DoJ Guideline for the Evaluation of Compliance Programs
Must read for compliance officers: Fresh guidance from the US Department of Justice (DoJ) on effective compliance programs.
The US Department of Justice (DoJ) issued more changes to their guidance on corporate compliance programs in the first quarter of 2023. The updated guidelines offer even more detail on areas such as compensation initiatives as well as the measures companies need to take around data retention and device usage.
Back in October 2021, Deputy Attorney General Lisa Monaco issued a memorandum with new guidance for prosecutions and this was supplemented by a second memorandum on 15 September 2022, reaffirming the US government’s government’s commitment to fighting corporate crime. In March 2023, Monaco announced the latest series of initiatives and programs.
With the extraterritorial scope of US regulations like the FCPA, this guidance is relevant for all companies with even the smallest link to the US – for example, handling transactions in US dollars might be enough to fall under its remit.
Doj Compliance Guidance: Main Themes
In March 2023, new policies were announced standardising voluntary self-disclosures for US attorney’s offices while clarifying the requirements for companies to self-disclose. Businesses would be incentivised to maintain effective compliance programs capable of identifying misconduct and mitigating it.
The section of the guidance entitled “Compensation Structures and Consequence Management” received the most significant changes with the introduction of incentives for compliance and disincentives for failures in compliance. Prosecutors will now monitor the effectiveness of compliance programs through tracking data on disciplinary actions and consider whether transparent communication was involved in any disciplinary processes or actions taken. A three-year Pilot Program on Compensation Initiatives and Clawbacks was also introduced and this is covered in more detail further down in this article.
It was also announced that additional resource commitments would be made to corporate criminal enforcement and this includes 25 new prosecutors. There would also be a substantial investment in the Bank Integrity Unit and Criminal Division’s Money Laundering and Asset Recovery Section. Finally, the issuance of joint advisories with the Commerce and Treasury Departments would inform the private sector about enforcement trends and the expectations around security-related compliance.
The latest policies follow some important changes that occurred in June 2020. While they were not radical at the time, they emphasised that:
- Having a compliance program in place is not enough. It has to work.
- Compliance program shouldn’t be “snapshots” but dynamic and updated to respond to new circumstances.
- An “off the shelf” compliance program that merely exists on paper will not benefit a company that is under investigation.
The DOJ later emphasised the importance of incentivising companies to voluntarily disclose misconduct and it obliged its components to adopt policies outlining potential benefits for organisations such as:
- A presumption against a guilty plea if a company has fully cooperated and taken appropriate action.
- No requirement for a DOJ monitor if a company has already implemented a compliance program.
Risk Assessment: Periodic Review and Lessons Learned
The Guidance states that the starting point for a prosecutor’s evaluation of whether the company has a well-designed compliance program is to understand how the company has identified, assessed and defined its risk profile. When it comes to risk assessment, the Guidance emphasises the importance of constant review and lessons learned:
- Under “Updates and Revisions”, the DOJ asks the questions: “Is the risk assessment current and subject to periodic review? Is the periodic review limited to a ‘snapshot’ in time or based upon continuous access to operational data and information across functions? Has the periodic review led to updates in policies, procedures, and controls? Do these updates account for risks discovered through misconduct or other problems with the compliance program?
- A further section includes the following: “Lessons Learned – Does the company have a process for tracking and incorporating into its periodic risk assessment lessons learned either from the company’s own prior issues or from those of other companies operating in the same industry and/or geographic region”
Policies and Procedures: Access and Tracking
At a bare minimum, the Guidance states that corporations must demonstrate a robust code of conduct for the whole organisation and emphasises the importance of established policies and procedures that incorporate the culture of compliance into the company’s day-to-day operations.
Revisions have brought a bigger emphasis on employee access to policies and procedures and suggests companies might use policies as a tracking tool. For example, the 2020 update included changes to the section on accessibility:
“How has the company communicated its policies and procedures to all employees and relevant third parties? If the company has foreign subsidiaries, are there linguistic or other barriers to foreign employees’ access? Have the policies and procedures been published in a searchable format for easy reference? Does the company track access to various policies and procedures to understand what policies are attracting more attention from relevant employees?”
Training and Communications: Two-Way and Targeted
The Guidance states that a further hallmark of a well-designed compliance program is appropriately tailored training and communications. The Guidance has accordingly strengthened the information on compliance training that prosecutors might expect to see.
For example, it now advises that “Other companies have invested in shorter, more targeted training sessions to enable employees to timely identify and raise issues to appropriate compliance, internal audit, or other risk management functions”. The question was also added as to “Whether online or in-person, is there a process by which employees can ask questions arising out of the trainings?” Further questions ask how companies deal with employees who fail all or a portion of the training as well as how the training impacts employee behavior or operations.
Whistleblowing System: For Third Parties and User-Friendly
For assessing the effectiveness of the internal whistleblowing system, the DOJ includes the following:
“Does the company have an anonymous reporting mechanism, and, if not, why not? How is the reporting mechanism publicized to the company’s employees and other third parties? Has it been used? Does the company take measures to test whether employees are aware of the hotline and feel comfortable using it?”
This inclusion strengthened the onus on corporations regarding their whistleblowing systems. In 2019 the Guidance mentioned “anonymous reporting mechanism” for the first time. This challenged corporations only offering an email address or a phone number for employees to speak up. From an organisational perspective, offering truly anonymous reporting channels is beneficial: studies indicate that companies who offer specialised channels receive more reports, and 59% of reporters choose to report anonymously when this option is available.
However, as per the 2020 update, companies should not simply be content offering an anonymous reporting mechanism, they should aim to widen its reach and consider making it available to other stakeholders beyond their own employees. The change also indicates that it is not enough for companies to simply offer an anonymous whistleblowing tool; they need to ensure that it is well-publicised and user-friendly.
Investigation Process: Thorough Testing
Originally, the Guidance emphasised that prosecutors wanted to see that corporations had well-resourced case management systems and processes that ensured allegations and suspicions of misconduct were thoroughly investigated and lessons were learnt. It also suggested prosecutors would want to see that the investigation process has also been thoroughly tested.
“Are the reporting and investigating mechanisms sufficiently funded? How has the company collected, tracked, analyzed, and used information from its reporting mechanisms? Does the company periodically analyze the reports or investigation findings for patterns of misconduct or other red flags for compliance weaknesses? Does the company periodically test the effectiveness of the hotline, for example by tracking a report from start to finish?”
The September 2022 Memorandum laid out the need for compensation systems that allow for retrospective discipline and further guidance was provided by Monaco in March 2023 when she previewed the introduction of a Pilot Program on Compensation Initiatives and Clawbacks.
The three-year Pilot Program has two main components. Firstly, any company entering into a corporate resolution with the Criminal Division will now be required to include compliance-promoting criteria in its compensation and bonus systems. The criteria must be tailored to an organisation’s existing compensation system.
The second component will see companies offered fine reductions to claw back compensation provided the organisation in question has cooperated with the DOJ investigation and taken steps to eliminate the misconduct. At the onset of the resolution period, the company could pay the applicable fine minus the amount of compensation it is seeking to recover from those involved in the misconduct.
At the close of the resolution period, the company would be allowed to keep all compensation recovered. Organisations that pursue clawbacks in good faith but without success will be eligible for a fine reduction.
Integrating M&A Targets
In an earlier update, the DOJ gave more consideration to a company’s M&A targets. Even if a company can’t perform perfect due diligence before the acquisition, prosecutors want to see evidence that the company included the new entity in its compliance program after the deal closed. The Guidance states that:
“A well-designed compliance program should include comprehensive due diligence of any acquisition targets, as well as a process for timely and orderly integration of the acquired entity into existing compliance program structures and internal controls.”
Key topics in the guidance are organised around “three overarching questions” that guide prosecutors’ review and assessment of a company’s compliance program:
- Is the program well designed?
- Is the program being applied earnestly and in good faith? In other words, is the program adequately resourced and empowered to function effectively?
- Does the program work in practice?
Regarding the second question referencing resources and empowerment, the DOJ implies a compliance program requires sufficient funding, qualified compliance personnel, and widespread support at all levels of an organisation.
In 2023, it was announced that the DOJ will consider numerous factors in determing how a company’s compensation contributes to the presence or lack thereof of an effective compliance program. Prosecutors are being instructed to assess whether companies have adequate compliance management policies and procedures in place that are consistently enforced.
Access to Data
The March 2023 announcement brought in fresh scrutiny on personal devices and the retention of ephemeral messaging. Despite the ubiquity of personal mobile devices, the DOJ expects companies to update their policies accordingly and it will examine the communication channels used, levels of risk management in place and the overall policy environment.
As such they need to consider the following questions: “What policies and procedures are in place to ensure that communications and other data is preserved from devices that are replaced? What are the relevant code of conduct, privacy, security, and employment laws or policies that govern the organization’s ability to ensure security or monitor/access business-related communication?”
Additionally, if the company has a “bring your own device” (BYOD) program, it needs to consider “Its policies governing preservation of and access to corporate data and communications stored on personal devices—including data contained within messaging platforms—and what is the rationale behind those policies?”
The September 2022 memorandum recognised that there may be foreign data information laws that prohibit the company from disclosing documents that might be considered relevant to the investigation. The DOJ therefore will verify that non-US companies are not using laws from overseas as a method for witholding relevant data.
The earlier update added an entire paragraph on access to data. The compliance officer should have access to the relevant data to advance the compliance program’s influence within the corporation.
“Data Resources and Access – Do compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions? Do any impediments exist that limit access to relevant sources of data and, if so, what is the company doing to address the impediments?”
One-size Doesn’t Fit All
The Guidance underscores the importance of prosecutors understanding each company’s unique circumstances and how they have influenced the development of its compliance program. For example, prosecutors “should endeavour to understand why the company has chosen to set up the compliance program the way that it has, and why and how the company’s compliance program has evolved over time.”
It now asks prosecutors to make a “reasonable, individualized determination in each case” when evaluating a company’s compliance program, taking into consideration the company’s “size, industry, geographic footprint, and regulatory landscape,” as well as the reasons why a company chose its program’s structure and how the program has evolved over time.
With recent updates, the DOJ has provided clearer guidelines for companies on what to expect when under investigation by US authorities. Having an effective compliance program in place when misconduct takes place can have a positive effect on the outcome of the prosecution or resolution, as long as the program matches the key requirements outlined in the guide.
This is especially important given the additions announced in March 2023 that serve to show that the DOJ is aggressively investigating and prosecuting corporate crime while holding the actors responsible accountable. Therefore, the updated DOJ guide is essential reading for all compliance professionals – regardless of where their company is based.
Companies must understand the DOJ’s recent policy changes and implement a number of short-term measures so that wrongdoing can be swiftly identified and mitigated. They should review and update policies related to device usage and data retention while training employees on best practice in those areas. Evaluation and compensation metrics should also be reviewed while remedial trainings should be held on compliance policies and procedures.
How to effectively create, implement and communicate compliance policies and measure the success of your policy program – for everyone who is responsible for Compliance policies in their organization