A&M's Yannine Robledo and David Cappellina provide insight on the DOJ's June 2020 update to the Corporate Compliance Programs Evaluation Guide:

In June 2020, The Criminal Division of the U.S. Department of Justice updated the guidance on how it evaluates corporate compliance programs when making charging decisions. Although there is no checklist, formula, or universal methodology to assess the effectiveness of a compliance program, the guidance provides prosecutors with best practices in the form of compliance-related questions and sets the bar for minimum expectations.

What does this DOJ update mean for compliance professionals? We suggest that you refresh your understanding of the guidance and focus on the key additions such as an evolving compliance program which incorporates lessons learned and, efficiently and appropriately utilizes data resources. Ask yourself if your current compliance program is on par with the company’s risk appetite. Is the program dynamic and able to adapt to changing environments? Does it appropriately address employee training and understanding of reporting protocols? Does it speak to sufficient staffing of the compliance department, operate with autonomy, and have access to relevant data? Do you have processes and internal controls that operationalize your compliance program and allow for effective monitoring and audits?

The FCPA Blog provided a valuable redlined version of the guidance, which exhibits all of the changes from the previous iteration (April 2019) of the guidance. The updated DOJ guidance, Evaluation of Corporate Compliance Program, can be downloaded here.

Key additions to the updated guidance:

  • Addition of company specific risk profile factors such as the company’s size, industry, geographic footprint, regulatory landscape, and other factors that might impact its compliance program
  • Prosecutor consideration of compliance program setup and subsequent evolution over time
  • Dynamic program subject to periodic review and revisions with a strong focus on lessons learned
    • Process for tracking and incorporating lessons learned into periodic risk assessment
  • Communication, accessibility, and distribution of policies and procedures
  • Trainings for employees to raise questions, tracking of evaluations of trainings, and evaluation of training impact to employee behavior or operations
  • Program must now address the reporting mechanisms for employees and other third parties as well as testing its effectiveness
  • Business rationale for third parties and the risks posed by those third parties, especially as it pertains to bribes of foreign officials
  • As it relates to M&A, timely and orderly integration into compliance program and internal controls
    • Pre-acquisition due diligence and post-acquisition audits
  • Adequately resourced and empowered corporate compliance program
  • Culture of ethics and compliance at all levels of the company and high level commitment from the middle and top
  • Autonomy, experience, and further training of compliance and control personnel
    • Sufficient and timely access to data resources for effective monitoring, testing, and consideration of limitations
  • Consistent application of monitoring, investigations, and disciplinary actions