DOJ Creates New Burden for Compliance Officers

On June 1, 2020, the U.S. Department of Justice (DOJ) released an updated version of its “Evaluation of Corporate Compliance Programs” (the Guidance). Among the many changes made to the Guidance since the previous April 2019 version is new language that will create a new responsibility for compliance officers to document the evolution of the company’s compliance program. The Guidance states that “prosecutors should endeavor to understand why the company has chosen to set up the compliance program the way that it has, and why and how the company’s compliance program has evolved over time.”

While this new instruction is ostensibly directed at prosecutors, it simultaneously creates a corresponding new burden for compliance officers because, moving forward, compliance officers will need to document how and why their company’s compliance program changes over time in order to better meet prosecutorial expectations.

Practically speaking, this single sentence addition creates a complicated web of new considerations for compliance officers. In the event of future misconduct, DOJ prosecutors will look to the company’s compliance department for information on the evolution of the company’s compliance program, including an explanation of any changes made. But tracking and documenting this evolution could be difficult, because compliance programs change for various reasons, including organic changes that do not result from a targeted corporate effort to modify the compliance program.

Why Might a Compliance Program Change?

There are several reasons why a compliance program might change, and it would be impossible to name them all. Even so, there are a few common reasons to note:

• Recent merger or acquisition – After a major corporate change, the different compliance programs may also merge to create a single program incorporating aspects of both programs.
• Change in senior personnel – New management, such as a new Chief Compliance Officer (CCO), brings unique personal experiences and fresh insights that could lead to program change.
• Decision to enter or leave a geographic market – Each market presents particularized compliance risks to which the company is exposed. A company will often respond to the risks of different markets with appropriate modifications to its compliance program.
• Change in products – Company risks vary depending on the products and services offered; when those change, the compliance program may also adjust.
• Benchmarking – Industry benchmarking can prompt changes in a company’s compliance program as a company seeks to match industry standards.
• Remedial responses – Misconduct, as well as an allegation of misconduct, can trigger a remedial change to the company’s compliance program in the hope of preventing future violations.
• Periodic risk assessments and compliance program reviews – Companies may also conduct periodic risk assessments and compliance program reviews generating revisions to program elements.
• Response to government guidance or enforcement actions – As reflected by the theme of this article, guidance issued by government agencies as well as lessons learned from enforcement actions (such as Foreign Corrupt Practices Act (FCPA) resolutions) may prompt companies to review and update their compliance programs.
• Legal advice – A company may make a compliance program change on the advice of counsel, perhaps in conjunction with any of the above-listed reasons.

The reasoning behind these program changes may often be discernible from the larger context. For instance, if a compliance program changes shortly after a new CCO is hired, it is probably safe to assume that the change stems from the CCO’s new leadership. However, under the DOJ’s new guidance, it will be important for the “why and how” to be explicitly documented and preserved in case of a future investigation.

In particular, a decision to scale back any compliance program components requires memorializing the rationale to establish the reasonableness. The DOJ recognizes that a company should tailor its compliance program to respond to its unique risk profile. Thus, the decision to scale back compliance procedures or eliminate unduly burdensome aspects of a compliance program may often be reasonable given the circumstances. Documentation of these decisions will help bridge the gap between companies and prosecutors, making the decision clearer to external observers.

In determining whether to prosecute misconduct, the DOJ typically evaluates the corporate compliance program both at the time of the offense and at the time of the resolution. In fact, language cementing this practice was also added to the June 2020 Guidance. While the DOJ may broadly recognize that companies adjust their programs according to circumstances, the new guidance on documenting program evolution suggests that the DOJ will likely evaluate with greater scrutiny those companies that have scaled back their compliance procedures between the time of the alleged conduct and the time of the resolution. As a result, documentation of program changes will play a more critical role in those circumstances.

The added responsibility of documenting the compliance program’s evolution interacts closely with another burden placed on companies and their compliance officers by the DOJ’s updated guidance: Prosecutors will now also consider whether compliance personnel “have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls and transactions.” As a compliance department maximizes its use of this data, it may frequently tweak the compliance program in response to trends regarding the program’s implementation and effectiveness. Compliance officers may now consider memorializing these changes and the reasoning behind them to satisfy the new demand for documentation of a program’s evolution. This means that small compliance changes could actually create large projects for compliance officers.

Tracking and documenting the evolution of a compliance program ultimately has the potential to save companies from harsh treatment for reasonable changes to its compliance program if the company can adequately explain why the changes were made. Failing to document these changes or being unable to offer a reasonable explanation for the change could have the opposite effect.

What Steps Might a Compliance Officer Take in Response to the DOJ’s Guidance?

Document any change to the company’s compliance program — no matter why the change occurred.

Many compliance departments may decide to enact more robust documentation policies as a result of the DOJ’s Guidance. In drafting these new policies, compliance officers may want to consider that the DOJ will likely expect that all program changes are documented and explained, regardless of the size or gravity of the change. Even minor tweaks could capture the attention of prosecutors during the investigation of an alleged violation; therefore, it could be beneficial to have even those minor modifications explained clearly. Similarly, even though the DOJ evaluates the effectiveness of a company’s compliance program taking into account “various factors including, but not limited to, the company’s size, industry, geographic footprint [and] regulatory landscape,” there is no indication in the Guidance that the same individualized consideration will extend to the DOJ’s expectations related to the company’s documentation of program evolution. Thus, it appears that the compliance department of a small company faces the same burden as that of a large company in attempting to sufficiently record changes to its compliance program and document the underlying rationale.

To assist with the documentation process, compliance officers may consider leveraging existing reporting mechanisms. For instance, to log program evolution, a compliance officer could utilize the company’s current framework of quarterly reports to the audit committee or minutes from compliance committee meetings where compliance program changes are already being explained internally. These and similar tools can help memorialize program changes and explain the reasoning without creating additional record-keeping procedures that could further strain compliance officers.

Follow up on risk assessment findings.

Ensuring that the findings of risk assessments are thoroughly reviewed and deliberated is another practical step that compliance officers may want to consider given the DOJ’s updated Guidance. The DOJ’s added language about documented program evolution appears in the risk assessment section of the Guidance in the context of instruction to prosecutors to be mindful of each company’s individual circumstances and risk profile when evaluating the effectiveness of its compliance program. Given the updated Guidance, follow through on risk assessment findings may become especially important as the DOJ looks more closely at the evolution of a compliance program. It may be the case that a company follows through on a risk assessment finding by deciding not to implement a change. In other cases, the company will implement the enhancement proposed by the risk assessment. Either way, under the DOJ’s Guidance, it will likely be beneficial for companies to thoroughly document their decision-making processes related to risk assessment findings.

Ensure that written policy changes are implemented and enforced internally.

A written change to a compliance program becomes meaningless if the change is not effectively implemented and enforced. A company may satisfy the DOJ’s interest in records of the program’s evolution, but prosecutors will also evaluate the effectiveness of those changes. For instance, in June of 2019, the DOJ and Walmart Inc. signed a non-prosecution agreement for Walmart’s FCPA-related conduct in Mexico, Brazil, China and India. The agreement required the imposition of an independent compliance monitor, in part because, according to facts found by the DOJ, Walmart had not “sufficiently implemented” the 2008 and 2010 versions of its own updated global anti-corruption policy. Thus, the appearance of a strong compliance program with adequate documentation supporting any revisions is still insufficient if a company’s revised compliance standards are not effectively implemented and enforced.

Incorporate lessons learned from the company’s prior issues or the issues of similarly situated companies.

Compliance officers may respond more deliberately to “lessons learned” from the company’s own experiences or those of similarly situated companies. The June 2020 Guidance established a more robust evaluation of whether the company has tracked these “lessons learned” from misconduct. Paired with the added evaluation of the evolution of a company’s compliance program, these “lessons learned” become important opportunities for a company not only to improve its compliance program, but also to document the changes and demonstrate its thoughtfulness in developing a compliance program that is responsive to industry risk and the company’s particularized risks.