DoJ Guideline for the Evaluation of Compliance Programs
Must read for compliance officers: Fresh guidance from the US Department of Justice (DoJ) on effective compliance programmes.
In June 2020 the US Department of Justice (DoJ) issued several changes to their guidance document “Evaluation of Corporate Compliance Programs”. The updated guidelines offer even more detail on how prosecutors will evaluate the effectiveness of corporate compliance programs.
With the extraterritorial scope of US regulations like the FCPA, this guidance is relevant for all companies with even the smallest link to the US – for example, handling transactions in US dollars might be enough to fall under its remit.
DOJ Compliance Program Guidance: Main Themes
While the 2020 changes to the Guidance are not radical, they emphasise that:
- Having a compliance program in place is not enough. It has to work.
- Compliance programs shouldn’t be “snapshots” but dynamic and updated to respond to new circumstances.
- An “off the shelf” compliance program that merely exists on paper will not benefit a company that is under investigation.
Risk Assessment: Periodic Review and Lessons Learned
The Guidance states that the starting point for a prosecutor’s evaluation of whether the company has a well-designed compliance program is to understand how the company has identified, assessed and defined its risk profile. When it comes to risk assessment, the 2020 update makes two important changes which emphasise the importance of constant review and lessons learned:
- Under “Updates and Revisions”, the DoJ inserts the sentences: “Is the periodic review limited to a “snapshot” in time or based upon continuous access to operational data and information across functions? Has the periodic review led to updates in policies, procedures and controls?”
- The update adds a new section: “Lessons Learned – Does the company have a process for tracking and incorporating into its periodic risk assessment lessons learned either from the company’s own prior issues or from those of other companies operating in the same industry and/or geographic region”
Policies and Procedures: Access and Tracking
At a bare minimum, the Guidance states that corporations must demonstrate a robust code of conduct for the whole organisation and emphasises the importance of established policies and procedures that incorporate the culture of compliance into the company’s day-to-day operations.
The 2020 update increases the emphasis on employee access to policies and procedures and suggests companies might use policies as a tracking tool. The 2020 update includes the following changes to the section on accessibility (2020 update in bold):
“How has the company communicated its policies and procedures to all employees and relevant third parties? If the company has foreign subsidiaries, are there linguistic or other barriers to foreign employees’ access? Have the policies and procedures been published in a searchable format for easy reference? Does the company track access to various policies and procedures to understand what policies are attracting more attention from relevant employees?”
Training and Communications: Two-Way and Targeted
The Guidance states that a further hallmark of a well-designed compliance program is appropriately tailored training and communications. The 2020 update aims to strengthen the information on compliance training that prosecutors might expect to see.
For example, the Guidance now advises that “Other companies have invested in shorter, more targeted training sessions to enable employees to timely identify and raise issues to appropriate compliance, internal audit, or other risk management functions“.
The 2020 update also adds the question “Whether online or in-person, is there a process by which employees can ask questions arising out of the trainings?“
Whistleblowing System: For Third Parties and User-Friendly
For assessing the effectiveness of the internal whistleblowing system, the DoJ has added (changes in bold):
“Does the company have an anonymous reporting mechanism, and, if not, why not? How is the reporting mechanism publicized to the company’s employees and other third parties? Has it been used? Does the company take measures to test whether employees are aware of the hotline and feel comfortable using it?”
This update strengthens the onus on corporations regarding their whistleblowing systems. In 2019 the Guidance mentioned “anonymous reporting mechanism” for the first time. This challenged corporations only offering an email address or a phone number for employees to speak up. From an organisational perspective, offering truly anonymous reporting channels is beneficial: studies indicate that companies who offer specialised channels receive more reports, and 59% of reporters choose to report anonymously when this option is available.
However, as per the 2020 update, companies should not simply be content offering an anonymous reporting mechanism, they should aim to widen its reach and consider making it available to other stakeholders beyond their own employees. The change also indicates that it is not enough for companies to simply offer an anonymous whistleblowing tool; they need to ensure that it is well-publicised and user-friendly.
Investigation Process: Thorough Testing
The original Guidance emphasised that prosecutors wanted to see that corporations had well-resourced case management systems and processes that ensured allegations and suspicions of misconduct were thoroughly investigated and lessons are learnt. The 2020 update (changes in bold) suggests prosecutors will want to see that the investigation process has also been thoroughly tested.
“Are the reporting and investigating mechanisms sufficiently funded? How has the company collected, tracked, analyzed, and used information from its reporting mechanisms? Does the company periodically analyze the reports or investigation findings for patterns of misconduct or other red flags for compliance weaknesses? Does the company periodically test the effectiveness of the hotline, for example by tracking a report from start to finish?”
Integrating M&A Targets
In the 2020 update the DoJ gives more consideration to the company’s M&A targets. Even if a company can’t perform perfect due diligence before the acquisition, prosecutors will want to see evidence that the company included the new entity in its compliance program after the deal closed. The 2020 additions in bold:
“A well-designed compliance program should include comprehensive due diligence of any acquisition targets, as well as a process for timely and orderly integration of the acquired entity into existing compliance program structures and internal controls.”
The 2019 update organised the key topics in the guidance around “three overarching questions” that guide prosecutors’ review and assessment of a company’s compliance program:
- Is the programme well designed?
- Is the programme being implemented effectively?
- Does the programme work in practice?
The June 2020 update changes the second overarching question (“Is the programme being implemented effectively?”), to asking instead whether it is “adequately resourced and empowered to function effectively.”
By resources and empowerment, the DoJ implies a compliance program requires sufficient funding, qualified compliance personnel, and widespread support at all levels of an organisation.
Access to Data
The 2020 update adds an entire paragraph on access to data. The compliance officer should have access to the relevant data to advance the compliance program’s influence within the corporation.
“Data Resources and Access – Do compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions? Do any impediments exist that limit access to relevant sources of data and, if so, what is the company doing to address the impediments?”
One-size Doesn’t Fit All
The 2020 Guidance underscores the importance of prosecutors understanding each company’s unique circumstances and how they have influenced the development of its compliance program. For example, prosecutors “should endeavour to understand why the company has chosen to set up the compliance program the way that it has, and why and how the company’s compliance program has evolved over time.”
It now asks prosecutors to make a “reasonable, individualized determination in each case” when evaluating a company’s compliance program, taking into consideration the company’s “size, industry, geographic footprint, and regulatory landscape,” as well as the reasons why a company chose its programme’s structure and how the programme has evolved over time.
With this update the DoJ provides clearer guidelines for companies on what to expect when under investigation by US authorities. Having an effective compliance program in place when misconduct takes place can have a positive effect on the outcome of the prosecution or resolution, as long as the programme matches the key requirements outlined in the guide. Therefore, the updated DoJ guide is essential reading for all compliance professionals – regardless of where their company is based.
How to effectively create, implement and communicate compliance policies and measure the success of your policy program – for everyone who is responsible for Compliance policies in their organization