U.S. Department of Justice tweaks its guidance on compliance programs

In 2017, DOJ issued guidance which applied solely to the Department’s Fraud Section – the home of all FCPA investigations and prosecutions – and offered a framework of 11 compliance program “hallmarks.”  In April 2019, the Department released updated guidance that applied to the DOJ’s entire Criminal Division.  While the 2017 Guidance provided a solid framework for how to establish and evaluate a compliance program, the 2019 Guidance harmonized other Department guidance and showed the Department’s growing sophistication and maturation related to compliance programs.

On June 1, 2020, DOJ released an update to the 2019 guidance.  Like the 2019 Guidance, the 2020 Guidance remains organized around three important overarching questions:

1. Is the program well designed?
2. Is the program applied earnestly and in good faith?
3. Is the program working in practice?

For those who have been in the weeds on these issues for some time, the updates in the 2020 Guidance are neither novel nor groundbreaking, but there are some adjustments worth noting:

• First, resources and authority. The 2020 Guidance makes clear that a compliance program must be resourced adequately and have a strong voice within the company.  In fact, these requirements have been enshrined as part of the second overarching question referred to above.  That question in its entirety now reads: “Is the program being applied earnestly and in good faith? In other words, is the program adequately resourced and empowered to function effectively?”  The guidance goes on to consider whether the compliance program is empowered to function in a way that enables it to successfully identify and mitigate misconduct and whether “those with ‘day-to-day operational responsibility'” over the program maintain the appropriate stature within the organization and have “direct access” to management and the Board of Directors.
• Second, evolve pursuant to risk assessment. The Department continues to sharply emphasize the need for corporate compliance programs to be iterative and to be informed by risk assessments.  The 2020 Guidance places a spotlight on prosecutors understanding “why the company has chosen to set up the compliance program the way it has” and “how the company’s compliance program has evolved over time.”  This highlights that compliance is not “one size fits all,” and that companies must establish a risk-based approach to compliance and align its program to the specific commercial and operational risks it faces, as well as the regulatory obligations it must meet.
• Third, due diligence is just a start. Oversight of third parties must include broader “risk management . . . throughout the lifespan of the relationship.” Because companies can be liable for misconduct by third parties acting on their behalf, there must be ongoing monitoring of  high-risk business partners through their entire engagement.  This helps proactively remediate potential compliance risk and can serve to reaffirm the justification for retaining a business partner by verifying alignment with the company’s commercial strategies and priorities.
• Fourth, use data. The 2020 Guidance guidance notes that periodic reviews of the program should be “based upon continuous access to operational data and information across functions[.]” This suggests the company should be using data analytics, or otherwise have regular, robust access to relevant financial and other data and use that data to inform the program’s evolution.
• Lastly, don’t forget to test. It is worth noting that the 2020 Guidance continues the emphasis of the 2019 version on testing a program. The need to audit and otherwise test the effectiveness of a compliance program was a key takeaway from the 2019 Guidance and remains a central tenet of the 2020 Guidance.

The compliance program guidance offered by the Department since 2017 has grown increasingly sophisticated which, in turn, means so should our compliance programs. The days of simply issuing policies and rolling out some online training modules has long since passed.  The 2020 Guidance can serve as a reality check for companies who should ask whether they can answer the Department’s overarching three questions in the affirmative and, if not, what they can do to remediate that situation.