The U.S. Department of Justice Criminal Division recently released updated guidance to aid prosecutors in evaluating corporate compliance programs as part of their investigations into corporate misconduct. The import of this guidance cannot be overstated. Corporate compliance regimes—or the lack thereof—directly impact prosecutors’ charging decisions, the monetary penalties sought, and the types of corporate criminal resolutions available to organizations. This alert provides corporate counsel with the key takeaways from DOJ’s Evaluation of Corporate Compliance Programs guidance document.
Although there are best practices in compliance, there is no one-size-fits-all compliance program. And DOJ recognizes that. With that recognition in mind, DOJ’s new guidance reinforces and adds substance to the three overarching questions that the Justice Manual directs prosecutors to use in their assessment of compliance program efficacy. Those questions are: (1) Is the corporation’s compliance program well designed?; (2) Is the program being applied in good faith?; and (3) Does the corporation’s compliance program work in practice?
To help prosecutors answer these questions, the guidance identifies various topics and questions relevant to each. Here are the main points to note.
- Compliance is not just on paper: The updated guidance itself affirms that paying lip service to compliance does not cut it. Having a well-designed compliance program is not enough; it’s critical that the program also be effectively implemented. Senior management should clearly communicate the message that misconduct will not be tolerated, reinforce that message regularly, and lead by example in fostering a business culture that embraces robust compliance programs and ethical practices.
- Identify and address your specific risks: We said it above, and we’ll say it again: there’s no such thing as a one-size-fits-all compliance program. DOJ’s guidance emphasizes the importance of conducting a risk assessment that identifies the specific areas of risk your company faces based upon the industry and geography it operates in. Companies should devote resources to those areas in which they face the highest risk, and avoid spending an inordinate amount of time policing low-risk areas.
- Training is not trivial: Prosecutors are told to evaluate whether compliance policies are provided to and understood by employees at all levels of business organizations. Gone are the days of burying compliance training in the middle of an orientation day. Prosecutors want to know how companies are disseminating information about compliance policies, what companies are doing to gauge employee engagement and understanding, and whether the training offerings are sufficient. And training does not necessarily look the same for all employees, but may need to be tailored to address the real-life scenarios employees are likely to face in their respective lines of work.
- Continuous review and assessment is key: DOJ views compliance policies as living documents. That is, DOJ expects companies to regularly review the effectiveness of their policies in practice and make necessary adjustments to address the evolving risks they face. To that end, the guidance instructs prosecutors to understand what steps, if any, companies take to assess the risks they face, test the effectiveness of their compliance programs, and adjust policies and practices based on experience. In other words, building a muscular compliance system is just a first step—to keep that muscle, it must be worked out regularly.
Bottom line: With this new guidance and the earlier roll-out of an amended FCPA Corporate Enforcement Policy, DOJ is not just telling prosecutors what they should be looking for. It’s also telling businesses what it expects from them on the compliance front. And what DOJ expects is not just a compliance program that looks good on paper, but a compliance program that works in practice, is tailored to meet the risks the company faces, and has the flexibility to evolve along with those risks.