The U.S. Department of Justice (DOJ) has updated its policy governing the evaluation of corporate compliance programs. The newly issued guidance provides helpful clarity on what factors federal prosecutors, going forward, will rely on when making charging decisions and assessing whether to give a corporation credit for the quality and effectiveness of its compliance program.
Specifically, the updated policy enumerates four factors prosecutors conducting criminal investigations should take into account in making an individualized assessment of the overall effectiveness of a company’s compliance program: (1) the size of the company; (2) the industry; (3) the company’s geographic footprint; and (4) the regulatory landscape. The policy does not elaborate on how these factors should be taken into account, but presumably, the larger the company, the more expansive its geographic footprint, and the more complex and highly regulated the industry, the more robust prosecutors will expect its compliance program to be.
The revised DOJ policy instructs prosecutors to ask three fundamental questions in evaluating the effectiveness of a corporation’s compliance program:
-
Is the corporation’s compliance program well designed?
-
Is the program being applied earnestly and in good faith?
-
Does the corporation’s compliance program work in practice?
Most significantly, the updated policy has substantially modified how the second question is evaluated. In assessing whether a company’s policy was being applied earnestly and in good faith, the previous version of the policy instructed prosecutors to evaluate whether the program was “being implemented effectively.” That language has now been scrapped and in its place the policy instructs prosecutors to evaluate whether a company’s program is “adequately resourced and empowered to function effectively.” This clarified language has the benefit of being more specific. Most importantly, the amended language gives a company greater latitude to show that this factor is satisfied even where the program failed to prevent a significant violation of company policy. Indeed, the policy now specifically makes clear that where appropriate resources have been devoted to compliance in high risk areas, prosecutors may credit the quality and effectiveness of that program even if the program fails to prevent an infraction in that area.
In evaluating whether a company’s policy is adequately resourced, the updated policy focuses on two key factors. It asks (1) whether the company invests in ongoing training and development of compliance and control personnel, and (2) whether these personnel have sufficient access to relevant data sources to effectively monitor compliance, ongoing investigations, and the resulting discipline to ensure consistent enforcement of the company’s program.
The policy also sets out several specific metrics for evaluating the first question—how well designed a corporation’s compliance program is. The clarified policy instructs prosecutors to evaluate whether a company’s program was specifically designed to target high risk areas. Prosecutors are further instructed to assess whether the company continuously updates its program based on new information it receives about its greatest compliance risks, lessons learned from breaches of its own policies, and lessons learned from other companies in the industry. Under the updated policy, companies are expected to be able to explain “why and how the company’s compliance program has evolved over time.”
Other new metrics in assessing the design of a company’s compliance program focus on personnel training and the robustness and availability of reporting mechanisms. Specifically, the updated policy focuses on whether a company’s training program gives employees the opportunity to ask questions arising out of trainings. Further, the policy focuses on how accessible a company’s reporting mechanisms are, how aware employees are of these mechanisms, and whether the company takes steps to regularly assess how accessible and well known its reporting mechanisms are to company personnel.
Notably, the updated policy clarifies that prosecutors may evaluate the company’s performance on these questions “both at the time of the offense and at the time of the charging decision and resolution[.]” That update is particularly significant, because it signifies the DOJ may give meaningful credit to companies even in the event of an infraction if they make timely efforts, in the wake of an infraction, to update and reinforce their compliance program to prevent a similar incident from happening.
In sum, these changes underscore the paramount importance for companies, large and small, not only to implement a robust compliance program early, but also to make regular efforts to update the program as new information becomes available, to leverage available data, and to reinforce company policies in the wake of breaches to strengthen their effectiveness.