Overview
On June 1, 2020, the US Department of Justice (DOJ) Criminal Division, with little fanfare, issued updated guidance on the Evaluation of Corporate Compliance Programs (2020 Guidance). The document, which was released without any accompanying public announcement or explanation, updates an April 30, 2019 version of the document (2019 Guidance), as discussed in our May 9, 2019 Advisory. The 2019 Guidance updated original guidance published by the Division's Fraud Section on February 8, 2017 (2017 Guidance), as discussed in our 2017 FCPA Mid-Year Review.
The DOJ's evaluation of the effectiveness of a company's compliance program continues to be a relevant factor to charging decisions under the Principles of Federal Prosecution of Business Organizations in the Justice Manual, as well as to an organization's eligibility to receive a reduction in criminal fines calculated under the US Sentencing Guidelines (USSG); it is also important to the DOJ's assessment of whether a monitor is warranted.
While the 2019 Guidance made more substantive changes to the original 2017 Guidance, including by reorganizing the document and broadening its application (following the 2019 update, the guidance applies to the DOJ Criminal Division more broadly), the latest updates are more discrete. In some ways, the 2020 updates bring the 2019 Guidance more fully in line with other available guidance and DOJ pronouncements, including most notably the 2012 DOJ/SEC FCPA Resource Guide (FCPA Resource Guide).[1]
The most significant updates in the 2020 Guidance are: (i) changes emphasizing the need for a dynamic compliance program and reflecting heightened expectations for the use of data analytics and testing; and (ii) clarifications concerning the DOJ's expectations for a risk-based approach to compliance. These are described in more detail below.[2]
Emphasis on a dynamic compliance program and heightened expectations for the use of data analytics and testing
Updates in the 2020 Guidance emphasize that a company's compliance program should be dynamic, applying lessons learned from the company's own prior experience as well as those of other companies; making use of data and testing as it reviews and updates its risk assessment, policies, and procedures; and investing in further training and development of compliance and other control personnel.
The expectation for companies to incorporate lessons learned into their compliance programs is not new, in particular when it comes to insights gained from the company's own issues and prior misconduct. While considering lessons learned from other companies operating in the same industry and/or geographic region has long been a good practice and a feature of most sophisticated corporate compliance programs, the 2020 Guidance now explicitly creates the expectation that companies will have a "process" in place "for tracking and incorporating" into their periodic risk assessments both lessons learned from the company's own prior issues and misconduct, as well as "from those of other companies operating in the same industry and/or geographical region."
In addition, the 2020 Guidance suggests the DOJ will be evaluating whether a company conducts periodic reviews of its risk assessment "based upon continuous access to operational data and information across functions," and not just based on a "snapshot" in time. Other updates in the 2020 Guidance point to increased expectations on the part of the DOJ that companies will collect and review data in monitoring, assessing, and testing their compliance programs. Under the heading "Autonomy and Resources," the document includes a specific point on data resources and access, which focuses on determining whether "compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions."
This emphasis on the use of data and testing is also reflected in other points added in the 2020 Guidance, namely: (i) whether "the company track[s] access to various policies and procedures to understand what policies are attracting more attention from relevant employees"; (ii) whether "the company [has] evaluated the extent to which the training has an impact on employee behavior or operations"; (iii) whether "the company take[s] measures to test whether employees are aware of the hotline and feel comfortable using it"; (iv) whether "the company periodically test[s] the effectiveness of the hotline, for example by tracking a report from start to finish"; and (v) whether "the compliance function monitor[s] its investigations and resulting discipline to ensure consistency."
The increased emphasis on testing in the 2020 Guidance is consistent with a trend in recent years recognizing the importance of testing to ensure a compliance program is operating effectively, although the DOJ is becoming more prescriptive in the sorts of testing it might expect to see. The heightened expectations regarding use of data analytics echo remarks made on September 12, 2019 by then-Deputy Assistant Attorney General Matthew S. Miner at the 6th Annual Government Enforcement Institute, in which he noted that "if misconduct does occur, our prosecutors are going to inquire about what the company has done to analyze or track its own data resources."[3] While many large companies have adopted sophisticated compliance dashboards and other technology facilitating such data analysis, it will be important for the DOJ to take into account an organization's size, resources, and risk level when evaluating whether a given company can reasonably be expected to implement technology enabling the various categories of data analysis referenced in the 2020 Guidance.
Clarifications regarding the DOJ's expectations for a risk-based approach
Additional updates reflected in the 2020 Guidance provide greater insights into the DOJ Criminal Division’s expectations regarding a risk-based approach to compliance. The document provides that "[p]rosecutors may credit the quality and effectiveness of a risk-based compliance program that devotes appropriate attention and resources to high-risk transactions, even if it fails to prevent an infraction" (emphasis added). Significantly, the 2020 Guidance version deletes the reference to "in a low risk area" that previously appeared at the end of that sentence. This change suggests that the DOJ recognizes that an effective risk-based approach may fail to prevent an infraction, irrespective of whether such an infraction takes place in a low- or higher-risk area. Also significant is the statement that "the need for, and degree of, appropriate [third party] due diligence may vary" (emphasis added). The added reference to "the need for" in the 2020 Guidance suggests the DOJ does not necessarily expect that due diligence will be required for all third parties under a risk-based approach to compliance. In contrast, the FCPA Resource Guide – while also endorsing a risk-based approach to third-party due diligence ("[a]lthough the degree of appropriate due diligence may vary based on industry, country, size and nature of the transaction, and historical relationship with the third-party") – stated that "some guiding principles always apply" (emphasis added).[4] The FCPA Resource Guide formulation suggests that, with respect to anti-corruption due diligence, at least some baseline due diligence should be conducted with respect to all third parties.
The 2020 Guidance also makes more explicit the DOJ's approach to evaluating an organization's circumstances when assessing the adequacy of a corporate compliance program. This is reflected in language added to the introduction stating that the Criminal Division will make "reasonable, individualized" determinations regarding a company's compliance program that will consider "various factors including, but not limited to, the company's size, industry, geographic footprint, regulatory landscape, and other factors, both internal and external to the company's operations, that might impact its compliance program." These factors are broadly consistent with the factors that the FCPA Resource Guide instructed companies to consider when developing a risk-based anti-corruption compliance program.[5]
In addition, a new footnote calls on prosecutors to also consider "whether certain aspects of a compliance program may be impacted by foreign law" (footnote 2), recognizing that the design of compliance programs may be affected by foreign law. Although the 2020 Guidance does not further elaborate on this, data protection, privacy, blocking, national security, state secrets, and related laws are examples of foreign laws that the DOJ likely recognizes multinational companies will need to take into account when developing and implementing compliance programs. The footnote also makes clear, however, that prosecutors will ask how the organization has ensured the integrity and effectiveness of its compliance program while abiding by foreign law.
This emphasis on an organization's circumstances is further reflected in questions added throughout the document for the consideration of prosecutors, focusing on identifying and understanding the rationale for specific aspects of the company's compliance program. According to the 2020 Guidance, "prosecutors should endeavor to understand why the company has chosen to set up the compliance program the way that it has, and why and how the company's compliance program has evolved over time" (emphasis added), and should consider "[w]hat are the reasons for the structural choices the company has made."
Other updates
At a high level, updates in the 2020 Guidance emphasize that effective implementation requires an adequately resourced and empowered compliance function. Other updates ensure internal consistency with existing text from the 2019 Guidance and/or bring the 2020 Guidance further in line with other pre-existing guidance (such as the FCPA Resource Guide). These include, for instance, updates to the section on mergers and acquisitions, which now recognizes more explicitly that thorough pre-acquisition due diligence may not always be possible and expresses the expectation for post-acquisition due diligence (and auditing) in such situations, in addition to reiterating the importance of post-acquisition integration. The revised formulation in the 2020 Guidance is broadly consistent with both the FCPA Resource Guide[6] and remarks delivered by then-Deputy Assistant Attorney General Miner at the American Conference Institute's 9th Global Forum on Anti-Corruption Compliance in High Risk Markets on July 25, 2018.[7]
On training and communication, the 2020 Guidance notes that some companies have invested in targeted training to ensure issues will be identified and raised up to appropriate personnel on a timely basis. While not prescriptive, this language, coupled with additions emphasizing the need to test the effectiveness of training efforts, suggests that prosecutors will be evaluating the relevance and effectiveness of training, including in relation to channels for potential whistleblowing and for obtaining guidance.
Conclusion
While the latest updates to the DOJ Criminal Division's guidance on Evaluation of Corporate Compliance Programs are more in the nature of refinements than overhaul, some of the revisions appear to reflect the DOJ's continued raising of the compliance bar – particularly related to the use of data as part of continuous monitoring and periodic testing and program updates – and a continued emphasis on the need for programs to be properly tailored and dynamic to be effective. Given this trend, it would be prudent for organizations to review the 2020 Guidance with an eye to identifying any compliance program enhancements that may be warranted to keep pace with DOJ expectations. In that process, organizations can continue to be guided by the overarching principle that their compliance programs may be risk-based. The key is being able to explain how the organization reasonably designed and implemented an appropriately robust program that is tailored to its particular features and risks, and how the program has been adapted over time in response to evolving risks and lessons learned, even if it does not have all the bells and whistles adopted by the largest and highest-risk organizations.
[1] US Dept. of Justice, Criminal Div. and US Securities & Exchange Comm'n, Enforcement Div., FCPA, A Resource Guide to the U.S. Foreign Corrupt Practices Act (Nov. 14, 2012), https://www.justice.gov/criminal-fraud/fcpa-guidance ("FCPA Resource Guide").
[2] A link to a comparison marking all changes made to the 2019 Guidance is here.
[3] Press Release, Deputy Assistant Attorney General Matthew S. Miner Delivers Remarks at the 6th Annual Government Enforcement Institute, US Dept. of Justice, Office of Pub. Affairs (Sept. 12, 2019), https://www.justice.gov/opa/speech/deputy-assistant-attorney-general-matthew-s-miner-delivers-remarks-6th-annual-government.
[4] FCPA Resource Guide at p. 60.
[5] Id. at pp. 55-57.
[6] Id. at p. 62.
[7] Press Release, Deputy Assistant Attorney General Matthew S. Miner Remarks at the American Conference Institute 9th Global Forum on Anti-Corruption Compliance in High Risk Markets, US Dept. of Justice, Office of Pub. Affairs (July 25, 2018), https://www.justice.gov/opa/pr/deputy-assistant-attorney-general-matthew-s-miner-remarks-american-conference-institute-9th.