DoJ Guideline for the Evaluation of Compliance Programs: 2020 Update

While the 2020 changes to the Guidance are not radical, they emphasise that:

• Having a compliance programme in place is not enough. It has to work.
• Compliance programmes shouldn’t be “snapshots” but dynamic and updated to respond to new circumstances.
• An “off the shelf” compliance programme that merely exists on paper will not benefit a company that is under investigation.

The Guidance states that the starting point for a prosecutor’s evaluation of whether the company has a well-designed compliance programme is to understand how the company has identified, assessed and defined its risk profile. When it comes to risk assessment, the 2020 update makes two important changes which emphasise the importance of constant review and lessons learned:

• Under “Updates and Revisions”, the DoJ inserts the sentences: “Is the periodic review limited to a “snapshot” in time or based upon continuous access to operational data and information across functions? Has the periodic review led to updates in policies, procedures and controls?”
• The update adds a new section: “Lessons Learned – Does the company have a process for tracking and incorporating into its periodic risk assessment lessons learned either from the company’s own prior issues or from those of other companies operating in the same industry and/or geographic region”

At a bare minimum, the Guidance states that corporations must demonstrate a robust code of conduct for the whole organisation and emphasises the importance of established policies and procedures that incorporate the culture of compliance into the company’s day-to-day operations.

The 2020 update increases the emphasis on employee access to policies and procedures and suggests companies might use policies as a tracking tool. The 2020 update includes the following changes to the section on accessibility (2020 update in bold):

“How has the company communicated its policies and procedures to all employees and relevant third parties? If the company has foreign subsidiaries, are there linguistic or other barriers to foreign employees’ access? Have the policies and procedures been published in a searchable format for easy reference? Does the company track access to various policies and procedures to understand what policies are attracting more attention from relevant employees?”

The Guidance states that a further hallmark of a well-designed compliance programme is appropriately tailored training and communications. The 2020 update aims to strengthen the information on compliance training that prosecutors might expect to see.

For example, the Guidance now advises that “Other companies have invested in shorter, more targeted training sessions to enable employees to timely identify and raise issues to appropriate compliance, internal audit, or other risk management functions“.

The 2020 update also adds the question “Whether online or in-person, is there a process by which employees can ask questions arising out of the trainings?“

For assessing the effectiveness of the internal whistleblowing system, the DoJ has added (changes in bold):

“Does the company have an anonymous reporting mechanism, and, if not, why not? How is the reporting mechanism publicized to the company’s employees and other third parties? Has it been used? Does the company take measures to test whether employees are aware of the hotline and feel comfortable using it?”

This update strengthens the onus on corporations regarding their whistleblowing systems. In 2019 the Guidance mentioned “anonymous reporting mechanism” for the first time. This challenged corporations only offering an email address or a phone number for employees to speak up. From an organisational perspective, offering truly anonymous reporting channels is beneficial: studies indicate that companies who offer specialised channels receive more reports, and 59% of reporters choose to report anonymously when this option is available.

However, as per the 2020 update, companies should not simply be content offering an anonymous reporting mechanism, they should aim to widen its reach and consider making it available to other stakeholders beyond their own employees. The change also indicates that it is not enough for companies to simply offer an anonymous whistleblowing tool; they need to ensure that it is well-publicised and user-friendly.

The original Guidance emphasised that prosecutors wanted to see that corporations had well-resourced case management systems and processes that ensured allegations and suspicions of misconduct were thoroughly investigated and lessons are learnt. The 2020 update (changes in bold) suggests prosecutors will want to see that the investigation process has also been thoroughly tested.

“Are the reporting and investigating mechanisms sufficiently funded? How has the company collected, tracked, analyzed, and used information from its reporting mechanisms? Does the company periodically analyze the reports or investigation findings for patterns of misconduct or other red flags for compliance weaknesses? Does the company periodically test the effectiveness of the hotline, for example by tracking a report from start to finish?”

In the 2020 update the DoJ gives more consideration to the company’s M&A targets. Even if a company can’t perform perfect due diligence before the acquisition, prosecutors will want to see evidence that the company included the new entity in its compliance programme after the deal closed. The 2020 additions in bold:

“A well-designed compliance programme should include comprehensive due diligence of any acquisition targets, as well as a process for timely and orderly integration of the acquired entity into existing compliance programme structures and internal controls.”

The 2019 update organised the key topics in the guidance around “three overarching questions” that guide prosecutors’ review and assessment of a company’s compliance programme:

1. Is the programme well designed?
2. Is the programme being implemented effectively?
3. Does the programme work in practice?

The June 2020 update changes the second overarching question (“Is the programme being implemented effectively?”), to asking instead whether it is “adequately resourced and empowered to function effectively.”

By resources and empowerment, the DoJ implies a compliance programme requires sufficient funding, qualified compliance personnel, and widespread support at all levels of an organisation.

The 2020 update adds an entire paragraph on access to data. The compliance officer should have access to the relevant data to advance the compliance programme’s influence within the corporation.

“Data Resources and Access – Do compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions? Do any impediments exist that limit access to relevant sources of data and, if so, what is the company doing to address the impediments?”