DOJ Releases Revised Guidance on Corporate Compliance Programs and in Doing so Takes a More Nuanced Approach to Compliance Investigations

On June 1, 2020, the Department of Justice Criminal Division published updated guidance on an important piece of DOJ literature, the “Evaluation of Corporate Compliance Programs” (“Guidance”), which for many is considered the standard against which companies are to implement, evaluate, customize, and improve their compliance programs. First issued in February 2017 by the DOJ’s Fraud Section, the 2017 Guidance was heralded as an important blueprint for companies struggling with how exactly to design and implement an effective compliance program. But, in addition to being utilized proactively by General Counsels, Chief Compliance Officers, and outside counsel, the Guidance also serves as a mandatory tool in the federal prosecutor’s toolbox for evaluating whether a company’s compliance program works, and if so, how well, and ultimately, whether it weighs in favor or against criminal charges or other enforcement actions. To that end, the Guidance emphasizes the need for independent investigations, informed and effective oversight, and training tailored to key risk areas. Since its original issuance some two-and-a-half years ago, the Guidance has not remained static; in fact, it was updated once before in April 2019, to reframe the focus onto three fundamental questions regarding whether a company’s compliance program is (1) “well designed,” (2) “being implemented effectively,” and (3) “work[ing] in practice.”

The 2020 updates provide further refinement of the Guidance and reflect a more nuanced approach to compliance analyses, while still emphasizing the importance for effectiveness. The key takeaways from the 2020 updates are: (1) the focus on a reasonable, individualized approach to compliance; (2) the importance of incorporating “lessons learned” into risk assessment and compliance policies; and (3) the need to allocate adequate resources to corporate compliance programs.

Embracing a “reasonable, individualized” approach to compliance analyses

The 2020 Guidance calls for “a reasonable, individualized determination” that considers “the company’s size, industry, geographic footprint, regulatory landscape, and other factors, both internal and external to the company’s operations, that might impact its compliance program.” This tailored approach to compliance analyses is further reflected throughout the 2020 updates. Most notably, the 2020 Guidance advises prosecutors to “endeavor to understand why the company has chosen to set up the compliance program the way that it has, and why and how the company’s compliance program has evolved over time,” and to consider “the reasons for the structural choices the company has made.” This is a welcomed move away from a “one size fits all” approach.

In a new, important footnote, and perhaps recognizing that major multinationals do business throughout the world, prosecutors are told to consider how a particular compliance program “may be impacted by foreign law” and to ask “the basis for the company’s conclusion about foreign law, and how the company has addressed the issue to maintain the integrity and effectiveness of its compliance program while still abiding by foreign law.”  The issue of foreign law also arises indirectly in new language asking whether “any impediments exist that limit access to relevant sources of data,” which could come in the form of foreign data transfer laws or blocking statutes.  These changes reflect the reality of the globalized economy in which many companies do business, and provide companies an opportunity to reasonably rely on foreign law to explain weaknesses (or limitations) in their compliance programs.  But, not only can such factors be used as a shield, they can also be turned into a sword:  The absence of careful and thoughtful international input into a company’s compliance program can also be used by prosecutors to argue for (or show) an ineffective compliance program that is not properly tailored to the company’s risk profile, does not work, or does not work well, and is a recipe for after-the-fact excuses when trouble hits.

Implementing “lessons learned” from risk assessments

Updates in the 2020 Guidance emphasize the importance of creating dynamic compliance programs that evolve through time-tested experience.  Under the latest Guidance, prosecutors should consider “why and how the company’s compliance program has evolved over time” in determining whether the program is well designed.  The 2020 Guidance recognizes the need for periodic risk-assessment reviews leading to informed updates in compliance policies and procedures. 

As in previous versions of the Guidance, the “starting point” for a prosecutor’s inquiry into a compliance program is whether a company has assessed its risk profile, scrutinized its methodologies, and devoted resources appropriately.  But the 2020 Guidance takes the inquiry a step further and asks prosecutors to consider whether the company’s risk assessment is subject to periodic review “based upon continuous access to operational data and information across functions” rather than just a “‘snapshot’ in time.”  In evaluating the “lessons learned” through risk-assessment reviews, the 2020 Guidance asks whether companies have been learning not only from their own experiences, but also those of other companies operating in the same industry and/or geographical region, or facing similar risks.  This is the classic view that if you are not learning, growing, and adapting, you are struggling, if not failing.  As such, prosecutors are further invited to consider whether “periodic review led to updates in policies, procedures, and controls.”  Together, these updates suggest that DOJ prosecutors will be looking for broad and proactive assessments of risks, and tangible changes to company policies and procedures following compliance violations.  

Allocating adequate resources for success

Recognizing that the best of compliance programs need to be nourished or else they will starve, the 2020 updates refocus the Guidance’s second fundamental question from whether the compliance program is “being implemented effectively” to whether the program is “adequately resourced and empowered to function effectively.” The change is more than just linguistic or symbolic; it makes clear that companies cannot develop adequate or even best-in-class compliance programs, and then fail to devote sufficient funds or personnel to put the programs into practice. As the Guidance acknowledges, “[e]ven a well-designed compliance program may be unsuccessful in practice if implementation is lax, under-resourced, or otherwise ineffective.” (Updates emphasized.)  In other words, the emphasis is not on the paper on which a program is written, but on its real-life implementation and effectiveness.  This emphasis will impose a heftier burden on prosecutors—or monitors—attempting to evaluate the effectiveness of compliance programs.

Moreover, the reframing of the second question signifies a shift towards a more process-oriented inquiry that is further reflected in questions throughout the revised Guidance. For example, the 2020 Guidance recognizes the importance of “creat[ing] and foster[ing] a culture of ethics and compliance with the law at all levels of the company,” and “implement[ing] a culture of compliance from the middle and the top.” (Updates emphasized.) This concept of “tone from the middle” is not accidental; it reflects the reality that often mid-level managers are those that are in the best position to identify, fix, and prevent problems and lead the rank and file through the day-to-day challenges of business. As such, companies need to actively engage management at all levels to promote a culture of respect and compliance.

The 2020 updates also bring the Guidance into the 21st century by embracing the role of technology in monitoring the effectiveness of compliance programs. To that end, prosecutors are now asked to consider whether personnel in the compliance and control function are utilizing relevant sources of data to effectively track, monitor, and test a company’s risk assessment and compliance policies and procedures. These new provisions suggest that it is money well spent for companies to invest in data analytics and similar technologies and to incorporate such technologies into their compliance programs.

Conclusion

It is not unusual for the DOJ to tweak guidance documents, especially after such guidance has been in effect for several years and has the benefit of age and seasoning, along with the battle scars that come with being on the front lines and time tested. Here, although not an overhaul, the 2020 Guidance is still significant in its own regard. It builds upon previous iterations of the Guidance and reflects a trend towards nuanced, individualized compliance analyses. As the compliance function continues to evolve and grow, one can expect additional guidance changes will take root. For now, the 2020 Guidance reflects that corporate globalization is here, that lessons learned— even the hard way—are critical to risk assessments and compliance policies, and that lofty goals turn into achievable missions when they are funded and appropriately resourced.