DOJ’s Fraud Section Issues Revised Corporate Compliance Guidelines
White-Collar Criminal Practice Update
Date: June 03, 2020
On June 1, 2020, with little fanfare, the Department of Justice’s Criminal Division, Fraud Section published a revised version of its guidance document, “Evaluation of Corporate Compliance Programs.” This 20-page memo is the key measuring stick federal prosecutors use when conducting an analysis of a company’s compliance program in the context of “conducting an investigation of a corporation, determining whether to bring charges, and negotiating plea or other agreements.” The Fraud Section first released this guidance in February 2017, with one prior update in April 2019.
With these new revisions, DOJ has shown that it is growing more exacting in its expectations for companies and is increasingly expecting companies who seek leniency due to the strength of their compliance program to have a sophisticated and data-oriented approach to compliance. Gone are the days that companies with the bare minimum in compliance policies and procedures could expect any compliance-related benefits from DOJ.
Here are some notable takeaways from the revisions:
- Ensuring the Compliance Function Has Actual Resources and Power. Under the prior guidelines, in assessing whether the company’s compliance program was being applied in “good faith,” DOJ asked only whether a company’s program was “being implemented effectively.” Now, the new guidelines ask whether the program is “adequately resourced and empowered to function.” This is a much higher and more concrete standard. The DOJ will assess whether the company is giving money, personnel and authority to the compliance department to perform its function.
- Focus on Lessons Learned by the Company Itself – and the Industry and the Geographic Region. In two passages, DOJ asks whether the company has a process for tracking “lessons learned,” both from the company’s own prior issues and those in the same “industry and/or geographic region.” This places a premium on companies learning from their own past problems, as well as displaying situational awareness in their industry’s and region’s space. This revision effectively denies any compliance credit to companies that ignore industry risks or believe if a problem did not happen specifically to their company, then they don’t have to understand or respond to inherent risks. Companies now must not only monitor their own programs, but also monitor enforcement actions brought against their competitors and business partners.
- Need for Continuous Third-Party Monitoring. Always a hot area for compliance, especially in the Foreign Corrupt Practices Act space, the revised guidance adds an additional expectation that companies will perform continuous due diligence on the third parties they hire. The new guidance asks if the company engages “in risk management of third parties throughout the lifespan of the relationship, or primarily during the onboarding process?”
- A Need to Justify Any Compliance Impediments Based on Foreign Law. The revised guidance in two places makes clear that DOJ will critically examine a company’s assertions that it structured its compliance program in a way that hewed to the “company’s conclusion about foreign law.” With this edit, DOJ is signaling that it expects companies not to skimp on compliance for reasons purportedly relating to foreign law. The DOJ still expects that the company will maintain the integrity and effectiveness of the program, even if foreign law requirements are less stringent.
- The Compliance Function’s Realistic Access to Company Data. A new section discusses whether the compliance and control personnel have “access to data” sufficient to allow them to monitor compliance. This underscores the importance DOJ is placing on the “boots on the ground” reality surrounding whether a company’s compliance officers can actually gain access to the company’s sensitive and proprietary data for testing and monitoring, or if the corporation impedes such access in favor of running the business. Access to data can be quite challenging, especially if a company has acquired other businesses recently and has not yet integrated accounting systems. Access to data will be an especially critical component to managing a compliance program.
Companies who are on, or have been on, DOJ’s radar screen or operate in high-risk or highly regulated industries are well advised to review and implement the guidance, as appropriate to their business. With these new changes, DOJ has made clear that its compliance expectations are growing increasingly heightened. Notably, DOJ released the revised guidance in the midst of the COVID-19 pandemic and nationwide civil unrest, protests and looting, signaling to companies that its expectations for more robust and meaningful compliance programs are durable even in the face of national and international turmoil.
FOR MORE INFORMATION
For more information, please contact:
Sarah M. Hall
Samir D. Varma
This advisory bulletin may be reproduced, in whole or in part, with the prior permission of Thompson Hine LLP and acknowledgment of its source and copyright. This publication is intended to inform clients about legal matters of current interest. It is not intended as legal advice. Readers should not act upon the information contained in it without professional counsel.
This document may be considered attorney advertising in some jurisdictions.
© 2020 THOMPSON HINE LLP. ALL RIGHTS RESERVED.