Evaluation of Corporate Compliance Programs – Criminal Division of the U.S. Department of Justice (DOJ)

On June 1, 2020, the Criminal Division of the U.S. Department of Justice (“DOJ”) published a new version of the guidance “Evaluation of Corporate Compliance Programs”.

The DOJ first published guidance on how it evaluates corporate compliance programs in 2017 and again in 2019. This updated guidance contains certain changes, aiming to emphasize the dynamic and evolving nature of compliance best practices, while reinforcing the importance that the DOJ attributes to the effectiveness of a compliance program when negotiating agreements with companies for the practice of wrongdoing, such as violations of the Foreign Corrupt Practices Act (“FCPA”).

Below are some key insights this recently published guidance provides, which DOJ prosecutors will consider when negotiating agreements with companies:

– Understand why the company has chosen to set up the compliance program the way that it has, and why and how the company’s compliance program has evolved over time.

– Evaluate compliance programs both at the time of the offense and at the time of the charging decision and resolution.

– Determine whether the company’s compliance program is adequately resourced and empowered to function effectively.

– Check if the company’s policies and procedures are published in a searchable format for easy reference, as well as if the company is able to track access to various policies and procedures to understand what policies are attracting more attention from relevant employees.

– Verify if the company reviews and adapts its compliance program based upon lessons learned from its own misconduct and/or that of other companies facing similar risks.

– Verify if the company has a process for tracking and incorporating into its periodic risk assessment lessons learned either from the company’s own prior issues or from those of other companies operating in the same industry and/or geographical region.

– Evaluate if the company not only has a reporting system but takes measures to test whether employees are aware of the hotline and feel comfortable using it.

– Evaluate if the company periodically tests the effectiveness of the hotline, for example by tracking a report from start to finish.

– Evaluate if the company engages in risk management of third parties throughout the lifespan of the relationship, rather than primarily during the onboarding process.

While the guidance is intended to guide white-collar criminal investigations and prosecutions, it sets standards that companies should take into consideration when implementing and evaluating the effectiveness of their own compliance programs.

The DOJ’s Evaluation of Corporate Compliance Programs (Updated June 2020) can be accessed through this link.