It’s been a couple of weeks since the Department of Justice released its latest version of the “Evaluation of Corporate Compliance Programs” (2020 Guidance). The guidance, first issued in February 2017 and updated last April (2019 Guidance), enumerates the factors that federal prosecutors weigh when assessing the effectiveness of a company’s compliance program. “Effectiveness” is a critical standard in determining whether a company will avoid criminal prosecution, and companies use the guidance as a framework or checklist for regular pre-enforcement self-assessment.
2020 Guidance vs. 2019 Guidance
I’ve reviewed several great insights about the updated guidance, but I decided to look at this update differently—comparing the 2020 and 2019 versions to get a better sense of what changed. What stood out to me was how the 2020 publication was released, its relative size, its changes to the fundamental questions, its use of certain terms, and its introduction of new questions. I also flagged some key themes that seemed relevant in the context of the current pandemic crisis.
It’s not an exact science, but below is a summary of what I discovered.
The 2020 Guidance was published very quietly on June 1, with no formal press release like its predecessor. We did get a statement from Assistant Attorney General Brian Benczkowski that his division made the update to reflect its experience and feedback from the business and compliance communities. A few days later, Benczkowski announced he was leaving the DOJ. This may explain the low-key release of the update.
The 2020 Guidance is a longer document than its predecessor, with not only more words to account for the expanded page count but also more questions comprising the evaluation process.
The 2020 Guidance still relies on the “three fundamental questions” used in prior versions to inform the substance of the effectiveness inquiry: (1) “Is the corporation’s compliance program well designed?” (2) “Is the program being applied earnestly and in good faith? In other words, is the program adequately resourced and empowered to function effectively?” (3) “Does the corporation’s compliance program work” in practice?
However, the 2020 Guidance revised the second question by including the words “adequately resourced and empowered to function effectively.” This change may have influenced the 2020 version’s increased references to specific terms, new questions, and greater emphasis on key themes, as discussed below.
Several of the changes in the 2020 Guidance focus on specific terms that seem to be of particular importance during the current pandemic. I flagged a few examples (or variations of them) to highlight this point. For example, “access,” “data,” “resources,” and “time.”
These terms show up more frequently in the 2020 version than in the 2019 version.
Could it be that the pandemic prompted these changes? Consider that these terms are always important, but even more so when they may be in short supply.
As noted above, the 2020 Guidance added 16 new questions. They are strewn throughout the document and can be summarized as follows. You’ll note there the specific terms are factored into a number of these questions.
Risk Assessments. There is one multi-part question about periodic reviews in the “updates and revisions” discussion, and one question in the new “lessons learned” discussion. The “lessons learned” question focuses on a company’s process for tracking and incorporating lessons learned from its own issues or from other companies into its risk assessment process.
Policies and Procedures. There are two new questions related to access to policies and procedures. One question focuses on the ability to search these standards. The other question asks if access to them can be tracked to know which ones are getting more attention.
Training and Communications. There are two new questions in the “form and content” discussion to assess the interactive nature (whether there are opportunities to ask questions) and the impact of training (whether a company can measure if training affects employee behavior or operations).
Confidential Reporting Structure and Investigation Process. There are two new questions on employee hotlines. One question asks if a company can confirm employee awareness of the hotline and their comfort in using it. The other question is whether the company is periodically testing the effectiveness of this tool (e.g., by using a tracking report).
Third-Party Management. There is one new question in the “management of relationships” discussion centering on whether the risk assessment of third parties is done throughout the lifespan of the relationship, or just during the onboarding process.
Mergers and Acquisitions. There is one new question in the “due diligence process” discussion to confirm whether due diligence was done during the pre-acquisition stage, and, if not, determine the basis for not being able to do so.
Autonomy and Resources. There are a few new questions here, including a whole new section on data and resources. In the “experience and qualifications” discussion, a question considers whether a company invests in the training and development of compliance and other control personnel. In the “structure” discussion, there is now a direct query on the reasoning behind the company’s structural choices involving compliance reporting lines. In the new “data resources and access” discussion, the two questions cover the ability and limitation of compliance and control personnel to access data needed to carry out monitoring and testing responsibilities.
Incentives and Disciplinary Measures. There is one new question in the “consistent application” discussion to determine if compliance monitors investigations and resulting discipline for consistency.
Continuous Improvement, Periodic Testing, and Review. There is one new question in the “evolving updates” discussion to see if the company uses a “lessons learned” exercise based on its own or others’ misconduct to help improve its compliance program.
In terms of themes, the 2020 Guidance puts greater emphasis on existing ones from prior iterations, but also gives more prominence to data, as summarized below.
Basis. The 2020 Guidance seeks more detail about the reasoning behind certain decisions. In one example, the guidance now says that prosecutors will want to know “why the company has chosen to set up the compliance program the way it has, and why and how the company’s compliance program has evolved over time.” In another example, the guidance now includes consideration of foreign law on a compliance program. Strange that it is placed in an endnote (No. 2, p. 18).
No One-Size-Fits-All. The 2020 Guidance provides that the DOJ will assess the effectiveness of a compliance program in consideration of a “reasonable individualized” determination. This determination will take into account: “the company’s size, industry, geographic footprint, regulatory landscape, and other factors, both internal and external to the company’s operations, that might impact its compliance program.” These criteria are not new, but the emphasis is an important reminder that there is no one model or formula for assessing the effectiveness of corporate compliance programs.
Lessons Learned. The 2020 Guidance cites more “lessons learned” exercises, as noted in some of the examples of the additional questions discussed above. Calls for these reviews are in the maintenance and assessment measures. Also, in conducting these reviews, the updated guidance recommends using not just the company’s own issues but those from other companies.
Significance of Data. The 2020 Guidance gives data more prominence as a critical factor in maintaining compliance programs. The increased focus underscores the importance the DOJ is putting on letting compliance have the information it needs to do its job (probably more so now, with so many working remotely). The DOJ is not alone in its interest in the use and access to data. FINRA just posted a report seeking input on the use of data, particularly incorporating artificial intelligence into a growing number of services by financial firms, including compliance processes.
Last month, as part of our mid-year Bloomberg Law 2020 series, I cautioned against compliance programs becoming another casualty of the pandemic. What I found in comparing the substance of the two DOJ guides appears to support this warning.
Companies should use the 2020 Guidance to assess their compliance controls. Compliance should highlight the changes to underscore its role and needs. Importantly, the updated guidance continues to be a useful tool to help with periodic, proactive reviews of compliance controls instead of addressing them when an inevitable failure happens. This assessment is even more necessary during the current crises, and an effective compliance program even more essential to an organization’s success.
If you’re reading this on the Bloomberg Terminal, please run BLAW OUT <GO> in order to access the hyperlinked content.