The recent updated guidance issued by the DOJ provides more substance on how compliance programs will be evaluated. It prompts companies to focus on whether their compliance programs are well designed; implemented effectively; and work in the cold light of day. What the DOJ appear to be testing is not only whether a compliance program looks good on paper but also whether it works in practice - have you kicked its tyres?
In the UK there are well known defenses around “adequate procedures,” in a case of bribery and “reasonable procedures” and in a case of facilitation of tax evasion. However, with no UK case law, yet, these guidelines from the DOJ should be of use, regardless of whether a business has operations in the U.S. Of course, if they do, it is essential that these guidelines are fully taken on board.
The Latham & Watkins team pull out nine key elements from the DOJ guidance that UK businesses should consider when assessing their own compliance programs: culture, prior failings, risk, staying up to date, comprehensiveness, training, the scope of any investigation, how an investigation is responded to and how to track results.
It is important that businesses continually evaluate their compliance programs and two key elements of that should include an independent assessment carried out at regular intervals - that goes further than a policy and procedure review and actually tests whether it works or not; and the use of data analytics to help assess risk, identify issues that need addressing and evaluate controls. Using a business' own data really does help evaluate whether policies and procedures are working as it works off of the actual transactions - something that can be very revealing.
UK corporates looking to scope and evaluate their compliance programs — particularly those with a multi-jurisdictional focus — can now look to this guidance for at least one regulator’s perspective on what would be considered “adequate procedures” or “reasonable procedures.”