On February 8, 2017, the United States Department of Justice (“DOJ”), Fraud Section, issued guidance on its evaluation of corporate compliance programs in the context of criminal investigations of corporate entities. By way of background, the United States Attorneys’ Manual outlines various principles federal prosecutors need to consider in deciding whether criminal charges against corporate entities should be pursued and how such charges should be resolved. These principles include “the existence and effectiveness of the corporation’s pre-existing compliance program” and the corporation’s remedial efforts “to implement an effective corporate compliance program or to improve an existing one.” United States Attorney’s Office, United States Attorneys’ Manual § 9-28.300 (1997).
The recent guidance from DOJ provides greater context for corporate entities that are the subjects or targets of criminal investigation and find their compliance policies under scrutiny. The DOJ’s guidance does not, however, lay out bright-line rules or affirmative instructions to corporate entities. Rather, it lists eleven high-level topics that DOJ has frequently found to be relevant in evaluating corporate compliance programs, as well as sample questions that DOJ may consider during its evaluation of such programs. DOJ Fraud Section, Evaluation of Corporate Compliance Programs
(2017) (the “Compliance Evaluation Guidance”).
The DOJ emphasized that its guidance was flexible and not a “rigid formula,” noting that certain topics and questions may not be relevant to certain entities or matters.
The Compliance Evaluation Guidance is organized into eleven high-level categories. The categories, along with a brief description, are set forth below:
- Analysis and Remediation of Underlying Misconduct;
- Senior and Middle Management – i.e., “tone from the top” including words and actions of senior management and board involvement;
- Autonomy and Resources – primarily relating to the Compliance-related segments;
- Policies and Procedures – including implementation and accessibility;
- Risk Assessment – focusing on measures taken to identify the risk of the conduct at issue;
- Training and Communication – including training received by employees in control functions and how the company’s position as to the misconduct has been communicated to employees;
- Confidential Reporting and Investigation – primarily relating to the company’s responses to allegations it has received;
- Incentives and Disciplinary Measures – focusing on the company’s response to the misconduct it identified;
- Continuous Improvement, Periodic Testing and Review – relating to past internal audits and assessment of control areas that covered the incidents at issue and related updates;
- Third-Party Management – focusing largely on third-party vendors or consultants who contributed to the misconduct; and
- Mergers and Acquisitions – relating to diligence performed on prior acquisitions and integration of policies/procedures to the acquired entity.
While the topics and questions in the Compliance Evaluation Guidance are relatively granular, the Guidance highlights DOJ’s focus on whether the company has policies and procedures in place that would have prevented the alleged wrongful conduct, how the company responded to the particular alleged misconduct at issue and how the company evaluates its policies/procedures that relate to this alleged misconduct. Of particular note:
- The Guidance stresses the need for independence of a company’s compliance group and how that group is perceived within the company. The Autonomy and Resources section, for example, contains questions relating to the individuals or divisions responsible for reviewing the compliance function, including their compensation. Similarly, the Guidance includes questions about whether the compliance function has a direct reporting line to the board of directors and asks how frequently it meets with the board of directors.
- The Guidance addresses how a company identifies and addresses risks, including the metrics the company uses to detect misconduct and the reporting mechanism in place to track allegations of wrongdoing.
- The Guidance also emphasizes the importance of evaluating the remedial actions taken in response to the misconduct, and whether managers were held accountable for misconduct that occurred under their supervision. The DOJ also asks whether the disciplinary actions were fairly and consistently applied across the organization.
- The Compliance Evaluation Guidance provides further granularity in its Continuous Improvement, Periodic Testing and Review section, which asks whether a company has audited its compliance program and what the results of the audit(s) were. Similarly, another section of the guidance asks how the company updates and reviews its compliance policies, procedures and practices.
The Guidance does not reflect a sea change from past DOJ statements about compliance over the last few years. For example, in May 2016, officials of the SEC and DOJ spoke at a compliance conference and stressed the need for a compliance department to be cognizant of its weaknesses and strive to improve. See
Shearman & Sterling LLP, SEC and DOJ Officials Comment on Expectations of Compliance Professionals
, May 31, 2016, available at http://www.lit-wc.shearman.com/sec-and-doj-officials-comment-on-expectations-of-
The recent Guidance from the DOJ provides useful guideposts and considerations for any company that learns of potential misconduct or that receives inquiries or is under investigation by DOJ or state or federal regulators – and, more broadly, for any company in considering its compliance program and potential further enhancements.