Corporate Compliance Insights

DOJ Creates New Burden for Compliance Officers

How the Revised Compliance Guidance Will Impact COs

by James Tillen, Ann Sultan and Brittany Neihardt
August 7, 2020
in Compliance, Featured

Miller & Chevalier’s James Tillen, Ann Sultan and Brittany Neihardt discuss the effect the DOJ’s revised guidance will have on compliance officers and those in the compliance space.

On June 1, 2020, the U.S. Department of Justice (DOJ) released an updated version of its “Evaluation of Corporate Compliance Programs” (the Guidance). Among the many changes made to the Guidance since the previous April 2019 version is new language that will create a new responsibility for compliance officers to document the evolution of the company’s compliance program. The Guidance states that “prosecutors should endeavor to understand why the company has chosen to set up the compliance program the way that it has, and why and how the company’s compliance program has evolved over time.”

While this new instruction is ostensibly directed at prosecutors, it simultaneously creates a corresponding new burden for compliance officers because, moving forward, compliance officers will need to document how and why their company’s compliance program changes over time in order to better meet prosecutorial expectations.

Practically speaking, this single-sentence addition creates a complicated web of new considerations for compliance officers. In the event of future misconduct, DOJ prosecutors will look to the company’s compliance department for information on the evolution of the company’s compliance program, including an explanation of any changes made. But tracking and documenting this evolution could be difficult, because compliance programs change for various reasons, including organic changes that do not result from a targeted corporate effort to modify the compliance program.

Why Might a Compliance Program Change?

There are several reasons why a compliance program might change, and it would be impossible to name them all. Even so, there are a few common reasons to note:

  • Recent merger or acquisition – After a major corporate change, the different compliance programs may also merge to create a single program incorporating aspects of both programs.
  • Change in senior personnel – New management, such as a new Chief Compliance Officer (CCO), brings unique personal experiences and fresh insights that could lead to program change.
  • Decision to enter or leave a geographic market – Each market presents particularized compliance risks to which the company is exposed. A company will often respond to the risks of different markets with appropriate modifications to its compliance program.
  • Change in products – Company risks vary depending on the products and services offered; when those change, the compliance program may also adjust.
  • Benchmarking – Industry benchmarking can prompt changes in a company’s compliance program as a company seeks to match industry standards.
  • Remedial responses – Misconduct, as well as an allegation of misconduct, can trigger a remedial change to the company’s compliance program in the hope of preventing future violations.
  • Periodic risk assessments and compliance program reviews – Companies may also conduct periodic risk assessments and compliance program reviews generating revisions to program elements.
  • Response to government guidance or enforcement actions – As reflected by the theme of this article, guidance issued by government agencies as well as lessons learned from enforcement actions (such as Foreign Corrupt Practices Act (FCPA) resolutions) may prompt companies to review and update their compliance programs.
  • Legal advice – A company may make a compliance program change on the advice of counsel, perhaps in conjunction with any of the above-listed reasons.

The reasoning behind these program changes may often be discernible from the larger context. For instance, if a compliance program changes shortly after a new CCO is hired, it is probably safe to assume that the change stems from the CCO’s new leadership. However, under the DOJ’s new guidance, it will be important for the “why and how” to be explicitly documented and preserved in case of a future investigation.

In particular, a decision to scale back any compliance program components requires memorializing the rationale to establish its reasonableness. The DOJ recognizes that a company should tailor its compliance program to respond to its unique risk profile. Thus, the decision to scale back compliance procedures or eliminate unduly burdensome aspects of a compliance program may often be reasonable given the circumstances. Documentation of these decisions will help bridge the gap between companies and prosecutors, making the decision clearer to external observers.

In determining whether to prosecute misconduct, the DOJ typically evaluates the corporate compliance program both at the time of the offense and at the time of the resolution. In fact, language cementing this practice was also added to the June 2020 Guidance. While the DOJ may broadly recognize that companies adjust their programs according to circumstances, the new guidance on documenting program evolution suggests that the DOJ will likely evaluate with greater scrutiny those companies that have scaled back their compliance procedures between the time of the alleged conduct and the time of the resolution. As a result, documentation of program changes will play a more critical role in those circumstances.

The added responsibility of documenting the compliance program’s evolution interacts closely with another burden placed on companies and their compliance officers by the DOJ’s updated guidance: Prosecutors will now also consider whether compliance personnel “have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls and transactions.” As a compliance department maximizes its use of this data, it may frequently tweak the compliance program in response to trends regarding the program’s implementation and effectiveness. Compliance officers may now consider memorializing these changes and the reasoning behind them to satisfy the new demand for documentation of a program’s evolution. This means that small compliance changes could actually create large projects for compliance officers.

Tracking and documenting the evolution of a compliance program ultimately has the potential to save a company from harsh treatment for reasonable changes to its compliance program if the company can adequately explain why the changes were made. Failing to document these changes or being unable to offer a reasonable explanation for the change could have the opposite effect.

What Steps Might a Compliance Officer Take in Response to the DOJ’s Guidance?

Document any change to the company’s compliance program — no matter why the change occurred.

Many compliance departments may decide to enact more robust documentation policies as a result of the DOJ’s Guidance. In drafting these new policies, compliance officers may want to consider that the DOJ will likely expect that all program changes are documented and explained, regardless of the size or gravity of the change. Even minor tweaks could capture the attention of prosecutors during the investigation of an alleged violation; therefore, it could be beneficial to have even those minor modifications explained clearly. Similarly, even though the DOJ evaluates the effectiveness of a company’s compliance program taking into account “various factors including, but not limited to, the company’s size, industry, geographic footprint [and] regulatory landscape,” there is no indication in the Guidance that the same individualized consideration will extend to the DOJ’s expectations related to the company’s documentation of program evolution. Thus, it appears that the compliance department of a small company faces the same burden as that of a large company in attempting to sufficiently record changes to its compliance program and document the underlying rationale.

To assist with the documentation process, compliance officers may consider leveraging existing reporting mechanisms. For instance, to log program evolution, a compliance officer could utilize the company’s current framework of quarterly reports to the audit committee or minutes from compliance committee meetings where compliance program changes are already being explained internally. These and similar tools can help memorialize program changes and explain the reasoning without creating additional record-keeping procedures that could further strain compliance officers.

Follow up on risk assessment findings.

Ensuring that the findings of risk assessments are thoroughly reviewed and deliberated is another practical step that compliance officers may want to consider given the DOJ’s updated Guidance. The DOJ’s added language about documented program evolution appears in the risk assessment section of the Guidance in the context of instruction to prosecutors to be mindful of each company’s individual circumstances and risk profile when evaluating the effectiveness of its compliance program. Given the updated Guidance, follow-through on risk assessment findings may become especially important as the DOJ looks more closely at the evolution of a compliance program. It may be the case that a company follows through on a risk assessment finding by deciding not to implement a change. In other cases, the company will implement the enhancement proposed by the risk assessment. Either way, under the DOJ’s Guidance, it will likely be beneficial for companies to thoroughly document their decision-making processes related to risk assessment findings.

Ensure that written policy changes are implemented and enforced internally.

A written change to a compliance program becomes meaningless if the change is not effectively implemented and enforced. A company may satisfy the DOJ’s interest in records of the program’s evolution, but prosecutors will also evaluate the effectiveness of those changes. For instance, in June of 2019, the DOJ and Walmart Inc. signed a non-prosecution agreement for Walmart’s FCPA-related conduct in Mexico, Brazil, China and India. The agreement required the imposition of an independent compliance monitor, in part because, according to facts found by the DOJ, Walmart had not “sufficiently implemented” the 2008 and 2010 versions of its own updated global anti-corruption policy. Thus, the appearance of a strong compliance program with adequate documentation supporting any revisions is still insufficient if a company’s revised compliance standards are not effectively implemented and enforced.

Incorporate lessons learned from the company’s prior issues or the issues of similarly situated companies.

Compliance officers may respond more deliberately to “lessons learned” from the company’s own experiences or those of similarly situated companies. The June 2020 Guidance established a more robust evaluation of whether the company has tracked these “lessons learned” from misconduct. Paired with the added evaluation of the evolution of a company’s compliance program, these “lessons learned” become important opportunities for a company not only to improve its compliance program, but also to document the changes and demonstrate its thoughtfulness in developing a compliance program that is responsive to industry risk and the company’s particularized risks.


James Tillen is the Chair of the International Department at Miller & Chevalier, where he works on Foreign Corrupt Practices Act (FCPA), money laundering and other international corporate compliance matters.
Ann Sultan is a Member at Miller & Chevalier, where she focuses on internal and government investigations, corporate compliance and white-collar defense related primarily to the FCPA and anti-money laundering laws and regulations.
Brittany Neihardt is a 2020 Summer Associate at Miller & Chevalier and 2021 J.D. candidate at Georgetown University Law Center.
