While the Federal Sentencing Guidelines’ definition of an effective compliance and ethics program continues to be the most influential set of guidelines regarding how to structure a program, a number of additional, important directives have been promulgated by the US government, multinational organizations (such as the Organisation for Economic Cooperation and Development (OECD) and the United Nations), and other governments. Many of these standards build on the guidelines’ definition of an effective program, although in some cases they also add considerable detail to it.
What follows is a discussion of some of the more important standards that have been promulgated by government (and other) bodies, beginning with several standards that come from the United States, including those issued by the U.S. Department of Justice and those contained in the Sarbanes-Oxley Act, the New York Stock Exchange (NYSE), and Nasdaq corporate governance rules, and a memorandum promulgated in 2012 by the Department of Justice and the Securities and Exchange Commission. This chapter then discusses the standards contained in the OECD’s Good Practice Guidance on Internal Controls, Ethics, and Compliance; the Adequate Procedures Guidance promulgated by the United Kingdom’s Ministry of Justice pursuant to the UK Bribery Act; the French Competition Authority Guidance; and Mexico’s Model Program for Corporation Integrity. The above is just a sampling of the guidance promulgated by various authorities.
US Standards Relating to Compliance Programs
Department of Justice Evaluation Guidance
In April 2019, the U.S. Criminal Division of the Department of Justice (DOJ) released a memorandum titled Evaluation of Corporate Compliance Programs (DOJ 2019 Guidance) containing detailed guidance regarding how prosecutors should evaluate the effectiveness of a compliance and ethics program. This guidance updated a set of evaluation questions posted on the website of the DOJ’s Fraud Section in February 2017. The 2019 guidance document adds a number of factors to and expands upon the list of evaluation questions contained in the 2017 publication.
The DOJ 2019 Guidance begins with the US government’s familiar refrain that compliance programs must be evaluated within the context of a particular criminal investigation, and that the government therefore does not apply a “rigid formula” to assess a program. The memo then repeats the three questions that the government has long indicated will frame its evaluation of programs: (1) Is the program well-designed? (2) Is the program applied earnestly and in good faith? and (3) Does the compliance program work in practice? The memo then discusses a number of specific factors and questions that the DOJ may consider in evaluating any given compliance program, with the caveat that, “[i]n any particular case, the topics and questions set forth below may not all be relevant, and others may be more salient given the particular facts at issue.”
Under the primary question of whether a company’s program is well-designed, the guidance begins with a discussion of the effectiveness of the organization’s risk assessment process, including the methodology the company uses to assess the particular risks it faces and how the information obtained in a risk assessment has informed the compliance program. The guidance also asks whether the risk assessment is current and subject to periodic review.
The guidance next tackles the topic of compliance policies and procedures, including the process for designing and implementing policies and procedures, the company’s methods of communicating policies and procedures and accessibility to employees and others, the extent to which policies and procedures have been integrated into the company’s operations, and what guidance and training have been given to the gatekeepers in the control processes, meaning those who have responsibility for approvals and certifications.
The next topic in the program design section of the guidance is training and communications. Here, the guidance asks a number of important questions, including:
What training have employees in relevant control functions received?
Have supervisory employees received different or supplementary training?
What analysis has the company undertaken to determine who should be trained and on what subjects?
Has training been offered in the form and language appropriate for the audience?
Has training addressed lessons learned from prior compliance incidents?
How has the company measured the effectiveness of its training?
How has the company addressed employees who fail all or a portion of the testing?
What communications have there been generally when an employee is terminated or otherwise disciplined for failure to comply with the company’s policies, procedures, and controls (e.g., anonymized descriptions of the type of misconduct that leads to discipline)?
How has the company assessed whether its employees know when to seek advice and whether they would be willing to do so? 
The guidance then discusses the company’s confidential reporting structure and investigation process. With respect to a company’s reporting procedures, the evaluation questions include how reporting mechanisms are publicized to employees; how the company assesses the allegations it receives; whether the compliance function has full access to reporting and investigative information; and how the company collects, tracks, analyzes, and uses information from its reporting mechanisms. With respect to investigations, the guidance asks how the company ensures that investigations are properly scoped; what steps are taken to ensure investigations are independent, objective, appropriately conducted, and properly documented; how the company monitors the outcome of investigations and ensures accountability for the response to any findings or recommendations; and whether investigative mechanisms are sufficiently funded.
The guidance contains a subsection on the application of a company’s compliance program to its third parties, including questions regarding the due diligence conducted on third parties; how the company ensures an appropriate business rationale and appropriate contract terms of a relationship; and how compliance of third parties is managed. The guidance also asks questions related to how companies consider compliance in the due diligence process for mergers and acquisitions and how they integrate newly acquired companies into their compliance programs.
The second primary question that prosecutors are instructed to ask about compliance programs—whether the program is being implemented effectively—includes discussions of management commitment and support, autonomy and resources, and incentives and disciplinary measures. With respect to management commitment and support of the program, the guidance instructs prosecutors to “examine the extent to which senior management have clearly articulated the company’s ethical standards, conveyed and disseminated them in clear and unambiguous terms, and demonstrated rigorous adherence by example. Prosecutors should also examine how middle management, in turn, have reinforced those standards and encouraged employees to abide by them.” The guidance also asks what compliance expertise has been available on the board of directors, whether the internal or external auditors have held executive or private sessions with the compliance and control functions, and what types of information the board and senior management have examined in their exercise of oversight in the area in which misconduct occurred.
The subtopic of “Autonomy and Resources” contains some of the most important questions addressed in the guidance. This section instructs prosecutors to consider the sufficiency of the personnel and resources within the compliance function, in particular, and whether those responsible for compliance have: (1) sufficient seniority within the organization; (2) sufficient resources, namely staff, to effectively undertake the requisite auditing, documentation, and analysis; and (3) sufficient autonomy from management, such as direct access to the board of directors or the board’s audit committee. Some of the specific questions asked in this subsection include the following:
Where within the company is the compliance function housed (e.g., within the legal department, under a business function, or as an independent function reporting to the CEO and/or board) and to whom does the compliance function report?
Is the compliance function run by a designated chief compliance officer or another executive within the company, and does that person have other roles within the company?
How does the compliance function compare with other strategic functions in the company in terms of stature, compensation levels, rank/title, reporting line, resources, and access to key decision-makers?
What role has compliance played in the company’s strategic and operational decisions?
Do compliance and control personnel have the appropriate experience and qualifications for their roles and responsibilities?
Do the compliance and relevant control functions have direct reporting lines to anyone on the board of directors and/or audit committee?
How does the company ensure the independence of the compliance and control personnel?
In the last subtopic of this section, “Incentives and Disciplinary Measures,” the guidance states that “some companies have found that publicizing disciplinary actions internally, where appropriate, can have valuable deterrent effects. At the same time, some companies have also found that providing positive incentives—personnel promotions, rewards, and bonuses for improving and developing a compliance program or demonstrating ethical leadership—have driven compliance. Some companies have even made compliance a significant metric for management bonuses and/or have made working on compliance a means of career advancement.”
The final primary question that prosecutors are asked to address—whether the program works in practice—explores three subtopics: (1) continuous improvement, testing, and review; (2) investigation; and (3) analysis and remediation of misconduct. With respect to the area of continuous improvement, the guidance contains the helpful commentary that:
One hallmark of an effective compliance program is its capacity to improve and evolve. The actual implementation of controls in practice will necessarily reveal areas of risk and potential adjustment. A company’s business changes over time, as do the environments in which it operates, the nature of its customers, the laws that govern its actions, and the applicable industry standards. Accordingly, prosecutors should consider whether the company has engaged in meaningful efforts to review its compliance program and ensure that it is not stale. Some companies survey employees to gauge the compliance culture and evaluate the strength of controls, and/or conduct periodic audits to ensure that controls are functioning well, though the nature and frequency of evaluations may depend on the company’s size and complexity.
In addition to posing questions about compliance auditing, control testing, and risk assessment, the guidance also discusses whether and how organizations measure their culture of compliance. Specifically, it asks how often and by what means the company measures its culture of compliance; whether the company seeks input from all levels of employees to determine whether they perceive senior and middle management to be committed to compliance; and what steps the company has taken in response to its measurement of compliance culture.
The final area of program review also addresses C&E investigations and response to misconduct. These sections pose questions related to the efficacy of the investigation process and “the extent to which a company is able to conduct a thoughtful root cause analysis of misconduct and timely and appropriately remediate to address the root causes.”
Department of Justice Antitrust Division Guidance
In July 2019, the Antitrust Division of the U.S. Department of Justice announced a new policy (and a reversal of its longstanding former policy) that requires Antitrust Division prosecutors to evaluate an organization’s compliance and ethics program in determining whether to charge the organization and whether to adjust any resulting sentence. For decades, the Antitrust Division had utilized an all-or-nothing approach, granting corporate leniency to the first company to self-report an antitrust violation, but giving no compliance program credit to others, regardless of the efficacy of their programs. Under the new policy, companies with strong compliance programs may be eligible for deferred prosecution agreements even where they were not the first to self-report. This landmark change to the Antitrust Division’s approach to crediting compliance programs came after years of urging by members of the C&E community, led by Joseph Murphy.
The new policy is contained in a memorandum titled “Evaluation of Corporate Compliance Programs in Criminal Antitrust Investigations.” The memo also contains extensive guidance on what the Division considers to be the important elements of an effective compliance program. The memo lists nine factors that the Antitrust Division asks prosecutors to consider when evaluating the effectiveness of an antitrust compliance program, including (1) the design and comprehensiveness of the program; (2) the culture of compliance within the company; (3) responsibility for, and resources dedicated to, antitrust compliance; (4) antitrust risk assessment techniques; (5) compliance training and communications to employees; (6) monitoring and auditing techniques, including continued review, evaluation and communication of the antitrust compliance program; (7) reporting mechanisms; (8) compliance incentives and discipline; and (9) remediation methods.
The memo contains a list of questions that prosecutors may ask about an antitrust compliance program for each of the nine program factors listed above. For example, with respect to the culture of compliance within the company, the memo asks, among other questions:
What is the company’s senior leadership doing to convey the importance of antitrust compliance to the company’s employees?
How have senior leaders, through their words and actions, encouraged (or discouraged) antitrust compliance?
What concrete actions have senior leaders taken to demonstrate leadership in the company’s antitrust compliance or remediation efforts, if relevant?
Department of Justice Prosecution Standards
Twenty years prior to the promulgation of the extensive guidance discussed above, in June 1999, the DOJ issued its first formal incentive and guidance for organizations to implement compliance programs. It took the form of a memo instructing federal prosecutors to consider the existence of an organization’s compliance program when determining whether to charge an organization for the misconduct of its employees and agents. The memo, entitled “Federal Prosecution of Corporations,” became known as the Holder Memo after its author, then Deputy Attorney General Eric Holder. The Holder Memo became the Thompson Memo when it was revised in 2003 (after then Deputy Attorney General Mark Thompson), then the McNulty Memo in December 2006 (after Deputy Attorney General Paul J. McNulty), and finally, in 2008, was again revised and incorporated into the United States Attorneys’ Manual, which has since been renamed the Justice Manual.
The DOJ Prosecution Standards state that, in determining whether to charge a corporation for criminal misconduct, prosecutors should consider the same factors they would consider in determining whether to charge individuals, including the sufficiency of the evidence; the likelihood of success at trial; the probable deterrent, rehabilitative, and other consequences of conviction; and the adequacy of non-criminal approaches. In addition, because of the special nature of corporations and other organizations, prosecutors should consider the following when determining whether to charge an organization:
The nature and seriousness of the offense, including the risk of harm to the public;
The pervasiveness of wrongdoing throughout the corporation, including the complicity of management;
The corporation’s history of similar conduct;
The corporation’s willingness to cooperate, including as to potential wrongdoing by its agents;
The adequacy and effectiveness of the corporation’s compliance program at the time of the offense, as well as at the time of a charging decision;
The corporation’s timely and voluntary disclosure of wrongdoing;
The corporation’s remedial actions, including, but not limited to, any efforts to implement an effective corporate compliance program or to improve an existing one;
Collateral consequences, including whether there is disproportionate harm to shareholders, pension holders, employees, and others not proven personally culpable, as well as impact on the public arising from the prosecution;
The adequacy of remedies such as civil or regulatory enforcement actions, including remedies resulting from the corporation’s cooperation with relevant government agencies; and
The adequacy of the prosecution of individuals responsible for the corporation’s malfeasance. 
Thus, in making a prosecution decision, prosecutors are instructed to consider (among other things) whether the company had a pre-existing compliance program and how adequate it was, and whether, after the alleged misconduct, the company implemented a compliance program or took measures to improve its existing one.
While explicitly stating that the DOJ has “no formulaic requirements regarding corporate compliance programs,” the standards provide that the fundamental questions any prosecutor should ask are: “Is the corporation’s compliance program well designed? Is the program being applied earnestly and in good faith? Does the corporation’s compliance program work?” To answer these questions, prosecutors are instructed to consider whether the corporation has established corporate governance mechanisms that can effectively detect and prevent misconduct, such as whether directors exercise independent review, whether directors are provided with information sufficient to enable the exercise of independent judgment, whether internal audit functions are conducted at a level sufficient to ensure their independence and accuracy, and whether directors have established an information and reporting system reasonably designed to provide management and the board of directors with timely and accurate information regarding compliance. Prosecutors are also directed to determine:
Whether a corporation’s compliance program is merely a “paper program” or whether it was designed and implemented in an effective manner;
Whether the corporation has provided for a staff sufficient to audit, document, analyze, and utilize the results of the corporation’s compliance efforts;
Whether the corporation’s employees are adequately informed about the compliance program and are convinced of the corporation’s commitment to it; and
Whether the program is designed to detect the particular types of misconduct most likely to occur in a particular corporation’s line of business. 
Sarbanes-Oxley Act
The Sarbanes-Oxley Act of 2002 (Sarbanes-Oxley), which passed in response to the massive corporate failures at companies such as Enron and WorldCom in the first part of this century, contains requirements regarding codes of ethics and reporting procedures—two essential components of compliance programs. The legislation is important in part because it is a federal congressional directive regarding certain aspects of compliance programs that is broadly applicable (to US issuers).
Section 406 of Sarbanes-Oxley requires issuers of securities to disclose in periodic reports whether they have adopted a code of ethics for senior financial officers, and if not, to explain why not. The Securities and Exchange Commission (SEC) regulations broaden the applicability of the section 406 code of ethics to include the chief executive officer (as well as the chief financial officer and controller, as provided by the legislation). Section 406 defines a code of ethics to mean written standards that are reasonably designed to deter wrongdoing and to promote (i) honest and ethical conduct, including the ethical handling of conflicts of interest; (ii) full, fair, accurate, timely, and understandable disclosure in reports and documents filed with or submitted to the SEC and in other public communications; (iii) compliance with applicable laws, rules, and regulations; (iv) prompt internal reporting of code violations to an appropriate person; and (v) accountability for adherence to the code.
Sarbanes-Oxley also requires that any amendments to or waivers of the code be immediately disclosed in a public filing with the SEC on a Form 8-K or on a company’s internet site. If posted on the internet, the disclosure must remain posted for 12 months and be available to the SEC for another 5 years thereafter. The law also requires that the code of ethics be publicly available (i) as an exhibit to a company’s annual report; (ii) on the company’s internet site; or (iii) by providing an undertaking in a company’s annual report to provide a copy of the code to any person without charge upon request.
While section 406 does not require organizations to have codes (but instead to disclose whether they have them and, if not, why they do not), it has—not surprisingly—led to the adoption of codes by many organizations. In addition, the requirement that organizations publicly disclose waivers of the section 406 code (that apply to an organization’s chief executive officer, chief financial officer, or controller) has caused organizations to focus closely on the language and import of these codes in a way that they may not otherwise have done. The legislation has, in other words, increased the importance of both the existence and the contents of codes for many organizations.
Another provision of Sarbanes-Oxley (section 301) concerns reporting procedures. Section 301 directs the national securities exchanges and associations to prohibit the listing of securities of any company whose audit committee has not established procedures for: 1) the receipt, retention, and treatment of complaints received by the company regarding accounting, internal accounting controls, or auditing matters; and 2) the confidential, anonymous submission by employees of concerns regarding questionable accounting or auditing matters. In the regulations promulgated pursuant to the law, the SEC states that it does not mandate specific requirements for reporting procedures because companies should be provided with flexibility to develop the procedures that are most appropriate to their circumstances.
This section of Sarbanes-Oxley is interesting in a couple of different respects. First, it places the onus on the audit committee of the board to establish the prescribed reporting procedures. This placement of responsibility is consistent with Delaware case law regarding a board of directors’ responsibilities for oversight of an organization’s compliance program. (Note, however, that while Sarbanes-Oxley requires audit committees to establish reporting procedures, neither the legislation nor the implementing regulations require audit committees to have a management role in their implementation.) Second, the legislation specifically requires that a company’s reporting procedures include means for employees to make confidential, anonymous submissions. This provision of Sarbanes-Oxley resulted in a substantial number of organizations developing or enhancing their hotlines and other reporting procedures. For organizations operating in Western Europe, it also created tension between their desire to comply with this provision of Sarbanes-Oxley and European privacy laws.
New York Stock Exchange and Nasdaq Governance Rules
In 2003, again in response to Enron, WorldCom and other corporate debacles of that time, the SEC approved corporate governance rules proposed by the NYSE and Nasdaq, including a requirement that listed companies adopt and disclose a code of business conduct and ethics applicable to all directors, officers and employees. The NYSE rules recommend that codes address the following topics: (i) conflicts of interest; (ii) corporate opportunities; (iii) confidentiality; (iv) fair dealing; (v) protection and proper use of company assets; (vi) compliance with laws, rules and regulations, including insider trading laws; and (vii) reporting illegal or unethical behavior. Similar to Sarbanes-Oxley, NYSE rules require that waivers of the code for directors and executive officers be made only by the board of directors or a board committee and be promptly disclosed to shareholders.
Nasdaq rules require that the codes adopted by Nasdaq-listed companies satisfy the definition of a code of ethics as set forth in section 406(c) of Sarbanes-Oxley and the regulations promulgated thereunder by the SEC (discussed in the previous section). Nasdaq rules also require that the code contain an enforcement mechanism, protection for reporting persons, clear and objective standards for compliance, and a fair process to determine violations, and that waivers for executive officers and directors be approved by the board and publicly disclosed.
DOJ and SEC Resource Guide to the Foreign Corrupt Practices Act
In November 2012, the DOJ and SEC released a joint document that provides extensive guidance on compliance programs—A Resource Guide to the U.S. Foreign Corrupt Practices Act (Resource Guide). The Foreign Corrupt Practices Act (FCPA) is a US law that prohibits individuals and organizations from bribing officials of non-US governments and certain non-governmental organizations.
Anti-bribery laws have been particularly fertile ground for the issuance of guidance on compliance programs, as evidenced in discussions later in this article regarding the OECD’s Good Practice Guidance, and the Adequate Procedures Guidance under the UK Bribery Act. In the United States, the DOJ and SEC have created requirements for specific anti-bribery programs in the form of deferred and non-prosecution agreements. However, the compliance program standards contained in the Resource Guide are of note because they are widely applicable and contain extensive information about what the DOJ and SEC consider to be the hallmarks of an effective C&E program. While the Resource Guide is directed specifically at FCPA compliance, it contains a wealth of more general C&E program information.
The Resource Guide’s discussion of C&E programs is consistent with and in many ways tracks the Federal Sentencing Guidelines’ definition of an effective C&E program. The Resource Guide’s discussion begins with an examination of the importance of risk assessment, recommending that compliance programs “be tailored to an organization’s specific needs, risks, and challenges.” It also warns against a check-the-box program, stating that the government’s directives on C&E program criteria should not be considered a substitute for a company’s own assessment of its particular program needs.
The Resource Guide contains an extensive discussion of C&E policies and codes of conduct, emphasizing the significance of both having clear and accessible policies and of periodic revision. The Resource Guide provides that “[t]he most effective codes are clear, concise, and accessible to all employees and to those conducting business on the company’s behalf.” The Resource Guide also discusses the importance of providing policies in the local language. “[I]t would be difficult to effectively implement a compliance program if it was not available in the local language so that employees in foreign subsidiaries can access and understand it.” With respect to periodic review and revision, the Resource Guide provides that, “[w]hen assessing a compliance program, DOJ and SEC will review whether the company has taken steps to make certain that the code of conduct remains current and effective and whether a company has periodically reviewed and updated its code.”
The Resource Guide includes a fairly extensive discussion of C&E training, providing that “Such training typically covers company policies and procedures, instruction on applicable laws, practical advice to address real-life scenarios, and case studies.” The guide emphasizes the importance of presenting training information “in a manner appropriate for the targeted audience, including providing training and training materials in the local language.” The guide goes on to provide that “companies may want to consider providing different types of training to their sales personnel and accounting personnel with hypotheticals or sample situations that are similar to the situations they might encounter.” This type of role-based training holds particular promise for increasing the effectiveness of C&E training.
The DOJ and SEC discuss C&E incentives in some detail in their Resource Guide. “DOJ and SEC recognize that positive incentives can also drive compliant behavior. These incentives can take many forms such as personnel evaluations and promotions, rewards for improving and developing a company’s compliance program, and rewards for ethics and compliance leadership. Some organizations, for example, have made adherence to compliance a significant metric for management’s bonuses so that compliance becomes an integral part of management’s everyday concern. Beyond financial incentives, some companies have highlighted compliance within their organizations by recognizing compliance professionals and internal audit staff. Others have made working in the company’s compliance organization a way to advance an employee’s career.”
The Resource Guide emphasizes both disciplinary procedures and consistency and fairness in discipline for violations of applicable law and company policies. The guide provides that the government will consider “whether, when enforcing a compliance program, a company has appropriate and clear disciplinary procedures, whether those procedures are applied reliably and promptly, and whether they are commensurate with the violation.” The Resource Guide also endorses the practice of publicizing disciplinary decisions—a practice that many companies have not yet implemented. “Many companies have found that publicizing disciplinary actions internally, where appropriate under local law, can have an important deterrent effect, demonstrating that unethical and unlawful actions have swift and sure consequences.”
The Resource Guide also discusses the importance of helplines and other reporting procedures, providing that “An effective compliance program should include a mechanism for an organization’s employees and others to report suspected or actual misconduct or violations of the company’s policies on a confidential basis and without fear of retaliation.” The guide specifically mentions anonymous hotlines and ombudsmen as two appropriate types of reporting procedures.
The Resource Guide also discusses the importance of appropriate investigations, providing that, “once an allegation is made, companies should have in place an efficient, reliable, and properly funded process for investigating the allegation and documenting the company’s response, including any disciplinary or remediation measures taken. Companies will want to consider taking “lessons learned” from any reported violations and the outcome of any resulting investigation to update their internal controls and compliance program and focus future training on such issues, as appropriate.”
Lastly, the Resource Guide discusses the importance of periodic review and revision of a company’s C&E efforts. As the guide asserts, “a good compliance program should constantly evolve.” The DOJ and SEC note that an organization’s changing circumstances (including changes to its business, the environments in which it operates, the nature of its customers, the laws that govern its actions, and the standards of its industry) necessitate changes in its C&E measures. The guide also notes that C&E programs will “inevitably uncover compliance weaknesses and require enhancements.” Review and improvement are therefore essential components of any program.