Gabriel L. Imperato (firstname.lastname@example.org) is the Managing Partner of the Fort Lauderdale office of Nelson Mullins Broad and Cassel and the Team Leader of the firm’s Health Care Criminal and Civil Enforcement, Litigation and Compliance Practice.
The United States Department of Justice (DOJ) recently released documents with guidelines for evaluating corporate compliance programs and cooperation credit and self-disclosure in both criminal and civil enforcement actions. The DOJ Criminal Fraud Section updated its existing guidance entitled Evaluation of Corporate Compliance Programs for its criminal prosecuting attorneys, and the Civil Fraud Branch further elaborated on guidance for cooperation credit and self-disclosure to DOJ attorneys in civil False Claims Act (FCA) cases. These documents emphasize important aspects and best practices for organizational compliance programs and highlight the need for effective corrective action to prevent and detect future occurrences of underlying noncompliant conduct.
Evaluating compliance programs
The DOJ released a comprehensive guidance document entitled Evaluation of Corporate Compliance Programs during 2017. This recently updated guidance is intended to assist federal prosecutors in making decisions about whether and to what extent an organization’s compliance program was effective for the purposes of determining:
Whether criminal charges should be filed against the company,
Whether and in what amount a fine should be levied against the company, and
Whether a monitor or some other compliance obligation should be imposed on the company.
The guidance document also offers valuable insight for compliance professionals and reinforces the fact that prosecutors will assign significant weight to compliance programs when determining whether to charge, fine, or impose monitorships on companies that have engaged in wrongdoing.
The guidance document states that DOJ does not use a “rigid formula” to assess the effectiveness of a company’s compliance program, but it does lay out three “fundamental questions” that a criminal prosecutor should answer.
1. Is the compliance program well-designed?
The guidance states that prosecutors should first make a threshold determination about whether a company’s compliance program is appropriately designed to detect the types of misconduct that are most likely to occur in the company’s line of business (i.e., risk assessment). An examination should also be made of the company’s policies and procedures to ensure that they address key compliance risks and that they are effectively communicated to employees through regular training. Additionally, prosecutors are instructed to determine whether a company has an “efficient and trusted” system for the confidential reporting of potential violations, as well as for investigating such reports. Finally, prosecutors should determine whether a compliance program includes procedures for performing meaningful due diligence on its third-party business partners and/or acquisition targets.
The updated guidance calls for the following design features of the organization’s compliance program to be evaluated:
Risk assessment is the starting point for any company’s compliance program. It means conducting an initial risk assessment and having a predetermined “investigations playbook” that addresses how a company determines which issues merit further investigation and who should conduct an investigation.
Policies and procedures are clearly written, well known, and accessible to employees and third-party partners, including any incentive or disciplinary policies and procedures.
Resources are appropriately allocated depending on the size of the company. The general rule of thumb is the larger the organization, the more formal its compliance operation should be.
Training and communication are integrated through periodic training and certification of all directors, officers, relevant employees and third-party partners. DOJ may credit the quality and effectiveness of a risk-based compliance program, even if it ultimately fails to prevent an infraction.
Confidential reporting structures are a new addition from the 2017 guidance. The DOJ will evaluate the organization’s systems that allow employees to anonymously or confidentially report allegations of misconduct or other breaches of a company’s policies, procedures, or code of conduct.
Managing third parties by applying a company’s risk-based due diligence to its relationships with outside partners, agents, consultants, and distributors is essential.
Mergers and Acquisitions require due diligence, and any acquisition should include the target company’s compliance program to identify any potential misconduct that could harm profitability or brand reputation, or risk civil or criminal liability.
2. Is the compliance program implemented effectively?
Even a well-designed compliance program can be unsuccessful if it is implemented incorrectly. Thus, prosecutors are instructed to determine whether a company’s compliance program is “implemented, reviewed, and revised…in an effective manner.” In order to do so, prosecutors should first determine whether management has clearly articulated the company’s ethical standards, demonstrated adherence to these standards, and encouraged employees to follow them. Prosecutors should also evaluate whether the employees who are responsible for compliance have sufficient experience, seniority, resources, and autonomy. Finally, prosecutors should assess what happens after compliance issues are detected—that is, whether the company has disciplinary procedures in place, whether these procedures are consistently and effectively enforced, and whether the company’s compliance program is adapted or revised, as necessary.
3. Does the compliance program work in practice?
One of the most difficult things for a prosecutor to do after misconduct has occurred is to try to determine whether a compliance program was working effectively, especially if the misconduct was not immediately detected. The guidance document notes that “the existence of misconduct does not, by itself, mean that a compliance program did not work or was ineffective at the time of the offense.” In order to assess whether a compliance program was effective at the time that misconduct occurred, prosecutors should consider, “whether and how the misconduct was detected, what investigation resources were in place to investigate suspected misconduct, and the nature and thoroughness of the company’s remedial efforts.” Prosecutors should also consider whether and how a company’s compliance program “evolved over time to address existing and changing compliance risks.” Prosecutors are also instructed to consider any remedial actions taken by a company in the wake of the discovery of misconduct, including disciplinary actions against individual violators.
Compliance professionals and company management would be wise to pay attention to DOJ’s updated guidance for the evaluation of corporate compliance programs. The guidance document is easily the most detailed articulation of how DOJ will analyze corporate compliance programs when determining whether criminal charges, fines, or monitorships are warranted. This document is a reminder to organizations of the ever-increasing emphasis that the DOJ places on compliance. As Assistant Attorney General Brian Benczkowski noted in a speech announcing the issuance of the guidance document, “The importance of corporate compliance cannot be overstated.”