DOJ updates “Evaluation of Corporate Compliance Programs” guidelines

The U.S. Department of Justice (“DOJ”) updated on March 02, 2023, its guidance on the “Evaluation of Corporate Compliance Programs”, which establishes guidelines for evaluating the effectiveness of compliance programs.

The update aims to incorporate guidelines on two sections of the document:

(i) The section “Incentives and Disciplinary Measures” is now entitled “Compensation Structures and Consequence Management,” and includes assessment criteria on monitoring the effectiveness of disciplinary measures and compliance incentive systems.

(ii) The section “Investigation of Misconduct” now includes guidelines on the independence and empowerment of the employees in charge of internal investigations, as well as on policies regarding the use of personal devices and communication channels.

The section now entitled “Compensation Structures and Consequence Management” reinforces the need for companies to demonstrate existing incentives for compliance, in addition to consequence management procedures in cases of non-compliance. In addition, it is important to emphasize that companies must have the means to monitor the effectiveness and consistency of internal investigations and disciplinary measures.

DOJ reinforces the importance of establishing compensation structures that impose sanctions for non-compliance and that reward compliant conduct, such as rendering the receipt of compensation/bonus subject to proper compliance with company policies and values. In this regard, DOJ will assess whether the compensation and consequence management structures implemented demonstrate a positive compliance culture.

As of the updates on the “Investigation of Misconduct” section regarding internal investigations policies and procedures, DOJ now establishes that employees responsible for investigating and applying disciplinary measures must have independence and empowerment. For this purpose, the DOJ guide states that compensation for such employees, including bonuses and promotions, should be structured to guarantee the enforcement of the policies and the ethical values of the company.

In addition, DOJ included the requirement of implementing policies and procedures to provide for the use of personal devices and communication/messaging applications within the context of mechanisms for identifying, reporting, investigating and remediating potential misconduct and violations. According to DOJ, such policies must be tailored to the company’s risk profile and business needs and must ensure that business-related electronic data and communications are accessible, managed and preserved by the company.

The DOJ evaluation will involve the assessment of the proper dissemination of policies, as well as the analysis of the enforcement of the policies on a regular and consistent basis.

By publishing these guidelines, DOJ sets standards that companies must take into consideration when implementing and evaluating the effectiveness of their compliance programs, which are also expected to serve as guidance for Brazilian authorities to evaluate the effectiveness of compliance programs.

Demarest’s Compliance and Investigations team is available to provide any further clarifications that may be necessary on the topic.