Quick Read: What you need to know about the DOJ Fraud Section’s new 'Evaluation of Corporate Compliance Programs' guidance
06 March 2017
In February 2017, the U.S. Department of Justice (“DOJ”), through the Fraud Section of the Criminal Division, issued new guidance on how it evaluates corporate compliance programs, available here. The Guidance details sample topics and questions that the DOJ is likely to ask in evaluating the strength of a corporate compliance program, which is of particular importance in FCPA cases where a company often relies on the strength of its compliance program when advocating for more lenient results, such as a deferred or non-prosecution agreement or a reduction in penalties. A strong compliance program is also critical for a company trying to convince the DOJ that the company should not be subject to a monitorship. The Guidance follows a recent trend in enhancing transparency in the enforcement process, including the DOJ’s new FCPA pilot program for self-reporting and cooperation, which is approaching its one-year anniversary.
The Guidance is divided into 11 topics and includes 119 “sample” questions. The Guidance relies on and cites a number of existing resources, such as the United States Attorney’s Manual (and the well-known "Filip Factors"), the Sentencing Guidelines, the 2012 DOJ and SEC FCPA Guide, and OECD resources. While the topics are not particularly surprising, ranging from analysis and remediation of underlying misconduct to risk assessment and third-party management, the sample questions are increasingly specific, demonstrating an effort to get under the hood of a compliance program and not simply rely on a “check the box” exercise. This is not surprising given the increased focus on the sophistication of corporate compliance programs and the DOJ’s hiring of a dedicated compliance expert. The Guidance provides companies with more specific direction as to how to build and enhance their compliance function and also how to respond to and remediate potential issues as they arise.
Although the document is undated, it was reportedly added to the DOJ’s website on February 8, 2017. The Guidance has received some attention from commentators as it is the first guidance issued during the new Presidential administration, which commenced on January 20, 2017. The new Attorney General, Jeff Sessions, was confirmed by the Senate on February 8 and sworn in on February 9, 2017—the day after the guidance was apparently made public. While the Guidance was issued during President Trump’s administration, the enforcement priorities and views of Attorney General Sessions remain to be seen.
While the general approach to evaluating a corporate compliance program is not novel, the specificity of evidence sought in the Guidance is informative. A few examples indicate that the purpose of the Guidance is to provide practical, real-world advice instead of relying on generic assertions:
- Tone from the Top: Rather than vague references to the importance of so-called “tone from the top,” the Guidance gets specific and includes questions that ask how senior leaders have “through their words and actions, encouraged or discouraged the type of misconduct in question” and seeks examples of “concrete actions they have taken to demonstrate leadership.” The Guidance also asks whether the Board has held private sessions with compliance and control functions and for examples of the types of information examined by the Board.
- Risk-based compliance program: Rather than mere assertions that a compliance program should be tailored and risk-based to the company’s profile, the questions in the Guidance request the methodology the company relied upon to identify, analyze, and address its particular risk and for the information or metrics the company has collected and used to identify misconduct and inform the compliance program.
- Monitoring and testing: Rather than simply stating that effective monitoring and testing is a key component of a robust compliance program, the questions in the Guidance home in on internal audit, control testing, and the regularity of updates to the company’s risk assessments, policies, procedures, and practices. For example, the questions in the Guidance ask for a description of the types of audits that would have identified issues relevant to the misconduct; whether such audits occurred; when and what information about the audits was escalated to management and the board; and their response. The questions related to control testing also focus on a data-driven exercise: how have controls been tested and how has the compliance data been collected, analyzed, reported, and tracked.
Fundamentally, the questions across the 11 topics seek concrete examples and data-driven analysis of the compliance program’s effectiveness. The collection of topics and specificity of the questions is noteworthy and provides insight into the lines of questions one would expect in the context of an enforcement matter. A company, including its Board, senior management, and legal and compliance functions, should collect data points and information regarding these components of its compliance program and rectify potential gaps.