In April 2019, the Department of Justice’s Criminal Division updated its guidance on how it assesses corporate compliance programs. This update revises guidance the DOJ first developed in 2017. The most notable change is that the prior guidance only applied to the Criminal Division’s Fraud Section, whereas the new guidance applies to the entire division.
Like its predecessor, the revised guidance provides a window into how federal prosecutors measure a company’s compliance operations in cases of corporate misconduct. The guidance provides a structure for shaping and strengthening corporate compliance policies and an outline for communicating with the DOJ’s Criminal Division.
In a speech, Assistant Attorney General Brian Benczkowski, the head of the DOJ’s Criminal Division, explained that the revised guidance was intended to “better harmonize” its predecessor with other DOJ guidance documents and legal standards. According to Benczkowski, the “importance of corporate compliance cannot be overstated” and helps prosecutors determine whether to charge the company, potential criminal fines, and the necessity of a corporate monitor. Touching on a recurring theme since the 2015 Yates Memo, Benczkowski also noted that an effective compliance program “promotes more effective enforcement against individual wrongdoers.”
The revised guidance includes the same 11 topics from its predecessor that outline the DOJ’s corporate compliance expectations. Each topic includes several questions that prosecutors can use to evaluate compliance programs. But the revision adds a twelfth topic,1 reshuffles some of the questions into different topics, and reorganizes each topic into broad categories to help answer three overarching questions:
- “Is the corporation’s compliance program well designed?”
- “Is the program being applied earnestly and in good faith? In other words, is the program being implemented effectively?”
- “Does the corporation’s compliance program work in practice?”
Other than the fact that the guidance now applies to the entire Criminal Division, the most notable change is the addition of the new topic, “Investigation of Misconduct.” This new topic helps prosecutors query whether companies employ the right people to conduct properly scoped investigations and respond appropriately to any identified vulnerabilities.
The remaining topics have been rewritten and reorganized but are substantively similar to their 2017 predecessors. Key revisions to existing topics include the addition of new questions to help prosecutors evaluate whether:
- A company’s risk assessment is periodically updated and is “risk-tailored” to focus on “high-risk areas, such as questionable payments to third-party consultants, suspicious trading activity, or excessive discounts to resellers and distributors.”
- A company’s confidential reporting structure and investigation process is adequately funded and that the company is using past findings to identify “patterns of misconduct or other red flags for compliance weaknesses.”
- The compliance department is an independent unit within the company and has a dedicated chief compliance officer.
- The company takes proactive steps to foster a culture of compliance at all levels of the organization.
Like its predecessor, the revised guidance stresses that companies must do more than react to potential transgressions. Rather, the DOJ expects companies to broadly investigate and fix any identified issues with a stout compliance program. In deciding whether to proceed, prosecutors will carefully evaluate the methodology the company uses to identify and respond to the compliance risks it faces. But the revised guidance continues to acknowledge that companies face different “risk profile[s]” and that each compliance program therefore “warrant[s] particularized evaluation.”
The revised guidance—which now applies to the entire Criminal Division—further confirms that companies must exhibit meaningful compliance programs that are followed and enforced to limit corporate exposure. The topics addressed are a helpful roadmap for companies looking to bring their business practices into compliance with the expectations of the DOJ. Companies would be well-served to use the guidance as an opportunity to reevaluate their compliance programs and ensure that they are effective in detecting, preventing, and responding to potential misconduct.
1 These are: (1) Risk Assessment; (2) Policies and Procedures; (3) Training and Communications; (4) Confidential Reporting Structure and Investigation Process; (5) Third Party Management; (6) Mergers and Acquisitions; (7) Commitment by Senior and Middle Management; (8) Autonomy and Resources; (9) Incentives and Disciplinary Measures; (10) Continuous Improvement, Periodic Testing, and Review; (11) Investigation of Misconduct; and (12) Analysis and Remediation of Any Underlying Misconduct.