On April 30, the US Department of Justice updated its Evaluation of Corporate Compliance Programs, guidance that it provides to federal prosecutors for their use to assess an organization’s efforts to implement and maintain effective compliance management.
• What are the changes to these evaluation criteria?
• Further, what’s the significance of this guidance in the first place?
• Finally, why should businesses find value in this update?
To provide appropriate context to these questions, first let’s revisit the development of guidance for federal prosecutors and judges regarding evaluation of an organization’s compliance program.
The Federal Sentencing Guidelines
In 1991, the US Sentencing Commission updated its own guidance to federal judges. The Commission is part of the federal judiciary and charged with providing guidelines to federal judges for sentencing organizations convicted of federal criminal misconduct.
Broadly, these Sentencing Guidelines are intended to help judges determine a sentence for an organization convicted of criminal conduct. (This is related to similar sentencing guidelines for individuals convicted of criminal conduct, which would apply to an organization’s officials and other employees.) These Guidelines provide the judge a framework for making this evaluation and, in doing so, creates consistency among judges across cases and federal districts.
The Guidelines chiefly take into account the significance of the criminal conduct, its duration, and the organization’s complicity in the conduct. But the Guidelines also offer a “carrot and stick” with respect to compliance: an organization’s sentencing can be reduced or exacerbated based on the degree to which the organization maintained an effective compliance program.
This section of the Guidelines, “Criteria for an Effective Compliance Program,” quickly became the de facto framework for how US businesses institute and manage legal compliance. The criteria included seven essential components of compliance management. These have been updated three times since 1991 and today address such criteria as the following:
• Commitment by leadership to ethics and compliance
• Assurance that senior staff are reviewed for a propensity to engage in misconduct
• Assessment of the organization’s compliance risks
• Standards and procedures
• Training and communications
• Compliance monitoring and auditing
• Systems for reporting suspected misconduct confidentially and anonymously
• Procedures to respond to identified misconduct
In the ethics and compliance profession, these criteria are often referenced as the US Sentencing Guidelines or Federal Sentencing Guidelines and have been very influential in similar frameworks developed by other areas of the federal government, including the Department of Health & Human Services’ Office of Inspector General and the Department of Justice.
DOJ Principles for Federal Prosecution
Starting in 1999, the Department of Justice began issuing a series of memoranda to provide federal prosecutors with guidance when pursuing cases against and charging organizations with criminal conduct (Holder, Thompson, McNulty, Filip memos). This guidance became the basis for today’s Principles for Federal Prosecution of Business Organizations. These Principles take their cue from the US Sentencing Guidelines with respect to criteria that prosecutors should consider as to whether an organization has made efforts to institute an effective compliance program. These Principles influence prosecutors:
• Whether to pursue a case against an organization
• Whether to charge an organization with civil or criminal conduct (and separate from whether to charge its employees with this conduct)
• What sentencing to recommend to the judge for organizations found guilty of criminal conduct
In 2015, the Department of Justice began working with Hui Chen, a former federal prosecutor and corporate compliance expert, to help the Department better determine how to aid prosecutors in evaluating organizations’ compliance efforts. This resulted in the first “Evaluation of Corporate Compliance Programs” in 2017. These criteria laid out the following structure:
Two prominent examples of where this framework demonstrated value to businesses follow:
• In 2012, The Department of Justice declined to prosecute Morgan Stanley when one of its executives bribed Asian officials in a real estate deal. Prosecutors signaled that the firm’s efforts to train and communicate compliance requirements to this executive demonstrated the firm’s commitment to compliance. (The executive was charged separately.)
• Earlier this year, the Department declined to charge Cognizant with criminal conduct over a bribery scheme by its CFO and chief compliance officer in securing a location site in India, largely because of the company’s compliance efforts and its quick reporting of a bribery scheme. (see blog)
DOJ Updated Evaluation Criteria
With the April 30 release of the DOJ’s updated Evaluation of Corporate Compliance Programs, the DOJ has evolved how it sees successful organizational compliance. This both sets challenges for and offers gifts to businesses.
As the ethics and compliance field matures, its frameworks will move in tandem, creating a more sophisticated and nuanced way of addressing how organizations should demonstrate responsible conduct. This evolution has moved from a reactive stance to one that is increasing proactive, with expectations that organizations not only maintain hard controls, such as segregation of duties and management sign-offs, but also soft controls, such as communications and management commitment. Companies that don’t want to run afoul of regulators’ focus will need to keep pace with these changes and develop their own compliance efforts in line with regulators’ expectations.
The gift is twofold.
First, by developing criteria in the first place, the DOJ provides a helpful roadmap for what businesses should do to demonstrate compliance. They need not ‘read the tea leaves’ of prior criminal cases and sentencing memos to divine what the Department expects; through these criteria, the Department is speaking rather clearly about its intentions.
Second, indirectly, businesses now have an improved means to manage compliance risk. By using the Department’s (or the US Sentencing Commission’s) criteria for effective compliance, businesses benefit themselves by better managing risk: preventing it, detecting it early, taking quick steps to mitigate its damages, and then proactively improving processes to prevent its recurrence.
Part 2 of this series will address the changes in the updated DOJ Criteria versus its earlier criteria.
Part 3 will address the new Criteria’s implications for organizations’ compliance training and communications efforts.