Earlier this week, on June 1, the Department of Justice published its latest version of “Evaluation of Corporate Compliance Programs.” Like the versions before it, the revised Guidance essentially lays out what the DOJ wants to see in a company’s compliance program in order to afford that company a favorable resolution in a criminal matter, whether it be a declination, a non-prosecution agreement or a deferred prosecution agreement.
The revised version is much like the prior versions, but there are certain changes worth noting.
1. Adequate resources need to be allocated
The focus on “implementation” of the compliance program is made more specific by asking whether “adequate resources” were allocated to the compliance program and whether it was “empowered to function.” For example, whereas in the past a company could receive credit for having implemented a compliance program even when a violation in a low-risk area occurred, under the new Guidance, even when there is a violation in a high-risk area, the company can receive credit provided the program was “well resourced” for such high-risk transactions. What this means is that it will be prudent for companies to look at the dollars they budget for compliance as compared with their total budget and ask whether the comparison suggests their compliance program is well resourced. As part of that equation, it would also make sense to review compliance personnel salaries against sales or marketing personnel salaries.
2. Tone at the top may not be enough
Whereas in the prior versions, a compliant tone at the top was a very important factor DOJ considered, the newest version adds a new wrinkle. The expanded tone at the top includes the tone in middle management. It may no longer be sufficient for a company seeking leniency from the DOJ to produce evidence that shows that the board and senior management, such as the CEO and COO, support compliance. A company seeking credit for its compliance program may now need to get buy-in from—and active involvement by—middle management.
3. Results, results, results
The new Guidance focuses on whether there are processes in place that require the company to track the success of its compliance program. For example, the Guidance suggests that a program include the following:
- Periodic review of the program, including a process for tracking whether policies and procedures are changed as a result of the review;
- A process for tracking violations by other companies in the same industry, which should trigger a review of policies and procedures and revising them, if needed, to proactively address the possibility of similar violations at the company;
- A process to review how training impacts employees’ behavior—in other words, a process to gauge whether the training was successful, and
- A process to periodically review the hotline to see whether it works—do employees use it, and when they do, do investigations result that ultimately result in a change of policies and procedures?
4. Due diligence of third parties at onboarding may not be enough
The Guidance revised the term “due diligence of third parties” to “third party management,” requiring review of a third party’s compliance throughout the life of the relationship—a particularly heavy lift if the third party is located on a different continent. For global corporations with third-party relationships scattered throughout many countries, this alone may significantly increase the resources needed to be allocated to compliance. Nowhere will targeted risk assessments be more important to contain costs while remaining compliant.
5. Data resources and access
Which brings us to a brand-new paragraph in this latest version on data resources and access. Do compliance personnel have access to relevant sources of data to timely test and monitor? To meet this new factor, it would be prudent for a company to consider gathering its stakeholders in sales, marketing, finance, manufacturing and other business groups with its legal and compliance teams to review the various data sets available within the company and determine which of those compliance should get access to in order to do its job.
For more information about the Guidance or staying compliant, please contact John Libby, Jacqueline Wolff or another member of Manatt’s investigation and white collar defense team.