Updated Guidelines for Evaluating Corporate Compliance Programs


The U.S. Department of Justice Criminal Division has updated its guidelines for evaluating corporate compliance programs, which prosecutors use to determine whether to bring charges against a company and to negotiate plea or other agreements. The guidelines include factors such as the adequacy and effectiveness of a corporation's compliance program at the time of the offense and its remedial efforts to improve the program.

The guidelines, which were updated in March 2023, are intended to help prosecutors make informed decisions about the appropriate form of resolution or prosecution, monetary penalties, and compliance obligations for a corporation.

The Criminal Division recognizes that each company's risk profile warrants particularized evaluation, but has identified three fundamental questions that prosecutors should consider:

  1. Is the corporation's compliance program well designed?
  2. Is the program being applied earnestly and in good faith, with sufficient resources and empowerment to function effectively?
  3. Does the corporation's compliance program work in practice?

To answer these questions, prosecutors may evaluate the company's performance on various topics, including risk management, policies and procedures, training and communication, reporting structure and investigation process, due diligence for third-party relationships and mergers and acquisitions, and consequences for non-compliance.

While the sample topics and questions provided by the Criminal Division are not a checklist or formula, they offer guidance for evaluating a company's compliance program on a case-by-case basis. The Criminal Division acknowledges that some topics may be more salient than others given the particular facts of a case.

Summary of Guidelines

To enhance your corporate compliance program, consider the following advice for leadership:

  1. Ensure the program is comprehensive and well-integrated, with clear messages against misconduct and policies that address identified risks.
  2. Regularly review and update the compliance program, tailoring it to the company's risk profile and business needs.
  3. Implement risk management processes and risk-tailored resource allocation, make updates and revisions, and incorporate lessons learned from your own and others' experiences.
  4. Design comprehensive and accessible policies and procedures, and ensure they are integrated into the company's operations.
  5. Provide tailored training and communication, establish a confidential reporting structure, and maintain an effective investigation process.
  6. Implement risk-based due diligence for third-party relationships and comprehensive due diligence for mergers and acquisitions.
  7. Allocate sufficient resources and empower the compliance function to operate effectively, ensuring commitment from senior and middle management.
  8. Evaluate the compliance function's structure, seniority, experience, qualifications, funding, data resources, access, and autonomy.
  9. Establish clear incentives for compliance and disincentives for non-compliance, including consistent disciplinary measures and financial incentive systems.
  10. Continuously improve and sustain the compliance program through periodic testing and review, internal audits, and control testing, fostering a culture of compliance.

By prioritizing these areas, your company can develop and maintain an effective compliance program that minimizes risks, promotes ethical behavior, and fosters a culture of accountability and transparency.

The full 21-page document can be found on the Justice website [here].

