DOJ Updates Corporate Compliance Guidance, Continues Focus on Risk, Reporting, and Training
The document, entitled “Evaluation of Corporate Compliance Programs,” was first released in February 2017. Before this week’s update, the guidance was last published in April 2019.
Lest you were expecting the DOJ to soften its tone around corporate compliance, the substance of the guidance remains largely unchanged. As Assistant Attorney General Brian Benczkowski reportedly said in a statement, “the updates we have made are in keeping with our continued efforts as prosecutors to improve our own policies and practices to ensure transparency and the effective and consistent enforcement of our laws.”
The latest revisions to the guidance primarily add details that focus on ensuring compliance programs are not static, but rather, are periodically reviewed, tested, and adapted to fit changing circumstances. The updated guidance also emphasizes that for a compliance program to be applied “earnestly and in good faith,” it should be “adequately resourced and empowered to function effectively.” The focus on “empowerment” seems designed to avoid the troubling, yet recurring situation where concerns voiced by in-house lawyers and compliance professionals regarding problematic transactions are ignored by business leaders.
Other notable changes to the guidance include the following:
- DOJ expects compliance and control personnel to have “sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions[.]” In two instances, the updated guidance adds language to make clear that DOJ will look closely at corporate assertions of impediments based on foreign regulation, including as it relates to impediments to data transfer.
- The guidance highlights that when managing third-party relationships, companies should not stop at assessing risk during the onboarding process but continue risk management throughout the lifespan of the relationship.
- With respect to acquisitions, DOJ now elaborates that comprehensive pre-acquisition due diligence of targets should be followed by “timely and orderly” post-acquisition compliance integration and compliance audits of newly acquired entities.
- Simply making compliance policies and procedures accessible online is no longer sufficient to satisfy DOJ, which also expects companies to monitor the use of policies and procedures by employees “to understand what policies are attracting more attention from relevant employees.”
- Building on prior guidance regarding compliance training, DOJ now suggests that companies consider “more targeted training sessions” designed “to enable employees to timely identify and raise issues to appropriate compliance, internal audit, or other risk management functions.”
- To establish that reporting mechanisms such as hotlines work, DOJ wants companies to be prepared to show on-going efforts to test employees’ awareness of and comfort using them, suggesting that companies should test hotlines, “for example by tracking a report from start to finish.”
Arent Fox can work with you to assess whether your company’s existing compliance program meets DOJ’s updated expectations and, if necessary, discuss how best to adjust your program. If your company has yet to implement a compliance program, it is never too late to start.
- Related Practices