New DOJ Guidance Says Corporate Compliance Programs are Necessary and Should Evolve
On June 1, 2020, the Criminal Division of the U.S. Department of Justice (“DOJ”) issued a revision to its Guidance Document on the Evaluation of Corporate Compliance Programs. https://www.justice.gov/criminal-fraud/page/file/937501/download.
The Guidance Document, which was originally issued in February 2017, and updated in April 2019, is “meant to assist prosecutors in making informed decisions as to whether and to what extent, the corporation’s compliance program was effective at the time of the offense, and is effective at the time of a charging decision or resolution….”
Here are the key takeaways from the recent revisions:
- Corporate compliance programs will not all be treated the same, but they will be evaluated based on “the company’s size, industry, geographic footprint, regulatory landscape, and other factors, both internal and external to the company’s operations, that might impact its compliance program.”
- Risk Assessments: The Guidance Document asks whether a company has performed risk assessments and subjected those assessments to periodic reviews that are “based on continuous access to operational data and information across functions,” and have “led to updates in policies, procedures in controls,” as opposed to a simple snapshot in time.
- Training: Companies are urged to adopt a training program that allows employees to ask questions and allows the company to evaluate “the extent to which the training has an impact on employee behavior or operations?”
- Compliance Hotlines: “Does the company take measures to test whether employees are aware of the [reporting] hotline and feel comfortable using it…” and “does the company periodically test the effectiveness of the hotline, for example by tracking a report from start to finish?”
- Third Parties: What is the “business rationale for needing” a third party in a transaction; What are the risks imposed by third parties; and “Does the company engage in risk assessment of third parties throughout the lifespan of the relationship, or primarily during the onboarding process?”
- Mergers and Acquisitions: Well-designed compliance programs should include “a process for timely and orderly integration of the acquired entity into existing compliance program structures and internal controls.”
- Access to Data: Do compliance and control personnel have sufficient access to relevant data sources to allow timely and effective monitoring and/or testing of policies, controls and transactions?
- Evolving Updates: “Does the company review and adapt its compliance program based on the lessons learned from its own misconduct and/or that of other companies facing similar risks?”
Clearly evident from these revisions is the need for a company’s compliance program to continually assess its effectiveness and to evolve in order to meet the changing needs of the company and its business environment. Simply drafting a nice neat compliance program and then sticking it in a drawer will not win the company many points should it ever come under DOJ’s microscope. Rather, the companies that invest the time and resources to routinely test its compliance program, and adapt it accordingly, should receive a more favorable review during a DOJ investigation.
Butzel Long’s team of seasoned White Collar Criminal Defense and Investigations counsel are ready to assist you in crafting a new compliance program designed to meet the latest DOJ guidance or to test your current compliance program to make sure it is designed to be effective and adaptive.