The parameters set forth in the DOJ's memorandum have implications not only for the government's evaluation of compliance programs in the context of criminal charging decisions, but also for how defense counsel structure their conference-room advocacy seeking declinations or lesser sanctions in both criminal and civil investigations.

An effective compliance program is essential for any business, allowing the organization to identify potential vulnerabilities and to minimize risk. It is also relevant in defending against government investigations and prosecutions, criminal or civil. In fiscal year 2016, 132 organizations were sentenced (129 pleaded guilty; only three went to trial); however, according to the U.S. Sentencing Commission, only 2.1% of organizations seeking acceptance of responsibility credit under U.S. Sentencing Guideline § 8C2.5 had an “effective” compliance program. See U.S. Sentencing Commission Sourcebook at Tables 53, 54 (2016).

The effectiveness of an organization's compliance program is important to the government, too. It often assesses this factor in determining whether a business will be prosecuted; if so, whether the prosecution will be civil or criminal or both; and if found liable or guilty, the severity of sanctions to seek. The government's assessment of compliance program effectiveness has evolved. The more generalized criteria for a “good” compliance program once extrapolated from the Sentencing Guidelines, the U.S. Attorney's Manual or guidance documents from the DOJ, Securities and Exchange Commission (SEC) or Health & Human Services (HHS), now must give way to the DOJ's recently issued memorandum titled “Evaluation of Corporate Compliance Programs,” a seven-page, single-spaced inventory of “sample topics and questions.” DOJ Criminal Division, Fraud Section, “Evaluation of Corporate Compliance Programs” (Feb. 8, 2017).

The parameters set forth in the DOJ's memorandum have implications not only for the government's evaluation of compliance programs in the context of criminal charging decisions, but also for how defense counsel structure their conference-room advocacy seeking declinations or lesser sanctions in both criminal and civil investigations. Moreover, given the DOJ's “ Yates memo” reset on the prosecution of individuals within the corporation, defense counsel should be alert to the potential that these parameters may also provide a template for investigating a manager's or board member's reckless disregard or willful blindness for purposes of civil or criminal prosecutions, or an employee's ability to detect or remediate misconduct under the criminal “responsible corporate officer doctrine” (RCOD).

The DOJ's New Compliance Program Evaluation Parameters

The DOJ's corporate compliance evaluation memorandum systematically breaks out over 100 “sample” questions under 11 broad headings. These reflect a no-stones-left-unturned agenda apparently meant to generate a comprehensive overview of compliance program methodologies, structure and implementation, as well as how the program is empowered, resourced, and monitored in practice at different organizational levels.

To provide a sense of the memorandum's scope, these are just a few of the many probing questions the DOJ intends to ask:

• whether a root cause analysis of the suspect conduct has been performed;
• what specific actions senior management and stakeholders have taken to demonstrate their compliance commitment and what compliance expertise has been available to the Board;
• the resources, autonomy and stature devoted to the compliance function;
• whether a funding or resource request from the compliance or control function ever was denied and how the denial decision was made;
• the process for designing, implementing and assessing effectiveness of new policies and procedures;
• who is responsible for integrating policies and procedures;
• the methodology for risk assessment;
• whether training is tailored for high-risk and control function employees;
• if there is an incentive program for good compliance and ethical behavior;
• if there were internal investigations properly scoped, independent, and documented;
• if disciplinary actions have been consistently applied across the business; and
• if the relevant controls have been tested and risk assessments updated.

What is interesting about these interrogatories is just how granular the DOJ intends to be in reviewing compliance programs and how far it has come from the early caricature of accepting at face value the compliance program binder “on the shelf.” (This kind of detail is also found in recent guidance from the HHS Office of Inspector General (OIG). See “Measuring Compliance Program Effectiveness: A Resource Guide” (March 27, 2017).)

These DOJ questions look not only at the organization's existing compliance policies, but also probe: 1) the assumptions, methodology, design and judgments embedded in those policies; and 2) the proactive character and predictive accuracy of those policies. Such inquiries may call into question the compliance advice received from in-house auditors and legal, and compliance vendors and outside counsel, with attendant privilege and work product issues.

Conference-Room Advocacy

Of course, the DOJ notes that its evaluations necessarily are case-specific and that differences in organizations (including, presumably, differences in organizational size and resources) require “individualized determination[s].” No doubt it will take some time for the import of this memorandum to seep into the practice of Assistant U.S. Attorneys and agents. Nonetheless, when defense counsel embarks on conference room advocacy with the government and makes its “good corporate citizen” pitch seeking to avoid or ameliorate a government criminal prosecution, or minimize a civil resolution, woe to the lawyer who is not prepared either to provide this type of information proactively, or to respond to this level of inquiry from the prosecutors and agents across the table. Gathering this detailed information from the client also may add another layer to the scope of counsel's internal investigation into alleged misconduct.

Increased Risk for Executives and Board Members?

The DOJ compliance program evaluation memorandum also has the potential to reshape how government prosecutors view the action (or inaction) of executives and board members. Consider the following data points.

First, recall the basic framework of a board member's affirmative obligations — namely, to assure the existence of corporate information gathering and reporting systems to provide management and the board with material information, including compliance with applicable statutes and regulations. See, e.g., In re Caremark International Inc. Derivative Litigation, 698 A.2d 959 (Del Ch.1996).

Second, the Yates Memo renews the DOJ's emphasis on the criminal and civil investigation and prosecution of individuals by, among other things, requiring written justifications for not prosecuting individuals. See DOJ, “Individual Accountability for Corporate Wrongdoing” (Sept. 9, 2015).

Third, willful blindness for purposes of a criminal prosecution requires proof that the defendant: 1) subjectively believed that there is a high probability that the misconduct is taking place; and 2) took deliberate actions to avoid learning about those facts. Global-Tech Appliances, Inc. v. SEB S.A., 131 S. Ct. 2060 (2011). And under the responsible corporate officer doctrine (RCOD), the government may attribute culpability to the employee who has, by reason of her corporate position, “responsibility and authority either to prevent in the first instance, or promptly to correct,” the alleged violations of law, irrespective of any actual knowledge of misconduct. United States v. Park, 421 U.S. 658, 673-74 (1975).

Fourth, reckless disregard, or deliberate ignorance, of the truth or falsity of information for purposes of a civil False Claims action requires proof that the defendant either: 1) intentionally avoided learning whether a particular piece of information is true or false; or 2) had serious doubts about the truth or falsity of the information, but failed to make simple inquiries to verify truth or falsity. See 31 U.S.C. § 3729(b). In practice, this obligates the individual to make such inquiry as a reasonable and prudent person would conduct under the circumstances in order to ascertain the true and accurate basis of the claim on pain of being liable for the “aggravated form of gross negligence” required to impute knowledge of a false claim. See, e.g., United States v. Quicken Loans, Inc., No. 16-cv-14050, 2017 U.S. Dist. LEXIS 33559, *13-14 (E.D.Mich. March 9, 2017); S. Rep. No. 99-345, at 20 (1986).

Fifth, the parameters set out in the DOJ compliance program evaluation memorandum are published, disseminated and available to organizations, management and boards. Especially in large, sophisticated and publicly traded organizations, executives (including compliance officers) and board members may be found to be on notice of them. The government may well expect: 1) boards to be asking management these same types of questions under their Caremark obligations; 2) management to be retrofitting compliance program upgrades so that the answers to those questions are “correct”; and 3) compliance officers or audit managers to include these parameters in their annual internal program audits.

In this context, the DOJ's compliance program evaluation memorandum may move the goalposts on what constitutes deliberately blinding oneself to the facts, failing to make reasonable inquiry into the truth or falsity of a claim, or Responsible Corporate Officer Doctrine (RCOD) authority to detect or remediate misconduct. That is, in addition to seeking direct evidence of knowledge and intent, the government may issue CID, HIPAA or grand-jury subpoenas for documents and testimony concerning DOJ's compliance program parameters as they relate to the conduct under investigation.

The results may vindicate the organization or reveal compliance program deficiencies in analysis, methodology and process tied to that alleged misconduct. To the extent a Board has not asked the questions set out in the DOJ's memorandum, or management has not acted on these inquiries, the government could take the position that such inaction contributes to evidence of the reckless disregard required for civil False Claims Act (FCA) liability. In extreme instances, such inaction might contribute to proving RCOD liability or the willful blindness necessary to bring a criminal fraud charge.

Conclusion

Compliance officers, in-house counsel, corporate management and board audit and compliance committees should review the DOJ's recent compliance program evaluation memorandum. It may help to build more robust compliance programs; guide defense counsel's conference room advocacy; and provide insight into potential management and the Board exposures under reckless disregard, RCOD or willful blindness standards.

Ronald H. Levine ([email protected]), a member of the Editorial Board of Business Crimes Bulletin, is a principal at Post & Schell, P.C., heading its Internal Investigations and White Collar Defense Group. Levine was previously Chief of the Criminal Division of the U.S. Attorney's Office for the Eastern District of Pennsylvania. Carolyn H. Kendall ([email protected]) is an Attorney in the Group working in the areas of tax, money laundering and compliance programs.