The U.S. Department of Justice (“DOJ”)’s Criminal Fraud Section recently issued guidance for corporate compliance programs in a document titled Evaluation of Corporate Compliance Programs (“Fraud Section Guidance”), which reflects a number of notable differences from prior guidance on similar issues. The Fraud Section Guidance contains a list of topics and questions used by the Fraud Section in evaluating corporate compliance programs. As several commentators have noted—and the Fraud Section acknowledges—many of the topics contained in this recent guidance are consistent with, among other things, the Resource Guide to the U.S. Foreign Corrupt Practices Act (“FCPA Guide”) and the current U.S. Sentencing Guidelines, both of which outline desired aspects of corporate compliance program “best practices.” But it is the differences—areas where the DOJ has expanded on prior commentary—that may provide key insights into DOJ areas of concern.
Specifically, the Fraud Section Guidance provides more detail than prior guidance on three key topics, thereby providing companies with a roadmap for how to strengthen their compliance programs—at least from a DOJ perspective—through increased focus on (1) compliance functions, (2) training programs, and (3) testing of compliance programs.
1. Greater Focus on Compliance Function. As in prior public commentary, the Fraud Section Guidance reiterates that the compliance function should:
(1) be delegated to specific individuals within the organization who have day-to-day responsibility for the compliance and ethics program;
(2) be autonomous, i.e., have direct reporting lines to the board of directors; and
(3) have adequate resources.
The Fraud Section Guidance, however, emphasizes the role of the compliance function within a company much more than the FCPA Guide or the U.S. Sentencing Guidelines. For example, the recent guidance indicates that the Fraud Section may consider (and companies should therefore evaluate):
• The compliance function’s stature within the company, including whether (1) the compliance function’s compensation levels and rank/title are comparable to other strategic functions, (2) there has been a high turnover rate for compliance personnel, and (3) the compliance function is involved in strategic and operational decisions.
• The experience and qualifications of compliance personnel, and, in particular, whether their experience and qualifications are commensurate with their roles and responsibilities.
• “Empowerment” of the compliance function, in other words, whether the company takes the compliance function seriously. Among other things, in evaluating the compliance function’s role, a company should consider (1) whether compliance previously raised concerns with respect to wrongdoing and, if so, how the company responded to such concerns; and (2) whether specific transactions or deals have been stopped or modified as a result of compliance concerns.
2. Enhanced Training – Should Not be “One Size Fits All.” The recent guidance again emphasizes the importance of compliance training for employees, but appears to place more emphasis on “risk-based” trainings. The Fraud Section Guidance highlights questions regarding whether companies:
• Analyze training needs, i.e., determine (1) who should be trained and, in particular, whether there are high-risk employees who should receive additional training; and (2) whether different employees should be trained on different compliance topics.
• Provide additional training for “key gatekeepers,” such as employees who issue payments or review approvals, to ensure they are familiar with the company’s control processes.
3. Higher Expectations for Testing and Updating Compliance Programs. The recent guidance builds on what companies already know from the FCPA Guide and the Sentencing Guidelines: companies should periodically review and update their compliance programs to ensure that they are effective. The Sentencing Guidelines state that an “organization shall take reasonable steps . . . to evaluate periodically the effectiveness of” its compliance program, U.S.S.G. § 8B2.1(b)(5), and the FCPA Guide advises companies to “regularly review and improve their compliance programs,” FCPA Guide at 62.
The Fraud Section Guidance goes even further by providing more detail about what the DOJ Fraud Section thinks that review-and-improvement process should look like. In particular, it indicates that companies should conduct regular, holistic reviews of compliance programs that include (1) testing controls; (2) collecting and analyzing compliance data; (3) interviewing employees and relevant third parties to assess the implementation of, and familiarity with, policies and procedures; and (4) reporting the results of such review and tracking action items.
Although the Fraud Section Guidance is largely consistent with prior compliance-program guidance, it provides companies an opportunity to re-evaluate their compliance programs to ensure that they are in line with the DOJ’s view of best practices, with a focus on their compliance functions, trainings, and testing of their compliance programs. To do so, a company should, at a minimum, undertake the following five steps.
1. Ensure that it has certain key components of a compliance program, including:
• Commitment from senior leaders to a culture of compliance;
• A comprehensive set of compliance policies and procedures tailored to the particular risks facing the company;
• A third-party management process that requires proportionate due diligence of third parties, necessary third-party contract terms, and ongoing monitoring of third-party relationships; and
• A mechanism for employees to report potential misconduct confidentially.
2. Evaluate the role of its compliance function, focusing on its stature and empowerment within the company.
3. Analyze the training that employees and third parties receive on compliance policies and procedures to ensure that it is risk-based, and revise training programs as necessary.
4. Evaluate the way in which the company tests its compliance program to ensure that the review is holistic and includes (a) testing controls; (b) collecting and analyzing compliance data; (c) interviewing employees and relevant third parties to assess the implementation of, and familiarity with, policies and procedures; and (d) reporting the results of such review and tracking action items.
5. Update its compliance program as needed based on, among other things, the results of testing the compliance program, identification of control failures, or new risk assessments.