Department of Justice Updates Compliance Program Guidelines
This week, the Department of Justice updated its guidance concerning how it evaluates compliance programs when making corporate criminal charging decisions or negotiating plea agreements. This is an update from the original 2017 document, which was revised in 2019.
These considerations are extremely important when there is an investigation of a Company by federal law enforcement agencies and decisions are made as to whether the Company will be charged, for what, what the penalties sought would be, etc. The “odds” of avoiding criminal charges, or at least limiting the damage from any charges that are brought, are significantly better if the Company has a robust, legitimate and constantly monitored and enforced compliance program. If that program has led to an internal investigation, whether with in-house counsel, outside counsel, or both, that also is an important consideration for the Government.
The DOJ's fundamental focus is on three areas: (1) is the compliance program well-designed; (2) is it applied earnestly and in good faith (in other words, is it adequately resourced and empowered to function effectively); and (3) does it work in practice?
The program needs to be designed with the Company’s particular business in mind. The specific risk associated with the business must be addressed. A “one-size-fits-all” model will not work. This also requires regular monitoring and updating of the program in light of a changing customer base, things learned from the day-to-day business operations, recent changes in laws and regulations, changes in personnel and responsibilities, and any other matters that need to be kept up to date to make the compliance program a viable one. Related to that, as new contracts or contracts with new customers are being considered or implemented, the guidelines direct inquiry into whether the company put more resources into policing high-risk areas, higher value contracts, and relationships with government agencies in high-risk countries.
The DOJ analysis also will consider whether the Company has established well-designed ways of communicating the policies, procedures, updates, and “lessons learned” to its employees. There needs to be serious, thorough and regular training for the employees (and management, and even the Board), and it must be clearly communicated to all concerned that violations of law will not be tolerated, and that the “tone at the top” is one of strict compliance. Most basically, the compliance program cannot be seen as a roadmap as to how to skirt the law, or outright violate it, rather than following it.
There must be an effective method of reporting misconduct up the chain of command within the Company, including the Board if necessary, anonymously, and with no fear of retribution for such reporting. The Company must have a mechanism in place for following up on complaints, and that must be documented. The new guidelines specifically note that an important factor in the DOJ consideration is whether the Company periodically tests the effectiveness of the hotline, for example, by tracking a report from start to finish.
Importantly, the new guidelines place specific attention on the third-party relationships of the business, and whether, e.g., “the company engages in risk management of third parties throughout the lifespan of the relationship, or primarily during the onboarding process”. Similarly, there will be attention to mergers and acquisitions of new business.
A very important, and always targeted, inquiry is whether the compliance program is “real” or a one-time project put on paper to look good and only dragged out when a government investigation surfaces. The guidelines direct inquiry into whether the program is “under-resourced” or otherwise ineffective. Since the government inquiry usually results from complaints that there is criminal conduct occurring, which would be contrary to the compliance program's dictates, the Company already starts off on the defensive. Almost by necessity, the government likely will believe that the compliance program “failed” someplace with regard to the conduct at issue. That does not mean that the program was “ineffective” or not taken seriously by management. Indeed, if an internal investigation uncovered the misconduct, it often can be shown that the effectiveness of the overall program is what led to the discovery of the misconduct of a particular employee acting on his or her own. That is why the investigation of any suspected or reported criminal conduct must be thorough and supported by management (or the audit committee) no matter how “high up” the trail leads. The program necessarily must account for the autonomy of the compliance investigator, and any outside counsel conducting an investigation.
At bottom, the DOJ's purpose in enacting these guidelines is to encourage companies to adopt programs that lead to compliance with laws and regulations, and to engage the companies themselves in ferreting out illegal conduct.