On June 1, 2020, the U.S. Department of Justice (DOJ) issued its revised Evaluation of Corporate Compliance Programs guidance (June 2020 Guidance). The updated guidance is a prosecutorial resource for assessing corporate compliance programs during criminal investigations and determining whether to bring charges and when negotiating pleas or other agreements. The notable updates focus on clarifications regarding data utilization, third parties, adequate resources, and dynamic evaluation.
The June 2020 Guidance
The April 2019 Guidance directed DOJ prosecutors to focus on the quality of compliance program design, the effectiveness of implementation, and the proper functioning of a given compliance program. Though these foundational elements still constitute most of the guidance, the revisions set some new standards and offer greater insight into the DOJ’s methodology. Accordingly, institutions should review their compliance programs to ensure — at a minimum — parity with prosecutors’ expectations. The thematic revisions within the guidance are as follows:
Perhaps most importantly, the June 2020 Guidance directly reflects the DOJ’s shift in view toward a more pragmatic understanding of a company’s real-world business experience. Prosecutors are directed to focus on the totality of a company’s compliance program, making sure to consider not only the compliance failures but also subsequent remediation. The focus of the DOJ is to understand why a company’s compliance program operates in a certain way and how that program has evolved over time. The DOJ embraced this dynamic review perspective, which accounts for factors such as a company’s size and industry. The DOJ understands that compliance programs must be built to fit the company and tailored over time to address the relevant risk concerns based upon internal and external lessons learned from compliance failures, shortcomings, and internal risk assessments.
Constructive Data Utilization
The updates in the June 2020 Guidance indicate that the DOJ is highly focused on how companies embrace data analytics to monitor and improve their compliance programs. The document now directs prosecutors to evaluate whether the company’s periodic risk assessments are limited to discrete “snapshot” reviews or if they are representative of robust, ongoing evaluations of operational data and other cross-functional information to continuously update policies and controls. Prosecutors will evaluate whether compliance staff have sufficient access to direct and indirect sources of data to allow for timely and effective monitoring, and testing of policies, procedures, and transactions. Where prosecutors determine that data access is lagging, then assessment will focus on how the corporation is addressing the access impediments. Poor quality or weak data sharing can unduly expose organizations to increased regulatory and enforcement risks.
Sustained Focus on Third Parties
The revised guidance demonstrates the DOJ’s continued expectation for companies to diligently manage third-party relationships. Compared to the April 2019 Guidance, the June 2020 Guidance explicitly directs prosecutors to assess whether companies are aware of the business rationale for engaging third parties and the various risks that they pose to the company. Moreover, prosecutors should evaluate whether companies’ conduct third-party risk assessment and management over the lifespan of the relationship or primarily during onboarding. Similarly, the revisions in the June 2020 Guidance acknowledge the importance of a company’s due diligence processes for mergers and acquisitions. Prosecutors may ask a company to justify its integration approach with a focus on timely incorporation of third parties into a company’s existing compliance program. Such steps will require post-acquisition audits to assure adherence to the June 2020 Guidance. Accordingly, the revisions emphasize the importance of documenting and maintaining a comprehensive set of processes and controls that support ongoing monitoring of third parties and acquisitions.
Importance of Adequate Resources
The June 2020 Guidance also directs prosecutors to determine whether a company’s compliance program is adequately resourced and empowered to function effectively. This new focus is a subtle but important departure from the DOJ’s past prioritization on purely effective implementation and incorporates training into a determination of resource adequacy. Accordingly, the DOJ will investigate the methods for training employees, the adequacy of available training resources, and escalation protocols. With recent and potentially lasting increases in remote operations, companies should ensure that online trainings are targeted, engaging, and monitored for staff comprehension and understanding. In addition, providing employees with opportunities to raise questions through email or other internal communications platforms is a necessity for remote training. The June 2020 Guidance advises DOJ prosecutors to evaluate the effectiveness of these communication avenues through data analysis. Accordingly, companies must therefore diligently test reporting methods on a regular basis to ensure effectiveness.
What Does This Mean for Your Business?
While the June 2020 Guidance does not mark a major change from the previous guidance issued in April 2019, the implications of the guidance show the DOJ’s continued effort to improve transparency and effectiveness. Companies should seize this opportunity to improve their compliance programs and align themselves with the DOJ’s future expectations in the following ways:
All compliance departments should continue to leverage data analytics to develop their compliance programs in innovative ways.
The company should continue to diligently perform and document ongoing monitoring and training of third parties to ensure the company maintains alignment with DOJ guidelines.
Compliance programs must ensure that communication avenues are effective and easily accessible.
Post-acquisition compliance testing is vitally important to ensure the effective operation and sustainability of the organization’s compliance program.
The company should identify and incorporate lessons learned both internally and through public disclosures into standard practice.
Ultimately, the June 2020 Guidance demonstrates the DOJ’s evolving perspective on corporate compliance and will continue to inform the foundation of company compliance programs moving forward.
Special thanks to contributing authors Benjamin Donat and Robert Wilson.