Treliant can help institutions of all types and sizes ensure that they meet the expectations of regulators and law enforcement when designing and operating sustainable compliance programs. These programs include not only consumer, economic sanctions/OFAC, AML/BSA, anti-bribery/corruption, but in fact all corporate compliance programs.
On June 1, 2020, the U.S. Department of Justice (DOJ), Criminal Division, issued an update to its Evaluation of Corporate Compliance Programs guidance document (Guidance). The Guidance provides direction for prosecutors to consider when assessing corporate compliance programs, conducting an investigation, making corporate charging decisions, and negotiating appropriate resolutions. Although it specifically applies to prosecutorial decisioning, it is also a roadmap for all regulators when evaluating potential enforcement actions.
The Guidance is an update from the original 2017 document and from another version published in April 2019. Three new themes that come through the Guidance include evaluating compliance programs in the context of a company’s risk profile, the adequacy of resourcing, and the importance of effective third-party risk management.
- Company’s Risk Profile: The DOJ added language that notes that prosecutors should make individualized determinations and consider various factors, including the company’s size, industry, geographic footprint, regulatory landscape, and other factors, both internal and external to the company’s operations, when assessing a company’s compliance program.
- Adequacy of Resourcing: There is an increased focus in the Guidance on appropriate resourcing and empowerment of the compliance function within an organization, including headcount, qualifications, types of compliance activity (e.g. monitoring and investigations) and, most notably, access to data resources.
- Third-Party Risk Management: The Guidance includes a heightened focus on third-party risk and how this is managed through the compliance program. The DOJ makes clear that they expect companies to know the business rationale for needing a third party in a transaction, and the risks posed by third-party partners, including the third-party partners’ reputations and relationships with foreign officials. The Guidance also emphasizes the importance of effective risk management of third parties throughout the lifecycle of the relationship.
Companies of all types and sizes, irrespective of whether they are in a regulated industry, should take note of the new elements of the Guidance. The Guidance contains detailed topics to consider in the development of effective compliance programs, and it also continues to be leveraged by federal prosecutors and judges, and by extension, regulators when making enforcement-related decisions.
The Guidance provides further awareness of how the DOJ is evaluating compliance programs through its 12 compliance program topics. We highlight the following 10 key areas where updates were made by the DOJ:
- Evaluating Corporate Compliance Programs: The DOJ clarifies Question 2 of the three “fundamental questions” in the Justice Manual that a prosecutor should ask when evaluating a corporate compliance program:
- Importance of Risk Assessment: The Guidance reinforces a company’s risk assessment as the starting point of a prosecutor’s evaluation. The DOJ asks prosecutors to understand why the company has chosen to set up the compliance program in the way that it has, and how the company’s compliance program has evolved over time. The updates in the Guidance focus on the importance of periodic reviews and lessons learned:
- Periodic Review: Is the review limited to a “snapshot” in time or is it based upon continuous access to operational information across functions? Has the review led to changes in the company’s policies, procedures, and controls?
- Lessons Learned: Is the company tracking and incorporating into its risk assessments lessons learned from its own prior issues or from those of other companies operating in the same industry or geographical area?
- Policies and Procedures: The design and accessibility of policies and procedures continues to be an area of focus for the DOJ:
- What is the company’s process for updating existing policies and procedures and has that process changed over time? Who has been involved in the design of policies and procedures? Have business units been consulted prior to rolling them out?
- Are these policies and procedures accessible to appropriate personnel? Have they been published in a searchable format for ease of use? Does the company track access to policies and procedures to understand what policies are attracting more attention from relevant employees?
- Training Program: The Guidance added language that notes that some companies have invested in more targeted training sessions that enable employees to identify and raise issues in a more timely way to the risk-related management functions within the company. Further, new expectations are added regarding the content and effectiveness of the training program. For example:
- Is there a process by which employees can ask questions arising out of the trainings, regardless of whether the training is delivered online or in person? How has the company addressed employees who do not successfully complete the training? Has the company evaluated the effectiveness of the training in terms of the impact it has had on employee behavior or the company’s operations?
- Confidential Reporting: Companies are expected to demonstrate that they have established corporate governance mechanisms that can effectively detect and prevent misconduct. The Guidance introduces new anonymous reporting expectations, including:
- How is the reporting mechanism specifically applied to other third parties?
- Does the company take measures to validate whether employees are in fact aware of the hotline and feel comfortable using it?
- Does the company test the effectiveness of the hotline?
- Third-Party Management: The DOJ places further emphasis on risk-based due diligence for a company’s third-party relationships.
- Prosecutors should assess whether the company knows the business rationale for needing the third party in the transaction, and the risks posed by using third-party partners.
- Prosecutors should also assess whether the company engages in effective risk management through the entire lifecycle of the relationship with the third party.
- Mergers & Acquisitions: A well-designed compliance program should include comprehensive due diligence when undertaking mergers and acquisitions. To that end, the DOJ added the following elements in the Guidance:
- Is there a process for timely and orderly integration of the acquired entity into existing compliance program structures and internal controls?
- Was the company able to complete pre-acquisition due diligence and, if not, why not?
- What has been the company’s process for conducting post-acquisition audits for newly acquired entities?
- Autonomy and Resources: The DOJ strengthens the evaluation of whether those charged with the compliance program’s day-to-day oversight act with adequate authority, stature and resources to function effectively. The Guidance places increased emphasis on:
- Experience and Qualifications;
- Access to Data Resources that allows for timely and effective monitoring and testing of policies, controls, and transactions.
- Incentives and Disciplinary Measures: Prosecutors are led to focus on whether disciplinary actions and incentives are fairly and consistently applied across the organization, with a specific expectation of monitoring activity.
- Evolving Updates: The Guidance makes plain that companies should review and conform their compliance program based on lessons learned from both their own experience and from other companies facing similar challenges.
The Guidance updated what the DOJ believes are best practices for the design and effectiveness of compliance programs. It should be used by compliance professionals when designing, implementing, testing, and evaluating their compliance programs.