Ron Cresswell, J.D., CFE, CIPP/US
ACFE Research Specialist
In April 2019, the U.S. Department of Justice (DOJ) issued new guidance designed to assist federal prosecutors in evaluating corporate compliance programs. In criminal cases, prosecutors will use the new guidance to determine whether a company’s compliance program was adequate and effective. This determination is important because companies can receive more lenient treatment if they had an effective compliance program in place at the time of the offense.
The new guidance is an 18-page document entitled “Evaluation of Corporate Compliance Programs,” and it updates previous DOJ guidance issued in February 2017. While it is not a significant departure from the 2017 version, the new guidance offers more detail and provides a clear framework for prosecutors to follow.
According to the new guidance, prosecutors should focus on three questions when evaluating the adequacy and effectiveness of a company’s compliance program.
1. Is the Compliance Program Well Designed?
The first question requires a determination of whether the compliance program is “adequately designed for maximum effectiveness.” To aid in making this judgment, the guidance lists the following six factors for prosecutors to consider:
Risk Assessment. A corporate compliance program must devote “appropriate scrutiny and resources” to the company’s particular “spectrum of risks.” Therefore, companies must conduct periodic risk assessments. There should be evidence that the company has identified and defined its “risk profile” (i.e., the types of misconduct most likely to occur) based on the company’s line of business and regulatory environment.
Policies and Procedures. The company should have a code of conduct and “policies and procedures that incorporate the culture of compliance into its day-to-day operations.”
Training and Communications. The compliance program must include “appropriately tailored training and communications” to ensure that policies and procedures are communicated to employees and integrated into the company. This includes periodic training for directors, officers and employees, as well as agents and business partners where appropriate.
Confidential Reporting Structure and Investigation Process. The compliance program must include a reporting mechanism that permits employees to “anonymously or confidentially” report misconduct without fear of retaliation. Prosecutors will also assess the company’s process for investigating and resolving such reports.
Third-Party Management. The compliance program “should apply risk-based due diligence to its third-party relationships” with agents, consultants and distributors.
Mergers and Acquisitions. Where relevant, the compliance program should require “comprehensive due diligence of any acquisition targets.”
2. Is the Compliance Program Being Implemented Effectively?
The next question is whether the compliance program is being implemented effectively. To answer this question, prosecutors are instructed to consider:
The level of commitment to the program by senior and middle management
Whether the program is structured to give appropriate autonomy and resources to those charged with the program’s day-to-day oversight
The existence of “incentives for compliance and disincentives for non-compliance,” including whether the company consistently enforces its disciplinary policy
3. Does the Compliance Program Work in Practice?
The final question is whether the compliance program worked effectively at the time of the offense. This involves a determination of “whether and how the misconduct was detected, what investigation resources were in place to investigate suspected misconduct, and the nature and thoroughness of the company’s remedial efforts.” The guidance also instructs prosecutors to determine whether the compliance program is working at the time of the charging decision (i.e., whether the program changed after the offense).
According to the guidance, the following factors indicate that the compliance program is working in practice:
The company engages in periodic testing and review of the program to ensure its continuous improvement.
The company appropriately investigates misconduct.
The company engages in analysis and remediation of any underlying misconduct.
The new guidance offers valuable insight into what the DOJ considers important in a corporate compliance program. Compliance professionals should read the guidance carefully and use it to evaluate and improve their own company’s compliance program.