It took a while, but the U.S. Department of Justice is getting ever smarter about analyzing compliance programs. Compliance Systems Legal Group Partner Win Swenson describes this historical trend, explains why it is happening and highlights important takeaways from the DOJ’s recently revised criteria.
In 1995, four years after promulgation of the Organizational Sentencing Guidelines – the first law or government policy to provide credit for corporate compliance programs – Senator Edward M. Kennedy addressed a large audience of government policymakers, private lawyers and compliance professionals. Kennedy, a chief sponsor of the law that created the Sentencing Commission, followed the Guidelines closely, and he had a concern:
“Unless prosecutors … have the expertise to assess compliance program effectiveness, there is a risk that companies without substantial programs will get a free ride, and those with strong programs will not get the credit they deserve.”
Kennedy was early in raising this concern, and he was right. Not only was compliance a new area of endeavor in 1995, but federal prosecutors had historically lacked real-word corporate experience and therefore an understanding of the environments in which compliance programs operate.
Some years later, I was asked to provide a training session on compliance credit under the Guidelines to federal prosecutors at the National Advocacy Center in Columbia, South Carolina. At the start of the session, I asked how many of the Assistant United States Attorneys in attendance had spent part of their professional life inside a corporation. In an audience of about 80, three hands went up.
And so here is the truth: while federal prosecutors typically are highly capable lawyers, they seldom come to the table with firsthand knowledge about managing a business.
In the 2000s, the concern that prosecutors lacked expertise to evaluate compliance programs became even more relevant as prosecutors increasingly used deferred and non-prosecution agreements to resolve cases, largely cutting out federal judges who would otherwise be applying the Guidelines and sorting out credit for compliance programs in a more traditional, and public, adversarial setting.
By 1999, the DOJ formally adopted a policy that compliance programs should play a role in prosecutorial decision-making, but it still took until 2015 for the Department of Justice to acquire relevant compliance expertise; it did so with the hiring of a DOJ consultant, Hui Chen, a lawyer with strong corporate compliance experience.
Hui led the effort to issue the DOJ’s first Evaluation of Corporate Compliance Programs criteria in May 2017, but she left the Department a few months later and there have been two additional iterations of the evaluation criteria in the three years since, in April 2019 and June 2020.
These later iterations show increased sophistication about the nuances of effective compliance programs, and the interesting thing is that they were developed without the benefit of a replacement for Hui Chen – that is, without a designated expert on compliance inside the DOJ.
So how is the Department’s knowledge of compliance growing? In a world obsessed with innovations in artificial intelligence, we may forget that there is a human analog: The Department, and the SEC along with it, are being regularly schooled on effective programs by reviewing the presentations of companies coming before them to resolve FCPA and other alleged legal violations.
Companies that have had compliance issues of this kind, and before deferred and non-prosecutions are finalized, typically do their utmost to ensure their programs are state-of-the-art. At stake if their programs fail to impress the government are the possibility of having a monitor imposed and almost certainly higher penalties; so, for months, while their cases are pending, these companies enhance their programs and work on their pitch to the government to show how well their programs work.
What the government gets out of this is a continuing education about the smartest innovations in compliance.
Putting details aside for the moment, that should be the biggest takeaway from the DOJ’s recently revised evaluation criteria – an understanding that the bar is truly going up; any company that wants insurance that its compliance program will be favorably viewed by the government, should the occasion ever arise, should be paying very close attention to evolving best practices. Because the DOJ is.
Compliance programs are, of course, a holistic sum of their parts. There is no one thing to concentrate on. However, turning to the details, here are some areas that get emphasis in the updated, ever “smarter” evaluation criteria:
This area seems clearly to have been derived from companies coming to the DOJ with state-of-the-art, increasingly digital programs. It is no longer enough to merely have policies; the DOJ criteria now state they should be “published in a searchable format for easy reference,” and the “company [should] track access to various policies and procedures to understand what policies are attracting more attention from relevant employees.”
Also reflecting evolving best practices, the DOJ criteria now recognize that long-form, learn now, but apply later training may be less effective than “shorter, more targeted training sessions to enable employees to timely identify and raise issues to appropriate … functions.” Elsewhere, the criteria emphasize that training – even if online – should allow trainees to ask questions, be assessed for impact on behavior and also have more targeted versions applicable to personnel in control functions.
The evaluation criteria return again and again to the theme that risk assessment is key, must be ongoing – not merely a “snapshot” – and that it must rely on a regular flow of “operational data and information across functions.” Companies are well-advised to take this guidance to mean, among other things, that risk assessment should be granularized as much as possible, taking into account differences by business units and geographies when it comes to things like gifts and hospitality spending, third-party sales agent commissions and charitable donations.
Monitoring and Data Analytics
The DOJ’s focus on ongoing risk assessment can also be thought of as continuous monitoring informed by strong data. The evaluation criteria state, for example:
- “Data Resources and Access – Do compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls and transactions? Do any impediments exist that limit access to relevant sources of data, and if so, what is the company doing to address the impediments?”
- “Third-Party Management – Does the company engage in risk management of third parties throughout the lifespan of the relationship, or primarily during the onboarding process?”
- “Effectiveness of the Reporting Mechanism – … Does the company take measures to test whether employees are aware of the hotline and feel comfortable using it?”
Incentives and Discipline
For the first time, the 2020 DOJ criteria ask: “Does the compliance function monitor its investigations and resulting discipline to ensure consistency?” This signals that compliance should have a seat at the table when disciplinary decisions are being made – which we have found to be a good, but not always applied, practice.
Tone in the Middle
Although receiving less new discussion than other areas, the evaluation criteria do double down on the idea that while tone at the top is critical, a culture of ethics and compliance must be established at “all levels of the company,” which means “from the middle” as well as the top. And the criteria ask, “have supervisory employees received different or supplementary training?”
Senator Kennedy raised an important concern in 1995. Twenty-five years later, it is evident that the DOJ and other governmental entities are increasingly able to distinguish “companies without substantial programs” from those with “strong” ones. As intended by the Guidelines’ original “carrot and stick” philosophy, this is good news for companies that work hard to get it right – and not-so-good news for companies that do not.
 Keynote Address by Senator Edward M. Kennedy, Proceedings of the Second Symposium on Crime and Punishment in the United States, “Corporate Crime in America: Strengthening the Good Citizen Corporation,” U.S. Sentencing Commission (September 7-8. 1995).