On June 1, 2020, the Criminal Division of the U.S. Department of Justice released updated guidance to its prosecutors on how to evaluate the design, implementation, and effective operation of corporate compliance programs.
The guidance remains focused on three “fundamental questions” that provide structure to the analysis:
- “‘Is the corporation’s compliance program well designed?’”
- “‘Is the program being applied earnestly and in good faith?’ In other words, is the program adequately resourced and empowered to function effectively?”
- “‘Does the corporation’s compliance program work’ in practice?”
Data Access is Critical
Of special note are the changes to the language from the U.S. Department of Justice, that created a bias towards compliance programs that are driven by “continuous access to operational data and information across functions”.
On June 1, 2020, the U.S. Department of Justice released updated guidance to its prosecutors… The 2020 guidance contemplates companies undertaking data-driven periodic reviews and asks: “Is the periodic review limited to a ‘snapshot’ in time or based upon continuous access to operational data”
– Harvard Law, June 20, 2020
In order to effectively implement a compliance program, the departments and individuals responsible for oversight and the day-to-day functioning of the compliance program must have the appropriate resources to carry out their mission with sufficient authority and autonomy from management, i.e., the compliance officer should have a direct reporting relationship to the board of directors (or board compliance committee). The Guidance Update refined its previously worded question (“Is the compliance program being implemented to function effectively?”) to “Is the compliance program resourced and empowered to function effectively.” This revision draws additional attention to
- the amount and quality of resources dedicated to the compliance function, and
- the ability of the compliance department to effectively carry out its mission by ensuring management buy-in and a tool chest that allows the compliance program to both incentivize compliance and disincentivize non-compliance.
Proactive Monitoring Recommended
With respect to adequate resources, the Guidance Update asks whether an organization is investing in the development and training of its compliance personnel and whether compliance has enough access to relevant sources of organization data so that it can adequately monitor and/or test policies, controls and transactions. The Guidance Update also added language to highlight the need for demonstrated commitment by management at all levels of the organization, including middle management. The Compliance Program Guidance has always included a recommendation that a compliance program make use of incentives (to promote compliance) and a disciplinary process (to discourage non-compliance). Because consistency in applying these tools is paramount, the Guidance Update suggests that companies should be proactively monitoring its investigations and resulting discipline to ensure that measures taken are consistently applied.