On April 30, 2019, the Criminal Division of the Department of Justice issued updated guidance for prosecutors to use when evaluating the effectiveness of a company’s compliance program in the context of corporate charging and settlement decisions.[1]
Background
This guidance is the latest in a series of DOJ pronouncements on the “hallmarks” of an effective corporate compliance program.[2] While it neither breaks new ground nor otherwise reflects a fundamental shift in thinking, it nonetheless includes a number of observations that are notable and, at a minimum, serves as a useful benchmark for compliance departments to leverage in evaluating the strength of their existing programs.
The Assistant Attorney General of the Criminal Division prominently featured the updated guidance last week in a public speech that reiterated DOJ’s view that compliance programs are the “first line of defense”[3] for preventing misconduct. Unlike DOJ’s 2017 corporate compliance guidance, which was issued by and limited to the Criminal Division’s Fraud Section, and the 2012 FCPA Resource Guide (updated in 2015), which only applied to FCPA investigations, the new guidance is broadly applicable to prosecutors across all of the sections of the Criminal Division. It also serves as general guidance for (although not technically binding on) other DOJ components, such as the U.S. Attorneys’ Offices.
Key Observations in the Guidance
The updated guidance emphasizes that DOJ does not use a “rigid formula” to assess compliance programs and instead conducts an “individualized determination” based on a company’s “particularized” risk profile. Like the FCPA Resource Guide, the updated guidance acknowledges that the “existence of misconduct does not, by itself, mean that a compliance program did not work or was ineffective at the time of the offense.” The 2017 guidance, however, had not expressly included this important and helpful point. And unlike the 2017 guidance, the updated guidance is structured around three questions that had been posed in both the Justice Manual and the FCPA Resource Guide: (a) Is the compliance program well designed?; (b) Is the program implemented effectively?; and (c) Does the program work in practice?
In addressing these overarching questions, the updated guidance includes noteworthy, if not entirely new, observations:
- The guidance stresses that a “paper program” is insufficient and that a “well-designed compliance program may be unsuccessful in practice if implementation is lax or ineffective.” Instead, a compliance program will not be viewed as satisfactory unless it is effectively implemented and well-functioning, particularly with respect to identifying and remediating misconduct.
- The guidance emphasizes the importance of conducting a robust risk assessment and drawing on that assessment when designing a compliance program that is tailored to a company’s business and regulatory profile.
- The guidance repeatedly conveys the importance of periodically reviewing a compliance program, identifying the root causes of episodes of misconduct, and insuring that procedures and controls are updated to reflect “lessons learned” and evolving risk. By way of example, the guidance asks “[h]ow has the company collected, tracked, analyzed, and used information from its reporting mechanisms” and whether “the company periodically analyze[s] the reports or investigation findings for patterns of misconduct or other red flags for compliance weaknesses.” In its concluding section, the guidance emphasizes that a “hallmark” of a compliance program that works in practice is the extent to which it enables “thoughtful root cause analysis of misconduct and timely and appropriate[] remediat[ion] to address the root causes.”
- Under the updated guidance, DOJ will consider not only whether employees have been trained on compliance matters but whether they are tested on what they learned, and whether there are consequences for employees who fail this testing.
- The guidance highlights the role of middle management in supporting compliance programs in addition to the well-established role of senior management in setting the tone from the top. The guidance identifies various factors that bear on this evaluation of efforts by middle management, including the actions taken by managers to “demonstrate their commitment to compliance,” and whether managers have “persisted in that commitment in the face of competing interests or business objectives.”
- The guidance expands on the importance of confidential mechanisms for reporting suspected misconduct, audit rights for increasing visibility into the conduct of third parties, and the organizational prominence and independence of the compliance program within a company’s overall corporate structure.
- DOJ will evaluate a company’s compliance program at two points in time: when the misconduct occurred and when DOJ is making a charging decision. Thus, a company has an incentive to address shortcomings in its compliance program during the course of any investigation.
The Updated Guidance Is Consistent With Recent Pronouncements by DOJ
The revised guidance takes on heightened importance as DOJ has demonstrated a willingness to reduce or even decline to bring charges, or decline to impose a monitor as part of a corporate resolution, where it is satisfied that the company has an effective compliance program in place. In late 2017, the FCPA Corporate Enforcement Policy set forth a presumption against charging a company for FCPA violations if the company not only voluntarily self-reported the conduct and cooperated with the government, but also appropriately remediated including through “[i]mplementation of an effective compliance” program. In October 2018, DOJ guidance concerning the appointment of corporate monitors likewise credited the strength of a company’s compliance program, stating “[w]here a corporation’s compliance program and controls are demonstrated to be effective and appropriately resourced at the time of resolution, a monitor will likely not be necessary.” Recent examples of DOJ adhering to these enforcement guidelines include its decisions not to bring FCPA charges against Cognizant Technology Solutions Corporation and a subsidiary of Plantronics, Inc. In declining to charge Cognizant in February, DOJ noted the company’s self-report and cooperation, along with “the existence and effectiveness of the Company’s pre-existing compliance program, as well as steps that the Company has taken to enhance its compliance program.”[4] DOJ identified similar factors in its declination letter to Plantronics’ subsidiary in December 2018.[5]
To view and print this full report, please click here.
[2] Prior guidance on DOJ’s evaluation of corporate compliance programs includes: U.S. Dep’t of Justice, Criminal Division, Fraud Section, Evaluation of Corporate Compliance Programs (Feb. 8, 2017), reprinted in Advanced Compliance and Ethics Workshop 2018, at 365 (PLI Corp. & Sec. Practice, PLI Item #: 219493, 2018); Principles of Federal Prosecution of Business Organizations, Justice Manual 9-28.300 (formerly the United States Attorneys’ Manual); U.S. Dep’t of Justice and U.S. Sec. and Exch. Comm’n, A Resource Guide to the U.S. Foreign Corrupt Practices Act 56 (2012), https://www.justice.gov/sites/default/files/criminal-fraud/legacy/2015/01/16/guide.pdf; U.S. Dep’t of Justice, 9-47.120 – FCPA Corporate Enforcement Policy (Nov. 29, 2017, updated March 2019), https://www.justice.gov/criminal-fraud/file/838416/download; Assistant Attorney General Brian A. Benczkowski, Memo. to Criminal Division Personnel: Selection of Monitors in Criminal Division Matters (Oct. 11, 2018), https://www.justice.gov/opa/speech/file/1100531/download.