DOJ Updates Its "Evaluation of Corporate Compliance Programs" Guidance

On June 1, 2020, the DOJ updated its guidance document titled "Evaluation of Corporate Compliance Programs." The DOJ noted the changes were made based on the agency's experience and feedback from the business and compliance communities. The original version of this guidance was released in February 2017. It was then revised in 2019 to highlight the factors the DOJ considers when evaluating the effectiveness of a company's compliance program for purposes of determining an appropriate resolution of a DOJ matter. The 2020 update to this guidance offers additional insights into which factors the DOJ may prioritize and which additional factors companies should consider using as benchmarks in their evaluation of compliance programs.

The 2020 guidance underscores that there is no "one-size-fits-all" approach to compliance. It now asks prosecutors to make a "reasonable, individualized determination in each case" when evaluating a company's compliance program, taking into consideration the company's "size, industry, geographic footprint, and regulatory landscape," as well as the reasons why a company chose its program's structure and how the program has evolved over time. Prosecutors are also directed to assess the program both at the time of the conduct and at the time of resolution, in order to take into consideration any enhancements or remedial efforts undertaken in the interim period.

This revised guidance likewise emphasizes the DOJ's focus on the adequacy of the resources devoted to a company's compliance program and whether the program is continuously improving based on dynamic risk assessments, lessons learned, and data analytics. Here are a number of additional key updates in the 2020 guidance.

Significance of Adequate Compliance Resources

The 2019 guidance asked three fundamental questions about a company's compliance program, namely:

1. "Is the corporation's compliance program well designed?"
2. "Is the program being applied earnestly and in good faith?" In other words, is the program being implemented effectively?
3. "Does the corporation's compliance program work" in practice?

The second question has been amended in the 2020 guidance to focus on whether the company's compliance program is "adequately resourced and empowered to function effectively." Underscoring the emphasis on resources, the revised guidance now asks whether the company has adequately invested in training and development of compliance personnel and, as described below, whether the compliance function has adequate access to data to monitor and test.

Importance of Incorporating Lessons Learned

This revision reflects the DOJ's emphasis on incorporating "lessons learned" into the company's compliance program. The guidance now asks prosecutors to analyze the company's process for tracking and incorporating lessons learned from its risk assessments and compliance program.

Significance of Data Analytics

In a new subsection titled "Data Resources and Access," prosecutors are directed to consider whether the compliance function has sufficient access to relevant data to effectively monitor and test policies, controls, and transactions, and whether there are any impediments to accessing that data.  

Specific metrics prosecutors are asked to consider in this regard include: 

• Whether the company's risk assessments are based on a "snapshot" in time or on "continuous access to operational data and information across functions"; 
• Whether the compliance function monitors investigations and resulting discipline to ensure consistency;
• Whether access to specific policies and procedures are tracked to understand which policies are garnering more attention;
• Whether the impact of training on employee behavior is tested; and
• Whether employees are aware of the company's compliance hotline and are comfortable accessing it and whether the hotline is viewed as effective.

Other Key Updates Reflect the DOJ's Priorities and Signal Consideration as Best Practices

• Policies and Procedures: Whether the company's policies and procedures are in a searchable format.
• Training: Whether the company uses shorter, more targeted training sessions and mechanisms for employees to ask questions after training.
• Third parties: Whether the company monitors third parties throughout the relationship versus only at onboarding, and whether it publicizes the company's hotline to third parties.
• Post-acquisition integration: Whether the company executes timely and orderly post-acquisition integration of newly acquired entities into the company's existing compliance program and conducts post-acquisition audits of newly acquired entities.

These updates underscore the importance of continuous risk assessment as a major component of a corporate compliance program and of continuous improvement of the program as a whole. While the DOJ's updated guidance sets forth increased considerations relevant to the evaluation of a compliance program, this version—similar to past government guidance—leaves it to corporate management and boards of directors to make the decisions about the design and implementation of their own compliance programs. Companies may benefit from evaluating their existing compliance programs against this and other guidance and in light of best practices of companies with similar risk profiles.