In addition to the United States Department of Justice’s recently issued guidelines related to cooperation in FCA enforcement actions, the Department of Justice (DOJ)’s Criminal Division recently revised its guidance pertaining to assessment of corporate compliance programs.  The revised guidance will inform DOJ’s approach to criminal investigations, charging decisions, plea agreements, and sentencing in cases involving alleged corporate noncompliance or wrongdoing.

DOJ previously published guidance on its evaluation of corporate compliance programs in 2017.  As with the previous version, the revised guidance eschews a “rigid formula” for assessing compliance programs.

Nonetheless, the new guidance seeks to reframe the analysis to emphasize three “fundamental questions” prosecutors should ask when they evaluate a corporate compliance program:

  1. Is the compliance program effectively structured?
  2. Is the compliance program effectively implemented?
  3. Is the compliance program effectively evaluated and monitored?

This new guidance provides key insights for corporate compliance professionals to consider when structuring, implementing, and evaluating a corporate compliance program:

  1. Structuring Compliance Programs Effectively

The first “fundamental question” a prosecutor should ask about a corporate compliance program is whether the corporation’s compliance program is “well designed.”  To make that assessment, DOJ considers the extent to which the corporation has proactively sought to identify and prioritize the most significant compliance risks facing the company in light of its line of business and the particular regulatory landscape.

DOJ also considers the corporation’s explicit commitments to compliance as evidenced by its code of conduct, written policies, trainings, and employee communications.  DOJ expects these commitments to be more than mere lip service, but rather to represent an active and considered approach to ensuring that the corporation guards against the particular compliance risks faced by the subject corporation.

DOJ also emphasizes the importance of a confidential reporting mechanism to a well-organized compliance program.  Complaints should be regularly reviewed, routed to the appropriate personnel, and promptly investigated.  Hotline complaints should be tracked and analyzed to identify potential patterns of misconduct or other “red flags.”

Finally, DOJ expects that corporations will be mindful of their compliance with respect to their relationships with third parties and in the context of mergers and acquisitions.  The corporation should exercise due diligence in contracting with third parties and undertaking merger or acquisition activity to ensure compliance risks are effectively identified and managed.

  1. Implementing Compliance Programs Effectively

The second “fundamental question” a prosecutor should consider when assessing a compliance program is whether the program is “being applied earnestly and in good faith.”  DOJ clarified in the revised guidance that this question focuses on an objective inquiry – whether the program is “being implemented effectively” – as opposed to a subjective assessment of the corporation’s purposes and intent in implementing its compliance program.  In making that determination, DOJ considers whether the company’s middle and senior management have consistently worked to foster a “culture of ethics and compliance.”  Senior executives and management are expected to “set the tone” for the organization, and middle management should “reinforce” those standards and norms by encouraging their teams to focus on compliance.

According to DOJ, equipping a compliance department with appropriate staff and resources to address the compliance risks faced by the company represents another hallmark of an effective compliance program.  Corporations should not only provide their compliance arm with an adequate budget, but should also ensure they have access to sufficient expertise to identify and appropriately address compliance issues.  The requisite expertise can come from employees with appropriate compliance experience or from outsourced professionals if appropriate safeguards are employed.  In addition to financial resources and expertise, DOJ assesses whether a company’s compliance function has “sufficient seniority” and “sufficient autonomy from management” to effectively exercise in the crucial oversight function of a compliance department.  DOJ specifically recommends that the compliance department should have “direct access” to the company’s governing authority or a subgroup thereof.

Finally, DOJ assesses the implementation of a compliance program by analyzing the incentives and disciplinary measures a company puts into place to encourage compliance and discourage high-risk or noncompliant conduct.  Companies should clearly and regularly message their disciplinary policies throughout the organization, and those policies should be applied evenhandedly across the organization.  Further, DOJ cautions that discipline associated with high-risk or noncompliant behavior should be “commensurate with the violations” of the company’s policies.

Monitoring Compliance Programs Effectively

The final “fundamental question” prosecutors should probe to assess a corporate compliance program is whether the program works “in practice.”  This question focuses on the company’s ability to identify “red flags” and to effectively mitigate any risk of noncompliance in advance.  DOJ emphasizes that an effective monitoring of a compliance program is typically accompanied by a progressive approach that “evolve[s] over time to address existing and changing compliance risks.”  Put another way, DOJ expects companies to learn from their past mistakes.

DOJ encourages companies to undertake “honest root cause analysis” to identify the source of any noncompliance that was not caught by existing compliance procedures.  Once the company identifies the root cause of a given compliance issue, DOJ expects the company to undertake meaningful efforts to put structures or procedures into place to avoid similar noncompliance in the future.

DOJ also assesses whether a compliance department is focused on “continuously improving” its ability to identify and prevent noncompliance.  Specifically, DOJ focuses on whether the compliance department regularly tests and audits its procedures for effectiveness.  In addition, DOJ suggests that companies should regularly revisit their risk assessments in light of changing business lines and regulatory landscapes to ensure existing processes and procedures used to ensure compliance continue are effective.

Finally, DOJ expects companies to make good on their commitments to compliance in view of the compliance departments investigations and findings.  To that end, the corporation should take seriously the findings of compliance department investigations and take appropriate next steps to ensure future compliance.  This can be as simple as adopting formal policies to guard against newly identified compliance risks or as serious as terminating longstanding business relationships that continually create compliance risks.

Regular Evaluation of Compliance Programs is Critical

In sum, it is increasingly clear that DOJ expects entities operating in regulated industries and contracting with the government to have effective compliance programs and to act as partners in its efforts to investigate compliance concerns.  Thus, companies without a compliance function should conduct an honest risk assessment and strongly consider implementing a compliance program.  Similarly, companies with established compliance programs should re-evaluate those programs regularly with counsel to ensure continued effectiveness in accordance with the DOJ’s newly revised guidance – namely that all compliance functions are applied earnestly and in good faith and have been demonstrated to work in practice.

To stay up to date on government guidance related to compliance programs and on related government enforcement efforts, subscribe to this blog or contact a member of Bass, Berry & Sims’s Healthcare Fraud Task Force or Compliance & Government Investigations group.