DOJ Revises Guidance on Corporate Compliance Programs

Companies need to be aware of updated guidelines issued by the U.S. Department of Justice (DOJ) Criminal Division governing how the agency will evaluate corporate compliance programs. Released on June 1, 2020, the “Evaluation of Corporate Compliance Programs” (“2020 Revisions”) aids prosecutors in assessing the adequacy and effectiveness of compliance programs when deliberating whether to prosecute or resolve a matter, whether to seek monetary penalties and/or whether to impose corporate monitoring or reporting obligations.

The DOJ has set forth that “in assessing whether a company’s compliance program was effective at the time of the misconduct, prosecutors should consider whether and how the misconduct was detected, what investigation resources were in place to investigate suspected misconduct and the nature and thoroughness of the company’s remedial efforts.” The 2020 Revisions set forth 20 pages of guidance and highlight the substantial benefits for corporations to be proactive about compliance.

Relying on the DOJ’s Justice Manual and its “Principals of Federal Prosecution of Business Organizations,” the 2020 Revisions continue to rely upon three “fundamental questions” for prosecutors to consider when evaluating corporate compliance programs:

1. Is the corporation’s compliance program well-designed?
2. Is the program being applied earnestly and in good faith? In other words, is the program adequately resourced and empowered to function effectively?
3. Does the corporation’s compliance program work in practice?

As opposed to prior versions of the guidance, the 2020 Revisions more pointedly focus prosecutors on evaluating each company’s compliance program through the lens of the individual circumstances of that company, including the “company’s size, industry, geographic footprint [and] regulatory landscape.” Therefore, companies must do the same and be able to demonstrate their ongoing commitment to ensuring that their compliance program is effective based on these criteria.

The 2020 Revisions’ Emphasis and Focus

A major emphasis in the 2020 Revisions is that corporations must continue to review and update their compliance programs in light of changing circumstances within the company and also within their industries.

In issuing the updated guidance, the DOJ emphasized that prosecutors will evaluate the effectiveness of compliance programs “both at the time of the offense and at the time of the charging decision and resolution.” This means that prosecutors will not just consider the program as it was in effect at the time of purported misconduct, but also how the program “has evolved.” Therefore, a company should be able to demonstrate through well-documented activities that a compliance program has been developed to address relevant risk areas and is part of the company’s culture.

The 2020 Revisions set forth that prosecutors will also investigate and consider why the company has structured the program in the way it had been used. Companies should be prepared to demonstrate the rationale and ongoing effectiveness of their compliance program. The DOJ’s emphasis on evolution presents an opportunity for companies that have uncovered wrongdoing to proactively revise their compliance programs.

Two areas highlighted by the 2020 Revisions are (1) a revised focus on third-party management and (2) mergers and acquisitions. The 2020 Revisions emphasize that a corporation’s responsibility extends to understanding “the risks posed by third-party partners.” The DOJ will look to see whether the company has risk-based due diligence with respect to third-party relations, whether the company has appropriate controls, whether the company only investigates risk at the initiation of the third-party relationship or if the company actively manages risk throughout the duration of the relationship.

Consistent with the 2020 Revisions’ focus on continual monitoring of risk, the new guidelines highlight the merger and acquisition process and show an evolution of the DOJ’s concern about corporate responsibility in the M&A process. For the first time, the guidelines recognize that thorough pre-acquisition due diligence is not always possible. However, the DOJ has made clear that when integrating a new entity into the corporate structure, companies must be mindful of due diligence not only just before acquisition, but also post-acquisition. Prosecutors will consider what steps a company has taken to audit and investigate how the new entity has assimilated into the overall compliance program.

The 2020 Revisions seek to ensure that, once designed, a company has enabled its compliance program to be successful. The 2020 Revisions also make clear that prosecutors will expect that this includes buy-in and appropriate leadership support from middle and senior management to create a culture of compliance, along with providing sufficient resources for the program to be effective. An adequately resourced compliance program includes ensuring that compliance personnel have access to the data and information they need to effectively monitor and test the policies and controls. A company should also invest in developing and training its compliance personnel and other employees with responsibilities that involve higher-risk areas. For example, for health care entities, billing and coding personnel should keep abreast of evolving regulations and requirements of all federal health care programs. Similarly, sales and marketing personnel should be aware of recent settlements and fraud alerts specific to their interactions with health care professionals. In addition, personnel that work in any areas where remuneration flows to health care providers should be aware of federal and state anti-kickback statutes, Stark law and relevant industry-level codes.

Part of the monitoring process of a company’s compliance program should ensure that the program is applied “fairly and consistently across the organization;” this includes senior management. The 2020 Revisions set forth prosecutors’ concern that investigations and resulting discipline must not be haphazardly enforced and should be considered when updating the company’s policies and procedures, training and auditing and monitoring activities.

Questions to Consider

When beginning to review and incorporate the 2020 Revisions, consider asking these questions as a first step:

• What is the company’s “tone at the top?” Is support for compliance set forth in words and in action?
• Do senior management and middle management send a clear message of support for compliance activities and emphasize that misconduct will not be tolerated?
• Does the company have a dedicated compliance officer who has visibility, authority and appropriate resources within the company?
• Does the compliance officer have unfettered access to the board of directors?
• Has the company conducted a comprehensive risk assessment?
• Does the company revise its compliance program and pivot its activities based on external and internal risk factors that change after the initial risk assessment was conducted (i.e., conduct periodic risk assessment updates and revise its compliance program accordingly)?
• Does the company’s auditing and monitoring plan focus on high-risk activities as identified in the comprehensive risk assessment, as opposed to areas that have lower risk?
• Does the company update its auditing and monitoring activities based on high-risk areas that are identified either internally or through updated external guidance?
• Has the company updated its policies and procedures to address its risk areas, and are these documents easily understood and accessible by all employees and other relevant third parties?
• How will the company demonstrate the effectiveness of its compliance program?
• Does the company’s training reflect the risks within its industry? When was the training last updated, and can the company demonstrate that the training is effective?
• Does the company have a mechanism to confidentially capture compliance concerns, and can employees and third parties report anonymously and without fear of retaliation?
• Is there a process by which employees can ask questions arising out of training?
• Have the policies and procedures been published in a searchable format for easy reference? Does the company track access to various policies and procedures to understand what policies are attracting more attention from relevant employees?
• Does the company have a demonstrable and effective compliance communication and awareness program?
• Has the company established key performance indicators for higher-risk and foundational compliance program elements?
• How does compliance program information flow to middle and senior management and the board of directors?

In light of the 2020 Revisions to the “Evaluation of Corporate Compliance Programs” guidelines, companies must ensure they are flexible and adaptive with their compliance programs. Companies cannot sit back after establishing a program and let it run on autopilot. Instead, compliance programs must evolve and pivot as companies proactively learn more about risks and misconduct within their company and in their industry.