The US Department of Justice (DOJ) just can’t seem to get compliance off its mind. On April 30, 2019, the DOJ updated its guidance entitled “Evaluation of Corporate Compliance Programs,” which is designed to inform prosecutors about how they should evaluate the effectiveness of corporate compliance programs for purposes of determining:
- appropriate resolution of matters involving corporate wrongdoing;
- penalties to be assessed;
- additional compliance obligations to be imposed on a corporation; and
- additional oversight that may be necessary, such as a monitorship.
I have posted an outline of the guidance on my website.
The DOJ’s guidance is good for industry because it:
- Levels the regulatory playing field by providing specific factors that a corporation’s compliance department can proactively implement and test;
- Validates the importance of compliance;
- Indicates that prosecutors should review the performance of compliance over time (i.e., can the company detect and mitigate bad behavior under its current compliance program); and
- Recognizes the risk-based approach to compliance.
Leveling the Playing Field
Perhaps most importantly, the guidance levels the regulatory playing field by establishing minimum compliance standards for corporate compliance departments.
Perhaps most importantly, the guidance levels the regulatory playing field by establishing minimum compliance standards for corporate compliance departments. The DOJ has put everyone on notice of what it expects.
Fortunately, the guidance bucks the recent trend of regulation by enforcement, in which regulators make examples of companies in order to achieve policy goals and discourage malfeasance across an industry. Under the regulation by enforcement approach, regulatory enforcement orders are intended as guides for other corporations to avoid similar violations.
Corporations have grown frustrated with regulation by enforcement because:
- Corporations may not be on notice about prohibited activity until they are under investigation, and it’s too late;
- It is difficult and confusing to enhance compliance efforts by reacting to an extreme set of facts involving another company; and
- Corporations in the government’s crosshairs have concerns that they have been singled out and will have to compete against firms not subject to the same amount of scrutiny or set of rules.
I think the DOJ has gone a long way to ensure compliance across industries by publishing the guidance. It level sets compliance expectations. With the guidance, companies can get to work performing gap analysis and improving their compliance efforts instead of reviewing every enforcement action for clues on what to do.
Compliance Remains Important
The DOJ wants to make sure that corporations involved in malfeasance have not only stopped the wrongdoing but also invested enough resources and attention to its compliance program to detect and prevent the wrongdoing from happening in the future.
The DOJ wants to make sure that corporations involved in malfeasance have not only stopped the wrongdoing but also invested enough resources and attention to its compliance program to detect and prevent the wrongdoing from happening in the future. If not, the need for additional remedial measures, including enhanced compliance requirements or an independent corporate monitorship may be a term of the settlement or enforcement action.
Two Pertinent Review Periods
[P]rosecutors should evaluate the effectiveness of a corporate compliance program both at the time of the offense and the resolution of the matter.
The guidance makes clear that prosecutors should evaluate the effectiveness of a corporate compliance program both at the time of the offense and the resolution of the matter. Thus, the benefit and necessity of establishing and maintaining a robust compliance program does not go away after the initial discovery or investigation of wrongdoing. The guidance gives corporations a better understanding of how its remedial compliance efforts will be assessed and worthwhile.
Risk Based Approach
… the guidance acknowledges the risk-based approach and iterative nature of a corporate compliance program …
Importantly, the guidance acknowledges the risk-based approach and iterative nature of a corporate compliance programwhen it states:
Prosecutors may credit the quality and effectiveness of a risk-based compliance program that devotes appropriate attention and resources to high-risk transactions, even if it fails to prevent an infraction in a low-risk area. Prosecutors should therefore consider, as an indicator of risk-tailoring, “revisions to corporate compliance programs in light of lessons learned.”
The guidance does not establish a strict liability standard for corporate compliance. It makes room for corporations to devote compliance resources to its highest risk areas and acknowledges that infractions in low risk areas are not necessarily indicative of an ineffective compliance program.
I applaud Assistant Attorney General Brian A. Benczkowski and the DOJ for bridging the gap between industry and government by publishing compliance guidance. The guidance allows lawyers and compliance professionals to be proactive in development and enhancement of compliance programs, as opposed to reacting to an order. Further, it should be a more effective deterrent of malfeasance as it is clear that the guidance should apply to any federal prosecutor’s review of a corporate compliance program. Ultimately, the guidance will serve as a checklist of items to ensure the corporation’s compliance program is properly designed, documented, tested, audited and working.
The guidance allows lawyers and compliance professionals to be proactive in development and enhancement of compliance programs, as opposed to reacting to an order.
The best response to the new DOJ compliance guidelines is to:
- Engage knowledgeable compliance counsel because any legal advice rendered can be privileged.
- Have counsel assess the sufficiency and effectiveness of the compliance program in light of the new guidance.
- Work with counsel to develop effective and actionable recommendations and implement those recommendations.
I have spent the last 15 years working with corporations to leverage their existing compliance strategy and approach to successfully implement enhancements. Please let me know if I can be of service to your firm with the new guidance or other compliance issues.
– John Tyson
John Tyson is an attorney licensed to practice law in Texas and New York and Certified Regulatory Compliance Manager. John has over 15 years’ experience spearheading initiatives at major financial institutions to support multi-jurisdictional regulatory compliance.