Articles - 27/07/20
US Department of Justice Criminal Division releases updated version of its Evaluation of Corporate Compliance Programs
The Criminal Division of the US Department of Justice (“DOJ”) periodically updates its guidance regarding the evaluation methods for the effectiveness of corporations compliance programs in the Evaluation of Corporate Compliance Programs. The last version of such document is dated June 2020.
The main objective of such guidance is to assist prosecutors in making informed decisions as to whether, and to what extend the corporation compliance program was adequate during the time of the offence or at the moment of the charging decision. The document gives background information so that prosecutors can assess: (i) the form of prosecution, (ii) the monetary penalty, if applicable, and (iii) the compliance obligations contained in the decision of any corporate case (such as enforcement or monitoring).
Even though the document does not have the force of law, it has significant persuasive value in the DOJ´s decisions and should be considered as a reference of great importance regarding corporate compliance guidelines that either US corporations or companies that have any connection to the US market should consider when elaborating, implementing and improving their compliance programs.
The DOJ´s guideline remark that there is no rigid formula to do the proposed evaluation, and recognizes that each company´s risk profile present unique circumstances and should receive a particularized evaluation. However, the document presents common questions that prosecutors should take into consideration in the course of making an individualized determination.
The new version covers much of the content of its predecessor. The following roadmap addresses the new implementations made to the guidelines that should be considerer for quality evaluation of corporate compliance programs within the context of each of the three key questions that set out the standards to perform such analysis.
Is the corporation´s compliance program well designed?
Risk Assessment: the topic “Updates and Revisions” has two new questions regarding the quality of the company´s periodic review, if consists in a “snapshot” in time or if it is based upon continuous approach to operational data and information across functions, and if the periodic review results reflect into changes into the company´s policies, procedures and controls.
A new topic entitled “Lessons Learned” was added to this section, bringing in a question about the existence of a process that tracks and incorporates into the company periodic risk assessment the lessons learned from the corporation own issues or from issues of other companies in the same industry and/or geographical region.
Policies and Procedures: the “Design” topic now mentions that it should also be taken into consideration what is the company´s design for updating existing policies and procedures. And the “Accessibility” section a has new question regarding the publication of policies and procedures, in the sense that prosecutors should assess if the company has an easy reference searchable format tool and if the there is a control to track which policies and procedures attract more attention from relevant employees.
Training and Communication: the “Form/Content/Effectiveness of Training” section establishes that prosecutors should assess if the company has a process available, whether online or in person, to employees to asks questions regarding trainings received. Moreover, it should be considered if the corporation evaluated how the training has impacted employees behavior or operations.
Confidential Reporting Structure and Investigation Process: in the “Effectiveness of the Reporting Mechanism” topic third parties are mentioned, in the sense that they should also be aware of the company´s reporting mechanism. A new question was added so prosecutors analyze if the corporation tests whether their employees are aware of the hotline and feel comfortable using such tool.
The “Resources and Tracking of Results” section now explicitly has a question about the existence of a periodic test for the effectiveness of the company hotline.
Third Party Management: according to the updated version of the guidance, prosecutors should conduct their analyzes taking into consideration whether the corporation knows the business rationale for engaging in a third party transaction and the risks that come along with such relationship.
The “Management Relationships” section brings in a new question to whether the company engages in risk management of third parties throughout their relationship or primarily during the onboarding process.
Mergers and Acquisitions: in this topic it was included a new standard to assess what is considered a well-designed compliance program regarding M&A matters, which is the existence of a process for orderly and timely integration of the entity acquired into existing compliance program structures and internal controls. It is also mentioned that the due diligence should be conducted pre or post-acquisition and the integration procedures of the new company should be considered in the analyzes.
These new standard was reflected in the subsections “Due Diligence” and “Process Connection Due Diligence to Implementation” into questions about the ability of the company to complete pre-acquisition due diligence and the necessity to exposed reasons if that task was not full filled, and about the company´s ability to conduct post-acquisition audits at the acquired entity.
(ii) Is the corporation´s Compliance Program adequately resourced and empowered to function effectively?
Autonomy and Resources: in the topic “Structure” it was added a question asking about the reason for the structural choices the company made. In the “Experience and Qualifications” topic prosecutors should now also assess if the corporation invests in further training and development of the compliance team and other control personnel.
Also, a brand new topic was created, entitled “Data Resources and Access”, which emphasizes the importance of compliance and control personnel to have direct access to relevant data to allow an effective and timely monitoring and/or testing of the corporations policies and questions, also it should be perceived if there are impediments that limit access to important data and, if so, if the company addresses such situation.
Incentives and Disciplinary Measures: the section “Consistent Application” brings a new question to whether the compliance function monitors its own investigations and discipline measures imposed in order to assure consistency.
(iii) Does the corporation´s Compliance Program work in practice?
Continuous Improvement, Periodic Testing, and Review: in the subsection “Evolving Updates” was included a new question that gives relevance to the company review and adaptation of its compliance program based on the lessons learned for its own misconduct or that of companies facing comparable risks.