Ty E. Howard (thoward@bradley.com) is a Partner and Elise K. Reecer (ereecer@bradley.com) is an Associate in the Nashville offices of Bradley Arant Boult Cummings LLP.
On April 30, 2019, Assistant Attorney General (AAG) Brian A. Benczkowski issued an updated version of the Department of Justice’s (DOJ) guidance document “Evaluation of Corporate Compliance Programs,”[1] which is intended to assist prosecutors in evaluating corporate compliance programs and guide corporations in creating them. The new guidance rewrites a prior version issued in February 2017[2] and consolidates several DOJ sources used to evaluate compliance programs. DOJ’s stated goal in this recent update is to “better harmonize the guidance with other Department guidance and standards while providing additional context to the multifactor analysis of a company’s compliance program.”[3]
Compliance as preventive medicine
As healthcare companies know all too well, the DOJ is often the ultimate arbiter of a business’s compliance program, regardless of industry or business size. Accordingly, although written for prosecutors, the guidance provides a helpful road map for businesses reviewing and updating their compliance plans and should be considered mandatory reading for those operating in highly regulated industries, such as healthcare, life sciences, financial services, and energy. As the healthcare industry regularly accounts for the vast majority of collections from DOJ’s civil enforcement (more than $2.5 billion—nearly 87% of the total recoveries in FY 2018), compliance remains critically important as preventive medicine for providers. As such, this guidance is instructive not only for companies that are currently under government scrutiny, but also for companies that are building or updating their compliance programs.
Prosecution of business organizations
For companies and prosecutors looking to analyze a compliance program, the new guidance is intended to be comprehensive. Though neither binding law nor a “rigid formula”[4] that prosecutors must follow, the guidance does reveal design and implementation elements that create a strong corporate compliance program from DOJ’s perspective.
Several DOJ documents already inform how prosecutors and courts assess a corporation’s compliance program. For example, the Justice Manual (formerly known as the U.S. Attorney’s Manual), the main source of DOJ policies and procedures, includes “Principles of Federal Prosecution of Business Organizations.”[5] Those principles—often referred to as the “Filip Factors” from their author, then Deputy Attorney General Mark Filip—are factors that prosecutors should consider when assessing a compliance program and deciding whether to prosecute. These factors include “the adequacy and effectiveness of the corporation’s compliance program” at both the time of the offense and the time of the charging decision, and remedial efforts to “implement an adequate and effective corporate-compliance program or to improve an existing one.”[6]
In February 2017, DOJ’s Fraud Section provided insight into how federal prosecutors evaluate the adequacy of a compliance program by releasing 119 “common questions that [DOJ] may ask in making an individualized determination” regarding corporate compliance programs.[7] The 2017 guidance offered some general questions that prosecutors might ask to make an assessment, but it did not provide the corresponding answers on compliance program effectiveness, nor did it offer a checklist or formula for evaluating a program.
The effectiveness of compliance programs currently appears in other DOJ policy memoranda as well as in the U.S. Sentencing Guidelines Manual (USSG), although there is no substantial guidance for prosecutors. Specifically, USSG §§ 8B2.1, 8C2.5(f), and 82C.8(11) provide that, when calculating an appropriate fine, prosecutors should give consideration to whether a corporation had an effective compliance program in place at the time of misconduct.[8] In addition, in October 2018, AAG Benczkowski issued a new memorandum entitled, “Selection of Monitors in Criminal Division Matters,” which applies to Criminal Division matters.[9] The memo instructs prosecutors to consider, at the time of resolution, whether the corporation has made “significant investments in, and improvements to, its corporate compliance program and internal controls systems,” and whether “remedial improvements to the compliance program” have been tested to demonstrate that the program would prevent or detect similar misconduct.[10]
Evaluation of corporate compliance programs
In light of the updated guidance, corporate boards and individual officers alike would benefit from comparing their own compliance programs against the considerations outlined in the guidance and updating their programs as appropriate. The new guidance counsels that prosecutors assessing a corporate compliance program should centralize their analysis along the following three fundamental questions.[13]
Is the corporation’s compliance program well designed?
This question focuses on how companies should tailor their compliance programs to the particular risks of the business. In this respect, the guidance notes that the “starting point for a prosecutor’s evaluation” of a compliance program is to “understand the company’s business from a commercial perspective, how the company has identified, assessed, and defined its risk profile, and the degree to which the program devotes appropriate scrutiny and resources to the spectrum of risks.”[14] According to DOJ, businesses should appropriately design a compliance program to detect the particular types of misconduct most likely to occur in a corporation’s business or regulatory environment.
Under this guidance, prosecutors will look to a company’s compliance policies and procedures to assess whether the program has a code of conduct that sets forth the company’s commitment to compliance with federal laws. DOJ also expects appropriate training and communications, with a focus on certification of employees in control functions and high-risk areas. Employees should have a clear mechanism through which they can anonymously and confidentially report breaches of the company’s code of conduct, policies, or other misconduct, and there should be an appropriate process for investigating these reports. The guidance also expects comprehensive compliance plans to involve due diligence of third-party partners and acquisition targets. Although the focus on third-party partners may add more compliance pressure-testing for some corporations, it appears to be DOJ’s baseline expectation and no longer an aspirational goal.
Is the program being applied earnestly and in good faith?
The guidance emphasizes that compliance programs should evidence a “culture of compliance.”[15] In this respect, DOJ considers whether the compliance program is “accessible and applicable to all company employees” and incorporated into day-to-day operations.[16] Tone at the top remains a key consideration, as the guidance recognizes that a “company’s top leaders—the board of directors and executives—set the tone for the rest of the company.”[17] Accordingly, prosecutors will ask whether the company has demonstrated a commitment to the compliance program by senior and middle management. This also involves asking whether the compliance program has appropriate autonomy and resources, and whether human resources processes are developed and consistently applied.
Does the corporation’s compliance program work in practice?
The final inquiry highlights the importance of effective implementation and evaluation measures. Put another way, is the compliance program a “paper program” or one “implemented, reviewed, and revised, as appropriate, in an effective manner?”[18] Regular, rigorous, and consistent review of compliance programs is now the expectation. The guidance focuses on establishing and using a confidential reporting system for employees to voice concerns that, in turn, fosters a “workplace atmosphere without fear of retaliation, appropriate processes for the submission of complaints, and processes to protect whistleblowers.”[19] Where USSG § 8B2.1(a) indicates that misconduct in and of itself does not mean that a program is ineffective,[20] the new guidance clarifies that prosecutors should view identification of misconduct by a compliance program as a “strong indicator that the compliance program was working effectively.”[21] Accordingly, having an anonymous reporting system is a necessary step for any compliance program.
Conclusion
Although the DOJ’s new guidance notably focuses on these three main questions, it also emphasizes that there is no one-size-fits-all approach to evaluating a company’s compliance program. Instead, the guidance clarifies that prosecutors should assess “each company’s risk profile and solutions to reduce its risks warrant particularized evaluation.”[22] The message is that DOJ will not only judge a company’s compliance policies but also whether and how the compliance program has evolved over time. This reflects a more nuanced approach to determining the effectiveness of a program, and DOJ clearly expects companies to examine their risk in deciding how much to invest in a compliance program. The size and shape of a company may vary, but a “paper program” is not enough, and companies should seek to devote resources to their programs in a way that addresses high-risk activities in both a reactive and proactive way.
Accordingly, companies operating in highly regulated industries should consider this guidance as an important benchmark for their compliance efforts. Among the key concepts are:
-
Tailor the plan. Consider which types of misconduct are most likely to occur in the business and tailor compliance programs to devote appropriate resources to high-risk transactions.
-
Track and monitor. Invest in designing programs capable of measurement through collection, testing, tracking, and analysis of investigative and internal reporting.
-
Review and refresh often. Don’t let a compliance program get stale. Continuously evaluate the program with counsel to ensure it evolves with the company’s risk profile.
-
Tone at the top. Senior management sets the tone for the company. Management must visibly demonstrate commitment to a culture of compliance through positive incentives or publicizing disciplinary actions.
-
Follow through. Be prepared to show that the company responds to reported misconduct with remedial and corrective action, through targeted discipline, reporting, and training.
An effective corporate compliance program may not only save a corporation from prosecution when criminal conduct transpires but can also help stop criminal conduct from occurring in the first place.
Takeaways
-
DOJ recently issued important new guidance on compliance plans that updates previously issued guidance.
-
The guidance includes detailed descriptions and requirements that act as a checklist for companies operating in heavily regulated industries.
-
The guidance counsels prosecutors to evaluate compliance programs based on design, accessibility, culture, implementation, and evolution over time.
-
DOJ is becoming more sophisticated about the nuances of compliance programs and expects the same from the business community.
-
There is no one-size-fits-all approach to evaluating a company’s compliance program.