Gabriel L. Imperato (gabriel.imperato@nelsonmullins.com) is the Managing Partner of the Nelson Mullins Fort Lauderdale office and Anne Novick Branan (anne.branan@nelsonmullins.com) is Of Counsel in the firm’s Fort Lauderdale office.
On June 1, 2020, the Criminal Division of the United States Department of Justice (DOJ) issued an update to its guidance in the Evaluation of Corporate Compliance Programs (Guidance) used by prosecutors to probe corporate compliance programs.[1] DOJ’s Fraud Section first released the Guidance in February 2017,[2] incorporating principles from the DOJ’s Justice Manual. Prior to the 2020 revisions, DOJ revised the Guidance in April 2019, expanding its applicability to the entire DOJ Criminal Division.
The “Principles of Federal Prosecution of Business Organizations” in the DOJ’s Justice Manual describe specific factors that prosecutors should consider when conducting an investigation of a corporation, determining whether to bring charges, or negotiating plea or other agreements. These factors include “the adequacy and effectiveness of the corporation’s compliance program at the time of the offense, as well as at the time of a charging decision” and the corporation’s remedial efforts “to implement an adequate and effective corporate compliance program or to improve an existing one.”[3]
The 2020 Guidance updates appear to reflect DOJ’s recent experience and feedback from compliance and business communities that have shaped its current approach to evaluating compliance programs. The updates reveal DOJ’s evolving considerations of key compliance themes such as the evolution of compliance programs over time, the adequacy of compliance program resources, the effectiveness of training and communication programs, the need for monitoring of third parties, and considerations related to foreign-law compliance.
Healthcare companies intending to use the Guidance in assessing their own compliance programs would do well to understand its purpose. The Guidance is intended to assist prosecutors in making informed decisions as to whether, and to what extent, a corporation’s compliance program was effective at two points in time: (1) at the time of the offense and (2) at the time of a charging decision or resolution. Prosecutors will use such a decision to determine the appropriate form of any resolution or prosecution; monetary penalty, if any; and compliance obligations contained in any corporate criminal resolution (e.g., monitorship or reporting obligations).[4]
Previous versions of the Guidance instructed prosecutors to assess the effectiveness of a company’s compliance program by answering three questions:
- Is it well designed?
- Is it implemented effectively?
- Does it actually work in practice?
The new Guidance revised the second question. Instead of solely focusing on the conclusion—whether the program is implemented effectively—the updated Guidance puts more importance on the process—whether the program is “adequately resourced and empowered to function effectively.”
The Guidance is not a checklist or a compliance program best practice guide. In fact, it notes that the sample questions and topics discussed are not a checklist or a formula and may not even be relevant in some cases. The goal of the Guidance’s questions is to assess whether the compliance program being presented to the prosecutors established four basic pillars: credibility, measurable results, accountability, and continuous improvement.[5] Keeping the intent of the Guidance in mind and armed with the updated information in the new version, healthcare providers should reassess the effectiveness of their compliance programs in preventing, detecting, and correcting misconduct in their organizations.
Evolution of compliance programs over time
One theme throughout the latest update is that compliance programs must be dynamic and evolving. Specifically, DOJ directs prosecutors to look unfavorably on a company that lets its compliance policies, procedures, and controls lie stagnant. In assessing the three “fundamental questions,” the Guidance now states that DOJ has frequently found it relevant to evaluate the compliance program “both at the time of the offense and at the time of the charging decision and resolution” and expects companies to do the same.[6] As such, DOJ places the responsibility on each company to continually monitor, track, and test the various components of its compliance program. Companies are then expected to internalize the results of this ongoing review and update their compliance policies and processes accordingly.
The updates make clear that DOJ will inquire about how a company uses information and data obtained from internal and external sources to evolve its compliance program. In particular, the Guidance adds emphasis on whether the company’s risk assessment process is employed and effective in facilitating updates and revisions in compliance program policies, procedures, and controls. The risk assessment process should be based on continuous access to operational data and information across functions, rather than limited to a “‘snapshot’ in time.” DOJ guides prosecutors to ask whether the company tracks, reviews, and adapts its compliance program processes based upon lessons learned from its own misconduct and/or that of other companies in the same industry and/or geographic region facing similar risks. Yet, the Guidance no longer offers credit for merely updating policies and procedures based on lessons learned. DOJ now will ask whether a company’s internal review of its compliance program is “based upon continuous access to operational data and information across functions” and expects the company to have a formalized process to track its own and industry-wide compliance developments.
In this vein, prosecutors will assess companies’ effectiveness in providing access to their compliance program policies and procedures by asking whether the companies publish policies in a searchable format and whether companies track access to various policies to understand which policies attract more attention. This update further reflects DOJ’s recognition that effective compliance programs must be data-driven. Therefore, companies that have not already incorporated data analytics into their compliance functions should consider doing so. Over and over, DOJ’s additional language emphasizes the notion that a company’s compliance program must be dynamic and that the company should employ data-driven processes to ensure that the compliance program is not static.
Adequate resources for compliance functions
Previous versions of the Guidance directed prosecutors to ask whether a compliance program has been “implemented effectively,” whereas the 2020 update directs prosecutors to ask whether the compliance program is “adequately resourced and empowered to function” effectively. With this change, DOJ acknowledges that even a well-designed compliance program may be unsuccessful in implementation and practice if it is under-resourced. Individuals with day-to-day operational responsibility for a company’s compliance—the compliance officer and compliance department personnel—must have adequate resources, appropriate authority, and direct access to the governing authority or an appropriate subgroup of the governing authority. The compliance officer must be able to go directly to the board of directors with concerns. Moreover, the chief compliance officer must be at a senior enough level and have sufficient autonomy and independence from management within the company to effect changes as needed to promote compliance. The compliance officer should not be subordinate to the chief financial officer or legal counsel in the organization, and the compliance and legal functions should operate independently of each other. More concretely, providing adequate resources for compliance functions includes adequate compliance department funding and qualified staff to meet the compliance program objectives. DOJ will also examine whether compliance professionals and staff have access to all relevant information, systems, sources of data, and personnel within the company to perform compliance functions effectively. New language in the Guidance directs prosecutors to ask whether a company invests in further training and skill development of the compliance and other control personnel. This increased focus on compliance program resources likely resulted from DOJ having seen too many companies skimping on resourcing the compliance function. 
Clearly, DOJ expects companies to dedicate adequate autonomy and corporate financial resources to compliance programs.
Third-party relationship management
In its most recent updates, DOJ emphasizes that its prosecutors should assess a company’s third-party relationship management and ask whether such management continues after a transaction is completed. Updates to the Guidance clarify that DOJ expects companies to engage in risk management of third parties throughout the lifespan of the relationship, not only during the onboarding process. DOJ wants companies to recognize and address risks that arise in mergers and acquisitions, as well as in relationships with third-party vendors providing services and supplies to the companies. Third-party due diligence and management procedures must be commensurate to the compliance risk associated with each third party and transaction. For example, DOJ will ask, “What has been the company’s process for tracking and remediating misconduct or misconduct risks identified during the due diligence process?” and “What has been the company’s process for implementing compliance policies, procedures, and controls and conducting post-acquisition audits at newly acquired entities?” DOJ continues to encourage a company-wide approach to the management of third-party risk, meaning the compliance and legal departments should share the burden of managing such risks by leveraging assistance from the company’s business, financial, and internal audit functions. Additionally, the updated Guidance instructs prosecutors to assess whether a company knows the business rationale for needing the third-party transaction, and the risks posed by third-party partners. Unchanged is DOJ’s expectation that companies will be ready to demonstrate they have ensured that third-party vendors are actually performing the work called for in the vendor contracts and that the compensation paid to third parties is commensurate with the work being provided in that industry and geographic area. 
In sum, a company’s third-party management practices are a factor that prosecutors will assess to determine whether a compliance program is, in fact, able to detect and minimize the risk of types of misconduct most likely to occur because of third-party relationships in a company’s line of business.
Compliance program training and communication effectiveness
Based on the new language in the 2020 Guidance, companies are well advised to take another look at the effectiveness of their training programs and communication processes if they expect to pass muster with DOJ. The updated Guidance increases expectations in several specific areas of compliance training and communications. First, DOJ clarifies that prosecutors should assess whether a company has “invested in shorter, more targeted training sessions to enable employees to timely identify and raise issues to appropriate compliance, internal audit, or other risk management functions.” New questions in the Guidance direct prosecutors to ask whether there is a process by which employees can ask questions arising out of the training, regardless of whether the training is provided in person or online. Companies will be asked to explain how they have evaluated the extent to which the compliance training has an impact on employee behavior or operations.
Prosecutors will also examine whether companies have relayed information about the compliance program in a manner tailored to the specific audience’s size, sophistication, language, or subject-matter expertise. With more training taking place online, particularly in large decentralized workforces, companies can increase effectiveness of online training by ensuring that such training modules are targeted to the specific audience and job duties and are interactive with scenario-based learning. For example, billers and coders need specific training on compliance with government payer rules, as well as accuracy and transparency in these functions. Managers should receive specific training on anti-retaliation policies and procedures to be well equipped to handle complaints and compliance-related reports without retribution. Also, compliance training programs should keep employees engaged, test their understanding of the material, and provide opportunities to ask questions, during or after the training, through email or other internal communication methods. Finally, effective training incorporates informal and ongoing communication about compliance issues through avenues such as newsletters, email blasts, and staff meeting discussions.
In the new Guidance language, DOJ places added emphasis on assessing the effectiveness of communication regarding compliance reporting systems and processes. It is not enough for companies to implement a compliance hotline or other reporting process that gives persons with concerns an avenue to report them. Now, companies will be asked whether they publicize their reporting mechanisms to third-party agents, as well as employees. Additional new questions ask, “Does the company take measures to test whether employees are aware of the hotline and feel comfortable using it?” and “Does the company periodically test the effectiveness of the hotline—for example, by tracking a report from start to finish?” Companies should test their workforces’ awareness of, and comfort level with, the companies’ reporting methods through periodic surveys. Most importantly, to ensure employees’ willingness to make reports of potential wrongdoing, a company must assure its employees that they will not suffer retaliation for reporting compliance concerns and that the company will take action on credible reports made in good faith. Savvy companies will assess their training and communications processes considering this updated Guidance.
Addressing compliance with foreign law
The updated Guidance instructs prosecutors to inquire whether companies’ compliance programs address the complexities of adherence to foreign laws applicable to their business. Specifically, DOJ stated that where a company asserts that it has structured its compliance program in a particular way or has made a compliance decision based on requirements of foreign law, prosecutors should ask the company the basis for the company’s conclusion about foreign law and how the company has addressed the issue to maintain the integrity and effectiveness of its compliance program while still abiding by foreign law. In other words, companies will be asked about the basis for any compliance decisions they have made in light of foreign laws. Today’s global companies must wrestle with how to structure compliance programs with consideration of laws and circumstances in the various countries in which they do business. Companies should be prepared to defend their compliance decisions affected by foreign laws and how those decisions maintain the integrity of the company’s business and the effectiveness of its compliance program.
Forward-looking companies will take note of changes in the 2020 version of the Guidance and assess their compliance programs bearing in mind DOJ’s updated expectations. However, despite significant new emphasis areas in the updates, the overarching point of DOJ’s Guidance remains unchanged: companies should adopt risk-based compliance programs, based on robust and periodic assessments of the companies’ risk profiles, develop preventive and detective controls tailored to those particular risks, and then be data driven in monitoring the effectiveness of those controls.
Takeaways
• Despite significant updates, the Department of Justice’s intent behind the updated Evaluation of Corporate Compliance Programs guidance remains the same.
• Compliance programs must be evolving, not stagnant.
• Companies should ensure training and communication are effective.
• Compliance risk arising from vendors and acquired companies must be managed.
• Foreign law considerations must be defensible.