�鶹��Ƶ

On June 1, 2020, the U.S. Department of Justice, Criminal Division released an update to its guidance on the Evaluation of �鶹��Ƶ Compliance Programs (“2020 Guidance”),[1] which is intended to assist prosecutors in making informed decisions about whether a company’s compliance program was effective at the time of the offense and whether it is effective at the time prosecutors are make charging decisions. The release updates the guidance released by the Criminal Division in April 2019 (“2019 Guidance”),[2] which was based on prior guidance first released by the DOJ Fraud Section in February 2017 (“2017 Guidance”).[3] In a statement announcing the 2020 Guidance, Assistant Attorney General Brian Benczkowski noted that it “reflects additions based on [the DOJ’s] experience and important feedback from the business and compliance communities.”[4] Although the guidance is directed at prosecutors, its importance is far more wide-ranging because companies, insurers, lenders, accountants, lawyers, and others often use the guidance as a resource to measure the effectiveness of corporate compliance programs in other settings.

The 2020 Guidance emphasizes the importance of using data and technology to support compliance efforts, including assisting with continuous updating of a compliance program and assessing “the adequacy and effectiveness of the corporation’s compliance program at the time of the offense, as well as at the time of a charging decision and resolution” rather than examining a “snapshot” in time.[5] The 2020 Guidance clarifies that third-party risk management includes monitoring throughout the life of the relationship between companies and third parties. Finally, the 2020 Guidance conveys a recognition by the DOJ that due diligence may not always be possible in advance of mergers or acquisitions and, therefore, emphasizes the importance of post-acquisition due diligence as well.

Background

The Fraud Section’s 2017 Guidance was the first DOJ guidance for the evaluation of corporate compliance programs.[6] The 2017 Guidance set forth a list of 119 “common questions that the Fraud Section may ask in making an individualized determination” regarding the effectiveness of corporate compliance programs. In April 2019, the DOJ Criminal Division updated the 2017 Guidance by releasing the 2019 Guidance and making it applicable to all corporate criminal matters in order to “harmonize the prior Fraud Section publication with other DOJ guidance and legal standards” and to “provide additional transparency on how [the DOJ] will analyze a company’s compliance program.”[7] In the 2019 Guidance, the DOJ emphasized that it does not use a rigid formula to assess the effectiveness of corporate compliance programs. The 2020 Guidance underscores that principle, and reflects the DOJ’s efforts to fine tune its approach as it gains greater experience assessing corporate compliance programs and receives further input from the corporate, compliance, and legal communities. In addition, it advances the DOJ’s approach by addressing the important roles of data and technology in modern compliance programs.

The 2020 Guidance

Like the prior guidance, rather than providing a list of standards to meet, the 2020 Guidance is formulated as a set of questions to be asked when evaluating the effectiveness of a compliance program without providing rigid answers. This approach indicates a recognition that compliance programs must be evaluated in context.[8] The 2020 Guidance preserves the list-of-questions format and the vast majority of the substance of the 2019 Guidance. It largely preserves the three fundamental questions intended to implement principles from the U.S. Sentencing Guidelines and the DOJ’s Justice Manual—(i) whether a corporation’s compliance program is well designed; (ii) whether the program is being applied earnestly and in good faith; and (iii) whether the program works in practice.[9] The new guidance, however, sharpens the focus of the second question by clarifying that it is intended to include whether a program is “adequately resourced and empowered to function effectively.”[10] Other key revisions to the guidance are as follows:

Continuous Improvement and Use of Data and Technology: Several updates included in the 2020 Guidance underscore the importance of continued and sustained improvement for a compliance program to be effective. The 2020 Guidance adds several questions aimed at a company’s ability to learn from its own experience through, among other things, the use of data and technology. This theme runs throughout the guidance and shows the importance the DOJ puts on effective use of data and technology in everything from updating policies to effective training. For example, the 2020 Guidance asks whether a company’s periodic review is limited to a “snapshot” in time or whether it is based on continuous access to operational data across functions.[11] The guidance also focuses on the importance of incorporating “lessons learned” by asking whether a company employs a “process for tracking and incorporating into its periodic risk assessment” the lessons it has learned both internally and from other similarly situated companies.[12] The 2020 Guidance asks questions about a company’s process for updating existing policies and procedures, as well as whether compliance and control personnel have sufficient access to data to allow for effective monitoring and testing of policies.[13] In addition, the 2020 Guidance focuses on accessibility, including looking at the manner in which compliance requirements are disseminated to employees. It asks, for example, whether a company has the ability to track access to specific policies and procedures to understand which are attracting the most attention from relevant employees.[14] This addition suggests practical steps for companies to consider. In the context of training, the 2020 Guidance asks whether procedures have been published in a “searchable format for easy reference,” whether there are processes—online or in-person—by which employees can ask questions arising out of trainings, and whether the company has evaluated the extent to which training has had an impact on employee behavior or operations.[15] The 2020 Guidance further highlights the need to continuously monitor and improve reporting mechanisms, asking whether a company “periodically test[s] the effectiveness of [its] hotline, for example by tracking a report from start to finish.”[16]

Third-Party Management: Although the 2019 Guidance asked several questions about third-party risk and the steps companies take to conduct due diligence on third parties, the 2020 Guidance emphasizes a company’s third-party management practices, not just its third-party due diligence practices. The guidance asks whether a company engages in risk management of a third-party throughout the lifespan of the relationship or primarily during the onboarding process.[17] Like other updates, this shows that the DOJ is asking practical questions about whether a compliance program just “checks the box” (e.g., performing third-party due diligence only at the outset of an engagement) or truly focuses on dynamic, practical risk-management (e.g., managing third parties effectively throughout the life of the engagement).

Merger and Acquisition Due Diligence and Compliance Integration: The DOJ has made clear through its prior guidance that a well-designed compliance program should include comprehensive due diligence of acquisition targets. The 2020 Guidance takes two important strides forward, however: (1) It acknowledges the reality that, in some cases, for legitimate reasons pre-acquisition due diligence may not be possible; and (2) it makes clear that a compliance program must also include “a process for timely and orderly integration of the acquired entity into existing compliance program structures and internal controls.”[18] Taking these two concepts together, the 2020 Guidance emphasizes that where pre-acquisition due diligence cannot be practically performed, post-acquisition compliance due diligence and audits should be an important part of an acquirer’s integration plan.[19]

The Rationale Behind a Company’s Compliance Program Structure: The 2020 Guidance asks several “why” questions, which encourage not only asking how a company structures its compliance program but also examining the rationale behind those decisions. The guidance includes an overarching instruction to “endeavor to understand why the company has chosen to set up the compliance program the way it has, and why and how the company’s compliance program has evolved over time.”[20] Specific questions explore the reasons behind a company’s structural choices, such as the department in which the compliance function is housed, to whom the compliance function reports, and the responsibilities of compliance personnel.

Practical Takeaways

Although the new guidance is directed to prosecutors evaluating charging and settlement decisions, such policy announcements from the DOJ have come to be used by boards of directors and audit committees, general counsel, and compliance officers as a key tool for measuring the effectiveness of a company’s compliance program. The DOJ’s questions also find their way into compliance due diligence questionnaires and due diligence in corporate mergers and acquisitions and joint venture activities.

The questions added by the DOJ in the 2020 Guidance reflect the DOJ’s maturing and nuanced understanding of corporate compliance programs, based on feedback it has received over the years from the business, legal, and compliance communities. The new guidance acknowledges that compliance programs must adapt to changing circumstances through the use of data and technology. It recognizes that compliance programs should be designed and implemented for the maturity, size, industry, geography, and other risk factors of a company. It also highlights, among other things, the importance and effectiveness of companies critically evaluating their compliance programs, providing for and responding to the feedback of their employees, and using the lessons they have learned to create and sustain dynamic compliance programs. Fundamentally, the 2020 Guidance encourages companies not take a “cookie-cutter approach” in designing a compliance program, but rather to consider the company’s specific risks and circumstances and the reasons for a company’s structural choices, resource allocation, and enhancements. It may be wise, for example, for companies to properly document in real-time its rationale for taking action to enhance, improve, change, or alter resources for their compliance programs in order to evidence their reasoning at a later date.

                                                                                                            *       *       *

[1] �������� U.S. Dep’t of Just., Criminal Division, Evaluation of �鶹��Ƶ Compliance Programs at 1 (June 1, 2020) [hereinafter “2020 Guidance”], available .

[2] �������� U.S. Dep’t of Just., Criminal Division, Evaluation of �鶹��Ƶ Compliance Programs at 1 (Apr. 30, 2019).

[3] �������� U.S. Dep’t of Just., Criminal Division, Fraud Section, Evaluation of �鶹��Ƶ Compliance Programs (Feb. 8, 2017).

[4] �������� Dylan Tokar, Justice Department Adds New Detail to Compliance Evaluation Guidance, Wall Street J. (June 1, 2020), available .

[5] �������� 2020 Guidance, at 14.

[6] �������� �������Client Memorandum, Paul, Weiss, Rifkind, Wharton & Garrison LLP, DOJ Releases Guidance for Evaluating �鶹��Ƶ Compliance Programs (Mar. 20, 2017), ��������������������here.

[7] �������� �������Client Memorandum, Paul, Weiss, Rifkind, Wharton & Garrison LLP, DOJ Updated Guidance for Evaluating �鶹��Ƶ Compliance Programs Focuses on Effectiveness (May 6, 2019), ��������������������here.

[8] �������� See 2020 Guidance, at 1.

[9] �������� U.S. Dep’t of Just., Justice Manual, 9-28.000 Principles of Federal Prosecution of Business Organizations, available .

[10] ������ 2020 Guidance, at 2.

[11] ������ Id. at 3.

[12] ������ Id. at 4.

[13] ������ Id.

[14] ������ Id.

[15] ������ Id.

[16] ������ Id. at 7.

[17] ������ Id. at 8.

[18] ������ Id.

[19] ������ Id. at 9.

[20] ������ Id. at 2.