United States: Updated DOJ Criminal Division Guidance On The "Evaluation Of Corporate Compliance Programs"

On April 30, 2019, the U.S. Department of Justice ("DOJ"), Criminal Division, released updated guidance to DOJ prosecutors on how to assess corporate compliance programs when conducting an investigation, in making charging decisions, and in negotiating resolutions.  The pronouncement, "Evaluation of Corporate Compliance Programs," updates earlier guidance that DOJ's Fraud Section issued in February 2017 (covered in our 2017 Mid-Year FCPA Update).  This guidance emphasizes DOJ's laser focus on compliance programs, requiring companies under investigation to carefully evaluate, test, and likely upgrade their programs well before the investigation is over.

The updated Evaluation document has been restructured around the three "fundamental questions" from the Justice Manual that DOJ prosecutors should assess:

  1. Is the corporation's compliance program well designed?
  1. Is the program being applied earnestly and in good faith?  In other words, is the program being implemented effectively?
  1. Does the corporation's compliance program work in practice?

Under these three categories, the updated Evaluation groups 12 topics and sample questions that DOJ considers relevant in evaluating a corporate compliance program.  Much like the earlier Evaluation articulation, these topics relate to common elements of effective compliance programs, including policies and procedures, training, reporting mechanisms and investigations, third-party due diligence, tone at the top, compliance independence and resources, incentives and disciplinary measures, and periodic testing and review.  Several of these core standards can be found in other compliance program guidance materials, such as the Resource Guide to the U.S. Foreign Corrupt Practices Act and, very recently, the "Framework for OFAC Compliance Commitments" issued by OFAC on May 2, 2019, pursuant to the Agency's promise to provide more guidance on its expectations for sanctions compliance programs.

The following chart captures how the 12 compliance topics in the updated Evaluation are grouped under DOJ's three core questions.

Core Questions

Compliance Topic

(Core Focus)

Is the Program Well Designed?

Risk Assessment 

DOJ will assess whether the program is appropriately tailored to the company's business model and the particularized risks that accompany it, considering factors like the company's locations, industry sectors, and interactions with government officials.

Policies and Procedures

DOJ will assess whether the company has established appropriate policies and procedures, the processes for doing so and disseminating them to the workforce, and the guidance and training provided to "key gatekeepers in the control processes."

Training and Communications

DOJ will assess the compliance training provided to directors, officers, employees, and third parties, as well as efforts to communicate to the workforce about the company's response to misconduct, and the availability of resources to provide compliance guidance to employees.

Confidential Reporting Structure and Investigation Process

DOJ will assess the company's reporting channels and investigative mechanism.

Third-Party Management

DOJ will examine whether the company's third-party due diligence process is risk-based and includes controls and monitoring related to the qualifications and work of its third parties.

Mergers and Acquisitions

DOJ will examine the company's M&A pre-acquisition due diligence and post-acquisition integration processes.

Is the Program Implemented Effectively?

Commitment by Senior and Middle Management

DOJ will evaluate the commitment by company leadership to a culture of compliance, including management's messaging and promotion of compliance and the board's role in overseeing compliance.  The OFAC Compliance Framework similarly emphasizes the importance of management's commitment to, and support of, a company's compliance program.

Compliance Autonomy and Resources

DOJ will assess whether the compliance function has sufficient seniority, resources, and autonomy commensurate with the company's size and risk profile.  Notably, DOJ will ask whether the company outsourced all or parts of its compliance function to an external firm or consultant.  If so, DOJ will probe the level of access that the external firm or consultant has to company information.

Incentives and Disciplinary Measures

DOJ will assess whether the company has clear disciplinary procedures that are enforced consistently, as well as whether and how the company incentivizes ethical behavior.

Does the Program Work in Practice?

Continuous Improvement, Periodic Testing, and Review

DOJ will consider how the company has reviewed and evaluated its compliance program to ensure it is current, including changes made to the program in light of lessons learned.  DOJ also will assess the internal audit function and how the company measures its culture of compliance.  Effective training also is called out specifically in the OFAC Compliance Framework.

Investigation of Misconduct

DOJ will assess the effectiveness and resources of the company's investigative function.  Notably, this is the second instance in the updated Evaluation calling for DOJ to assess a company's investigative function.

Analysis and Remediation of Any Underlying Misconduct

DOJ will consider whether the company conducts root-cause analyses of misconduct and takes timely and appropriate remedial action against violators.  Under the heading "Accountability," the updated Evaluation includes a question about whether disciplinary actions for failures in supervision have been considered by the company.

KEY TAKEAWAYS

The updated Evaluation covers many of the same topics as the prior version, yet the addition of certain questions signals added emphasis or expectations compared to the prior guidance.  Although non-exhaustive, the following list outlines key takeaways from the updated Evaluation that companies should consider in building, maintaining, and enhancing their compliance programs.

  • Starting with a Risk Assessment and Building on "Lessons Learned":  The updated Evaluation calls for tailoring a company's compliance program based on its risk assessment, and ensuring that the criteria for the risk assessment are "periodically updated."  Commentators suggest risk assessments annually or every two years.  DOJ does not prescribe the timing of risk assessments.  Going forward, "'revisions to corporate compliance programs [should be made] in light of lessons learned.'"  This means that a company's risk assessment should be an ongoing and iterative process, and that a company should reexamine and revise its compliance program from time to time based on the risk assessment results.  Reexamining and revising the compliance program is necessary to address DOJ's particular emphasis on making enhancements in response to specific instances of misconduct.  When companies conduct internal investigations, especially where there is a prospect of a government-facing inquiry, they should give serious consideration to taking prompt remedial steps to address the components highlighted by the updated Evaluation document.  This will better position companies to advocate that they have effectively and timely remediated root-cause issues and should receive remediation credit.
  • Importance of Compliance Personnel:  In evaluating whether a company has sufficient staffing for compliance personnel, the updated Evaluation presents a number of related queries, such as where within the company the compliance function is housed (but without dictating a particular reporting structure) and how the compliance function compares with other functions within the company in terms of stature, compensation, rank/title, reporting lines, resources, and access to key decision-makers.
  • Responsibility for Third Parties:  The updated Evaluation indicates an increased focus on a company's oversight of third parties, which historically have factored into the vast majority of Foreign Corrupt Practices Act enforcement actions.  Among other things, DOJ will consider whether a company has "appropriate business rationale[s]" for the use of third parties and whether it has considered "the compensation and incentive structures" for third parties against the compliance risks posed.  In addition, in assessing a company's remediation of misconduct involving suppliers, DOJ will consider the company's process for supplier selection.  Termination of a supplier or business partner upon a company's finding of misconduct, and steps to ensure that such third parties cannot be re-engaged without appropriate authorization, is a sign of a mature compliance program expected by DOJ.
  • Cascading Tone from the Top:  The updated Evaluation emphasizes "culture of compliance."  Crucially, messaging at the "top" alone will not equate to an adequate tone of compliance.  Rather, DOJ will focus on how the compliance tone cascades downward in the organization and to counterparties.  DOJ will examine not only the standards set by the board of directors and senior executives, but also the tone and actions of middle management to reinforce those standards.  The focus on the cultural leadership by mid-level management has been a constant theme from DOJ for more than a decade.  In addition, in assessing a company's remediation, DOJ will consider whether managers were held accountable for misconduct that occurred under their supervision and whether the company considered disciplinary actions for failures in supervision.

Like its predecessor, the updated Evaluation guidance is an important resource for companies both for reactively defending their compliance programs in the context of a DOJ investigation and for proactively benchmarking or enhancing their programs.  Clearly, this refined prism will provide the template for DOJ Filip Factor presentations.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Authors
Similar Articles
Relevancy Powered by MondaqAI
Akin Gump Strauss Hauer & Feld LLP
 
In association with
Related Topics
 
Similar Articles
Relevancy Powered by MondaqAI
Akin Gump Strauss Hauer & Feld LLP
Related Articles
 
Related Video
Up-coming Events Search
Tools
Print
Font Size:
Translation
Channels
Mondaq on Twitter
 
Mondaq Free Registration
Gain access to Mondaq global archive of over 375,000 articles covering 200 countries with a personalised News Alert and automatic login on this device.
Mondaq News Alert (some suggested topics and region)
Select Topics
Registration (please scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions

Mondaq.com (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of www.mondaq.com

To Use Mondaq.com you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.

Disclaimer

The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.

General

Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions