On June 1, 2020, the United States Department of Justice (DOJ) released revised guidelines that it will use when its prosecutors evaluate your corporate compliance program and make corporate charging decisions, including whether to come after your corporation or individual employees civilly or criminally.
Maybe you remember that the original version of these DOJ instructions came out in 2017, and that they were refined in 2019. Now, this new clarification. So, what does this all mean to you as a corporate officer or compliance professional? It means that DOJ is learning as it goes along and is giving us some insight into what they are looking for in a corporate compliance program, and what they won’t find acceptable.
Here is a working executive summary from Steptoe & Johnson’s White-Collar Compliance Team.
The DOJ will look at three questions when taking a 30,000-foot view of what you are doing or not doing.
Does your program prevent and detect wrongdoing by employees? Does corporate management enforce the program, or is it tacitly encouraging or pressuring employees to engage in misconduct; in other words, are you willfully blind? DOJ prosecutors are required to look at whether you have genuinely tried to assess your risk and tailored your compliance budget to really ferret out problems. Your policies and procedures should be designed to be comprehensive, accessible to everyone (including relevant third parties), and structured to provide adequate training and authority to your “gatekeepers.” You should have a confidential reporting structure and investigation process that is really designed to work.
The compliance mindset starts at the top, in the C-Suite. Top management must both talk the talk and walk the walk. You must have a compliance officer who is a little bit of a pit bull, by which we mean a pit bull with teeth and a reasonable amount of leash. The compliance office has to be a part of the senior leadership team, must have autonomy and support from the very top of the organization chart, and has to have the resources to really do the job.
The Principles of Federal Prosecution of Business Organizations require prosecutors to measure “the adequacy and effectiveness of the corporation’s compliance program at the time of the offense, as well as at the time of a charging decision.” So, it’s a look back in time and a snapshot at the time the prosecutor decides what to do. The fact that misconduct occurred does not necessarily mean that the program was ineffective. No compliance program can find and stop every bit of misconduct. Did the program evolve over time, in order to take a look at new and changing compliance risks? Did you do an honest root cause analysis when you found something? Did you periodically review and test your program? And did you do an objective investigation and correct and control any underlying misconduct?
There is also one newest-of-the-new question: Does the compliance function monitor its investigations and resulting discipline to ensure consistency? This additional attention to consistency in discipline is to ensure that the same misconduct is punished at the same levels throughout the organization. If the CEO’s fair-haired favorite gets a slap on the wrist when anybody else would be carrying a box of their possessions to the parking lot, that sends the wrong compliance message.
Of course, the devil is always in the details, but we hope this explanation has been helpful in spurring thought about compliance and renewing your company’s diligence in staying out of trouble.
For the wonkiest among our readership, the full text is in the DOJ’s updated Evaluation of Corporate Compliance Programs.