The Department of Justice’s Criminal Division began June 2020 by issuing revisions to its Evaluation of Corporate Compliance Programs guidance. First published in 2017, and later updated in April 2019, the guidance provides insight into how the Criminal Division assesses a company’s compliance program. Further, it allows companies to proactively implement and strengthen compliance programs to align closely with the DOJ’s considerations and focuses.
The substance and tenor of the guidance remains largely unchanged from its prior versions, but the revisions continue to reflect an ongoing commitment by the DOJ to provide transparency into its compliance program policies and priorities. For example:
- The revisions demonstrate the importance of a dynamic and evolving compliance program that emphasizes well-documented internal processes and continually incorporates lessons learned and solutions to issues as they are identified.
- While the prior version included language about individual determinations in each case, the update now specifies the factors the DOJ will consider in this determination.
- The revisions focus on the need to create a culture throughout all levels of the business, not just at the top.
Notwithstanding the many disruptions the coronavirus (COVID-19) pandemic has caused to businesses, it’s clear that legal compliance and corporate accountability remain a focus within the Criminal Division.
While the overall tone of the guidance remains the same, the update provides additional guidance in several key areas. The following are some notable revisions or additions to the April 2019 guidance:
- Individualized assessment – the DOJ articulated some of the specific factors it will consider in making each company’s individualized compliance program assessment, including the company’s size, industry, geographic footprint, and regulatory landscape.
- Resourced and empowered program – emphasis on ensuring a company’s compliance program is adequately resourced and empowered to effectively function.
- Access to data – emphasis on ensuring that compliance and control personnel have sufficient direct or indirect access to the relevant sources of data to ensure timely and effective monitoring and testing of the company’s compliance policies and controls.
- Lessons learned – emphasis on companies having a process for tracking and continually incorporating lessons learned from the company’s own prior issues or those of other companies operating in the same industry or region.
- Reporting and training – companies should ensure employees have a forum to ask questions during training and continue to test the company’s hotline and other resources.
- Culture of compliance – companies should demonstrate a commitment to compliance at all levels of the company, not just the top, and perform due diligence of third-party partners at onboarding and throughout the duration of the relationship.
Without significant change, the revisions continue to provide additional insight into the DOJ’s considerations for robust compliance programs. The DOJ’s decision to expressly require compliance functions to be adequately resourced is somewhat surprising, given the financial difficulties that many companies face during the coronavirus pandemic. And what is absent is any recognition of the current challenges that have come with the pandemic and companies’ inability to spend as much as they would otherwise want to on compliance functions while struggling to stay alive. However, the evolution of the guide over the past three years demonstrates the DOJ’s willingness to listen to the business community and provide more guidance based on feedback.
As the pandemic continues, we would hope that the DOJ will provide additional guidance that further expands on how compliance should or could change based on the crisis. Nevertheless, what is clear is that the DOJ remains focused on requiring companies to “show their work” and to be able to document compliance efforts through data. The DOJ’s decision to update this guidance now emphasizes that companies should continue to prioritize compliance programs even while dealing with the ramifications of the global pandemic.