In April of 2019, the Department of Justice issued its game-changing Evaluation of Corporate Compliance Programs guidance. The guidance was a feast for the compliance profession. The format of the guidance came in questions a prosecutor would ask in an investigation, which in turn signaled the answers a company would be expected to give.
On June 1, 2020, the DOJ updated its guidance document to reflect, as Assistant Attorney General Brian Benczkowki said, “additions based on our own experience and important feedback from the business and compliance communities.[i]”
The new language in the guidance is fascinating because it sets out the updated expectations of prosecutors. Companies are once again on notice that the line in the sand has shifted, and they need to respond now to meet those new expectations. Following are the top ten lessons compliance officers can learn from the new guidance, and what to do now to update your program based on this new information.
Lesson One: Today’s Best Practices are Becoming Expectations Already
At Spark Compliance Consulting, when we do compliance program reviews we include recommendations for immediate changes, as well as more aspirational best practices that we’ve seen in very mature programs. The new DOJ guidance includes references to many of these best practices, meaning that they are likely to become expectations in the very near future. These best practices include:
Ensuring that online training programs have “a process by which employees can ask questions arising out of the training.”
Conducting post-acquisition auditing at newly acquired entities.
Ensuring that the “company engage(s) in risk management of third-parties throughout the lifespan of the relationship.”
Making micro-training available. The guidance notes that companies have “invested in shorter, more targeted training sessions to enable employees to timely identify and raise issues to appropriate compliance, internal audit, or other risk management function.”
Evaluating “the extent to which the training has an impact on employee behavior.”
There are challenges here. Most online training programs do not have the capacity to pass questions along automatically to the compliance department, and many training companies do not yet have micro-learning available. In addition, tracking how training affects employee behavior is a big undertaking.
WHAT TO DO NOW: Review the list above and determine whether you can implement any of these practices. If you can, do so. If you cannot, begin planning to implement them in the future. Contact the technology providers with which you have relationships and ask them when their technology will be updated to accommodate these expectations.
Lesson Two: You Need Access to Data
The DOJ is clear: you need data, and good data comes from good technology. While most of the updates in the guidance come in the form of single sentences, the section on data comes in a whole new paragraph. Prosecutors are to ask, “Do compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions?” These points about data dovetail with the multiple mentions of monitoring and metrics in the guidance. Without good data, good monitoring can’t take place. Without good monitoring, the effectiveness of the program is almost impossible to judge.
WHAT TO DO NOW: Inventory all existing programs that can give you data. Don’t just look at the programs you interact with each day – look at the programs available to Human Resources, Information Technology, Information Security, Procurement, Legal, and Audit. Find out whether the data their programs track could be useful to you. Prosecutors included the question, “Do any impediments exist that limit access to relevant sources of data and, if so, what is the company doing to address the impediments?” Use this question to your benefit if you receive pushback from getting the data you need.
Lesson Three: You Need Good Technology for Your Policy Management
The promotion of many current best practices into expectations comes at a cost, and that cost is an investment in technology. While the investment in technology isn’t explicitly spelled out, it underpins several of the new questions in the guidance. For instance, prosecutors are told to ask, “Have the policies and procedures been published in a searchable format for easy reference?” Many companies have unsearchable policies housed in PDFs in some dark corner of the company’s intranet – or worse – on a SharePoint no one accesses. The new guidance also asks prosecutors to ask which policies and procedures “are attracting more attention from relevant employees.” This task requires IT to help with click tracking.
WHAT TO DO NOW: First, go to the Information Technology team and ask if they have the capacity to make your policies searchable. Then ask if they can track how many clicks each policy receives in the month/quarter. If they can’t, go out to the market to find policy management software to implement. While these programs can be pricey, they can also help you to manage policies effectively. Policy management can save you headaches in the future, and help you to defend against an employee who still has the 1998 version of the gifts and hospitality policy and said they didn’t know there was an update.
Lesson Four: You Need a Culture Survey (or its Equivalent)
The new guidance includes the question, “Does the company take measures to test whether employees are aware of the hotline and feel comfortable using it?” Culture surveys can be expensive, but obtaining information from the employee population and aggregating it see whether employees really trust management and know how to report misconduct can save millions upon millions in fines later on.
Whistleblower hotlines are even more important now than they usually are. Steven Peikin, co-director of the SEC’s enforcement division reported that the SEC received 4,000 whistle-blower tips, complaints, and ref
errals of possible corporate wrongdoings from mid-March to mid-May of this year, which represented a 35% increase from the same time last year. The Wall Street Journal quoted Peikin in its analysis, finding that, while many reports are COVID-19-related, many others are in “traditional areas.”[ii]
WHAT TO DO NOW: Talk to management about the possibility of performing a culture and ethics survey across the organization. If you can’t get approval, try to get whistle-blower-related questions included in the annual engagement survey. If you still can’t get any buy-in, you can either launch your own survey through services like Survey Monkey or Survey Anyplace, or you can conduct focus groups representative of the company’s employee population to get the information you need.
Lesson Five: You Must Document WHY You Make the Choices You Make
There’s nothing like contemporaneous notetaking to show a prosecutor why you made the choices you made. In two different parts of the new guidance, prosecutors are told to inquire about why and how choices were made. Under the section on risk assessments, prosecutors are told to “endeavor to understand why the company has chosen to set up the compliance program the way that it has, and why and how the company’s compliance program has evolved over time.” Later in the guidance, the new question is asked, “What are the reasons for the structural choices the company has made?”
WHAT TO DO NOW: Take stock of how the compliance program began, and how it has evolved over time, then write down a timeline of how the program has changed. For many companies, compliance was born from a subset of activities assigned to the Legal Department that evolved into a full-blown, independent program. Write down how and why these changes were made. In the future, as the program expands or contracts, keep notes about why those decisions were made.
Lesson Six: You Need a Plan for Post-Acquisition Integration of the Compliance Program
The original DOJ guidance focused extensively on the need for companies to involve the compliance function in pre-merger/acquisition due diligence. The new guidance takes this one step further to focus on post-acquisition integration of the compliance function into the newly acquired entity. The new guidance states that companies should have “a process for timely and orderly integration of the acquired entity into existing compliance program structures and internal controls.” The new guidance also states that “Flawed or incomplete pre- or post-acquisition due diligence and integration can allow misconduct to continue at the target company, causing resulting harm to a business’ profitability and reputation and risking civil and criminal liability.”
WHAT TO DO NOW: If your company is in the process of making an acquisition, or if your company has recently completed an acquisition, create and execute a plan for integrating the compliance program and associated controls at the new company. If there is currently no plan for an acquisition, create a basic outline for post-acquisition compliance program integration, and write it out. With the economic fallout from COVID, there will likely be a contraction in industries, and merger and acquisition activity may heat up quickly. It is important to have a plan for when it does.
Lesson Seven: Make Sure You Have a Continuing Education Budget
One of the brightest spots for compliance officers in the updated guidance is the addition of the question, “How does the company invest in further training and development of the compliance and other control personnel?” Companies that don’t provide continuing education budgets and invest in the upskilling of their compliance teams will be put on the spot by prosecutors who expect this type of investment.
WHAT TO DO NOW: If you don’t have a continuing education budget, go to your management and explain to them that the DOJ expects that compliance teams have continuing education. Be specific in your requests. Eventually, conferences will return, but in the meantime, try to get budget for webinars, virtual events, or online classes (like the Wildly Effective Compliance Officer Newcomer Course, available now, or Risk Assessments Made Easy, available at the end of June).
Lesson Eight: Keep Up-to-Date on Benchmarking and Prosecutorial Actions
The new guidance puts the onus on compliance officers to know what is going on in their company, as well as in other similarly-situated companies. Indeed, one new paragraph asks, “Does the company have a process for tracking and incorporating into its periodic risk assessment lessons learned either from the company’s own prior issues or from those of other companies operating in the same industry and/or geographical region?” Later in the guidance is the question “Does the company review and adapt its compliance program based upon the lessons learned from its own misconduct and/or that of other companies facing similar risk?”
WHAT TO DO NOW: Go over your investigations reports and root cause analyses for the past three years to ensure that the lessons you’ve learned have been incorporated into the compliance program – then document your review. Ensure that you have a robust network of compliance officers in similar industries or geographical regions to reach out to. If you don’t have such a network now, contact compliance officers in your industry and/or region via LinkedIn so that you can benchmark the risks facing your industry/geography. Lastly, follow major actions by prosecutors in the risk areas that you manage. You can read court opinions, deferred prosecution agreements, and prosecutorial guidance to obtain this information. You can also get legal alerts from law firms and advice from consulting firms to help you.
Lesson Nine: Update, Update, Update
The word “update” appears seven times in the 18 substantive pages of the guidance, with two new mentions on page three alone. Prosecutors were already tasked with asking whether the company’s risk assessment was “current and subject to periodic review.” Now prosecutors will follow up with the question, “Has the periodic review led to updates in policies, procedures, and controls?”
WHAT TO DO NOW: Look
at the investigations and control failures you’ve had in the past three years. Review the latest regulatory guidance, court decisions, and deferred prosecution agreements to see patterns, then update your policies, procedures, and risk assessment to reflect the lessons learned from your review. Be sure to use version control or date stamps to show that the policies and procedures were updated. Even if you don’t make changes, note the date the previous review was done so you have a paper trail evidencing your ongoing commitment to updating the program.
Lesson Ten: If You have a Multinational Program, Document Your Response to Non-US Laws
The very end of the updated guidance has a paragraph instructing prosecutors to “consider whether certain aspects of the compliance program may be impacted by foreign law.” When a compliance department has made decisions about its program based on non-US law, “Prosecutors should ask the company the basis for the company’s conclusion about foreign law, and how the company has addressed the issue to maintain the integrity and effectiveness of its compliance program while still abiding by foreign laws.”
WHAT TO DO NOW: Look for areas of your program to which non-US law made a difference. Did you disallow facilitation payments to comply with the UK Bribery Act? Did you update your global privacy program to meet the requirements of the European General Data Protection Regulation (GDPR)? Have you responded to EU sanctions with an enhanced screening program? Wherever you have considered “foreign” law, be sure to write down where you received information about the law or counsel on its meaning, and how you made the decisions you did about the program in response to that advice. A best practice is to tailor your program to the strictest law so that you have a consistent program across the world, and so that you meet the threshold requirements of any less-strict law to which the company is subject.
The updated DOJ guidance is helpful because the edits and additions provide a window into what prosecutors have found since the publishing of the original guidance over a year ago. Although the changes are in some places quite subtle, those changes can mean the difference between receiving mitigating credit and multi-billion dollar fines. The DOJ has spoken again, and it is critical that all of us in the compliance profession listen and respond accordingly.
*Many thanks to Matt Kelly of Radical Compliance for providing the redline of the guidance: http://www.radicalcompliance.com/wp-content/uploads/2020/06/DOJ-Guidance-2020-compared.pdf