May 3, 2019
On April 30, 2019, the U.S. Department of Justice (“DOJ”), Criminal Division, released updated guidance to DOJ prosecutors on how to assess corporate compliance programs when conducting investigations, making charging decisions, and negotiating resolutions. The pronouncement, “Evaluation of Corporate Compliance Programs,” updates earlier guidance that DOJ’s Fraud Section issued in February 2017 (covered in our 2017 Mid-Year FCPA Update). This guidance emphasizes DOJ’s laser focus on compliance programs, requiring companies under investigation to carefully evaluate, test, and likely upgrade their programs well before the investigation is over.
The updated Evaluation document has been restructured around the three “fundamental questions” from the Justice Manual that DOJ prosecutors should assess:
Under these three categories, the updated Evaluation groups 12 topics and sample questions that DOJ considers relevant in evaluating a corporate compliance program. Much like the earlier Evaluation articulation, these topics relate to common elements of effective compliance programs, including policies and procedures, training, reporting mechanisms and investigations, third-party due diligence, tone at the top, compliance independence and resources, incentives and disciplinary measures, and periodic testing and review. Several of these core standards can be found in other compliance program guidance materials, such as the Resource Guide to the U.S. Foreign Corrupt Practices Act and, very recently, the “Framework for OFAC Compliance Commitments” issued by OFAC on May 2, 2019, pursuant to the Agency’s promise to provide more guidance on its expectations for sanctions compliance programs.
The following chart captures how the 12 compliance topics in the updated Evaluation are grouped under DOJ’s three core questions.
Is the Program Well Designed?
DOJ will assess whether the program is appropriately tailored to the company’s business model and the particularized risks that accompany it, considering factors like the company’s locations, industry sectors, and interactions with government officials.
Policies and Procedures
DOJ will assess whether the company has established appropriate policies and procedures, the processes for doing so and disseminating them to the workforce, and the guidance and training provided to “key gatekeepers in the control processes.”
Training and Communications
DOJ will assess the compliance training provided to directors, officers, employees, and third parties, as well as efforts to communicate to the workforce about the company’s response to misconduct, and the availability of resources to provide compliance guidance to employees.
Confidential Reporting Structure and Investigation Process
DOJ will assess the company’s reporting channels and investigative mechanism.
DOJ will examine whether the company’s third-party due diligence process is risk-based and includes controls and monitoring related to the qualifications and work of its third parties.
Mergers and Acquisitions
DOJ will examine the company’s M&A pre-acquisition due diligence and post-acquisition integration processes.
Is the Program Implemented Effectively?
Commitment by Senior and Middle Management
DOJ will evaluate the commitment by company leadership to a culture of compliance, including management’s messaging and promotion of compliance and the board’s role in overseeing compliance. The OFAC Compliance Framework similarly emphasizes the importance of management’s commitment to, and support of, a company’s compliance program.
Compliance Autonomy and Resources
DOJ will assess whether the compliance function has sufficient seniority, resources, and autonomy commensurate with the company’s size and risk profile. Notably, DOJ will ask whether the company outsourced all or parts of its compliance function to an external firm or consultant. If so, DOJ will probe the level of access that the external firm or consultant has to company information.
Incentives and Disciplinary Measures
DOJ will assess whether the company has clear disciplinary procedures that are enforced consistently, as well as whether and how the company incentivizes ethical behavior.
Does the Program Work in Practice?
Continuous Improvement, Periodic Testing, and Review
DOJ will consider how the company has reviewed and evaluated its compliance program to ensure it is current, including changes made to the program in light of lessons learned. DOJ also will assess the internal audit function and how the company measures its culture of compliance. Effective training also is called out specifically in the OFAC Compliance Framework.
Investigation of Misconduct
DOJ will assess the effectiveness and resources of the company’s investigative function. Notably, this is the second instance in the updated Evaluation calling for DOJ to assess a company’s investigative function.
Analysis and Remediation of Any Underlying Misconduct
DOJ will consider whether the company conducts root-cause analyses of misconduct and takes timely and appropriate remedial action against violators. Under the heading “Accountability,” the updated Evaluation includes a question about whether disciplinary actions for failures in supervision have been considered by the company.
The updated Evaluation covers many of the same topics as the prior version, yet the addition of certain questions signals added emphasis or expectations compared to the prior guidance. Although non-exhaustive, the following list outlines key takeaways from the updated Evaluation that companies should consider in building, maintaining, and enhancing their compliance programs.
Like its predecessor, the updated Evaluation guidance is an important resource for companies both for reactively defending their compliance programs in the context of a DOJ investigation and for proactively benchmarking or enhancing their programs. Clearly, this refined prism will provide the template for DOJ Filip Factor presentations.
The following Gibson Dunn lawyers assisted in preparing this client update: F. Joseph Warin, Richard Grime, Patrick Stokes, Christopher Sullivan, Oleh Vretsona, Abbey Bush, and Alexander Moss.
Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these issues. We have more than 110 attorneys with FCPA experience, including a number of former federal prosecutors and SEC officials, spread throughout the firm’s domestic and international offices. Please contact the Gibson Dunn attorney with whom you work, or any of the following:
F. Joseph Warin (+1 202-887-3609, email@example.com)
Richard W. Grime (+1 202-955-8219, firstname.lastname@example.org)
Patrick F. Stokes (+1 202-955-8504, email@example.com)
Judith A. Lee (+1 202-887-3591, firstname.lastname@example.org)
David Debold (+1 202-955-8551, email@example.com)
Michael S. Diamant (+1 202-887-3604, firstname.lastname@example.org)
John W.F. Chesley (+1 202-887-3788, email@example.com)
Daniel P. Chung (+1 202-887-3729, firstname.lastname@example.org)
Stephanie Brooker (+1 202-887-3502, email@example.com)
M. Kendall Day (+1 202-955-8220, firstname.lastname@example.org)
Stuart F. Delery (+1 202-887-3650, email@example.com)
Adam M. Smith (+1 202-887-3547, firstname.lastname@example.org)
Christopher W.H. Sullivan (+1 202-887-3625, email@example.com)
Oleh Vretsona (+1 202-887-3779, firstname.lastname@example.org)
Courtney M. Brown (+1 202-955-8685, email@example.com)
Jason H. Smith (+1 202-887-3576, firstname.lastname@example.org)
Ella Alves Capone (+1 202-887-3511, email@example.com)
Pedro G. Soto (+1 202-955-8661, firstname.lastname@example.org)
Reed Brodsky (+1 212-351-5334, email@example.com)
Joel M. Cohen (+1 212-351-2664, firstname.lastname@example.org)
Lee G. Dunst (+1 212-351-3824, email@example.com)
Mark A. Kirsch (+1 212-351-2662, firstname.lastname@example.org)
Alexander H. Southwell (+1 212-351-3981, email@example.com)
Lawrence J. Zweifach (+1 212-351-2625, firstname.lastname@example.org)
Daniel P. Harris (+1 212-351-2632, email@example.com)
Robert C. Blume (+1 303-298-5758, firstname.lastname@example.org)
John D.W. Partridge (+1 303-298-5931, email@example.com)
Ryan T. Bergsieker (+1 303-298-5774, firstname.lastname@example.org)
Laura M. Sturges (+1 303-298-5929, email@example.com)
Debra Wong Yang (+1 213-229-7472, firstname.lastname@example.org)
Marcellus McRae (+1 213-229-7675, email@example.com)
Michael M. Farhang (+1 213-229-7005, firstname.lastname@example.org)
Douglas Fuchs (+1 213-229-7605, email@example.com)
Winston Y. Chan (+1 415-393-8362, firstname.lastname@example.org)
Thad A. Davis (+1 415-393-8251, email@example.com)
Charles J. Stevens (+1 415-393-8391, firstname.lastname@example.org)
Michael Li-Ming Wong (+1 415-393-8333, email@example.com)
Benjamin Wagner (+1 650-849-5395, firstname.lastname@example.org)
Patrick Doris (+44 20 7071 4276, email@example.com)
Charlie Falconer (+44 20 7071 4270, firstname.lastname@example.org)
Sacha Harber-Kelly (+44 20 7071 4205, email@example.com)
Philip Rocher (+44 20 7071 4202, firstname.lastname@example.org)
Steve Melrose (+44 (0)20 7071 4219, email@example.com)