Continuing with recent policy updates (and with more analysis to come on today's M&A policy announcement), the U.S. Department of Justice (DOJ) has revised its detailed requirements for effective corporate compliance programs found in "Attachment C"[1] to better reflect its policy guidance and incorporate lessons learned from recent cases and monitorships. These edits focus on management commitment, training, third party management, remediating misconduct, monitoring and testing, compensation structures, and consequence management.

Attachment C requirements present a clear guide to DOJ thinking on critical compliance program elements. They have become standardized over the years, and when DOJ revises or alters them, it is a noteworthy development for compliance professionals as well as practitioners. Companies defending their programs before DOJ will need to be prepared to address these new program criteria.

DOJ has long recognized the crucial significance of management's commitment to compliance, but, in the past, Attachment C has focused "High Level Commitment" on support by directors and senior managers. In the recent resolutions, DOJ has expanded the focus of this requirement, renamed "Commitment to Compliance," to ensure "that mid-level management . . . reinforce leadership's commitment to compliance policies and principles." DOJ has also sought to clarify "tone and conduct" to mean demonstrating support for compliance through "actions and words" that "create and foster a culture of ethics and compliance" in their "day-to-day operations at all levels of the company." Taken together, these new edits make clear the expectation that the concept of "high-level commitment" found in prior guidance must translate into the governance and business processes of the organization, which requires a more granular, visible effort than occasional communications from the C-suite. When presenting a program before DOJ, companies should be able to provide evidence of meaningful engagement in the compliance effort, reflected in actions as well as words, across all levels of management. In short, the business must own compliance.

The Attachment C training and guidance requirements have been updated to promote effectiveness in practice, a theme that DOJ has increasingly emphasized in its policy pronouncements since at least 2020. Among other changes, Attachment C now requires that the mechanisms designed to ensure that policies, including the Code of Conduct, are effectively communicated include "metrics for measuring knowledge retention and effectiveness" of training. In the same vein, training must be "tailored to the audience's size, sophistication, or subject matter expertise." Lastly, DOJ wants companies to "discuss prior compliance incidents" in training, where appropriate. All these revisions appear to be aimed at enhancing the practical utility of training, by making it more targeted, measurable, and impactful.

The most extensive revisions to Attachment C are reflected in the always-important area of third party management. Recent resolutions include a new paragraph that, among other requirements, imposes explicit obligations that companies understand and document the reasons for using a third party in a transaction (documenting business justification is a fundamental step too often overlooked in due diligence), and likewise ensure that contract terms with those third parties "specifically describe the services to be performed." Companies must have an effective way to confirm "that the third party is actually performing the described work" and is receiving compensation "commensurate with the work being provided," including relative to the "industry and geographical region." Just as importantly, the revisions to Attachment C show that DOJ expects companies to monitor their third party relationships on an ongoing basis through "updated due diligence, training, audits, and/or annual compliance certifications," a key feature that DOJ has underscored in other recent guidance as well.

Another entirely new provision in the recent resolutions' Attachment C addresses remediation of misconduct. This change tracks DOJ's rubric for evaluating compliance programs, which includes the question of whether the program is working effectively in practice. Following the Criminal Division's March 2023 Evaluation of Corporate Compliance Programs (ECCP), Attachment C now requires that companies subject to FCPA resolutions "conduct a root cause analysis of misconduct, including prior misconduct, to identify any systemic issues and/or any control failures." This root cause analysis must be accompanied by "timely and appropriate" remediation, and – in what is likely part of DOJ's effort to reduce siloing of information – the identified root causes of misconduct, and actions to address them, are to be "shared with management as appropriate."

The new Attachment C also includes two short but significant additions relevant to a company's ability to perform effective data monitoring and testing, an area of increased DOJ focus in recent years. First, in the section regarding Mergers and Acquisitions, DOJ added that companies should "where warranted, establish a plan to integrate the acquired businesses or entities into the Company's enterprise resource planning [ERP] systems as quickly as practicable." This addition reflects learnings from a collection of enforcement actions, spanning several years, brought against companies that had grown largely by acquisition, but had not effectively integrated ERP systems. Complex ERP environments present obstacles to clear sight lines into data needed to inform effective monitoring of transactions. Relatedly, in the Monitoring and Testing section, DOJ added that companies should "ensure that compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of transactions." This requirement will serve to drive cross-functional coordination, since functions other than Compliance own the data that companies are now expected to monitor to identify issues and to ensure program effectiveness.

Lastly, the DOJ has revised its requirements related to incentives and compensation, in line with policies first introduced in a memo issued last year by Deputy Attorney General Lisa Monaco and subsequently reflected in changes to the ECCP. Consistent with DOJ's publicly articulated position, Attachment C now specifies that compensation structures and consequence management incentivize behavior that complies with company policy against violations of anti-corruption laws. These efforts shall include implementing criteria related to compliance and discipline "in the Company's compensation and bonus system." These revisions reinforce DOJ's policy focus on compensation and clawbacks to incentivize compliance and disincentivize noncompliance.

Companies should benchmark their policies and practices against these revisions to Attachment C. With post-resolution self-reporting now the norm in FCPA (and other) corporate criminal resolutions, companies are well advised to incorporate these mandates from DOJ into the realities of their business operations and existing compliance program and internal controls.

Footnote

1. Attachment C to the typical FCPA corporate resolution is where DOJ specifies the defendant company's obligations to establish and maintain an effective corporate compliance program.
