Department of Justice Emphasizes Importance of Modern, Effective Compliance Programs in Revised Guidance to Companies
On June 1, 2020, the Criminal Division of the U.S. Department of Justice (“DOJ”) released revised guidelines for prosecutors to evaluate corporate compliance programs in charging and plea decisions (the “Revised Guidelines”). See U.S. Department of Justice, Criminal Division, Evaluation of Corporate Compliance Programs (updated June 2020), available at https://www.justice.gov/criminal-fraud/page/file/937501/download. The Revised Guidelines assume even more importance in light of DOJ Acting Criminal Division Chief Brian Rabbitt’s recent remarks that DOJ intends to move forward with key FCPA prosecutions and resolutions in 2020 despite the pandemic. Though it may be challenging, companies should ensure their compliance programs remain effective and responsive to the unique challenges of the current business environment.
The general purpose of the guidelines has not changed since they were first introduced in 2017—to assist prosecutors in evaluating a target company’s compliance program. Prosecutors use this information in their determination of: (1) the form of any resolution or prosecution for the company; (2) a monetary penalty, if any; and (3) any ongoing compliance obligations the company will be subject to after the resolution (e.g., a monitorship or ongoing reporting obligations).
The heart of the Revised Guidelines and the prosecutors’ analysis remains answering three core questions:
- 1. Is the company’s compliance program well designed?
- 2. Is the program being applied earnestly and in good faith? In other words, is the program adequately resourced and empowered to function effectively?
- 3. Does the company’s compliance program work in practice?
However, the Revised Guidelines demonstrate DOJ’s attempt to provide clarity to companies and the defense bar as to what it looks for in a corporate compliance program. Outgoing Head of the Criminal Division Brian Benczkowski previewed the thinking behind the revisions in his December 19 remarks at the American Conference Institute’s conference on the Foreign Corrupt Practices Act.
There, Mr. Benczkowski reassured companies who might be concerned that investing in effective compliance programs would create more problems than they solved by revealing misconduct that previously would have remained hidden. While quickly dispelling the notion that it would be beneficial for companies to specifically refrain from taking steps to identify misconduct in their midst, Mr. Benczkowski emphasized that DOJ had an interest in companies making “efficient” and “effective” investments in their compliance programs, and that DOJ should be incentivizing them to do so.
Mr. Benczkowski stated that the benchmark for an effective compliance program should be the design of the program, not how much money the company spent. Additionally, Mr. Benczkowski remarked that DOJ would conduct additional trainings for prosecutors to provide a “more sophisticated understanding of compliance program design” and “the challenges to effective implementation.” The latter point implicitly acknowledged the difficulty that companies can face in designing, implementing, monitoring, and revising a compliance program on the fly.
In short, Mr. Benczkowski addressed an issue that companies and the defense bar had raised for years—the perception that DOJ both (1) unreasonably discounted the significant work companies did in creating modern compliance programs by focusing solely on instances where the compliance program broke down, and (2) underestimated the difficulty of creating an effective compliance program and ignored the impossibility of preventing all misconduct. These concerns led many companies to conclude that further investment in compliance programs wasn’t warranted, as DOJ was not willing to take the company’s investment into account during charging and plea discussions.
In this way, the Revised Guidelines benefit companies, because they provide more guidance as to what DOJ will be looking for when it determines whether a company’s compliance program is adequate. The new guidelines place greater emphasis on whether the company’s compliance program is adequately resourced, and whether compliance professionals are given enough authority and resources within the company to perform their jobs effectively. This moves the discussion away from a whether the compliance program is 100% effective (which no compliance program can be), and towards whether the company takes compliance seriously. A company has significantly more flexibility to demonstrate the latter. By hiring good people and giving them the tools and authority to identify misconduct, the company can show it takes compliance seriously.
This shift in emphasis is apparent from changes in the Revised Guidelines. For instance, the title of Section II of the guidelines was previously, “Is the Corporation’s Compliance Program Being Implemented Effectively?” The new title is, “Is the Corporation’s Compliance Program Adequately Resourced and Empowered to Function Effectively?” If DOJ has more than a hunch that a company has done something wrong, it can argue that the company’s compliance program has already failed and is not being “implemented effectively.” By changing the conversation to whether the compliance program is “adequately resourced and empowered to function effectively,” DOJ is allowing the company to demonstrate that it has built a robust compliance program in spite of minor lapses.
Additionally, the Revised Guidelines direct prosecutors to consider softer indicia of a compliance program’s effectiveness. When considering whether the compliance program is adequately resourced, prosecutors should now ask, “Do compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions?” Such questions show that DOJ is willing to dig into the details of a company’s compliance program to truly understand how it works, and to credit companies that have taken the additional steps to build a functional and targeted compliance program.
A key feature of the Revised Guidelines is an emphasis on a compliance program that evolves over time, and learns from past mistakes. For example, when prosecutors consider the effectiveness of the company’s internal mechanisms for evaluating its own compliance programs (such self-evaluations are a critical part of any compliance program), they should now ask, “Is the [company’s] periodic review limited to a ‘snapshot’ in time or based upon continuous access to operational data and information across functions? Has the periodic review led to updates in policies, procedures, and controls?” Additionally, when evaluating whether the company’s compliance department is set up for success, prosecutors should now ask, “Does the company review and adapt its compliance program based upon lessons learned from its own misconduct and/or that of other companies facing similar risks?”
The Revised Guidelines also emphasize modernity, efficiency, and accessibility in a compliance program. In fact, they specifically note that some companies “have invested in shorter, more targeted training sessions to enable employees to timely identify and raise issues to appropriate compliance, internal audit, or other risk management functions.” Such specific references to “shorter” and “targeted” trainings indicate DOJ’s willingness to consider leaner compliance programs as effective. Other new directives instruct prosecutors to consider such things as whether the company is tracking which of its policies employees are actually looking at (see Revised Guidelines at 4), something that would not have been possible in the early days of compliance programs.
Finally, although somewhat unrelated to the other changes, the Revised Guidelines shift some emphasis from pre-deal due diligence to post-deal due diligence in the Mergers and Acquisitions (“M&A”) context. There are two possible explanations for this. First, there may have been criticism from practitioners that DOJ’s expectations for pre-deal due diligence were unrealistic. Second, DOJ may have been concerned that too many companies focused exclusively on pre-deal due diligence, while ignoring potential compliance risks after the deal was finalized. The new changes, such as directing prosecutors to consider the due diligence conducted during the “integration period” of an M&A deal, may address both concerns by incentivizing companies to shift some of the due diligence from the more intense pre-deal period to the less intense post-deal period.
Many of changes in the Revised Guidelines were also included in the second edition of the Resource Guide to the Foreign Corrupt Practices Act (“FCPA Resource Guide”), which DOJ and SEC issued on July 3, 2020. By including the changes in the FCPA Resource Guide, DOJ and SEC appear to be strengthening their commitment to the policies espoused in the Revised Guidelines and their application over the long term. (For more on the FCPA Resource Guide, see Quinn Emanuel’s client alert on its contents and implications for companies.)
In closing, the changes in the Revised Guidelines appear positive for companies and should reassure them that DOJ has been listening to feedback from industry and the defense bar. Specifically, DOJ appears to be open to companies demonstrating that a wide variety of compliance programs can be effective, and that leaner, more targeted compliance programs can replace larger, outdated ones. The changes show that DOJ understands that no compliance program will ever be 100% effective or fixed in time and the point DOJ is evaluating them, and that what DOJ is really looking to determine is whether the company is truly committed to building an effective compliance program, or just hiding behind one that looks good on paper.