The Department of Justice’s Gift That Keeps on Giving – Part 2

The newly updated 2019 DOJ Evaluation of Corporate Compliance Programs criteria offer some valuable advances to how prosecutors should look at an organization’s compliance efforts.

 

First, it warrants noting that these updated criteria were issued by the DOJ’s Criminal Division; the 2017 criteria were issued by the Fraud Division, which is just one part of the Criminal Division.  So, the updated criteria apply to a larger pool of prosecutors and broader range of criminal offenses.

 

Second, the new criteria introduce three leading questions, in which all criteria are placed:

  1. Is the corporation’s compliance program well designed?
  2. Is the program being applied earnestly and in good faith? In other words, is the program being implemented effectively?
  3. Does the corporation’s compliance program work in practice?

 

This structure reinforces the point that “paper programs” with no substance and follow-through supporting them will not pass the test. DOJ wants to see programs with “teeth,” those that not only are well designed but also are well applied with tangible results.

 

Third, prosecutors will evaluate a compliance program as to its effectiveness when the relevant offense occurred and at the time of charging or other resolution. This assessment will weigh on the decision to prosecute or otherwise resolve the offense, any financial penalty, and any further compliance requirements. So, while a business should take proactive steps to build an effective compliance program, it still has some opportunity to build or reinforce these efforts after prosecutors begin to investigate. Though, why a company would bother to wait until this late in the game remains a mystery given all the benefits that come from avoiding an investigation, or an offense in the first place.

 

Fourth, the updated criteria are just over twice as long as the 2017 criteria (18 pages versus 8 pages), so they cover more criteria and in greater depth, providing prosecutors with more precise guidance and businesses with greater insight into how the DOJ views effective compliance.

 

Instead of listing each criteria separately as it did in 2017, the updated guidance places each criteria under a major heading. This emphasizes the importance of the design, implementation and follow-through of a compliance program. Here is the new structure of these criteria:

 

  1. Is the corporation’s compliance program well designed?
    1. Risk assessment
    2. Policies and procedures
    3. Training and communications
    4. Confidential reporting structure and investigation process
    5. Third party management
    6. Mergers and acquisitions

 

  1. Is the program being applied earnestly and in good faith? In other words, is the program being implemented effectively?
    1. Commitment by senior and middle management
    2. Autonomy and resources
    3. Incentives and disciplinary measures

 

  1. Does the corporation’s compliance program work in practice?
    1. Continuous improvement, periodic testing, and review
    2. Investigation of misconduct
    3. Analysis and remediation of any underlying misconduct

 

Immediately, we can see the similarity with the criteria for an effective compliance and ethics program under the US Sentencing Guidelines.

 

Without running through a line-by-line analysis of the differences between the 2017 and 2019 criteria (which anyone can perform using a MS Word document comparison function), suffice it to say that

  • The substance of the 2017 criteria are preserved.
  • Certain additional items are added to the 2019 criteria that expand on each topic.
  • Greater commentary is provided regarding each topic to help organizations understand the DOJ’s purpose for the topic and which helps to clarify its intent.

 

In the end, these updated criteria offer organizations a compelling roadmap for designing, instituting and maintaining an ethics and compliance program. Leadership need not stew over what the DOJ wants to see—they’re telling it more explicitly than before. So, if an organization wants to place itself in the best possible position should it be investigated, charged with an offense, have its executives charged, or be prosecuted, this is the gift.

 

While certain executives will believe they never have to worry about these risks, it’s worth pointing out that, as these criteria become more fully adopted by businesses and other organizations, it raises the bar for effective ethics and compliance management.

 

Part 3 will address the new Criteria’s implications for organizations’ compliance training and communications efforts.

The Department of Justice’s Gift That Keeps on Giving

On April 30, the US Department of Justice updated its Evaluation of Corporate Compliance Programs, guidance that it provides to federal prosecutors for their use to assess an organization’s efforts to implement and maintain effective compliance management.

• What are the changes to these evaluation criteria?
• Further, what’s the significance of this guidance in the first place?
• Finally, why should businesses find value in this update?

To provide appropriate context to these questions, first let’s revisit the development of guidance for federal prosecutors and judges regarding evaluation of an organization’s compliance program.

The Federal Sentencing Guidelines 

In 1991, the US Sentencing Commission updated its own guidance to federal judges. The Commission is part of the federal judiciary and charged with providing guidelines to federal judges for sentencing organizations convicted of federal criminal misconduct.

Broadly, these Sentencing Guidelines are intended to help judges determine a sentence for an organization convicted of criminal conduct. (This is related to similar sentencing guidelines for individuals convicted of criminal conduct, which would apply to an organization’s officials and other employees.) These Guidelines provide the judge a framework for making this evaluation and, in doing so, creates consistency among judges across cases and federal districts.

The Guidelines chiefly take into account the significance of the criminal conduct, its duration, and the organization’s complicity in the conduct. But the Guidelines also offer a “carrot and stick” with respect to compliance: an organization’s sentencing can be reduced or exacerbated based on the degree to which the organization maintained an effective compliance program.

This section of the Guidelines, “Criteria for an Effective Compliance Program,” quickly became the de facto framework for how US businesses institute and manage legal compliance. The criteria included seven essential components of compliance management. These have been updated three times since 1991 and today address such criteria as the following:
• Commitment by leadership to ethics and compliance
• Assurance that senior staff are reviewed for a propensity to engage in misconduct
• Assessment of the organization’s compliance risks
• Standards and procedures
• Training and communications
• Compliance monitoring and auditing
• Systems for reporting suspected misconduct confidentially and anonymously
• Procedures to respond to identified misconduct

In the ethics and compliance profession, these criteria are often referenced as the US Sentencing Guidelines or Federal Sentencing Guidelines and have been very influential in similar frameworks developed by other areas of the federal government, including the Department of Health & Human Services’ Office of Inspector General and the Department of Justice.

DOJ Principles for Federal Prosecution

Starting in 1999, the Department of Justice began issuing a series of memoranda to provide federal prosecutors with guidance when pursuing cases against and charging organizations with criminal conduct (Holder, Thompson, McNulty, Filip memos). This guidance became the basis for today’s Principles for Federal Prosecution of Business Organizations. These Principles take their cue from the US Sentencing Guidelines with respect to criteria that prosecutors should consider as to whether an organization has made efforts to institute an effective compliance program. These Principles influence prosecutors:
• Whether to pursue a case against an organization
• Whether to charge an organization with civil or criminal conduct (and separate from whether to charge its employees with this conduct)
• What sentencing to recommend to the judge for organizations found guilty of criminal conduct

In 2015, the Department of Justice began working with Hui Chen, a former federal prosecutor and corporate compliance expert, to help the Department better determine how to aid prosecutors in evaluating organizations’ compliance efforts. This resulted in the first “Evaluation of Corporate Compliance Programs” in 2017. These criteria laid out the following structure:

Two prominent examples of where this framework demonstrated value to businesses follow:
• In 2012, The Department of Justice declined to prosecute Morgan Stanley when one of its executives bribed Asian officials in a real estate deal. Prosecutors signaled that the firm’s efforts to train and communicate compliance requirements to this executive demonstrated the firm’s commitment to compliance. (The executive was charged separately.)
• Earlier this year, the Department declined to charge Cognizant with criminal conduct over a bribery scheme by its CFO and chief compliance officer in securing a location site in India, largely because of the company’s compliance efforts and its quick reporting of a bribery scheme. (see blog)

DOJ Updated Evaluation Criteria

With the April 30 release of the DOJ’s updated Evaluation of Corporate Compliance Programs, the DOJ has evolved how it sees successful organizational compliance. This both sets challenges for and offers gifts to businesses.

The Challenge

As the ethics and compliance field matures, its frameworks will move in tandem, creating a more sophisticated and nuanced way of addressing how organizations should demonstrate responsible conduct. This evolution has moved from a reactive stance to one that is increasing proactive, with expectations that organizations not only maintain hard controls, such as segregation of duties and management sign-offs, but also soft controls, such as communications and management commitment. Companies that don’t want to run afoul of regulators’ focus will need to keep pace with these changes and develop their own compliance efforts in line with regulators’ expectations.

The Gift

The gift is twofold.

First, by developing criteria in the first place, the DOJ provides a helpful roadmap for what businesses should do to demonstrate compliance. They need not ‘read the tea leaves’ of prior criminal cases and sentencing memos to divine what the Department expects; through these criteria, the Department is speaking rather clearly about its intentions.

Second, indirectly, businesses now have an improved means to manage compliance risk. By using the Department’s (or the US Sentencing Commission’s) criteria for effective compliance, businesses benefit themselves by better managing risk: preventing it, detecting it early, taking quick steps to mitigate its damages, and then proactively improving processes to prevent its recurrence.

Part 2 of this series will address the changes in the updated DOJ Criteria versus its earlier criteria.

Part 3 will address the new Criteria’s implications for organizations’ compliance training and communications efforts.