White Collar & Corporate Investigations Alert
June.15.2020
New guidance for prosecutors from the U.S. Department of Justice (“DOJ”), Criminal Division, highlights increasing expectations that companies continuously and in real-time reassess fraud and corruption risk and adjust their compliance programs in response. In particular, the revisions shift away from a “snapshot” or point-in-time risk assessment model to a data-driven model focusing on identifying issues and responding to risks. In other words, a program well designed five years ago may not work in practice for your business today.
This guidance frames how prosecutors will evaluate corporate compliance programs—and can be considered throughout an FCPA investigation as well as when the DOJ determines charges to bring and the appropriate form of resolution (such as the size of a monetary penalty and/or or compliance obligations to be imposed). Originally published in 2017, and significantly reframed and expanded in April 2019, the updated guidance is styled as a series of questions prosecutors may use to evaluate whether corporate compliance programs (1) are well designed, (2) are applied earnestly and in good faith, and (3) work in practice.
The updated guidance provides companies with a road map on how to best reshape their compliance and risk-based programs amidst the changing global environment. Self-evaluation is critical, as the guidance encourages prosecutors to consider how companies improve their programs to build on lessons learned over time.
Key changes to the guidance include:
Design: Prosecutors will consider whether a company engages in continuous, data-driven risk assessment to design a program tailored and responsive to the company’s own operational risks. For example, the revised guidance asks whether the company mines “operational data” to identify and anticipate areas of risk for the program to address. The guidance also asks whether the program has a process in place to track and incorporate “lessons learned” from its prior conduct and that of its competitors to improve the program over time. Id. at 3–4, 16.
The enhanced focus on real-time risk evaluation is particularly timely given the unique risks created by the COVID-19 pandemic and continuing global disruption and unrest. In recent remarks at a Virtual DOJ, SEC & FBI Town Hall, conducted May 20, 2020, leaders of the DOJ’s Criminal Division, and U.S. Securities and Exchange Commission’s Enforcement Division, indicated that companies should: (1) take the time during the slowdown stemming from the COVID-19 disruption to test their internal controls, reexamine their risk profiles, and update their compliance programs accordingly; and (2) document and be prepared to explain to regulators how new risks were considered in any decisions to change or adjust a program—including to reallocate resources.
Resources and Empowerment: The guidance now emphasizes that programs must be adequately resourced and compliance personnel should be empowered within the company. Rather than asking whether a program is “implemented effectively,” prosecutors should now ask themselves whether it is “adequately resourced and empowered to function effectively.” Beyond adequate funding, companies should invest resources to ensure compliance and control personnel (which can include, for example, finance gatekeepers) have access to relevant sources of data and are adequately trained. Additionally, a high-level commitment to fostering and implementing “a culture of ethics and compliance” is critical from the middle to the top of the company. Id. at 2, 9–13.
These changes further highlight the need for companies to be thoughtful when adjusting compliance resources like budget and staffing, and to document the risk-based justification for those changes during the COVID-19 pandemic.
Evaluation: Across nearly all elements of an effective program, the revisions make clear that the DOJ expects companies to mine available data to determine if the program is in fact operating as designed:
Policies and Procedures: Policies and procedures should be accessible to employees and searchable, and the guidance instructs prosecutors to consider how the company uses data related to policy use and accessibility to improve the program. Id. at 4.
Training: The guidance instructs prosecutors to consider how the Company uses data to evaluate the effectiveness of its training program, and how any improvements are implemented. Id. at 5–6.
Reporting Hotline: To the extent companies have hotlines in place for confidential reporting, the guidance asks prosecutors to consider whether the hotline is accessible to third parties, in addition to employees, and whether the company evaluates employee awareness of the hotline and periodically tests its effectiveness. Id. at 6–7.
Discipline: Prosecutors should consider whether the company evaluates its disciplinary action to ensure similar conduct is treated (or handled) consistently. Id. at 13.
Third Party Management: The revisions emphasize that companies should continue to manage third-party risk through the life of the third-party relationship, not only during onboarding. Id. at 8.
Timely Monitoring: Related to resourcing, the revisions add a new factor—“Data Resource and Access”—that specifically addresses whether compliance teams are sufficiently resourced to access and use data sources for timely and effective “monitoring and/or testing of policies, controls, and transactions.” Id. at 12.
Effective corporate compliance programs mitigate criminal, regulatory, and reputational risk—and potentially massive penalties—by preventing issues before they arise and/or by earning a company valuable credit with its regulators after such an issue is disclosed or discovered. More than that, a robust compliance program can improve the bottom line by reducing costly fraud, by increasing efficiencies, and by burnishing a company’s reputation in the market as one that prioritizes integrity, even in the most challenging of times.