Insight Into the DOJ's Updated Guidance on Evaluation of Corporate Compliance Programs
This April the Department of Justice (DOJ) issued updated guidance on the evaluation of corporate compliance programs with the goal of assisting prosecutors in making informed decisions as to whether corporate compliance programs are performing effectively.
July 24, 2019 at 02:30 PM
9 minute read
This April the Department of Justice (DOJ) issued updated guidance on the evaluation of corporate compliance programs with the goal of assisting prosecutors in making informed decisions as to whether corporate compliance programs are performing effectively. Understanding this updated guidance is essential for implementing an effective compliance program that conforms with the technical requirements that are guiding prosecutors’ enforcement decisions. To that end, the updated guidance poses three basic questions for the evaluation of a compliance program: Is the program well designed? Is the program being implemented effectively? Does the program work in practice? These basic elements have long been considered by the department and the courts. For example, the Justice Manual states that the adequacy and effectiveness of the corporation’s compliance program is one of the factors to be considered in making a charging decision, and it may be one of the most significant influencers to avoid punitive decisions. And the U.S. Sentencing Guidelines Section 8C2.5(f) provides that an effective compliance program significantly reduces a corporate entity’s culpability score, potentially reducing a fine by millions of dollars. How does this updated guidance alter the landscape, and what should a corporation focus on to ensure that its compliance program is deemed effective?
The department guidance answers these questions and provides a template for compliance.
Compliance programs will be measured first by how thoughtfully a company designs:
- Risk assessment processes
- Adequate policies and procedures
- Training and communications
- Confidential reporting and investigations conduits
- Third-party relationship management
- Due diligence for merger activity
Implementation will be measured by the:
- Commitment of management
- Autonomy and adequate resourcing of compliance
- Appropriate incentives and discipline
Whether a compliance system actually works will be measured by its:
- Improvement, testing and feedback systems
- Investigations of misconduct
- Analysis and response to misconduct
Together the themes of compliance have not changed, but the new guidance provides clarity and structure, as well as an opportunity to reinvest in a few ounces of prevention.
To have a well-designed program, you have to assess the specific and unique risks you face. The threat environment varies according to business and industry, and a compliance program’s design and implementation must be tailored to match. The updated guidance recognizes that not all corporations operate in the same environment, and some corporations will not need to spend as much time or money if they operate in a low-regulation or low-consequence environment. But the expectations of compliance increase with the risks. Consider the difference between two retailers, one of outdoor sporting goods and the other involved in the export of technology that could qualify as dual-use commodities under 15 C.F.R. Section 734.3. If either transacts with a prohibited end-user, there could be regulatory consequences. However, while the former may be subject to a welter of potential liability, the latter is nearly certain to incur serious liability without a robust compliance program. The size, funding and arrangement of a company’s compliance program should reflect its operating environment. As that environment changes, the program must as well.
Effective design empowers the right people to make policies work on the ground, not just on paper. An effective compliance program empowers corporate actors to take remedial action without over-inclusively flooding a reporting system with noise. Companies should ask “where do the problems occur and who should be empowered to stop them?” In the areas of heightened risk, reporting protocols are expected to be more robust—police officers are expected to focus their resources on high-crime areas. Effective design can thus be both economical and minimally invasive to regular operations. Conversely, relying on stringent controls in a low-risk area provides little counterweight to significant failures in a high-risk one.
Design should consider the importance of tailoring palatable conduits for reporting. The corollary to empowering those close to the action is the difficulty in identifying errors of people you know. The updated guidance emphasizes that “an efficient and trusted mechanism by which employees can anonymously or confidentially report” misconduct is a “hallmark of a well-designed compliance program” and “highly probative” of an effective program. The updated guidance places a greater emphasis on culture and easy, anonymous reporting. One way to overcome human nature is to routinize, anonymize and normalize the process. This is why algorithmic compliance measures have made compliance efforts so much more effective to overcome the natural human hesitance to report misconduct or the “fear of retaliation.” An effective compliance program must make it easy for people at all levels to do the right thing.
To implement a program effectively, you must learn from mistakes. The updated guidance emphasizes that past violations and the company’s reaction to them is critical. Virtually every company will face the specter of some kind of regulatory violation given enough time. The guidance acknowledges this reality, and does not equate every offense as a proxy for a deficient compliance program. Acknowledging the inevitability of wrongdoing means that an effective compliance program must also have a robust protocol for self reporting. Self reporting is a sensitive task, but a thorough internal investigation followed by prompt and full disclosure can reap large rewards. For example, the Foreign Corrupt Practices Act Guide states that prosecutors place “a high premium on self-reporting, along with cooperation and remedial efforts, in determining the appropriate resolution of FCPA matters,” and the updated guidance states “if a compliance program did effectively identify misconduct, including allowing for timely remediation and self-reporting, a prosecutor should view the occurrence as a strong indicator that the compliance program was working effectively.” Proactively examining a business’ vulnerabilities and investigating and reporting errors when they do occur is consistent with upholding a culture of compliance, but also helps negate intent, and allows companies to craft their own investigations instead of conceding to the government.
In addition to learning from one’s own mistakes, executives would do well to study competitors’ practices. Part of an evolving and comprehensive compliance program should involve studying and applying “lessons learned” from competitors’ failings. At a minimum, companies should consider whether their program would have flagged the same activity that led to an enforcement action against a competitor. Proactively adjusting to changes in the legal landscape and continually fine-tuning a program is critical to its effectiveness.
Proving the negative is often worth the effort. While prosecutors may be cynical, data helps make cases. In monitoring a program’s efficacy, steps that show positive feedback complement those that show when errors occur. The guidance asks prosecutors to consider whether the program has “collected, tracked, analyzed, and used information from its reporting mechanism.” An effective compliance program will flag many instances where there is no wrongdoing, but shows that a conscientious observer felt comfortable reporting a possible issue. A company’s reaction to the absence of a violation can demonstrate sincerity just as a reaction to actual wrongdoing might. Citing examples where a company undertook a thorough and well-documented investigation and concluded there was no wrongdoing is preferable to the alternative. Determining where false positives occur can also aid in the fine tuning of a program’s design and could save time and money by implementing tweaks that will avoid such results.
Implementing a program that works in practice requires fostering a culture of compliance. No matter how well a program is designed, what matters most may be how a program is perceived inside the company. It can be very easy for compliance to be considered a cost center that hampers business operations. Previous guidance had addressed culture in an indirect manner, asking whether senior leadership had “through their words and actions, encouraged or discouraged the type of misconduct in question.” The updated guidance now directly and thoroughly emphasizes culture, and states that that management “sets the tone” for employees below and for a program to be deemed effective, it “requires a high-level commitment by company leadership to implement a culture of compliance from the top.” If regular communication and action from management makes it clear that doing things right matters as much as doing them at all, that will filter through an organization, and the reverse is true as well. Likewise, if there are bonuses, rewards, and perks for increasing operations but none for compliance, it will influence the perception of sincerity of a program. Incentives speak louder than policy messages.
The DOJ’s updated guidance is helpful and more detailed than its prior iteration, but it is complementary to other sources as well, such as the Benczkowski Memorandum from October 2018. Ultimately, the focus in the updated guidance is on results; whether the program is actually effective. There is no magic number of resources to allocate to compliance, and efforts that emphasize uncontextualized spending or top-level inputs will not be as persuasive as those that show that a company has thought through its operations and compliance risks, and that it has taken proactive steps to maintain an effective and adapting program. It bears reminding that one of the principle goals of prosecutors is to deter wrongdoing—by a specific company, but also by other companies generally. The guidance emphasizes that effective compliance requires preparation, vigilant oversight, commitment of culture and resources, and adaptability to changing landscapes. The updated guidance can be an effective tool to get buy-in from operational executives for implementing measures that may help weather the inevitable storms ahead.
Aloke Chakravarty is the co-chair of Snell & Wilmer’s investigations, government enforcement and white-collar protection practice. A former state, federal and international prosecutor, he also focuses on cybersecurity, data protection and privacy. He represents corporations, boards of directors and corporate management with a broad range of preventative services designed to avoid or mitigate crisis, security vulnerability and liability, government investigations, enforcement actions, and white-collar actions.
Sam Ballingrud is currently a law clerk to Magistrate Judge Nina Y. Wang on the U.S. District Court for the District of Colorado. He will be joining Sherman & Howard’s litigation, trials and appeals practice group this fall.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllA Blueprint for Targeted Enhancements to Corporate Compliance Programs
7 minute readThree Legal Technology Trends That Can Maximize Legal Team Efficiency and Productivity
Corporate Confidentiality Unlocked: Leveraging Common Interest Privilege for Effective Collaboration
11 minute readTrending Stories
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250