On June 1, 2020, the Department of Justice (DOJ) Criminal Division published an update to the U.S. Department of Justice Criminal Division Evaluation of Corporate Compliance Programs. The Corporate Compliance Evaluation Guideline assists prosecutors with making decisions regarding a corporation’s compliance program effectiveness at the time of an offense, and the effectiveness of its compliance program at the time of a charging decision or resolution for the purpose of determining:
- form of any resolution or prosecution
- monetary penalty (if any)
- compliance obligations contained in any corporate criminal resolution
One of the (3) Fundamental Questions that a Prosecutor should ask is “tweaked” in the Update:
- “Is the corporation’s compliance program well designed?”
- “Is the program being applied earnestly and in good faith? “In other words, is the program adequately resourced and empowered to function effectively?”
- “Does the corporation’s compliance program work “in practice?”
Understanding what is New in the Update
The Update centers around the areas of adequate resources, effectiveness in processes, training, use of technology (data analytics), third party management and the implications of foreign laws. The Update states: “we make a reasonable, individualized determination in each case that considers various factors including, but not limited to, the company’s size, industry, geographic footprint, regulatory landscape, and other factors, both internal and external to the company’s operations, that might impact its compliance program”.
Here are the new questions presented in the update:
- “Is the periodic review limited to a ‘snapshot-in-time’ or based upon continuous access to operational data and information across functions?”
- “Has the periodic review led to updates in policies, procedures, and controls?”
- “Does the company have a process for tracking and incorporating into its periodic risk assessment lessons learned either from the company’s own prior issues or from those of other companies operating in the same industry and/or geographical region?”
- “Have the policies and procedures been published in a searchable format for easy reference?
- Does the company track access to various policies and procedures to understand what policies are attracting more attention from relevant employees?”
- “Whether online or in-person, is there a process by which employees can ask questions arising out of the trainings?”
- “Has the company evaluated the extent to which the training has an impact on employee behavior or operations?”
- “How is the reporting mechanism publicized to the company’s employees and other third parties?
- “Does the company take measures to test whether employees are aware of the hotline and feel comfortable using it?
- “Does the company periodically test the effectiveness of the hotline—for example, by tracking a report from start to finish?”
- “Does the company engage in risk management of third parties throughout the lifespan of the relationship, or primarily during the onboarding process?”
- “Was the company able to complete pre-acquisition due diligence and, if not, why not?”
- “What has been the company’s process for implementing compliance policies and procedures, and conducting post acquisition audits, at newly acquired entities?”
- “What are the reasons for the structural choices the company has made regarding experience and qualifications?”
- “How does the company invest in further training and development of the compliance and other control personnel?”
- “Do compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions?”
- “Do any impediments exist that limit access to relevant sources of data and, if so, what is the company doing to address the impediment”?
- “Does the compliance function monitor its investigations and resulting discipline to ensure consistency?”
- “Does the company review and adapt its compliance program based upon lessons learned from its own misconduct and/or that of other companies facing similar risks?”
Consult your Corporate Governance Compliance Expert
Given the current uncertain and volatile environment, a FI’s risk assessment process and ensuring that it is adequately resourced is critical to an effective well-designed corporate compliance program. A company ought to reinforce and update all compliance efforts, policies, and procedures related to its size, industry, geographic footprint, and regulatory landscape. Employee training, regular tested continuing education and data analytics are imperative to mitigate risks.