Key takeaways:

• The U.S. Department of Justice has issued an updated version of its guidance to federal prosecutors on evaluating corporate compliance programs when making charging decisions.
• Although the revised guidance contains no radical changes, it incorporates additional valuable insights regarding compliance best practices and reflects regulators’ increasing expectations of corporate compliance programs.
• With this updated guidance, DOJ continues to raise the bar on what it expects from companies’ compliance programs. Particularly in the wake of COVID-19, this will prove a challenge for some companies, though ensuring that a compliance program is effective is even more essential amidst such unprecedented disruptions.

On June 1, 2020, the U.S. Department of Justice issued an updated version of its guidance to federal prosecutors on evaluating corporate compliance programs. DOJ relies on this guidance when making charging decisions involving companies, including how to resolve or prosecute matters, what penalties to seek, and what, if any, compliance obligations to impose, including potentially a monitor. While the updated Evaluation of Corporate Compliance Programs (the “2020 Guidance”) contains no radical changes, it incorporates additional valuable insights regarding compliance best practices and reflects regulators’ increasing expectations of corporate compliance programs.

The Fraud Section of DOJ’s Criminal Division issued the original Evaluation of Corporate Compliance Programs in February 2017. This guidance provided prosecutors with an extensive list of compliance-related questions to ask companies under investigation, but included limited overall context for assessing the quality of a corporate compliance program. In April 2019, DOJ issued a revised version of the guidance, organized around three core questions derived from the Justice Manual, namely whether a compliance program is: (1) “well designed”; (2) “being applied earnestly and in good faith”; and (3) “work[s] in practice.”

As we detailed at the time, DOJ’s 2019 revisions to the Evaluation of Corporate Compliance Programs introduced a more coherent organizational framework for prosecutors’ analysis and added important guidance in several areas. Within each of these three overarching questions, DOJ identified several sub-categories. For example, with respect to a program’s design, DOJ focused on risk assessment, development and review of policies and procedures, training and communication, confidential reporting structure and investigation process, third-party management, and handling of mergers and acquisitions.

The 2020 Guidance includes several noteworthy updates:

Further Consideration of Each Company’s Unique Circumstances. When it comes to compliance, one size definitely does not fit all. Continuing to move away from the antiquated model of a generic, “off-the-shelf” compliance program, the 2020 Guidance doubles down on the importance of risk assessments. It underscores the importance of prosecutors understanding each company’s unique circumstances and how they have influenced the development of its compliance program. For example, prosecutors “should endeavor to understand why the company has chosen to set up the compliance program the way that it has, and why and how the company’s compliance program has evolved over time.”

Sufficiency of Compliance Resources. The 2020 Guidance also places greater emphasis on the adequacy of compliance resources, which of course is essential for any program’s effective functioning. Regarding a compliance program’s application (the second key question above), DOJ elaborated that prosecutors should ask whether the program is “adequately resourced and empowered to function effectively.” Put differently, even the most artfully constructed program is doomed to fail without sufficient funding, qualified compliance personnel, and widespread support throughout all levels of an organization. In that regard, DOJ also now calls for considering specifically how compliance personnel are trained.

Critical Importance of Data. The 2020 Guidance reflects the increasingly sophisticated ways in which companies are leveraging data in designing, implementing, and operationalizing their compliance programs. The updated guidance advises prosecutors to assess whether compliance personnel have “sufficient direct or indirect access to relevant sources of [company] data” to conduct effective monitoring of compliance. Additionally, DOJ asks whether the enhancement and evolution of a company’s compliance program over time is “based upon continuous access to operational data and information across functions.” For many companies, this may pose a challenge.

Need for Periodic Review and Enhancement. To be effective, a compliance program must regularly be reviewed and enhanced, including to address adequately ever-changing risks. DOJ endorses such review and enhancement based not only on operational data, as noted above, but also “lessons learned” from a company’s experience and that of others operating in the same industry and geographies. Under the 2020 Guidance, prosecutors also will scrutinize whether a company’s periodic reviews actually have led to meaningful changes in its compliance program.

Monitoring of Third-Party Agents. DOJ again underscores the value of careful oversight of any third-party agents that act on a company’s behalf. The 2020 Guidance includes a question asking whether “the company engage[s] in risk management of third parties throughout the lifespan of the relationship, or primarily during the onboarding process.” This is an area in which many companies fall short, carefully vetting agents before retaining them but failing to monitor sufficiently such agents’ conduct during the course of the relationship, which may span many years.

Integration of Acquisitions. The updated guidance expressly recognizes that pre-transaction due diligence may be limited or constrained in certain circumstances. The 2020 Guidance expressly asks whether “the company [was] able to complete pre-acquisition due diligence and, if not, why not.” In addition to the factors already outlined in the previous edition of the guidance, DOJ now instructs prosecutors to consider whether the company has “a process for timely and orderly integration of the acquired entity into existing compliance program structures and internal controls” as well as for conducting post-acquisition audits.

Assessment of Program Then and Now. DOJ makes explicit the already-standard practice that prosecutors should consider a company’s compliance program “both at the time of the offense and at the time of the charging decision and resolution.”

With its latest update, DOJ continues to raise the bar on what it expects from companies’ compliance programs. For some companies, particularly in the wake of COVID-19, this will prove a challenge. As we discussed in a recent article, companies are confronting new compliance risks while also making difficult decisions about compliance priorities and the allocation of limited resources as they grapple with the effects of the global pandemic. If anything, ensuring that a compliance program is effective is even more essential amidst such unprecedented disruptions. As companies contend with these extraordinary challenges, they would be well advised to consider carefully the 2020 Guidance, which reflects numerous best practices and recent developments in the field. At the same time, regulators hopefully will recognize how companies practically must temper aspirations of compliance perfection in light of real-world constraints.