In a notable but quiet development, the Department of Justice's Fraud Section recently issued additional information about how DOJ prosecutors evaluate a business's compliance program "in conducting an investigation …, determining whether to bring charges, and negotiating plea or other agreements." Released without any fanfare or even a press release, the "Evaluation of Corporate Compliance Programs" publication provides valuable insights into how DOJ is thinking about compliance programs, suggests a number of "best practices" and provides a useful primer on how to talk about compliance issues with DOJ and other regulators.
The Guidance, issued on February 8, 2017, is broadly consistent with previous insights issued by DOJ as well as the Securities and Exchange Commission (including in A Resource Guide to the U.S. Foreign Corrupt Practices Act) and by other sources (including the United States Sentencing Guidelines). As such, it provides another opportunity for companies to take note of clear warning from DOJ as to what it expects in the way of compliance programs and cultures―and to act upon those warnings. In DLA Piper's 2016 Compliance & Risk Report―based on a survey of more than 75 General Counsels, Chief Compliance Officers and other compliance professionals and senior in-house counsels from top public and private corporations around the country ―79 percent of the senior compliance and legal personnel that participated indicated that they had not made changes to their company’s compliance program in response to the Yates memorandum and the DOJ's hiring of Hui Chen as a dedicated compliance resource. (See DLA Piper's 2016 Compliance & Risk Report, Q3.)
While nothing in those particular DOJ moves necessarily required any such changes, this new Guidance, which reemphasizes the government’s commitment to scrutinize corporate compliance programs and provides significant detail as to their expectations circa 2017, should be taken as a strong reminder that the US government expects companies to undertake continuous improvement efforts to enhance their compliance programs. Prudent companies should take heed and review their programs accordingly.
The publication provides a consolidated list of sample topics and questions used by prosecutors in evaluating compliance programs. Given its detail, length, and breadth, the list will serve as a useful tool for attorneys involved in internal investigations and corporate compliance. Although the Guidance cautions that it provides "neither a checklist nor a formula," compliance professionals would be well served to utilize it as a sort of a template in assessing, designing and enhancing compliance functions, and as a useful roadmap to assist in any presentations to regulators.
The sample questions are broken out into 11 topics, such as "Analysis and Remediation of Underlying Misconduct," "Autonomy and Resources," "Training and Communications," and "Continuous Improvement, Periodic Testing, and Review." Within each of the 11 topics are sub-topics with multiple questions under each. Taken together, the eight-page, single-spaced document covers the waterfront of compliance elements that DOJ has discussed in the past and provides helpful focus on potentially problematic areas. A number of familiar but crucial common themes appear throughout the different topics and questions, including:
- Effective compliance programs start at the top. Senior managers need to encourage compliance through their words and actions. The Guidance focuses on "concrete actions" taken by senior leaders and asks about "specific actions" taken by senior management and other stakeholders (e.g., Procurement, HR, et cetera) to demonstrate the importance of a compliance culture.
- Companies must devote appropriate resources to their compliance programs. The rank, compensation, and qualifications of a company's compliance team, as well as financial resources devoted to compliance, are all indications of a company's commitment to compliance. In contrast, in our 2016 Compliance program survey, 27 percent of the respondents indicated that their budget was not sufficient to accomplish the goals necessary for an adequate compliance program. (See DLA Piper’s 2016 Compliance & Risk Report, Q12.)
- Compliance must be independent and have access to key decision makers. Factors prosecutors will look to include regularity of board access, reporting lines, and access to information and resources.
- Compliance measures should be integrated into a company's business. Companies should identify gatekeepers, such as people who issue or approve payments and ensure they are adequately trained and incentivized in a way that encourages compliance. Compliance should confirm that training is offered a manner that is effective for its intended audience and that it has had its intended effect―that employees understand the company’s policies and will be supported if they speak up.
- Companies must continuously improve their compliance program. Proactive assessments should be used to identify and address potential compliance issues. Companies must also modify their training, policies, and procedures to avoid repeating compliance violations.
The sample topics and questions revolve around a desire to determine whether a company's compliance program is superficial or engrained within the corporate culture. An active and effective program forestalls or mitigates compliance problems through training and monitoring, effectively investigates issues as they arise, consistently and appropriately punishes those involved in compliance violations, and continually improves its operation. The Guidance repeatedly stresses the importance of periodic stress-testing, "kicking the tires" on the program to be certain that the written policies and procedures are being understood and implemented in the field. This is easier said than done. Sixty-six percent of our 2016 Compliance program survey respondents identified monitoring as the weakest element of their compliance program. (See DLA Piper's 2016 Compliance & Risk Report, Q29.) The Guidance also highlights the importance of documenting instances where controls and procedures had an actual impact and where "specific transactions or deals that were stopped, modified, or more closely examined as a result of compliance concerns."
Importantly, the Guidance stresses that the sample topics and questions are not exclusive or exhaustive. In each instance, the government will conduct an individualized assessment of a company's compliance program against the background of the individual company's risk profile and history. Nonetheless, the Guidance provides additional and important insights of broad applicability and it is a must-read communication.