DOJ Updates Corporate Compliance Program Evaluation Guidelines to Invite the Practice of Continuous and Evolving Improvements Through Data Analysis

The Department of Justice (DOJ) recently updated its Evaluation of Corporate Compliance Programs guidelines, which federal prosecutors consider when making decisions to prosecute corporate compliance violations, impose monetary penalties, and require future compliance commitments. The guidelines highlight what prosecutors should deem relevant in evaluating a corporate compliance program, both at the time of the offense(s) and at the time of the charging decision and resolution. In turn, the guidelines serve as a roadmap for corporate compliance and control personnel in designing a corporate compliance program, allocating resources to the program, evaluating the efficacy of the program in practice, and redesigning the program as needed on a regular basis.

The updates make clear that the DOJ is interested in the continuous evaluation and evolution of corporate compliance programs, and that prosecutors will now be examining whether and how a compliance program incorporates data analytics. As before, the guidelines instruct federal prosecutors to ask three questions, though now slightly revised as follows:

1. Is the compliance program well designed?
2. Is the program adequately resourced and empowered to function effectively?
3. Does the program work in practice?

A welcome addition to the guidelines is a stated recognition that the circumstances of the company, e.g., size, industry, geographic footprint, regulatory landscape, etc., are relevant to prosecutors’ analysis. The guidelines also suggest that corporate compliance and control personnel are well-advised to design a program that reflects a comprehensive and effective risks assessment based on the circumstances of the company, a tailoring of the program to the identified risks, and – baked into the program – periodic reevaluation of the risks assessment followed by appropriately corresponding updates to the program. Among other factors, federal prosecutors have now been instructed to assess whether and to what extent the company: (1) regularly reviews and revises its program on the basis of continuous access to operational data and information across functions, (2) disseminates its policies to employees in a searchable and accessible manner, and (3) tracks access to its policies and reporting hotline to enable it to understand what level of attention the policies/hotline are receiving and by whom. In addition, prosecutors will evaluate whether the program includes a periodic assessment of any lessons learned, either from the company’s own prior issues or from those companies operating in the same industry, geographic footprint, or other similar circumstances.

Consistent with the theme of a dynamic and evolving compliance program, the updated guidelines emphasize that companies are to be actively engaged in the risk management of third parties throughout the lifespan of the relationship, not simply during the onboarding process. In addition, while the guidelines continue to emphasize federal prosecutors should assess a company’s third-party management practices to determine whether a compliance program is able to detect misconduct most likely to occur in a particular corporation’s line of business, the revisions now note specifically that “[p]rosecutors should also assess whether the company knows the business rationale for needing the third party in the transaction, and the risks posed by third-party partners, including the third-party partners’ reputations and relationship, if any, with foreign officials.”

The updated guidelines also call attention to not only complete pre-acquisition due diligence of a target company, but also a timely and orderly post-acquisition integration of the target company into existing compliance program structures and internal controls, as well as post-acquisition audits. The updates note that “[f]lawed or incomplete pre- or post-acquisition due diligence and integration can allow misconduct to continue at the target company, causing resulting harm to a business’ profitability and reputation and risking civil and criminal liability.” Prosecutors are instructed to seek an explanation for why thorough due diligence was not or could not have been completed, asking: “Was the company able to complete pre-acquisition due diligence and, if not, why not? . . . What has been the company’s process for implementing compliance policies and procedures, and conducting post-acquisition audits, at newly acquired entities?”

Another important revision to note: the prior version of the guidelines instructed prosecutors to assess whether a compliance program was implemented “in good faith.” The updated version instead calls for an evaluation of whether the program is “adequately resourced and empowered to function.” To assess this, prosecutors are now instructed to examine, among other things, the extent to which the company invests in the training and development of compliance and control personnel, and whether this personnel has sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions. How the company works to identify and address any impediments hindering compliance and control personnel will also be relevant to the analysis.

A final noteworthy revision comes by way of a footnote advising prosecutors to consider whether certain aspects of a compliance program may be impacted by foreign law. Any company that has made a compliance decision based on foreign law should be prepared to explain the basis for its conclusion about foreign law, and how it “has addressed the issue to maintain the integrity and effectiveness of its compliance program while still abiding by foreign law.”