On June 1, 2020, the U.S. Department of Justice (“DOJ”) issued revised guidance on corporate compliance programs. The revised “Evaluation of Corporate Compliance Programs,” a document intended to provide guidance to DOJ prosecutors on how to evaluate compliance programs in the context of decisions about charging and resolving criminal cases against business organizations, provides useful insights for organizations in understanding what prosecutors and regulators expect from corporate compliance programs. Although the revisions don’t present any sea-changes, they reflect evolving standards and make clear areas of likely government focus.
First and foremost, the issuance of the revised guidance document during the current COVID-19 crisis is itself an unmistakable message: the need for attention to compliance—whether on the part of the regulators or on the part of companies—should not wane even in the current environment. Underscoring this point, the DOJ revised the second of its three “fundamental questions” a prosecutor should ask about a compliance program from “is the program implemented effectively” to “is the program adequately resourced and empowered to function effectively.” The theme of ensuring that adequate resources are devoted to compliance also appears elsewhere in the revised guidance, including in relation to how the company “invest[s] in further training and development of the compliance and other control personnel.”
Other areas in which the DOJ clarified or expanded on its expectations for corporate compliance programs include:
- Third parties.The new guidance shifts the focus regarding third parties from initial due diligence “primarily during the onboarding” to “risk management of third parties throughout the lifespan of the relationship.”
- Data analytics.The DOJ makes clear that the use of data and data analytics in compliance programs is no longer considered a “nice to have” component, but rather should be part of every compliance program.Specifically, the guidance directs prosecutors to consider whether “compliance and control personnel have sufficient direct or indirect access to relevant sources of data” and whether any “impediments exist that limit access to relevant sources of data.”It also indicates that risk assessments should be “based upon continuous access to operational data and information across functions.”
- Evaluation and evolution of compliance programs.The revisions make clear that the DOJ expects companies to periodically reevaluate their compliance programs and adapt them as circumstances change.This includes determining whether “periodic reviews led to updates in policies, procedures, and controls” and incorporating into risk assessment processes “lessons learned” from prior issues within the company and from issues faced by other companies operating in the same industry or region.Likewise, the guidance suggests that companies should test their reporting and internal investigation processes.
- Impact of foreign laws.The new guidance adds commentary regarding how the DOJ will consider the impact of foreign law on a company’s compliance program.Prosecutors are directed to “ask a company the basis for [its] conclusion about foreign law” where the company has asserted that a compliance decision was made based on foreign law.Beyond that, the guidance makes clear that, irrespective of any limitations imposed by a foreign law, the DOJ will expect the company to be able to demonstrate “how [it] has addressed the issue to maintain the integrity and effectiveness of its compliance program while still abiding by foreign law.”
The complete text of the new DOJ Evaluation of Corporate Compliance Programs (June 2020) can be found here.
Click here to download this article.