On June 1, 2020, the U.S. Department of Justice (“DOJ”) published a revised version of its guidance on the “Evaluation of Corporate Compliance Programs” (the “June 2020 Guidance”). Like its predecessors in February 2017 and April 2019, the June 2020 Guidance provides greater transparency regarding DOJ’s expectations for corporate compliance programs and demonstrates DOJ’s willingness to listen to and incorporate the experiences of the business community into its internal policies. The additions to the Guidance provide valuable insight into DOJ’s views of how the compliance environment is evolving, and focusing on these additions should prove valuable to compliance and legal professionals looking to enhance or benchmark an existing compliance program.
Background
In February 2017, the Fraud Section in DOJ’s Criminal Division released the original “Evaluation of Corporate Compliance Programs” Guidance (“the Guidance”). The stated purpose of the document was to provide a list of “some important topics and sample questions that the Fraud Section has frequently found relevant in evaluating a corporate compliance program” and included a list of 11 topics (and 119 questions) to that end. The increased transparency provided by the Guidance received a generally positive reception from the legal and business communities. The Guidance provided useful direction for companies not only undertaking or responding to investigations but also designing or enhancing compliance programs, or simply wishing to benchmark an existing compliance program against the government’s expectations.
On April 30, 2019, the Assistant Attorney General (“AAG”) for the U.S. Department of Justice’s Criminal Division, Brian Benczkowski, announced the release of an updated version of the February 2017 Guidance (“the revised Guidance”)—a document that provided more information and guidance as to how prosecutors conducting corporate investigations should assess a company’s compliance program. Our prior alert discussed some of the more noteworthy changes in the revised Guidance, including its emphasis on a company’s ability to develop a risk-based approach to compliance and third-party management.
The June 2020 Guidance
In announcing the June 2020 Guidance, AAG Brian Benczkowski of the Justice Department’s Criminal Division explained that the document “reflects additions based on our own experience and important feedback from the business and compliance communities.”[1] The June 2020 Guidance leaves much of the substance from earlier versions unchanged; however, there are a number of useful updates for businesses and in-house professionals looking to enhance a company’s compliance program and/or benchmark a program against DOJ expectations. These more recent updates also demonstrate DOJ’s ongoing efforts to improve its policies and provide greater transparency and clarity to companies looking to comply with DOJ policy.
Below we discuss some of the key aspects of the June 2020 Guidance.
- Utilizing Data. The June 2020 Guidance adds two new references that underscore DOJ’s expectation that companies will increasingly use data to shape and enhance their compliance programs. First, in the “Continuous Improvement, Periodic Testing, and Review” section, the June 2020 Guidance instructs prosecutors to consider whether a company’s periodic risk assessments “are limited to a ‘snapshot’ in time” or if they are based on “continuous access to operational data and information across functions.” Prosecutors should then ask whether this periodic review has led to updates in the company’s policies, procedures, and controls. Second, in the “Autonomy and Resources” section, the June 2020 Guidance instructs prosecutors to consider the extent to which compliance and control personnel “have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions.” Prosecutors should also ask whether there are any impediments that limit access to relevant sources of data and, if so, whether the company is undertaking any efforts to address those limitations. These additions are notable in that they underscore DOJ’s focus on data analytics as a critical component of the overall compliance program. Metrics, and an emphasis on controls and monitoring, have always been central to a robust compliance function, but enforcement authorities are increasingly looking for companies to be thoughtful and innovative in how they harness the power of data analytics to enhance their compliance environment.
- Leveraging “Lessons Learned.” The June 2020 Guidance builds on the prior version’s discussion of the importance of incorporating “lessons learned” into corporate compliance programs and training materials, emphasizing that the “lessons learned” should come both from a company’s own experiences and from other companies facing similar risks. The document asks prosecutors to consider whether the company has a process for tracking and incorporating such lessons into its periodic risk assessments and whether the company reviews and adapts its compliance program based upon such lessons.
- Creating User-Friendly Compliance and Training Resources. The June 2020 Guidance adds language geared toward assessing whether employees can effectively use the training they receive. The Guidance suggests that an effective training program will enable employees to timely identify and elevate issues to the proper internal resources and will provide employees with the opportunity to ask questions arising out of their training. The Guidance instructs prosecutors to ask whether the company has evaluated the extent to which training has had an impact on employee behavior and operations. The Guidance also instructs prosecutors to ask whether the company’s policies and procedures have been published in a searchable format for easy reference and whether the company tracks access to the various policies and procedures to understand which ones are attracting more attention from relevant employees. The June 2020 Guidance also asks whether the company periodically tests the effectiveness of its own hotline, such as by measuring employee awareness of, and comfort in using, the hotline.
- Integrating Acquisitions. Whereas the April 2019 Guidance focused largely on pre‑acquisition due diligence, the June 2020 Guidance added new language focused on the integration of the acquired entity into the acquiring company’s compliance program and internal controls, including the use of post-acquisition due diligence and audits of the acquired company.
- Ensuring Adequate Resourcing. The April 2019 Guidance emphasized the importance of properly funding various aspects of the compliance program. The June 2020 Guidance includes additional language designed to explore not simply whether the compliance program is “being implemented effectively,” as the prior of the Guidance stated, but whether it is “adequately resourced and empowered to function effectively.” For example, the June 2020 Guidance asks prosecutors to consider how the company invests in further training and development of the compliance function and other control personnel and, as discussed above, whether compliance and control personnel have access to data and other information needed to perform their functions.
- Understanding the Context. The June 2020 Guidance includes new language that instructs prosecutors to “endeavor to understand why the company has chosen to set up the compliance program the way it has, and why and how the company’s compliance program has evolved over time.” It asks prosecutors to explore the reasons behind certain structural choices that have been made. These additions highlight the need to better understand the context surrounding a company’s compliance program—including where the program started and how it has evolved, as well as factors such as “the company’s size, industry, geographic footprint, regulatory landscape, and other facts, both internal and external to the company’s operations, that might impact its compliance program.”
Key Takeaways
- Similar to the revised guidance issued in April 2019, the June 2020 Guidance is a positive development in that it is another example of DOJ’s efforts to be more transparent in its expectations for corporate compliance programs and its responsiveness to the experiences and concerns of the business community.
- Data analytics are an ever-increasing aspect of a robust compliance program. The addition of language related to the use of data analytics underscores this trend and DOJ’s continued focus on compliance-related metrics and other enhancements that can be driven by data analytics. Companies should be thoughtful and creative in thinking through the ways its organization can utilize data to identify patterns, trends, relationships, and anomalies as real-time early warning systems.
- As discussed in our prior alerts, there is no “one-size-fits-all” approach to compliance. Like its predecessors, the June 2020 Guidance should not be thought of as a “checklist” or formula. Rather, it should serve as a guide for companies to consider when creating, enhancing, or benchmarking their compliance programs. This is particularly true when considering the implementation of complex and potentially very expensive efforts to capture big data and employ artificial intelligence systems.
[1] Dylan Tokar, Justice Department Adds New Detail to Compliance Evaluation Guidance, Wall Street Journal (June 1, 2020).