On June 1, 2020, the Criminal Division of the US Department of Justice (“DOJ”) released an updated guidance document for white-collar prosecutors on the evaluation of corporate compliance programs. The document, entitled Evaluation of Corporate Compliance Programs, updates a prior version issued in April 2019, and seeks to better assist prosecutors in assessing the effectiveness of a corporation’s compliance program for the purpose of determining how and whether to penalize the corporation as a result of a criminal investigation. This updated guidance follows various iterations of compliance measures established by DOJ to better ensure the integrity of corporate compliance programs.
Prior DOJ guidance on corporate compliance programs
In March 2017, the DOJ’s Fraud Section released a guidance document entitled Evaluation of Corporate Compliance Programs, which sets forth “specific factors that prosecutors should consider in conducting an investigation of a corporate entity, determining whether to bring charges, and negotiating plea or other agreements.” The document sets forth 11 key compliance program evaluation topics, along with a series of “common questions that the Fraud Section may ask in making an individualized determination” regarding corporate compliance programs.
In April 2019, DOJ’s Criminal Division updated the document to better harmonize the guidance with other DOJ guidance and standards while providing additional context to the multifactor analysis of a company’s compliance program. That document sets forth topics that the Criminal Division has frequently found relevant in evaluating a corporate compliance program, organizing them around three overarching questions that prosecutors should ask in evaluating compliance programs: First, is the program well-designed? Second, is the program effectively implemented? And, third, does the compliance program actually work in practice?
Updated DOJ guidance
DOJ’s updated guidance revises and refines the evaluation factors for prosecutors to consider when assessing penalties against corporate wrongdoers arising out of criminal investigations. These factors include “the adequacy and effectiveness of the corporation’s compliance program at the time of the offense, as well as at the time of a charging decision” and the corporation’s remedial efforts “to implement an adequate and effective corporate compliance program or to improve an existing one.” Specifically, prosecutors are looking closely at a corporation’s compliance program to determine the appropriate (1) form of any resolution or prosecution; (2) monetary penalty, if any; and (3) compliance obligations contained in any corporate criminal resolution.
At the outset, the updated guidance recognizes that every criminal investigation is context-dependent, and that because risk profiles and solutions vary among companies, an “individualized determination” should be made in lieu of a “rigid formula.” The individualized factors that should be considered include “the company’s size, industry, geographic footprint, regulatory landscape, and other factors, both internal and external to the company’s operations, that might impact its compliance program.” Despite the individualized determinations, the guidance refers prosecutors to the three foundational questions: (1) is the program well-designed?; (2) is the program effectively implemented?; and (3) does the compliance program actually work in practice?
Is the corporation’s compliance program well designed?
Part I of the guidance discusses various hallmarks of a well-designed compliance program relating to risk assessment, company policies and procedures, training and communications, confidential reporting structure and investigation process, and third-party management. Within this framework, prosecutors should consider the following:
why the company has chosen to set up the compliance program the way that it has, and why and how the company’s compliance program has evolved over time;
whether the program is appropriately designed to detect the particular types of misconduct most likely to occur in a particular corporation’s line of business and complex regulatory environment;
[t]he effectiveness of the company’s risk assessment and the manner in which the company’s compliance program has been tailored based on that risk assessment and whether its criteria are periodically updated;
whether the company has a code of conduct that sets forth, among other things, the company’s commitment to full compliance with relevant Federal laws that is accessible and applicable to all company employees;
whether the company has established policies and procedures that incorporate the culture of compliance into its day-to-day operation;
the steps taken by the company to ensure that policies and procedures have been integrated into the organization, including through periodic training and certification for all directors, officers, relevant employees, and, where appropriate, agents and business partners;
whether the compliance program is being disseminated to, and understood by, employees in practice in order to decide whether the compliance program is truly effective;
whether the company’s complaint-handling process includes proactive measures to create a workplace atmosphere without fear of retaliation, appropriate processes for the submission of complaints, and processes to protect whistleblowers;
the company’s processes for handling investigations of such complaints, including the routing of complaints to proper personnel, timely completion of thorough investigations, and appropriate follow-up and disciplines; and
the extent to which the company has an understanding of the qualifications and associations of third-party partners, including the agents, consultants, and distributors that are commonly used to conceal misconduct, such as the payment of bribes to foreign officials in international business transactions.
The guide also recognizes that an effective compliance program will include a robust and comprehensive due diligence program for any acquisition targets. This is another factor prosecutors should consider when assessing the design of a compliance program, along with the company’s process for timely and orderly integration of the acquired entity into existing compliance program structures and internal controls.
Is the corporation’s compliance program adequately resourced and empowered to function effectively?
Part II recognizes that even a well-designed compliance program may be unsuccessful in practice if its implementation is flawed. Thus, prosecutors are encouraged to ferret out whether the compliance program is a “paper program” or one “implemented, reviewed, and revised, as appropriate, in an effective manner.” Various factors are provided to assist in this regard, including a review of commitment by senior and middle management, autonomy and resources, and incentives and disciplinary measures. Within this framework, prosecutors should consider the following:
the extent to which senior management have clearly articulated the company’s ethical standards, conveyed and disseminated them in clear and unambiguous terms, and demonstrated rigorous adherence by example;
how middle management, in turn, have reinforced those standards and encouraged employees to abide by them;
how the compliance program is structured;
the sufficiency of the personnel and resources within the compliance function, in particular, whether those responsible for compliance have: (1) sufficient seniority within the organization; (2) sufficient resources, namely, staff to effectively undertake the requisite auditing, documentation, and analysis; and (3) sufficient autonomy from management, such as direct access to the board of directors or the board’s audit committee;
whether internal audit functions [are] conducted at a level sufficient to ensure their independence and accuracy, as an indicator of whether compliance personnel are in fact empowered and positioned to effectively detect and prevent misconduct;
[t]he resources the company has dedicated to compliance, [t]he quality and experience of the personnel involved in compliance, such that they can understand and identify the transactions and activities that pose a potential risk, and [t]he authority and independence of the compliance function and the availability of compliance expertise to the board;
whether the company has clear disciplinary procedures in place, enforces them consistently across the organization, and ensures that the procedures are commensurate with the violations; and
the extent to which the company’s communications convey to its employees that unethical conduct will not be tolerated and will bring swift consequences, regardless of the position or title of the employee who engages in the conduct.
Does the corporation’s compliance program work in practice?
Part III acknowledges that assessing the adequacy of the corporation’s compliance program at the time of the offense is a backward-looking inquiry, and thus a difficult question for a prosecutor to answer. The guidance further acknowledges that the mere existence of misconduct does not automatically mean that the compliance program was ineffective at the time of the offense. In assessing whether a company’s compliance program was effective at the time of the misconduct, prosecutors should consider a corporation’s continuous improvement, periodic testing, and review; its investigation of misconduct; and its analysis and remediation of any underlying misconduct. Within this framework, prosecutors should consider the following:
whether the company has engaged in meaningful efforts to review its compliance program and ensure that it is not stale;
whether a company has taken reasonable steps to ensure that the organization’s compliance and ethics program is followed, including monitoring and auditing to detect criminal conduct, and evaluate periodically the effectiveness of the organization’s program;
the existence of a well-functioning and appropriately funded mechanism for the timely and thorough investigations of any allegations or suspicions of misconduct by the company, its employees, or agents;
the extent to which a company is able to conduct a thoughtful root cause analysis of misconduct and timely and appropriately remediate the misconduct to address the root causes;
the extent and pervasiveness of the criminal misconduct; the number and level of the corporate employees involved; the seriousness, duration, and frequency of the misconduct; and any remedial actions taken by the corporation, including, for example, disciplinary action against past violators uncovered by the prior compliance program, and revisions to corporate compliance programs in light of lessons learned; and
any remedial actions taken by the corporation, including, for example, disciplinary action against past violators uncovered by the prior compliance program.
The FAR compliance requirements
In addition to the DOJ guidance addressing corporate compliance programs generally, the Federal Acquisition Regulation (“FAR”) emphasizes that government contractors “must conduct themselves with the highest degree of integrity and honesty.” FAR 3.1002(a). In addition, contractors “should have” a written code of business ethics, a business ethics compliance training program, and an internal control system that is suitable to the size of the business and extent of its involvement in Government contracting. Pursuant to the FAR, an internal control system should “[f]acilitate timely discovery of improper conduct in connection with Government contracts” and “[e]nsure corrective measures are promptly instituted and carried out.” FAR 3.1002(b)(2) and (3).
FAR 52.203-13 entitled “Contractor Code of Business Ethics and Conduct” made the establishment of a compliance program mandatory for contracts and subcontracts with an expected value of more than $5 million and a performance period of 120 days or more. Regardless of whether a company is subject to the FAR requirements or not, the government has an array of penalties it may impose on companies for violations of federal laws and regulations. Thus, companies, whether or not they contract with the government, are incentivized to establish effective compliance programs.
A compliance program at its core consists of a set of policies and procedures put in place to ensure adherence to federal law. At a minimum, a compliance program should include a corporate code of ethics, mechanisms by which questionable activities are brought to the attention of management, an education and training program for employees, and systematic review of existing practices and procedures. However, DOJ’s updated guidance illustrates that merely having a compliance program in place may not be enough—it needs to be reviewed, updated, and enforced periodically. It is important that companies develop and implement effective compliance programs in advance of the government audits and investigations that contractors inevitably find themselves subject to. The ability to demonstrate an effective compliance program will be critical to contractors asking for reduced penalties to resolve government investigations. DOJ’s updated guidance provides a roadmap and a window into the process employed by prosecutors in assessing and examining compliance programs, of which contractors should be mindful when developing or updating their programs.
 DOJ has separate guidance addressing the Foreign Corrupt Practices Act. See https://www.justice.gov/criminal-fraud/fcpa-guidance.