06.09.2020

|

Updates

The U.S. Department of Justice on June 1, 2020, released another update to its “Evaluation of Corporate Compliance Programs” (the 2020 Update). This update revises guidance that the DOJ initially published in February 2017 and first updated in April 2019.

Key Changes in the 2020 Guidance  

Unlike the 2019 update, which significantly modified and added detail to the 2017 publication, the 2020 Update largely tracks the format and most of the substance of its immediate predecessor. While the changes in the 2020 Update are not as pronounced, the additional direction offers practitioners further insight on how the DOJ evaluates compliance programs by refining key terms and providing more context. These changes include:

Resources Become a Focus: Like the 2019 update, the 2020 Update lists three main questions that a prosecutor should ask when evaluating a corporation’s compliance program. Those questions are:

    1. Is the corporation’s compliance program well designed?
    2. Is the program being applied earnestly and in good faith? In other words, is the program adequately resourced and empowered to function effectively?
    3. Does the corporation’s compliance program work in practice?

The questions are nearly identical to the 2019 version, with one notable exception in the second question. Instead of asking if the compliance program is “adequately resourced and empowered to function effectively,” the prior version in 2019 instructed prosecutors to only focus on whether the program was “implemented effectively.” Thus, the 2020 Update emphasizes the importance of corporations providing proper resources to the compliance function, instead of just focusing on compliance being operative.

Compliance Improvements Noted: The 2020 Update adds that a prosecutor may evaluate a corporation’s compliance program “both at the time of the offense and at the time of the charging decision and resolution.” Accordingly, a corporation may get credit for implementing compliance measures that address changing risk factors even after the original compliance gap or prohibited conduct is discovered. This gives corporations additional opportunities to improve their policies, controls, training, and other components of their compliance program, and use such improvements or remedial measures as mitigation with the DOJ.

Risk Assessments Gain Importance: Aligned with the 2019 update’s focus on encouraging tailored risk assessments, the 2020 Update directs prosecutors to also review whether the corporation has a “process for tracking and incorporating into its periodic risk assessment lessons learned either from the company’s own prior issues or from those of other companies operating in the same industry and/or geographical region.” As a result, a corporation that successfully changes/updates its compliance program after reviewing or becoming aware of issues—be it internal to its organization or one that its peers faced—may be treated more favorably by the DOJ than a corporation that does not respond to the changing landscape.

Data Resources and Access Emphasized: In the section on evaluating a compliance program’s autonomy and resources, the 2020 Update adds a factor directing prosecutors to consider whether “compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions.” Staying in line with the update’s focus on resources for compliance programs, the DOJ wants a corporation to ensure that its risk functions are receiving information that could assist them in monitoring the corporation’s behavior.

Hotline and Reporting Highlighted: The 2020 Update also provides some additional direction on a corporation’s reporting hotline. Specifically, the DOJ wants prosecutors to also consider: (1) how the reporting mechanism is publicized to the corporation’s employees and other third parties; (2) whether the corporation takes measures to test whether employees are aware of the hotline and feel comfortable using it; and (3) whether the corporation periodically tests the effectiveness of the hotline, for example, by tracking a report from start to finish. By delineating these considerations, the DOJ is signaling not only that a corporation needs to have a hotline, but also that the corporation needs to provide the resources and attention to make sure that the hotline works effectively. Accordingly, simply having a functioning hotline seems like it will no longer be sufficient to gain favor with the DOJ.

Practice Tips

In addition to the changes noted above, there are several other instances where the 2020 Update clarifies what the DOJ considers best practices. The fact that the DOJ updated its guidance on corporate compliance programs only a year after its major 2019 overhaul of the 2017 publication indicates the agency’s interest in the subject. Armed with this newly refined direction, prosecutors have authority to reference official guidance when evaluating a corporation’s risk functions, and companies would do well to take note.

The first thing that companies should do when evaluating their own compliance programs is ensuring that the programs have adequate resources—both in terms of funding and available information. Tailoring the corporation’s compliance program to the corporation’s unique risks remains a critical step. However, the DOJ has made clear that compliance should not be thought of as a static exercise. Instead, any program needs to be evaluated and refreshed when additional data becomes available ensuring that the compliance program is robust and flexible. And this ongoing improvement should not be put on hold if a significant compliance issue is discovered; the corporation can benefit by staying on course and use any improvements to lessen the impact of a government investigation and any ensuing penalties.

Dedicating time and resources to compliance on the front end is the best way for a corporation to avoid later headaches. After all, the incentives for reporting misconduct to the government are strong: in 2019, the DOJ paid out $265 million to individuals reporting False Claim Act violations and the Securities Exchange Commission awarded $387 million via its whistleblower program, with some tips leading to DOJ investigations. And the SEC just announced a $50 million award for a whistleblower—its largest ever. Whether a corporation’s compliance issues garner government interest through self-disclosure or some external source, the best shield would be an effective compliance program.

© 2020 Perkins Coie LLP


 

Sign up for the latest legal news and insights  >