On Monday, June 2, 2020, the DOJ’s Criminal Division announced updates to its guidance for Evaluation of Corporate Compliance Programs (the “Guidance”). The Guidance is a tool for federal prosecutors to evaluate the effectiveness of a company’s compliance program to assist in making decisions about prosecution or alternative resolutions, appropriate monetary penalties, and other obligations that may accompany a criminal resolution, such as monitorships or reporting obligations. Thus, the Guidance is also an important resource for companies to evaluate whether their compliance programs satisfy DOJ expectations.
Key substantive updates to the Guidance focus on four areas: (1) continued assessment, evaluation, and improvement of the compliance program; (2) company responsibilities with respect to third parties; (3) compliance personnel’s access to key data to carry out compliance responsibilities; and (4) integration of compliance programs after a merger or acquisition.
1. Continued Assessment and Evaluation of Compliance Program
The DOJ expects that a company’s compliance program evolves and improves over time, undergoing continuous assessment and evaluation. The updated Guidance requires that prosecutors seek to understand “why and how the company’s compliance program has evolved over time.”
The DOJ already expected that companies conduct periodic reviews of risk assessment practices and policies. The updated Guidance brings additional focus on the effectiveness of such reviews by asking, “Is the periodic review [of the company’s risk assessment] limited to a ‘snapshot’ in time or based upon continual access to operational data and information across functions?” The DOJ expects reviews to lead to “updates in policies, procedures, and controls.” While the prior version of the Guidance focused on processes for designing and implementing new policies, the updated Guidance directs prosecutors to consider whether a company has a process for “updating existing policies and procedures.”
The DOJ’s added emphasis on internal evaluation of compliance programs is clear in updates to the Guidance with respect to anonymous hotlines. The DOJ has long identified an anonymous reporting hotline as a hallmark of an effective compliance program. With the updated Guidance, the DOJ articulates an expectation that companies assess the effectiveness of the hotline by testing employees’ awareness of and comfort with using the hotline, and tracking hotline reports from start to finish.
One important addition reflecting the DOJ’s focus on evolution of a compliance program is the expectation that the company have a process to track and incorporate “into its periodic risk assessment lessons learned from the company’s own prior issues or from those of other companies operating in the same industry and/or geographic region.” Thus, while it’s obvious that compliance departments must seek to learn from their own company’s challenges, it is also important that compliance personnel remain apprised of any enforcement actions involving companies within the same industry.
2. Compliance Responsibilities with Respect to Third Parties
A seemingly minor edit to the language of the Guidance, replacing the term “due diligence” with “management,” gives insight into how the DOJ views a company’s compliance responsibilities with respect to third parties with which the company associates. The Guidance states, “In sum, a company’s third-party due diligence management practices are a factor that prosecutors should assess to determine whether a compliance program is in fact able to detect the particular types of misconduct most likely to occur in a particular corporation’s line of business.”
By replacing the words “due diligence” with “management,” the DOJ clearly articulates its expectation that companies actively manage the third-party vendors and contractors with whom they work and that such management occurs throughout the course of the relationship. Indeed, a new addition to the Guidance suggests that, when evaluating a compliance program, prosecutors ask, “Does the company engage in risk management of third parties throughout the lifespan of the relationship, or primarily during the onboarding process?”
The continued management of third parties also extends to the use of a company’s anonymous reporting hotline. The updated Guidance expects that the hotline be publicized to third parties, in addition to employees. Thus, compliance officers and departments should consider notifying third parties, such as vendors and other contractors, of the existence of the anonymous hotline and making it available for their use.
3. Compliance Personnel’s Access to Data
The Guidance recognizes that having personnel with adequate authority and standing within the company to effectuate compliance oversight is essential to an effective compliance program. Key among the updates is the expectation that compliance personnel have sufficient access to data to monitor and test “policies, controls, and transactions.” Compliance personnel and company management must collaborate and coordinate to ensure that compliance personnel can readily access data that will allow for testing of the effectiveness of the company’s compliance program.
4. Mergers and Acquisitions
The prior version of the Guidance addressed the importance of exercising “pre M&A due diligence” of an acquisition target’s compliance program. While such due diligence remains an important compliance function, the updated Guidance adds focus on post-acquisition responsibilities. Specifically, the DOJ expects an effective compliance program to have “a process for timely and orderly integration of the acquired entity into existing compliance program structures and internal controls.”