Evaluation of Corporate Compliance Programs

May 2nd, 2019

On April 30, 2019, the Criminal Division of the US Department of Justice released updated guidance on its Evaluation of Corporate Compliance Programs (“the 2019 Guidance”), replacing prior guidance released in February 2017 (“the 2017 Guidance”).

Steele remains committed to keeping its clients, potential clients, and the broader corporate compliance community up-to-date on events such as this. Steele offers the following commentary and insight into the newly issued 2019 Guidance:

The purpose of the 2017 and 2019 Guidance documents is to assist prosecutors in what factors to consider when conducting an investigation of the effectiveness of a corporation’s compliance program.  Naturally, the 2017 Guidance was, and the 2019 Guidance will be, used by corporations, as well as third party vendors and service providers, as a blueprint for the elements of a successful compliance program even though the topics and questions “are neither a checklist nor a formula” according to the DOJ.

The 2019 Guidance, in tandem with the Principles of Federal Prosecution of Business Organizations in the Department of Justice’s Justice Manual, poses three fundamental questions:

  1. Is the corporation’s compliance program well designed?
  2. Is the program being applied earnestly and in good faith? In other words, is the program being implemented effectively?
  3. Does the corporation’s compliance program work in practice?

While the 2017 Guidance merely listed topics and sample questions, the 2019 Guidance provides much greater detail – topics, additional context, and questions under each of the fundamental questions.  This is invaluable guidance for companies as to how to implement and follow its compliance program.

Most relevant for compliance officers is the discussion in subsection E: Third Party Management, under question I: Is the corporation’s compliance program well designed?  The 2019 Guidance further indicates:

A well-designed compliance program should apply risk-based due diligence to its third-party relationships.  Although the degree of appropriate due diligence may vary based on the size and nature of the company or transaction, prosecutors should assess the extent to which the company has an understanding of the qualifications and associations of third-party partners, including the agents, consultants, and distributors that are commonly used to conceal misconduct, such as the payment of bribes to foreign officials in international business transactions.  Prosecutors should also assess whether the company knows its third-party partners’ reputations and relationships, if any, with foreign officials, and the business rationale for needing the third party in the transaction….Prosecutors should further assess whether the company engaged in ongoing monitoring of the third-party relationships, be it through updated due diligence…  (p. 6-7).

The 2019 Guidance poses four (4) different sub-topics and questions within third party management.

  • Risk-based and integrated processes. No modifications or changes from 2017 Guidance.
  • Appropriate controls. The 2019 Guidance includes questions regarding not only the business rationale for using third parties involved in misconduct, but how does the company ensure the rationale is appropriate?
  • Management of relationships. The 2019 Guidance includes questions on whether the company has considered the incentive structure, including compensation, for third parties.  Not only does the company monitor third parties, but how? Does the company have audit rights to the accounts of the third parties, and have these rights been exercised?
  • Real actions and consequences. This section differed the most from 2017 to 2019 Guidance.  The 2019 Guidance poses questions not only on whether there were red flags identified from third party due diligence conducted but asks whether the flags were tracked and addressed.  The 2019 Guidance also poses questions on whether the company tracks third parties that did not pass a due diligence review or were terminated to ensure that they are not hired.

It is clear from the 2019 Guidance that having a third-party management program on paper is not enough. The DOJ’s emphasis has shifted to the implementations and actions taken in connection with the compliance program. Companies must participate in the elements outlined and take actions as necessary and appropriate in advance of any offense and be able to document those actions.  It is further evident that reviewing a third party for compliance-related risks is not enough; third parties must be monitored on an on-going basis. Corporations must perform due diligence reviews that go beyond scratching the surface and review, as applicable, agents, consultants, and distributors as third parties, as well as review the relationships of a third party with foreign officials. Finally, prosecutors will want to see whether the compliance program actually results in fewer instances of misconduct; or in swift, appropriate measures when misconduct does occur. This means compliance officers need to think about measurements of program effectiveness, and changes in policy or procedure based on what those measurements say.

Steele will continue to follow any new developments related to the release of the 2019 Guidance, as well as any relevant compliance-related news.

View the DOJ press release here.