Alerts and Updates

DOJ Updates Guidance on Corporate Compliance with Focus on Data Analysis and Continuous Monitoring for Effectiveness

June 22, 2020

The revisions highlight the DOJ’s consideration of the unique circumstances of each company and the design and implementation of its compliance policies and systems.

On June 1, 2020, the Department of Justice’s (DOJ) Criminal Division updated its guidance on how prosecutors should evaluate corporate compliance programs. This update follows the comprehensive guidance provided by the DOJ in April 2019 and discussed in our previous Alert. The updated guidance provides additional transparency regarding the DOJ’s approach to evaluating corporate compliance programs and the three (slightly revised) fundamental questions that a prosecutor should ask when conducting such an evaluation:

  1. Is the corporation’s compliance program well designed?
  2. Is the program being applied earnestly and in good faith? In other words, is the program being adequately resourced and empowered to function effectively?
  3. Does the corporation’s compliance program work in practice?

The updated guidance contains slight modifications to the evaluative tools federal prosecutors should use when conducting an investigation of a corporation, determining whether to bring charges and negotiating a plea or other agreements. In announcing the updates, Assistant Attorney General Brian Benczkowski of the Criminal Division stated that the additions are “based on [the DOJ’s] own experiences and important feedback from the business and compliance communities.” The updated guidance is the latest example of the DOJ’s ongoing efforts to encourage robust corporate compliance programs to facilitate self-reporting, full cooperation and remediation by companies subject to corporate criminal investigations.

Key Updates

The revisions highlight the DOJ’s consideration of the unique circumstances of each company and the design and implementation of its compliance policies and systems. While emphasizing the importance of periodic assessments of a company’s compliance program’s functionality and efficacy, the revisions encourage prosecutors to take into account evolving business structures, legal and regulatory landscapes and the company’s own experiences with compliance-related issues. The following are the key updates and changes to the guidance:

Changes to the Second Fundamental Question

The DOJ revised the second question prosecutors should ask in evaluating corporate compliance programs. Instead of asking whether the program is “being implemented” effectively, the revised question asks whether the program is “adequately resourced and empowered to function properly.” Thus, the resources and authority behind the program will be key considerations in reviewing the effectiveness of the program.

Individualized Assessment

In the introduction to the updated guidance, the DOJ now emphasizes a flexible, “reasonable, individualized determination” of each case. This case-by-case analysis considers a multitude of factors, including the company’s size, industry, geographic footprint, regulatory landscape and other factors that might impact its compliance program.

Periodic Review

Prosecutors are now expected to question whether a company’s periodic review of its compliance program is limited to a “snapshot” in time or based upon continuous access to operational data and information across functions. This underscores an understanding that effective compliance programs are evolving rather than static.

Lessons Learned

The DOJ will now ask whether the company has a process for tracking and incorporating into its periodic risk assessment “lessons learned” either from the company’s own prior issues or from those of other companies operating in the same industry and/or geographical region.

Hotlines

The updated guidance encourages prosecutors to ask whether the company takes measures to test whether employees are aware of the company’s confidential reporting “hotline” mechanism and whether they feel comfortable using it. Prosecutors should ask whether the company periodically tests the effectiveness of the hotline by, for example, tracking a report from start to finish.

Third Party Relationships and Acquisitions

Guidance on how prosecutors should assess third party relationships and acquired entities, within the compliance framework, has been updated to reflect a more thorough and encompassing approach. Prosecutors will now ask whether the company engages in risk management of third parties throughout the lifespan of the relationship, or primarily during the onboarding process. The updated guidance instructs that a well-designed compliance program not only includes comprehensive due diligence of acquisition targets, but also a process for the acquired entities to be integrated into the company’s existing compliance program in a timely and orderly fashion.

Data Resources and Access

The updated guidance adds a focus on the importance of access to relevant sources of data as a means of monitoring and enhancing compliance procedures and policies. Prosecutors should consider whether compliance data is accessible and whether impediments to accessing relevant data collection are addressed.

Foreign Law

Prosecutors are encouraged to consider whether certain aspects of a compliance program may be impacted by foreign law and how to permit a company to address the issue of maintaining the integrity and effectiveness of its compliance program while still abiding by foreign law. The updated guidance shows the DOJ’s recognition that the requirements of foreign law may affect how a company designs its compliance program.

Takeaways

The updated guidance demonstrates the DOJ’s view of the importance of dynamic and evolving compliance programs based on data-driven analysis and testing, continuous risk assessment and analysis of the effect of foreign law on such programs, if applicable. While these updates show that the DOJ will consider each company’s individual compliance program in light of its industry, geographic footprint and other factors, companies will benefit by establishing compliance programs that are data-focused, evolving over time and consistently monitored.

About Duane Morris

Duane Morris’ white-collar criminal defense attorneys develop preventative corporate compliance programs designed to protect against corporate misconduct and, if misconduct occurs, can mitigate the consequences of a corporate criminal prosecution.

For More Information

If you have any questions about this Alert, please contact Christopher H. Casey, Forrest Hansen, Brittany Pagnotta, George D. Niespolo, Eric R. Breslin, any of the attorneys in our White-Collar Criminal Defense, Corporate Investigations and Regulatory Compliance Group or the attorney in the firm with whom you are regularly in contact.

Disclaimer: This Alert has been prepared and published for informational purposes only and is not offered, nor should be construed, as legal advice. For more information, please see the firm's full disclaimer.