The Criminal Division of the Department of Justice released a guidance document for white-collar prosecutors on the evaluation of corporate compliance programs. The Guidance describes specific factors that prosecutors should consider in evaluating the effectiveness of corporate compliance programs. The Guidance is a follow-up to a February 2017 Fraud Section guidance, and it broadens and provides greater clarity and specificity with respect to how the Criminal Division should evaluate a company’s compliance program.
The Guidance seeks to harmonize its recommendations with other DOJ guidance and standards while providing additional context to the multifactor analysis of a company’s compliance program.
The Guidance is built around three questions that the Criminal Division has frequently found relevant in evaluating a corporate compliance program.
- Is the program well-designed?
- Is the program effectively implemented?
- Does the compliance program actually work in practice?
Is the Program Well-Designed?
The Guidance recommends that a prosecutor evaluating whether a company has a well-designed compliance program consider whether it includes the following elements:
- Robust risk assessment and management process, with appropriately allocated resources
- Policies and procedures that are risk-based, comprehensive, accessible and understandable
- Training and communications that are tailored to audience size, sophistication and subject matter expertise; that include practical advice and real-life situations and scenarios; and that contain information about misconduct, investigations and related disciplinary actions
- A confidential reporting structure and robust investigations process, staffed by qualified individuals and documented in an appropriate manner
- Risk-based due diligence activities focused on ensuring that a company knows its third parties, has a robust business rationale for the third-party engagement and has implemented controls around the management of third-party relationships
- Due diligence activities for acquisition targets
Is the Program Effectively Implemented?
The Guidance further instructs prosecutors to evaluate a company’s culture of compliance, including whether (i) the compliance program is a “paper program” or one implemented in an effective manner; (ii) there is sufficient staff to audit, document, analyze and utilize the results of the corporation’s compliance efforts; and (iii) employees are adequately informed of the compliance program, by assessing the following:
- Demonstration of commitment to the compliance program by senior and middle management, including through conduct, messaging, shared commitment and oversight
- Ability of compliance personnel to act autonomously and with authority to make decisions about how the compliance program is structured, implemented and resourced
- Qualifications and experience of compliance personnel
- Adequacy of funding and resources
- Establishment of incentives and consistent disciplinary measures
Does the Compliance Program Actually Work in Practice?
The most difficult part of a prosecutor’s assessment is to determine whether a company’s compliance program was working at the time of the misconduct. To do that, prosecutors must evaluate a number of factors, including whether:
- The compliance program had the ability to evolve, improve and change to address evolving risk and business activities
- The audit plan focused on appropriate risks, control activities were appropriately tested and results were communicated to management and the board
- The company measured its culture of compliance and took steps in response to such measures
- Investigations were appropriately staffed and scoped, and remedial actions were taken to analyze root causes, system vulnerabilities and accountability