purposes and does not contain or convey legal advice. The information herein should not be used or relied upon in regard to any particular facts or circumstances without first consulting a lawyer. Any views expressed herein are those of the author(s) and not necessarily those of the law firm's clients.