The U.S. Department of Justice (DOJ) released a revised version of its “Evaluation of Corporate Compliance Programs” guidance on June 1. While DOJ did not make any major changes to the guidance, it indicated that “the changes that were made reflect additions based on our own experience and important feedback from the business and compliance communities.” A subtle and important shift in the revised June 2020 guidance signals that DOJ is taking a hard look at whether corporations are merely taking a “snap shot” of compliance risk and then relying on outdated, static compliance responses or are developing and implementing an iterative compliance program that is constantly reassessing risks and actively adjusting compliance processes to mitigate the risks it finds.
Based on the June 2020 guidance, DOJ will focus on:
- Why a compliance program was originally structured as it was, and why and how it has evolved over time to address evolving risk environments.
- How companies manage and address risks associated with third-party relationships throughout the entire relationship and not just during the onboarding process.
- Whether the compliance program is adequately resourced and empowered to function effectively, with the support of both senior and middle management.
The June 2020 Revisions
The shift is driven by the guidance’s change to the second of three questions federal prosecutors ask themselves when evaluating a compliance program, from “Is the program being implemented effectively?” to “Is the program adequately resourced and empowered to function effectively?” This stronger, more specific language signals that corporate compliance programs must be not only robust and well-funded but also respected and integrated into the business such that compliance programs are truly empowered to mitigate risk.
This shift is evidenced by small revisions throughout the various sections, which taken together indicate that DOJ is becoming a more sophisticated evaluator of corporate compliance programs and increasingly critical of whether corporate entities are “meeting the bare compliance minimum” or are fully committed to making compliance as well-funded and integrated as all other business functions. For example, the only entirely new section in the June 2020 guidance asks whether compliance personnel have direct access to the data needed to allow for compliance monitoring and, if there are impediments to directly accessing that data, what the company is doing to address the impediments.
The June 2020 guidance also made small but significant tweaks to the section on compliance training, emphasizing the need to gather feedback on the effectiveness of training, including whether employees are able to ask questions in compliance trainings and whether the company has a process for employees who “fail” compliance training.
With regard to third-party risk, the June 2020 guidance now specifically looks at whether third-party risk management is limited to onboarding or whether it is done “throughout the lifespan of the relationship.”
Other small revisions to the June 2020 guidance all suggest that DOJ is training its gaze on a corporation’s commitment to continually monitoring and strengthening its compliance processes. While not necessarily a significant change to prior versions, the June 2020 guidance leaves little doubt that DOJ expects companies to constantly monitor compliance risk and the effectiveness of corporate compliance programs in addressing this risk, and to take steps to actively adjust the corporate compliance response to account for the information gathered by compliance personnel, including updating corporate risk assessments, revising corporate compliance policies and tailoring compliance measures to the updated risk.