Department of Justice Guidance on Corporate Compliance Programs

Earlier this summer, the Fraud Section of the Department of Justice (DOJ) Criminal Division updated its guidance on the Evaluation of Corporate Compliance Programs first published in early 2017. The updates reflect the DOJ’s expectation that compliance programs should not be stagnant and need to change with the company’s risk profile. 

In its analysis, the DOJ looks at the effectiveness of the corporation’s compliance program at the time of the offense and at the time of the resolution of the matter.  The Justice Manual notes that there are three “fundamental questions” a prosecutor should ask:

1. “Is the corporation’s compliance program well designed?”
2. “Is the program being applied earnestly and in good faith?” Meaning, is the program adequately resourced and empowered to function effectively?
3. “Does the corporation’s compliance work” in practice?

See JM 9-28.800

The first question focuses on whether the corporation built a compliance program that is risk-based or one that is generic to check the compliance box.  Central to the sufficiency of the program is the risk assessment and “lessons learned” that the company employs in updating “…policies, procedures, and controls. The 2020 Guidance also points out the sufficiency of compliance resources, which is central to the efficacy of any compliance program.  Another characteristic of a well-designed compliance program is suitable training and communications. Prosecutors should ask whether the program is “adequately resourced and empowered to function effectively.”

The DOJ recognizes the emergence of data as a key aspect of a compliance program.  The compliance team should have “sufficient direct or indirect access to relevant sources of data” to effectively measure compliance.  There is an expectation that the compliance program evolves over time “based upon continuous access to operational data and information across functions.”

New to the 2020 Guidance is applying due diligence to oversight and monitoring of third parties. This includes ensuring  contractual terms specifically describe the services to be performed, that the third party is actually performing the work, and that the compensation is consistent with the work being furnished in that industry and location.  Given the trend in outsourcing in the insurance industry, companies will have to ensure enough control and supervision over third parties.   

The DOJ recognizes mergers and acquisitions and calls out the need for effective due diligence so a company has “a process for timely and orderly integration of the acquired entity into existing compliance program structures…” and performing post-transaction audits.

The expectation is that both senior leadership and the Board of Directors set the tone for the rest of the company. This is active v. passive undertaking, …the company’s “governing authority shall be knowledgeable about the content and operation of the compliance and ethics program and shall exercise reasonable oversight” of it and shall ensure that the company “has an effective compliance and ethics program.” 

Notwithstanding the financial pressures that financial services companies are facing due to the pandemic, companies including boards of directors should evaluate their compliance programs under this revised guidance and make appropriate updates to their program. 

If you'd like to evaluate your corporate compliance program, download our comprehensive checklist to assist.