DOJ Updates Corporate Compliance Guidance
The US Department of Justice published updated guidance on how it evaluates corporate compliance programs when conducting investigations, making charging decisions, and negotiating pleas or other agreements. The document, entitled “Evaluation of Corporate Compliance Programs,” was first released in February 2017 and was last updated in April 2019.
The latest revisions to the guidance continue to focus on risk, reporting, and training while ensuring compliance programs are periodically reviewed, tested, and adapted to fit changing circumstances. The updated guidance also emphasizes that for a compliance program to be applied “earnestly and in good faith,” it should be “adequately resourced and empowered to function effectively.” The focus on “empowerment” seems designed to prevent business leaders from ignoring concerns voiced by in-house lawyers and compliance professionals regarding problematic transactions.
Other notable updates include the following:
- DOJ expects compliance and control personnel to have “sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions[.]” In two instances, the updated guidance adds language to make clear that DOJ will look closely at corporate assertions of impediments based on foreign regulation, including as it relates to impediments to data transfer.
- The guidance highlights that when managing third-party relationships, companies should not stop at assessing risk during the onboarding process but continue risk management throughout the lifespan of the relationship.
- With respect to acquisitions, DOJ now elaborates that comprehensive pre-acquisition due diligence of targets should be followed by “timely and orderly” post-acquisition compliance integration and compliance audits of newly acquired entities.
- Simply making compliance policies and procedures accessible online is no longer sufficient to satisfy DOJ, which also expects companies to monitor the use of policies and procedures by employees “to understand what policies are attracting more attention from relevant employees.”
- Building on prior guidance regarding compliance training, DOJ now suggests that companies consider “more targeted training sessions” designed “to enable employees to timely identify and raise issues to appropriate compliance, internal audit, or other risk management functions.”
- To establish that reporting mechanisms such as hotlines work, DOJ wants companies to be prepared to show on-going efforts to test employees’ awareness of and comfort using them, suggesting that companies should test hotlines, “for example by tracking a report from start to finish.”