May 3, 2019
On April 30, 2019, the U.S. Department of Justice (“DOJ”), Criminal Division, released updated guidance to DOJ prosecutors on how to assess corporate compliance programs when conducting an investigation, in making charging decisions, and in negotiating resolutions. The pronouncement, “Evaluation of Corporate Compliance Programs,” updates earlier guidance that DOJ’s Fraud Section issued in February 2017 (covered in our 2017 Mid-Year FCPA Update). This guidance emphasizes DOJ’s laser focus on compliance programs, requiring companies under investigation to carefully evaluate, test, and likely upgrade their programs well before the investigation is over.
The updated Evaluation document has been restructured around the three “fundamental questions” from the Justice Manual that DOJ prosecutors should assess:
Under these three categories, the updated Evaluation groups 12 topics and sample questions that DOJ considers relevant in evaluating a corporate compliance program. Much like the earlier Evaluation articulation, these topics relate to common elements of effective compliance programs, including policies and procedures, training, reporting mechanisms and investigations, third-party due diligence, tone at the top, compliance independence and resources, incentives and disciplinary measures, and periodic testing and review. Several of these core standards can be found in other compliance program guidance materials, such as the Resource Guide to the U.S. Foreign Corrupt Practices Act and, very recently, the “Framework for OFAC Compliance Commitments” issued by OFAC on May 2, 2019, pursuant to the Agency’s promise to provide more guidance on its expectations for sanctions compliance programs.
The following chart captures how the 12 compliance topics in the updated Evaluation are grouped under DOJ’s three core questions.
Core Questions |
Compliance Topic (Core Focus) |
Is the Program Well Designed? |
Risk Assessment DOJ will assess whether the program is appropriately tailored to the company’s business model and the particularized risks that accompany it, considering factors like the company’s locations, industry sectors, and interactions with government officials. |
Policies and Procedures DOJ will assess whether the company has established appropriate policies and procedures, the processes for doing so and disseminating them to the workforce, and the guidance and training provided to “key gatekeepers in the control processes.” |
|
Training and Communications DOJ will assess the compliance training provided to directors, officers, employees, and third parties, as well as efforts to communicate to the workforce about the company’s response to misconduct, and the availability of resources to provide compliance guidance to employees. |
|
Confidential Reporting Structure and Investigation Process DOJ will assess the company’s reporting channels and investigative mechanism. |
|
Third-Party Management DOJ will examine whether the company’s third-party due diligence process is risk-based and includes controls and monitoring related to the qualifications and work of its third parties. |
|
Mergers and Acquisitions DOJ will examine the company’s M&A pre-acquisition due diligence and post-acquisition integration processes. |
|
Is the Program Implemented Effectively? |
Commitment by Senior and Middle Management DOJ will evaluate the commitment by company leadership to a culture of compliance, including management’s messaging and promotion of compliance and the board’s role in overseeing compliance. The OFAC Compliance Framework similarly emphasizes the importance of management’s commitment to, and support of, a company’s compliance program. |
Compliance Autonomy and Resources DOJ will assess whether the compliance function has sufficient seniority, resources, and autonomy commensurate with the company’s size and risk profile. Notably, DOJ will ask whether the company outsourced all or parts of its compliance function to an external firm or consultant. If so, DOJ will probe the level of access that the external firm or consultant has to company information. |
|
Incentives and Disciplinary Measures DOJ will assess whether the company has clear disciplinary procedures that are enforced consistently, as well as whether and how the company incentivizes ethical behavior. |
|
Does the Program Work in Practice? |
Continuous Improvement, Periodic Testing, and Review DOJ will consider how the company has reviewed and evaluated its compliance program to ensure it is current, including changes made to the program in light of lessons learned. DOJ also will assess the internal audit function and how the company measures its culture of compliance. Effective training also is called out specifically in the OFAC Compliance Framework. |
Investigation of Misconduct DOJ will assess the effectiveness and resources of the company’s investigative function. Notably, this is the second instance in the updated Evaluation calling for DOJ to assess a company’s investigative function. |
|
Analysis and Remediation of Any Underlying Misconduct DOJ will consider whether the company conducts root-cause analyses of misconduct and takes timely and appropriate remedial action against violators. Under the heading “Accountability,” the updated Evaluation includes a question about whether disciplinary actions for failures in supervision have been considered by the company. |
The updated Evaluation covers many of the same topics as the prior version, yet the addition of certain questions signals added emphasis or expectations compared to the prior guidance. Although non-exhaustive, the following list outlines key takeaways from the updated Evaluation that companies should consider in building, maintaining, and enhancing their compliance programs.
Like its predecessor, the updated Evaluation guidance is an important resource for companies both for reactively defending their compliance programs in the context of a DOJ investigation and for proactively benchmarking or enhancing their programs. Clearly, this refined prism will provide the template for DOJ Filip Factor presentations.
The following Gibson Dunn lawyers assisted in preparing this client update: F. Joseph Warin, Richard Grime, Patrick Stokes, Christopher Sullivan, Oleh Vretsona, Abbey Bush, and Alexander Moss.
Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these issues. We have more than 110 attorneys with FCPA experience, including a number of former federal prosecutors and SEC officials, spread throughout the firm’s domestic and international offices. Please contact the Gibson Dunn attorney with whom you work, or any of the following:
Washington, D.C.
F. Joseph Warin (+1 202-887-3609, [email protected])
Richard W. Grime (+1 202-955-8219, [email protected])
Patrick F. Stokes (+1 202-955-8504, [email protected])
Judith A. Lee (+1 202-887-3591, [email protected])
David Debold (+1 202-955-8551, [email protected])
Michael S. Diamant (+1 202-887-3604, [email protected])
John W.F. Chesley (+1 202-887-3788, [email protected])
Daniel P. Chung (+1 202-887-3729, [email protected])
Stephanie Brooker (+1 202-887-3502, [email protected])
M. Kendall Day (+1 202-955-8220, [email protected])
Stuart F. Delery (+1 202-887-3650, [email protected])
Adam M. Smith (+1 202-887-3547, [email protected])
Christopher W.H. Sullivan (+1 202-887-3625, [email protected])
Oleh Vretsona (+1 202-887-3779, [email protected])
Courtney M. Brown (+1 202-955-8685, [email protected])
Jason H. Smith (+1 202-887-3576, [email protected])
Ella Alves Capone (+1 202-887-3511, [email protected])
Pedro G. Soto (+1 202-955-8661, [email protected])
New York
Reed Brodsky (+1 212-351-5334, [email protected])
Joel M. Cohen (+1 212-351-2664, [email protected])
Lee G. Dunst (+1 212-351-3824, [email protected])
Mark A. Kirsch (+1 212-351-2662, [email protected])
Alexander H. Southwell (+1 212-351-3981, [email protected])
Lawrence J. Zweifach (+1 212-351-2625, [email protected])
Daniel P. Harris (+1 212-351-2632, [email protected])
Denver
Robert C. Blume (+1 303-298-5758, [email protected])
John D.W. Partridge (+1 303-298-5931, [email protected])
Ryan T. Bergsieker (+1 303-298-5774, [email protected])
Laura M. Sturges (+1 303-298-5929, [email protected])
Los Angeles
Debra Wong Yang (+1 213-229-7472, [email protected])
Marcellus McRae (+1 213-229-7675, [email protected])
Michael M. Farhang (+1 213-229-7005, [email protected])
Douglas Fuchs (+1 213-229-7605, [email protected])
San Francisco
Winston Y. Chan (+1 415-393-8362, [email protected])
Thad A. Davis (+1 415-393-8251, [email protected])
Charles J. Stevens (+1 415-393-8391, [email protected])
Michael Li-Ming Wong (+1 415-393-8333, [email protected])
Palo Alto
Benjamin Wagner (+1 650-849-5395, [email protected])
London
Patrick Doris (+44 20 7071 4276, [email protected])
Charlie Falconer (+44 20 7071 4270, [email protected])
Sacha Harber-Kelly (+44 20 7071 4205, [email protected])
Philip Rocher (+44 20 7071 4202, [email protected])
Steve Melrose (+44 (0)20 7071 4219, [email protected])
Paris
Benoît Fleury (+33 1 56 43 13 00, [email protected])
Bernard Grinspan (+33 1 56 43 13 00, [email protected])
Jean-Philippe Robé (+33 1 56 43 13 00, [email protected])
Munich
Benno Schwarz (+49 89 189 33-110, [email protected])
Michael Walther (+49 89 189 33-180, [email protected])
Mark Zimmer (+49 89 189 33-130, [email protected])
Hong Kong
Kelly Austin (+852 2214 3788, [email protected])
Oliver D. Welch (+852 2214 3716, [email protected])
São Paulo
Lisa A. Alfaro (+5511 3521-7160, [email protected])
Fernando Almeida (+5511 3521-7093, [email protected])
Singapore
Grace Chow (+65 6507.3632, [email protected])
© 2019 Gibson, Dunn & Crutcher LLP
Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.