How is this Guidance Different from All Other Guidance? ― DOJ Asks Three Questions of Corporate Compliance Programs

May 2, 2019 – On April 30, 2019, the Department of Justice’s Criminal Division (the “DOJ”) published updated guidance for prosecutors regarding the assessment and evaluation of corporate compliance programs.  The Evaluation of Corporate Compliance Programs (the “April 2019 Guidance”) modifies guidance that has existed in some form since the adoption of the amended U.S. Federal Sentencing Guidelines in 2004, and was last revised in February of 2017.  Because the April 2019 Guidance provides an up-to-date view of the DOJ’s thinking regarding compliance best practices, companies should take note of the DOJ’s views with an eye towards adjusting their own compliance practices.  Even companies who believe they are generally outside the DOJ’s jurisdiction are advised to review the April 2019 Guidance carefully as the DOJ’s positions often influence the views of regulators in other countries and at international organizations such as the World Bank. 

Much of the guidance is substantively similar to prior editions, but whereas the February 2017 Guidance discussed 46 compliance program elements organized under 11 specific themes (e.g., Policies and Procedures, Autonomy and Resources, Training and Communications), the April 2019 Guidance re-organizes the elements around three questions:

1. Is the compliance program well designed?
2. Is the compliance program effectively implemented?
3. Does the compliance program actually work in practice? 

Apart from modifying the framework of the guidance, the changes made in the April 2019 Guidance reveal several key areas of emphasis:

• Risk Assessments – The April 2019 Guidance positions Risk Assessments as a central means by which companies are expected to create, monitor, and improve their compliance practices.  The updated guidance highlights the DOJ’s expectation that companies complete regular, detailed, and concrete Risk Assessments and use the results to evaluate whether their compliance programs are well designed, effectively implemented, and actually working in practice.  The guidance emphasizes that prosecutors should evaluate whether a corporate compliance program has been well-designed to meet the commercial risks most likely to occur as identified, assessed, and defined through a Risk Assessment and whether a company continues to conduct regular Risk Assessments and gap analyses to determine where revisions might be made to its compliance program. 
• Data and Analysis – Running through the April 2019 Guidance is a focus by the DOJ on the collection, tracking, maintenance, and analysis of compliance-related data points, such as incident response times, reports of misconduct, and results of due diligence.  Prosecutors are instructed to evaluate how companies have analyzed such data to find patterns of misconduct, locate signs of compliance weaknesses, and develop metrics that can be used to evaluate compliance processes.  Like the focus on Risk Assessments, the emphasis on analytics reflects a “bottom-up” approach that compliance programs should be grounded in and tailored to actual, real-world results rather than dictated solely by top-down policies.  The collected data can be used both to devise and implement revisions to the compliance program as well as to document to external parties, such as enforcement authorities, that the compliance programs in place have been deliberately designed, implemented, and monitored.  
• Timing of Remediation – The April 2019 Guidance highlights the importance that prosecutors place on a company’s remedial actions during the window of time between when misconduct occurs and when the prosecutor makes a charging decision.  As a result, it is paramount that companies facing investigation maximize this window of opportunity to investigate and identify root causes of misconduct, implement timely remediation efforts, design and implement improvements to the compliance program to prevent similar misconduct in the future, and take reasonable steps to ensure that such policies are followed, including monitoring and auditing for misconduct.  Effective company actions during this window may result in remediation credit or a lower applicable fine range.  Furthermore, these activities will play a large role in determining whether the DOJ will require the appointment of a corporate monitor or compliance consultant. 
• Qualified and Specialized Compliance Function with Adequate Resources and Authority – The Guidance makes clear that the DOJ expects corporate compliance functions to be staffed by personnel with sufficient qualifications, experience, and training to understand and identify potential risks to the company.  It is not enough to maintain a compliance function staffed with personnel without the expertise or requisite level of authority to implement actual organizational change.  The April 2019 Guidance instructs prosecutors to evaluate, among other factors, (i) the guidance and training provided to employees with approval authority or certification responsibilities, (ii) whether supervisory employees have received specialized or supplementary compliance training, (iii) whether employees are evaluated on their compliance knowledge to assure a minimum level of competency, (iv) the turnover rate among and the seniority of compliance function personnel, and (v) whether concerns voiced by compliance personnel are adequately considered.  Prosecutors are also instructed to analyze whether the company has outsourced all or part of its compliance function to outside counsel, the qualifications of such outside counsel, and the level of access granted to outside counsel. 
• Compliance Incentives – In the April 2019 Guidance, the DOJ continues to emphasize that it expects companies to provide both positive and negative incentives to ensure compliance by its employees.  This includes providing bonuses for specific actions such as improving or developing compliance programs or demonstrating ethical leadership, tying promotions to compliance, including compliance as a metric for compensation, and publicizing disciplinary actions imposed on employees involved in misconduct.  Rewarding compliance may appear counterintuitive to many companies who rightly view compliance as a baseline requirement.  Nevertheless, the DOJ – as well as the World Bank and other Multilateral Development Banks – continues to instruct prosecutors to evaluate compliance incentives as a measure of a compliance program’s effective implementation. 

The updated Guidance for the Evaluation of Corporate Compliance Programs can be found at the Department of Justice’s website here. 

Please contact the attorneys in Hughes Hubbard’s Anti-Corruption and Internal Investigations practice if you have any questions about the Evaluation of Corporate Compliance Programs or the adequacy of your current anti-corruption compliance program or safeguards.