On April 30, 2019, Assistant Attorney General Brian Benczkowski announced that the Department of Justice (“DOJ”) had published an updated version of the Criminal Division’s 2017 guidance publication “Evaluation of Corporate Compliance Programs.” In making the announcement, Assistant Attorney General Benczkowski said the update was designed to “better harmonize the prior Fraud Section publication with other Department guidance and legal standards.” He noted that DOJ also sought “to provide additional transparency in how [it] will analyze a company’s compliance program.”
The updated guidance document focuses on answering three principal questions:
- Is the corporation’s compliance program well designed?
- Is the program being applied earnestly and in good faith? In other words, is the program being implemented effectively?
- Does the corporation’s compliance program work in practice?
The new guidance addresses the topic areas from the original publication – some of which have been re-phrased – by grouping them under one of these three questions. It also raises additional questions prosecutors should ask when evaluating compliance programs and adds one new topic, “Investigation of Misconduct.”
- Is the corporation’s compliance program well-designed?
Under the updated DOJ guidance, “the starting point for the prosecutor’s evaluation of whether a company has a well-designed compliance program is to understand the company’s business from a commercial perspective, how the company has identified, assessed, and defined its risk profile, and the degree to which the program devotes appropriate scrutiny and resources to the spectrum of risks.” Notably, specificity is key: the DOJ asks whether the program is “designed to detect the particular types of misconduct most likely to occur in a particular corporation’s line of business and complex regulatory environment.”
Additionally, DOJ will focus on an entity’s programs, policies and procedures to assess such things as comprehensiveness, how the policies and procedures are communicated to employees and third parties, who has ownership responsibility for integrating the policies and procedures and whether there are gatekeepers (i.e., is guidance and training provided by individuals with approval authority or certification responsibilities).
DOJ will also look at the organization’s training and communications efforts and will evaluate how the organization integrates its policies and procedures into its operations. This includes determining whether there is risk-based training, assessing the form, content and effectiveness of the training, the availability of guidance to employees and communications about potential misconduct. In other words, what senior management has “done to let employees know the company’s position concerning misconduct and whether there are communications when an employee is terminated or otherwise disciplined for failure to comply.”
Another key element DOJ looks for is a confidential reporting mechanism that employees can use to report concerns. When evaluating the effectiveness of the reporting program, prosecutors take into account whether employees are able to make reports anonymously and whether qualified employees are involved in the investigation of the reported concerns through properly scoped investigations that ensure that the correct issue is examined. Beyond just evaluating the results of a compliance function, this requires an assessment of how investigations are responded to, whether the corporation allocates appropriate resources to the investigation, and how the company monitors status.
Finally, DOJ wants to know how an entity is managing third party partners, including “agents, consultants, and distributors who are commonly used to conceal misconduct.” This means an assessment of the third-party management process, whether appropriate controls were in place regarding use of third parties and how the third-party relationship was managed.
Of particular note, the update reminds corporations that DOJ has a continuing interest in mergers and acquisitions, and it expects that a well-designed program conducts “comprehensive due diligence of any acquisition targets.” Believing that this pre M&A due diligence puts the company in a better position to evaluate potential issues, DOJ will want to see how the compliance function has been integrated into the M&A process, and whether there is a crosswalk in place to connect it to due diligence implementation. Put plainly, how does the company track and remediate any misconduct identified as part of the due diligence?
- Is the Corporation’s Compliance Program Being Implemented Effectively?
DOJ evaluates whether the corporate compliance program is effectively implemented and engrained in the company’s culture so that it affects employee behavior. A corporation must actively foster a culture of ethics and compliance that originates from the top—that is, Boards of Directors, executives, and senior management. Not only must employees be informed about compliance processes, but they should also be convinced the company is committed to compliance based on the words and actions of the corporate leadership.
Prosecutors next look at the structure of the compliance program, specifically, whether the personnel tasked with implementing the program have sufficient seniority, resources, and autonomy from management to be effective. As with many other factors detailed in the update, each corporation’s implementation is dependent upon the size, structure, and risk profile of the particular entity. Regardless of program structure, the guidance stresses empowerment of the compliance personnel: a corporation must ensure that the compliance program has “adequate resources, appropriate authority” and direct access to the governing authority or a subgroup thereof.
Finally, prosecutors evaluate the program’s incentive structure to determine whether it adequately motivates compliance. Again, the methodology chosen should be specific to each company’s culture: whether it comes in the form of publicizing disciplinary actions as a deterrent or providing financial and career advancement as positive incentives is dependent upon the outcomes observed by a company.
- Does the Corporation’s Compliance Program Work in Practice?
DOJ acknowledges that the third question—whether a company’s well-designed and implemented corporate compliance program is effective in practice—may be difficult to assess, particularly when misconduct that becomes the focus of an investigation is not immediately detected by the compliance program. The guidance instructs prosecutors that the mere presence of misconduct does not indicate that the compliance program is ineffective. Indeed, if the misconduct was identified through the compliance program’s mechanisms, this factor may weigh in favor of a defendant’s compliance efforts.
Prosecutors may need to address this third question both at the time of the misconduct and at the time of a charging decision or resolution. Different concerns are evaluated at each stage. At the time of misconduct, prosecutors should evaluate “whether and how the misconduct was detected, what investigation resources were in place to investigate suspected misconduct, and the nature and thoroughness of the company’s remedial efforts.”
Corporate compliance obligations do not end once the misconduct has been identified; effective corporate compliance programs “improve and evolve” over time in response to business changes and new areas of risk. Prosecutors may re-assess the compliance program at the time of charging or resolution, addressing “whether the program evolved over time to address existing and changing compliance risks” and “whether the company undertook an adequate and honest root cause analysis to understand both what contributed to the misconduct and the degree of remediation needed to prevent similar events in the future.”
Second, DOJ asks whether there are effective (and funded) mechanisms for timely and thoroughly investigating allegations or suspicions of misconduct. Ensuring that investigations into misconduct are independent, objective, and documented is essential to an effective compliance program.
Finally, DOJ assesses the corporation’s root-cause analysis and remediation of any misconduct identified. The guidance underscores the importance of the corporation engaging in its own remedial actions, including appropriate disciplinary actions, even after DOJ is involved.
The DOJ has provided a detailed update to its guidance and framed the key questions that it will ask during an investigation when evaluating compliance program effectiveness. This update provides insight into the steps that any health care entity can proactively take to ensure it receives the benefit of a robust and effective compliance program should misconduct occur. DOJ has signaled that being proactive, rather than reactive, is what is expected. In particular, DOJ will look at what a company did in the face of an allegation of misconduct as part of its evaluation of the compliance function when determining an appropriate remedy – or in deciding to forego one. It is also clear that DOJ does not view compliance as a “one size fits all” enterprise, and will be looking at how a company adapts its program to its own specific risk profile. It also expects the compliance function to operate independently and that the organization fosters a “culture of compliance.” Companies should review their corporate compliance programs to ensure that they are current, disseminated on a regular basis to all employees, and a central, visible focus throughout the organization.