While the government is writing checks to companies to cope with recent pandemic losses, it simultaneously updated its internal guidance for scrutinizing a company’s corporate compliance program.  Earlier this week, the Department of Justice (DOJ) issued to prosecutors an update to its guidance document for the “Evaluation of Corporate Compliance Programs.”  DOJ counsel has long considered the existence and adequacy of a company’s corporate compliance program when determining whether, and to what extent, charges should be brought against that company, as well as how investigations should be resolved.

This guidance document, originally published in 2017, assists government counsel with that evaluation process.  While primarily intended for use in the criminal context, the same guidance could undoubtedly be considered during a civil investigation against a company, such as in a False Claims Act investigation.  The guidance document and its updates are excellent resources for a company to use in the company’s ongoing evaluation of its compliance program.

Purposefully tailoring the compliance program to your company.  Many DOJ updates reinforce the notion that a company should create a corporate compliance program that is tailored to that specific company, based upon its evaluation of its particular risks and anecdotes.  For instance, the update clarifies that government counsel should consider “the company’s size, industry, geographic footprint, regulatory landscape, and other factors, both internal and external to the company’s operations, that might impact its compliance program.”  And when evaluating whether the compliance program is well designed for a particular company, government counsel is directed “to understand why the company has chosen to set up the compliance program the way that it has, and why and how the company’s compliance program has evolved over time.”

Continually evaluating and updating your compliance program.  The DOJ’s updates also suggest that companies should not be afraid to learn from mistakes and to continually revise and improve their compliance programs, even perhaps, when missteps are discovered during the pendency of an investigation.  For instance, government counsel are directed to ask:

  • “Does the company have a process for tracking and incorporating into its periodic risk assessment lessons learned either from the company’s own prior issues or from those of other companies operating in the same industry and/or geographical region?”
  • “Does the company review and adapt its compliance program based upon lessons learned from its own misconduct and/or that of other companies facing similar risks?”
  • “Does the compliance function monitor its investigations and resulting discipline to ensure consistency?”
  • Has the company made any changes to its compliance program between the time of its alleged offense and the time of the government’s charging decision against the company, or resolution of the case?

Providing adequate resources to ensure the program functions properly.  The guidance document also lists three “fundamental questions” that government counsel should ask when evaluating a compliance program.  Significantly, the updates changed one of these three fundamental questions from “Is the program being applied earnestly and in good faith? In other words, is the program being implemented effectively?” to “Is the program being applied earnestly and in good faith?  In other words, is the program adequately resourced and empowered to function effectively?”

This change, along with others in the guidance document, stresses that a company must not only expend financial resources but functional resources as well.  For example, the updates tell government counsel to ask questions such as: How does the company invest in further training and development of compliance personnel?  Do impediments exist that limit compliance personnel’s access to relevant data and, if so, what has the company done to address those?  Does the company track employees’ access to compliance policies and procedures to determine which ones the employees find most relevant?  Are employees trained on the proper use of the compliance hotline, do they feel comfortable using it, and has the efficacy of this hotline been tested?

Ensuring due diligence.  Finally, a company’s compliance program should also promote due diligence of other entities with whom the company does business.  In particular, the DOJ’s updates stress due diligence when dealing with third-party vendors and during a merger or acquisition.  In the third-party vendor context, government counsel may ask:

  • Does the company understand the “business rationale for needing the third party” within that company’s line of business as well as the risks posed by the third-party vendor?
  • Does the company’s compliance program mandate due diligence of the third party during the relationship or only at the beginning of it?

And in the mergers and acquisition context, government counsel are encouraged to ask:

  • “Was the company able to complete pre-acquisition due diligence and, if not, why not?”
  • Does the company have a process for integrating the acquired company into the existing compliance program?

These recent updates to the DOJ’s guidance document demonstrate that, during a time when more companies than ever are utilizing federal funds made available through the CARES Act, the DOJ remains focused on whether companies have effective compliance programs designed to identify and remediate mistakes.  The updates reiterate that companies must be ready to demonstrate thoughtful and continuous compliance efforts and that the mere existence of a compliance program as a formality will be deemed insufficient.  A company should instead continue to test and evaluate its program, tailor the program to the company’s specific and identified needs, ensure that its program has adequate resources to function properly, and make all necessary changes and remediation—all of which reflect that the compliance efforts are thoughtful, deliberate, effective, and importantly, evident.

A document showing this week’s updates to the guidance document is available for download here.  If you have any questions about how to improve your company’s compliance program, please contact the authors.