On June 1, 2020, the US Department of Justice ("DOJ") published an updated version of its guidance on the "Evaluation of Corporate Compliance Programs" (the "Guidance"), which was first published in February 2017.1 When announcing the June 2020 update, Assistant Attorney General Brian Benczkowski of the Justice Department's Criminal Division explained that the document "reflects additions based on our own experience and important feedback from the business and compliance communities."2 The June 2020 update builds on themes found in last year's update (the "April 2019 Update"), with an increased emphasis on a functional and continual approach to assessing the effectiveness of a company's compliance program.
The 2017 Guidance
In February 2017, the Fraud Section of the US Department of Justice published the Guidance. It included the following 11 key compliance program evaluation topics, with corresponding "common questions" for each:
- Analysis and Remediation of Underlying Misconduct
- Senior and Middle Management
- Autonomy and Resources
- Policies and Procedures
- Risk Assessment
- Training and Communications
- Confidential Reporting and Investigation
- Incentives and Disciplinary Measures
- Continuous Improvement, Periodic Testing and Review
- Third Party Management
- Mergers and Acquisitions
April 2019 Update
The April 2019 Update made a number of changes that were designed "to better harmonize the guidance with other Department guidance and standards while providing additional context to the multifactor analysis of a company's compliance program."3
Most significantly, the April 2019 Update organized the key topics that were identified in the original 2017 guidance around "three overarching questions" that guide prosecutors' review and assessment of a company's compliance program:
- Is the programme well designed?
- Is the program being implemented effectively?
- Does the program work in practice?
Under this revised structure, Part I "discusse[d] various hallmarks of a well-designed compliance program relating to risk assessment, company policies and procedures, training and communications, confidential reporting structure and investigation process, third-party management, and mergers and acquisitions."4 Part II "detail[ed] features of effective implementation of a compliance program, including commitment by senior and middle management, autonomy and resources, and incentives and disciplinary measures."5 Finally, Part III "discusse[d] metrics of whether a compliance program is in fact operating effectively, exploring a program's capacity for continuous improvement, periodic testing, and review, investigation of misconduct, and analysis and remediation of underlying misconduct."6
June 2020 Update
While the revisions created by the June 2020 Update are not extensive, they reflect the DOJ's continued emphasis on a practical and dynamic approach to evaluating the effectiveness of a company's compliance program, one that seeks to continually ensure not only that the program is in place, but that it is working. For example, the June 2020 Update changed the second overarching question ("Is the program being implemented effectively?"), to asking instead whether it is "adequately resourced and empowered to function effectively." The DOJ has thus identified what it considers to be the requisite building blocks of an effective compliance function: adequate resources and empowerment within the company, and signaled that it may evaluate the effective implementation of a compliance program by assessing data points such as the number and experience level of compliance functions within an organization, including their reporting lines, and the resources available to the compliance function.
The June 2020 Update reflects other revisions that similarly emphasize making sure the compliance program works by underscoring the need to understand why "the company has chosen to set up the compliance program the way it has, and why and how the company's compliance program has evolved over time." When evaluating a company's updates and revisions to its compliance program, prosecutors are to inquire whether the company's periodic review is limited to a "snapshot in time" or whether it is based on "continuous access to operational data and information across functions?"
The June 2020 Update also requires an examination of the company's processes for updating existing policies and procedures, in addition to implementing new policies and procedures. These updates to existing policies and procedures should be made in accordance with the company's periodic risk assessments, and should be based on "lessons learned."
The June 2020 Update also includes new language asking whether the company "periodically tests the effectiveness of the hotline, for example by tracking a report from start to finish?"
Another example of the DOJ's functional approach to risk assessment is new language querying whether the company "engage[s] in risk management of third parties throughout the lifespan of the relationship, or primarily during the onboarding process?"
With respect to mergers and acquisitions, the June 2020 Update calls for "a process for timely and orderly integration of the acquired entity into existing compliance program structures and internal controls." This language is consistent with the Guidance's statement that the extent of scrutiny that a company applies to its targets "is indicative of whether its compliance program is, as implemented, able to effectively enforce its internal controls and remediate misconduct at all levels of the organization." In other words, companies should carefully consider the extent and scope of their compliance due diligence and integration efforts, as this is a factor for evaluating the effectiveness of their compliance program. Companies should also consider preserving evidence of their decision-making processes concerning compliance due diligence and integration, such that they can justify their decisions, if required.
To ensure that a compliance program evolves in step with a company's risk profile, the June 2020 Update asks "how does the company invest in further training and development of the compliance and other control personnel?" and "what are the reasons for the structural choices the company has made?" The June 2020 Update also includes a new sub-section on adequate access to and monitoring data to evaluate whether a corporation's compliance program is adequately resourced and empowered to function effectively. This new sub-section queries whether compliance and control personnel have access data "to allow for timely and effective monitoring and/or testing of policies, controls, and transactions?" It also asks whether "any impediments exist that limit access to relevant sources of data," and if so, "what is the company doing to address the impediments?"
The new-subsection on access to data indicates the DOJ's recognition that data access and monitoring is critical to the proper functioning of a compliance program. Data analytics can help determine whether compliance failures are systemic or more aberrational. Such data can also help a company monitor investigations and discipline "to ensure consistency," which the June 2020 Update suggests is part of a compliance program's effectiveness.
With its emphasis on resources, empowerment, and practical efforts to continually confirm that the compliance function is working, the June 2020 Update both conveys what an effective compliance program requires, and reaffirms that an "off the shelf" program that merely exists on paper will not benefit a company that is under investigation by the DOJ (and may work to its detriment). It sets forth the DOJ's expectation that an effective corporate compliance program should evaluate and revise the risks that companies face on an ongoing basis, rather than focus on the risks from a single point in time, and should be adapted and revised accordingly. Companies are expected to test their compliance programs in a number of different ways to ensure they are working. Companies are also put on notice that, as part of its determination of whether a compliance program is adequately resourced and empowered, the DOJ will look into whether compliance and control personnel have sufficient access to relevant compliance data, such that they can monitor compliance risks and suggest upgrades to the compliance program based on their findings.
Thus, companies should consider the following in light of the June 2020 Update:
- Take concrete steps to ensure their compliance function has the necessary manpower, resources, and mandate to evaluate and enhance their compliance programs continuously.
- Ensure that their compliance program continually adapts to fit the companies' needs and risk profile, and that such changes are made in the context of a relevant matrix of facts and analysis stemming from those facts.
- Ensure that their compliance program has a robust auditing and testing component to ensure all the pieces are working correctly together.
Adopting these measures is perhaps even more critical for China-related companies, given recent heightened tensions in the US-China bilateral relationship. Since the DOJ launched its China Initiative in November 2018, it has brought more than 30 enforcement actions against China-related companies or individuals on charges including trade secret theft, economic espionage, and FCPA violations.7 China-related companies with a nexus to the US would be well served to take heed of the June 2020 Update, and assess and update their compliance programs accordingly. By doing so, they can better position themselves in the event of a DOJ investigation or prosecution.
1 US Department of Justice Criminal Division, Evaluation of Corporate Compliance Programs (Updated June 2020).
2 Dylan Tokar, Justice Department Adds New Detail to Compliance Evaluation Guidance, Wall Street Journal (June 1, 2020).
3 "Criminal Division Announces Publication of Guidance on Evaluating Corporate Compliance Programs," 30 April 2019. Press release.
7 US Department of Justice, Information About the Department of Justice's China Initiative and a Compilation of China-related Prosecutions Since 2018.
This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2020 White & Case LLP