1. Home
  2. |Insights
  3. |Revisions to DOJ’s Corporate Compliance Guidance Indicate that a Dynamic, Data-Driven and Well-Resourced Compliance Program is More Important than Ever

Revisions to DOJ’s Corporate Compliance Guidance Indicate that a Dynamic, Data-Driven and Well-Resourced Compliance Program is More Important than Ever

Client Alert | 4 min read | 06.08.20

On Monday, June 1, 2020, the Department of Justice’s (DOJ’s) Criminal Division issued an updated version of the “Evaluation of Corporate Compliance Programs” guidance. The guidance was originally published by the Criminal Division’s Fraud Section in February 2017, and last revised in April 2019. The updated guidance emphasizes the need for companies to ensure that their compliance function is sufficiently resourced and empowered to fulfill its mission, and to engage in continuous improvement—evolving as necessary to meet changing circumstances and challenges. The updated guidance also provides practical takeaways on issues related to training, testing, mergers and acquisitions, and the impact of foreign law on a company’s compliance program. Given the unique stressors and challenges that the coronavirus pandemic has created, this updated guidance is a timely reminder for companies to assess whether their compliance program comports with best practices and DOJ’s expectations.

Like its predecessor versions and as previously discussed here, the purpose of the updated guidance is to assist prosecutors in evaluating a company’s compliance program to determine appropriate charging and resolution decisions. The DOJ guidance remains structured around three central framework considerations to help guide prosecutors in their evaluation of a corporation’s compliance program:

  1. whether a corporation’s program is well-designed;
  2. whether the program is being applied earnestly and in good faith; and
  3. whether the program works in practice. 

Focus on the Authority of and Resources Allocated to Compliance Function

The updated guidance refines the application-focused question, explaining that the good faith application of a company’s compliance program directly relates to whether the company has provided the program with the resources it needs to function effectively. The prior version of the guidance explained that this question was focused on whether a corporation’s compliance program was being “implemented effectively.” The updated guidance reframes the issue as whether the program is “adequately resourced and empowered to function effectively.” Associated edits to the section addressing this topic direct prosecutors to probe the underlying reasons for structural choices related to a company’s compliance function, and place new emphasis on the need to assess whether a company’s compliance personnel have the access they need to relevant data to facilitate “timely and effective monitoring and/or testing of policies, controls, and transactions” or conversely, whether impediments exist to such access. 

Leveraging Data for Continuous Improvement

Updates throughout the revised guidance also make clear that the DOJ expects an effective, good faith, and well-designed compliance program to be dynamic and capable of adjusting as needed to the changing risk profile of the company, to incorporate lessons learned, and to have access to and incorporate relevant data from the company. 

The DOJ has made additions to all three framework questions to reflect this focus on dynamism, with questions geared toward understanding how a compliance program has evolved over time—including whether the company’s risk assessment is subject to periodic review and based on “continuous access to operational data and information across functions.” Specifically, DOJ now inquires whether the company:

  • tracks and incorporates lessons learned into its risk assessment and compliance program, both from its own prior issues and from those of other companies facing similar risks;
  • engages in risk management of third parties throughout the lifespan of the relationship instead of just during the onboarding process; and
  • invests in the ongoing training and development of its compliance and control personnel.

While emphasizing the need for continuous evolution in these areas, DOJ also underscores the importance of an unwavering—and still data-driven—standard in others: the guidance now asks whether the compliance function monitors its investigations to ensure disciplinary standards are applied consistently.

Other Notable Updates

The updated DOJ guidance also provides clarity related to several other substantive issues. Notable changes include the following:

  • Accessibility of Policies, Training, and Testing – The updated questions include whether policies and procedures are published in a searchable format for easy reference, and encourage prosecutors to evaluate whether a company tracks access to those policies “to understand what policies are attracting more attention from relevant employees.” Compliance training should provide a forum for employees to ask questions, and a company should also—as a general matter—evaluate the effectiveness of such training by identifying “the extent to which [it] has an impact on employee behavior.” Elsewhere, the updated guidance highlights the importance of testing, asking if the company evaluates whether employees are aware of reporting mechanisms (e.g., reporting hotline), are comfortable using those mechanisms, and whether the company periodically tests the effectiveness of those mechanisms. 
  • Mergers and Acquisitions – The updated guidance indicates that a well-designed program should include a process for the “timely and orderly integration” of an acquired entity into a company’s preexisting compliance and internal controls infrastructure. Importantly, it acknowledges that pre-acquisition due diligence might not be feasible in all situations, with the addition of a question that asks whether the company was able “to complete pre-acquisition due diligence and, if not, why not?”
  • Foreign Law – The updated guidance acknowledges that companies may be impacted by various non-U.S. laws and provides insight on how it will consider a company’s assertions that it structured its compliance program in a particular way, or made a compliance decision, based on foreign law. First, companies should be asked about “the basis for . . . its conclusion about foreign law.” Additionally, the guidance notes that irrespective of limitations imposed by foreign law, companies should not skimp on compliance requirements and are expected to maintain the “integrity and effectiveness of its compliance program while still abiding by foreign law.” 

As a result of the ongoing pandemic, companies are facing new and additional compliance challenges, including those related to the health and safety of the workforce, supply chain and distribution disruption, use of federal stimulus funds, and a remote workforce. Using the updated DOJ guidance as a benchmark, companies should take stock of whether their current compliance program is appropriately calibrated to meet those challenges and make the necessary enhancements to enable them to be able to respond appropriately to questions regarding the sufficiency of the program.