Amid COVID-19, DOJ Issues Updated Guidance on the “Evaluation of Corporate Compliance Programs”

On June 1, 2020, the Criminal Division of the U.S. Department of Justice (“DOJ”) released an Evaluation of Corporate Compliance Programs (“2020 Guidance”), which updates the DOJ’s framework for assessing the effectiveness of a company’s compliance program.^[1] This updated guidance has implications for how corporate compliance programs seek to address a variety of areas including antitrust, Foreign Corrupt Practices Act (“FCPA”), and sanctions.

The timing of the update, only a year after the DOJ’s last published guidance and during the COVID-19 pandemic, underscores the importance of corporate compliance programs especially during times of upheaval. Although the DOJ made no explicit mention of the additional compliance risks facing companies due to the pandemic, its updated guidance crystalizes the need for companies to continue to commit sufficient and ongoing resources—including staffing and accessibility—to their compliance departments.

The core questions when evaluating a company’s compliance policy remain the same: 

1. Is the corporation’s compliance program well designed?
2. Is the program being applied earnestly and in good faith?
3. Does the corporation’s compliance program work in practice? 
   
   

But, the 2020 Guidance expands on question two—the application of compliance programs. Specifically, the new guidance asks whether compliance programs are “adequately resourced and empowered to function effectively”—a more precise formulation of the DOJ’s prior focus on whether programs are “implemented effectively.”   

While the DOJ will consider a company’s individualized risk profile, the new guidance indicates that programs that address some legal risks but not others—i.e. where a compliance program has strong controls to address FCPA risks, but not antitrust concerns—will not fare well under the DOJ’s evaluation. Compliance programs must cohesively address all areas of law rather than addressing one legal risk at the expense of others.   

Key Takeaways from the 2020 Guidance 

Although non-exhaustive, the list below highlights additional areas for companies to consider when formulating, implementing, and revising their compliance programs based on the 2020 Guidance: 

• Individualized Approach. The 2020 Guidance identifies company-specific factors to be considered when assessing a company’s compliance program including “the company’s size, industry, geographic footprint, regulatory landscape, and other factors, both internal and external to the company’s operations, that might impact its compliance program.” Consideration of these individualized factors allows for a deeper assessment of the structure of a company’s compliance program and limitations a company may face.

• Resources for an Evolving Program. The DOJ has previously declared that “[o]ne hallmark of an effective compliance program is its capacity to improve and evolve.” This is further highlighted in the 2020 Guidance, which focuses on the need for adequate resources for continuing adaptation of compliance programming. The new guidance asks directly whether “risk assessments are based on a ‘snapshot’ in time or based on continuous monitoring of operational data and new information” or if companies are incorporating “lessons learned” from their own prior issues or those of their peers. The 2020 Guidance encourages companies to commit necessary resources to monitor and test their compliance programs, and modify their structure and policies when necessary.

• Structural Considerations. The 2020 Guidance further emphasizes the structure of a company’s compliance program, asking why a company has chosen to structure its program in a particular way and how this structure has evolved over time to account for changing risks. Structure of a compliance program can relate to where a program is physically housed (i.e. in the general counsel’s office or as a standalone department) and the access compliance personnel have to management or other key decision makers.

• Training. The key consideration for evaluating a training program is “whether the company has relayed information in a manner tailored to the audience’s size, sophistication, or subject matter expertise.” To further assess the effectiveness of compliance training, the 2020 Guidance incorporates new questions that consider whether training is interactive, how the company handles employees who fail compliance training testing, and whether the company evaluates the impact of training on employee behavior.  

• Reporting. The 2020 Guidance focuses on the adequacy and actual utilization of reporting mechanisms, such as anonymous hotlines. The guidance targets whether companies publicize their reporting lines for misconduct to both employees and third parties, how companies determine their employees are sufficiently comfortable with using the official reporting lines, and whether companies actively test official reporting lines to evaluate their effectiveness by tracking reports from start to finish.  

• Third Parties. Additional emphasis is also placed on continued risk management of third parties—e.g., agents, consultants, and distributors—not only at the inception of a business relationship, but throughout the “lifespan” of that relationship and questions what auditing processes companies employ with respect to third parties.

• Mergers and acquisitions. The 2020 Guidance clarifies that in addition to due diligence concerning any acquisition targets, a well-designed compliance program should also include “a process for timely and orderly integration of the acquired entity into existing compliance program structures and internal controls.” It also emphasizes the significance of conducting both pre- and post-acquisition due diligence.

• Data Resources. Finally, the 2020 Guidance sets forth new considerations as to whether compliance personnel are granted sufficient access to different sources of data to effectively and timely monitor the company’s operations and how the company is addressing any impediments to such access.  

Even if a company is not currently facing a legal compliance issue, the DOJ’s 2020 Guidance on the Evaluation of Corporate Compliance Programs makes clear that, once the DOJ begins an investigation, it will consider not just the existence and original implementation of a compliance program, but also how a company has updated and revised its program over time. The 2020 Guidance supports companies that continuously reevaluate and test their compliance programs and that evolve to address both the results of internal evaluations as well as changes to external circumstances. The DOJ will not be satisfied by a “paper program” that relies on stale, outdated assessments of risk that may no longer be relevant to the company’s operations. The efficacy of a company’s compliance program in the coming months is critical as the DOJ and other government agencies manage reopening post-COVID-19 and companies navigate new challenges.

---

^[1] _{U.S. DEP’T OF JUST., CRIMINAL DIVISION, EVALUATION OF CORPORATE COMPLIANCE PROGRAMS (2020), https://www.justice.gov/criminal-fraud/page/file/937501/download.}