DOJ Issues Guidance on Evaluating Corporate Compliance Programs
On February 8, 2017, the United States Department of Justice (“DOJ”) issued guidance on the “Evaluation of Corporate Compliance Programs” (the “Compliance Evaluation Guidance”).1 In deciding whether to charge a business organization, the DOJ asks these “common questions” regarding an organization’s pre-existing compliance program and its remedial efforts.
What is the Context of Evaluating a Compliance Program?
The Compliance Evaluation Guidance notes that there is no “rigid formula” to assess the effectiveness of a compliance program. Different companies face different risks, “warrant[ing] particularized evaluation.” While the 2012 Resource Guide2 provided helpful information about “aspects of compliance programs that the DOJ and SEC assess,”3 the Compliance Evaluation Guidance offers more insight into how the DOJ views compliance programs in the context of criminal investigations. As would be expected, a compliance program is “evaluated in the specific context of a criminal investigation.” The questions included make clear that evaluation is carried out with respect to the particular misconduct being investigated, and not simply in terms of benchmarking against objective criteria. Indeed, of the forty-six subtopics that comprise the Compliance Evaluation Guidance, more than half (twenty-four) refer to “the misconduct at issue,” “the misconduct in question,” or similar phrases.
What are the main topics of the guidance?
There are 11 topics which are further divided into 46 sub-topics resulting in almost 120 questions.
- Analysis and Remediation of Underlying Misconduct includes three subtopics: root cause analysis, prior indications, and remediation. This topic was not covered in the 2012 Guidance. It makes clear that companies pursuing DOJ resolutions must analyze the root cause of any misconduct and the reasons opportunities to prevent it were missed. Remediation should be based at least in part on that analysis.
- Senior and Middle Management includes three subtopics: conduct at the top, shared commitment and oversight. As the title of the topic makes clear, an analysis of “tone at the top” includes both the commitment by senior management and how that commitment is transmitted through the ranks. Two specific questions confirm that, in the context of a potential DOJ resolution, this topic is broader than merely a communications strategy: (1) “How have senior leaders, through their words and actions, encouraged or discouraged the type of misconduct in question?” and (2) “what compliance expertise has been available on the board of directors?” The Compliance Evaluation Guidance contains no further indication of the DOJ’s expectations, but the DOJ is clearly interested in how senior management might have encouraged misconduct as well as whether the board has compliance expertise.
- Autonomy and Resources includes seven subtopics: compliance role; stature; experience and qualifications; autonomy; empowerment; funding and resources; and outsourced compliance functions. The related set of 24 questions will be of particular interest to professionals. This section of the Compliance Evaluation Guidance goes beyond the compliance function to include “compliance or relevant control functions (e.g., Legal, Finance, or Audit).” Moreover, the questions make clear that people are as important as funding, specifically asking “what has been the turnover rate for compliance … personnel?” The set of six questions associated with “outsourced compliance functions” also underscores that a company retains significant responsibility for any decision to outsource all or part of its compliance functions.
- Policies and Procedures includes nine subtopics divided into two groups: design and accessibility, and operational integration. The nine subtopics are: designing compliance policies and procedures; applicable policies and procedures; gatekeepers; accessibility; responsibility for integration; controls; payment systems; approval/certification process; and vendor management. This section goes far beyond a list of policies and their dissemination. The questions suggest that more than imposing a good policy is required. Instead, the business must be consulted about the draft policy and later involved in its integration. The subtopic “gatekeepers” specifies that certain employees in roles relating to, for example, issuing payments or reviewing approvals, should receive special guidance.
- Risk Management includes three subtopics: Risk Management Process, Information Gathering and Analysis and Manifested Risks. As elsewhere, the questions associated with this topic focus primarily on the specific type of misconduct being investigated.
- Training and Communications includes four subtopics: risk-based training; form/content/effectiveness of training; communications about misconduct; and availability of guidance. The subtopic “Risk-Based Training” reflects that training for employees in relevant controls functions and high risk employees should be tailored to their function or risk.
- Confidential Reporting and Investigation includes three subtopics: effectiveness of the reporting mechanism; properly scoped investigation by qualified personnel; and response to investigations. The Compliance Evaluation Guidance makes clear that investigations should not only determine whether misconduct has occurred, but also should be used to “identify root causes, system vulnerabilities, and accountability lapses.”
- Incentives and Disciplinary Measures includes four subtopics: accountability; human resources process; consistent application; and incentive system. Most of the questions related to this topic are straightforward. But note that the DOJ asks “[d]id the company’s response consider disciplinary action for supervisors’ failure in oversight?” without regard to whether or not the supervisor was involved in the misconduct.
- Continuous Improvement, Periodic Testing and Review includes three subtopics: internal audit; control testing and evolving updates. Most of the related questions will not be new to compliance professionals. One question, however, suggests that one purpose of a compliance review is to make sure a company is not overdoing compliance by instituting policies that don’t apply to parts of their business. Specifically, companies should ask “whether policies/procedures/practices make sense for particular business segments/ subsidiaries?”
- Third Party Management includes four subtopics: risk-based and integrated process; appropriate controls; management of relationships; and real actions and consequences. As third parties are the most common cause of enforcement actions, the risks associated with third parties and possible procedures for reducing those risks are comparatively better known. The first question under appropriate controls is particularly important in evaluating third parties, but quite often overlooked, namely, “what was the business rationale for the use of the third parties in question?”
- Mergers and Acquisitions includes three subtopics: due diligence process; integration in the M&A process; and process connecting due diligence to implementation. In the FCPA context, the M&A process has been examined at length in a series of enforcement actions and in the DOJ’s Opinion Release 08-02 (the Halliburton opinion) and 14-02. The Compliance Evaluation Guidance reconfirms these opinion releases, emphasizing the importance of compliance due diligence, implementation of an effective compliance program at the target and post-transaction monitoring of risks identified in the due diligence process.
What do you think of the DOJ’s approach as seen through this new Guidance?
The Compliance Evaluation Guidance provides a useful roadmap regarding how the DOJ will assess a compliance program in the context of a criminal investigation.
What questions does it raise?
First, is it appropriate or fair to focus so much on “the misconduct at issue?” In terms of evaluating the effectiveness of an existing program, focusing on specific misconduct puts a heavy thumb on the scale of finding deficient what might otherwise be a best-in-class program. This tendency potentially results in an assessment grounded in hindsight rather than one based on objective factors. We have noted in the past that this is a risk associated with enforcement of the FCPA’s internal controls provisions.4 The fact that misconduct occurred almost necessarily means that something else could have been done, but that does not mean that DOJ should not consider more generally the excellence of a company’s compliance program and reward such investment.
Second, and relatedly, evaluating an existing compliance program and remediating a specific instance of misconduct are not the same exercise, but they are not clearly delineated in the Compliance Evaluation Guidance. The focus on “the misconduct at issue” risks encouraging companies to “fight the last war,” focusing on instituting procedures to prevent past behavior rather than focusing on emerging threats.
Third, the Compliance Evaluation Guidance consists of eleven topics, forty-six subtopics and nearly 120 questions, which expressly are samples of the types of questions that the DOJ could ask in the context of a criminal investigation. As the document notes, “[i]n any particular case, the topics and questions … may not all be relevant, and others may be more salient given the particular facts at issue.” The Compliance Evaluation Guidance, therefore, will be of great use to companies preparing to report to the DOJ. It is less clear how useful the Compliance Evaluation Guidance will prove to be in other contexts.
Any specific advice for Compliance officers?
It would certainly be useful for a Chief Compliance Officer (or other company representative) to consider many of these questions and the likely answers. Of course, completing this exercise in a systematic way would require some dedication of time and resources, and the absence of additional DOJ commentary likely would result in some frustration in a company’s trying to evaluate the appropriateness of its answers. It is also potentially significant in this context that the DOJ published the Compliance Evaluation Guidance on the Compliance Initiative portion of its website and not the FCPA portion. Although the Compliance Evaluation Guidance acknowledges at the outset that an effective compliance program must be particularized, there is the risk that these nearly 120 questions may imply for some that the definition of an effective compliance program has perhaps become too complex for all but the largest and best-resourced companies.
This interview is based on an article which appeared in the Debevoise and Plimpton February Client Update. You can download a copy of the full article here.
1. United States Department of Justice, Criminal Division, Fraud Section, “Evaluation of Corporate Compliance Programs,” https://www.justice.gov/criminal-fraud/strategy-policy-and-training-unit/compliance-initiative. A link to the Compliance Evaluation Guidance does not appear in the FCPA section of the DOJ website, but on the Strategy and Policy section.
2. United States Department of Justice and Securities and Exchange Commission, “A Resource Guide to the Foreign Corrupt Practices Act” at 57 (2012) (“Individual companies may have different compliance needs depending on their size and particular risks associated with their businesses, among other factors.”).
4. See, e.g., Paul R. Berger, Andrew M. Levine, Bruce E. Yannett, and Philip Rohlik, “SEC brings First FCPA Enforcement Actions of 2016,” FCPA Update, Vol. 7, No. 7 (Feb. 2016); Colby A. Smith, Andrew M. Levine, and Philip Rohlik, “Charitable Donations as FCPA Violations: SEC settles with Nu Skin Over Donation by Chinese Subsidiary,” FCPA Update, Vol. 8, No. 2 (Sept. 2016) (“more often, as we have noted, the existence of an improper payment is taken as ‘evidence’ that controls were insufficient, citing controls that, had they been in place, might have prevented the payments.”).
Debevoise & Plimpton, New York
Andrew M. Levine
Debevoise & Plimpton, New York
Debevoise & Plimpton, Shanghai
Sean Hecker is an experienced trial lawyer whose practice focuses on white collar criminal defense, internal investigations and complex civil litigation. Mr. Hecker has conducted many internal investigations of alleged FCPA violations and regularly advises companies on anti-corruption compliance. He is a member of the firm’s Management Committee.
Andrew Levine is a litigation partner who focuses his practice on white collar and regulatory defense, internal investigations and a broad range of complex commercial litigation. Mr. Levine frequently advises companies on compliance matters, including with respect to the U.S. Foreign Corrupt Practices Act, and the assessment and management of risks presented by potential mergers, acquisitions and other transactions.
Philip Rohlik is a member of the firm’s Litigation Group whose practice focuses on international investigations, securities law and dispute resolution. Mr. Rohlik’s varied practice has included representation of U.S. and multinational companies in complex litigation and investigations, with a particular focus on Asia.
The ETHIC Intelligence Expert’s Corner is an opportunity for specialists in the field of anti-corruption compliance to express their views on approaches to and developments in the sector. The views expressed in these articles are those of the authors.