On 1 June 2020, the US Department of Justice (DOJ) released the latest update to its ‘Evaluation of Corporate Compliance Programs’ policy, which was first released in 2017 (DOJ Guidance).
The DOJ Guidance provides companies with detailed guidance on how the DOJ will review the adequacy and effectiveness of compliance programmes when making charging and resolution decisions. It is a must-read for anyone involved in building, implementing or testing compliance programmes.
The latest changes emphasise the ever-increasing focus on compliance programmes being designed – and enhanced – based on a dynamic risk assessment informed by detailed data analysis and a continuous evaluation of issues facing other companies in the same industry and/or region (as well as the company’s own issues). Read our article setting out the key takeaways from a US perspective here.
The DOJ Guidance is significantly more detailed – and provides more practical guidance – than the SFO Guidance. There are notable parallels with Airbus’ compliance enhancements as set out in the UK Deferred Prosecution Agreement (DPA) judgment (see our article on the Airbus DPA here) but the DOJ guidance goes much further.
We have set out below six key points from a UK perspective:
- Compliance resourcing and reporting lines: the DOJ Guidance states that the compliance programme must be adequately resourced and compliance personnel “empowered” in order to function effectively. The revisions emphasise that a company needs to be prepared to justify decisions regarding how its programme has been structured within the overall business. Prosecutors will be looking to see that a company provides compliance and control personnel with sufficient access to data in order to conduct timely and effective monitoring and testing, and that appropriate investments are made in the training and development of compliance personnel. This resonates with the Airbus and Rolls-Royce DPAs:
  - “Further, the Airbus Ethics and Compliance teams have been restructured to ensure functional independence from the business. Amongst other things, there has been a merger of legal and compliance functions and the change of the reporting line to the newly appointed General Counsel; the creation of a subcommittee of the Board, entitled the Ethics & Compliance Committee to provide independent oversight of the company’s Ethics & Compliance programme; and appointed a new Ethics & Compliance Officer with changed reporting lines directly to the General Counsel and the Ethics & Compliance Committee… Airbus has…created numerous new compliance roles and extensively recruited highly experienced senior compliance professionals” (Airbus Judgment, paras 79-80).
  - “…organisation and governance has been improved by the recruitment of experienced compliance personnel in key positions (including Head of Risk and Head of Compliance) as well as additional Compliance Officers and the appointment of designated Local Ethics Advisers. There has been a significant reorganisation of reporting lines which ensures that compliance officers are independent of business divisions.” (Rolls-Royce Judgment, para 44).
- Periodic risk assessments resulting in changes to policies and procedures: US prosecutors will be looking to see an evolution of policies and procedures informed by regular, periodic risk assessments. This echoes both the SFO’s Guidance, which emphasises that risk assessments, and policies and procedures informed by them, should evolve with the business, and the Airbus DPA under which Airbus “agreed to continue to review, and where necessary and appropriate, modify its compliance programme, including internal controls, compliance policies, and procedures” (Airbus DPA, para 30). Interestingly, the DOJ Guidance also states that a company must have a process to track and incorporate into its risk assessments lessons learned from issues facing other companies in the same industry and/or region (as well as the company’s own issues). Companies will also be expected to monitor employee access to policies/procedures.
- Training: The DOJ Guidance also: (i) directs prosecutors to examine whether the company is evaluating the effect of its training on employee behaviour or operations; and (ii) makes clear that any training format used (including e-learning) must provide a mechanism for employees to ask questions arising out of the training materials.
- WB/Speak up lines: The DOJ Guidance emphasises that a company’s reporting mechanism should be publicised to relevant third parties. It also indicates that a company will be expected not only to test whether its WB/Speak up line has been used but also to test employees’ awareness of the hotline, including whether they “feel comfortable” using it, and the hotline’s effectiveness. Further, prosecutors will be instructed to examine how internal investigations and discipline arising from hotline reports are monitored by the compliance team to ensure consistency.
- Third party management: The DOJ Guidance continues the trend of emphasising that third-party management is not just about onboarding due diligence, but management of the risks posed by the third-party relationship throughout the “lifespan of the relationship”. This theme runs throughout the Airbus DPA and related judgment. For example, paras 24 and 25 of the Airbus Judgment note that, during the period covered by the DPA, Airbus had a “detailed due diligence process to be undertaken in relation to the appointment of [third parties]” and “operated a series of committees which had the responsibility for reviewing the use of [third parties] and payment to third parties”. However, such committees were “not able to provide effective or properly informed oversight” (Airbus Judgment, para 27) as a result of alleged deficiencies in both the onboarding due diligence and, crucially, the information provided as part of Airbus’ ongoing management of its third party relationships.
- Impact of foreign law considerations: The DOJ Guidance directs prosecutors specifically to consider how non-US law considerations affect the structure of a company’s compliance programme. If a company makes decisions about compliance or about the structure of a compliance programme based on the demands of non-US law, it must be prepared to justify its analysis and explain “how the company has addressed the issue to maintain the integrity and effectiveness of its compliance program while still abiding by foreign law”. An obvious example of this may be data privacy law in the EU and elsewhere, which may impact on the use of data in compliance and investigations.