The US Department of Justice (DOJ) Fraud Section has published new guidance for corporate entities on corporate compliance programs. The guidance, titled, “Evaluation of Corporate Compliance Programs” (Compliance Program Evaluation) provides companies – and their compliance teams – with key insights into how government regulators will assess efforts taken to develop, implement and evaluate the program. The Compliance Program Evaluation provides the first DOJ guidance issued under Attorney General Jeff Sessions and the new administration and should signal that DOJ will continue to adhere to the principles set forth in the United States Attorney’s Manual and other publications in its assessment of corporate compliance programs.
The Compliance Program Evaluation begins by noting that it is nothing new. Rather, the DOJ urges that it be understood in the familiar context of the United States Sentencing Guidelines and the U.S. Attorney’s Manual requirements for evaluating whether to charge business organizations. In addition, the Compliance Program Evaluation invokes the Resource Guide to the Foreign Corrupt Practices Act, jointly published by the Securities and Exchange Commission and the DOJ, published corporate resolutions and other compliance guidance. However, the Fraud Section, with its own compliance consultant in place hired to assist the Section in program evaluation, has now provided helpful and comprehensive direction to companies.
The Compliance Program Evaluation recognizes that an assessment of the effectiveness of a compliance program is an “individualized determination.” However, in the view of the Fraud Section, there are topics and questions its prosecutors “frequently found relevant” in their review of compliance programs. The questions have been divided into the following 11 sections:
- Analysis and Remediation of Underlying Conduct
- Senior and Middle Management
- Autonomy of Resources
- Policies and Procedures
- Risk Assessment
- Training and Communications
- Confidential Reporting and Investigation
- Incentives and Disciplinary Measures
- Continuous Improvement; Periodic Testing and Review
- Third-Party Management
- Mergers and Acquisitions
These topical sections make clear the DOJ, in its assessment of a compliance program, will examine the effectiveness of a program through a process that covers all aspects of the program’s operations and functions. These include the tone set by management, the commitment of a board and managers, and the resources provided to those with responsibility for the program. How can the Compliance Program Evaluation be applied, in substance, to developing and sustaining a program that is effective in light of the industry, risk profile and needs of the company? Here are three key points.
It Begins At the Top
Government regulators continually have made it clear that effective compliance programs begin with a commitment from company leadership that it is clear and apparent through affirmative actions of the CEO, the board and company leaders. Senior managers are expected to inspire a strong ethical culture that permeates through the entire organization. This can be accomplished by proactive audits, corrective action, remediation where there are red flags, or direct examinations of questionable conduct, for example. The Compliance Program Evaluation refers to the relevant Sentencing Guidelines chapter, which enumerates carrots and sticks that senior leaders should employ to ensure all employees are acting lawfully.
Risk and Resources
Risk assessments are critical. One potential question that could be posed by the DOJ will be”[w]hat methodology has the company used to identify, analyze and address the particular risks it faced?” This question highlights that regulators will review the operations of a company’s compliance function to determine whether the company properly evaluated its risks in all segments of the business. And, after such an assessment, the Compliance Program Evaluation evaluates whether the company appropriately adopted policies, practices and procedures to manage the identified risks.
Train, Test and Improve
Once a compliance program is implemented and the compliance personnel are in place is not the time for a company to turn its attention away from the importance of the compliance function. As set forth in the Resource Guide, “DOJ and SEC evaluate whether companies regularly review and improve their compliance programs and not allow them to become stale.” Regular review, updates and training requires use of internal and sometimes external resources to test, examine and reevaluate whether the program effectively helps a company manage its risks.
The Evaluation of Corporate Compliance Programs presents a useful tool for compliance professionals as they work to assess and put in place the resources necessary to manage a credible program that may one day face government scrutiny. It also provides an important tool for discussions with and among those who have a fiduciary obligation to monitor the corporate governance functions of a company.