On June 1, 2020, the United States Department of Justice (DOJ) issued a revised version of its guidance titled "Evaluation of Corporate Compliance Programs" (ECCP), which federal prosecutors use to evaluate corporations under criminal investigation. The updates to the ECCP add detail recognizing that compliance programs should be staffed with empowered personnel and be both tailored to the company and capable of adapting in real time using data analytics. These changes encourage companies to adopt dynamic, customized compliance programs rather than "off the shelf" products. DOJ has thus amplified its goal of fostering a "culture of compliance" in companies that is equal to financial profit in priority and not just a "check the box" exercise secondary to the bottom line.
Overview of the ECCP
The DOJ issued the ECCP in 2017 as a resource for prosecutors to evaluate corporate compliance programs for enforcement purposes. DOJ updated the ECCP last year, and again in these most recent revisions. This guidance is of great importance, as federal prosecutors investigating an organization consider the effectiveness of the company's compliance program when (1) making charging decisions and exercising discretion, (2) making sentencing recommendations, and (3) deciding whether to appoint a compliance monitor or impose reporting requirements as part of a case resolution. Thus, while companies are expected to deploy compliance programs that prevent misconduct, prosecutors nevertheless give credit to an organization's compliance efforts even if the company's program failed to prevent the conduct under investigation. Beyond this important enforcement function, the ECCP provides direction to companies seeking to design and implement a program that prosecutors will judge favorably.
The ECCP directs prosecutors to ask three questions of a compliance program when analyzing it:
1. Is the corporation's compliance program well-designed?
The ECCP states that an effectively-designed compliance program must have "not only a clear message that misconduct is not tolerated, but also policies and procedures … that ensure the compliance program is well integrated into the company's operations and workforce." Such a compliance program (1) prioritizes the risks that are most serious and most likely occur given the company's business and geographic reach, adapting as risks change over time; (2) contains comprehensive and accessible written policies that are updated regularly; (3) incorporates training that has been tested to ensure that the program is being effectively communicated to company personnel; (4) employs a confidential reporting and investigation process; and (5) manages third parties.
2. Is the program being applied earnestly and in good faith?
The ECCP recognizes that a well-designed compliance program cannot be successful unless it is "implemented, reviewed, and revised, as appropriate, in an effective manner." Senior and middle management must be committed to fostering a culture of compliance. The ECCP asks whether the company's compliance personnel are not only experienced, well-funded, and well-staffed, but have sufficient stature and autonomy within a company. The company also needs to implement incentives and disciplinary measures that encourage compliance.
3. Does the corporation's compliance program work in practice?
The ECCP puts a premium on compliance programs' real-world results. To ensure those results are achieved, a company should conduct regular testing and audits of its program. Qualified personnel should investigate allegations and suspicions of misconduct. And the company should address issues identified when misconduct occurs, responding by both holding individuals accountable and makings changes to its practices.
June 2020 Updates
The key changes to the ECCP add further detail focusing on (1) the use of data; (2) the empowerment of compliance staff; and (3) recognizing the individual place of a company within its industry and geographic location. Importantly, the updated ECCP directs prosecutors to analyze how a company's compliance program has changed over time from "the time of the offense" to "the time of the charging decision" and finally at the time of the resolution. The changes seek to help prosecutors assess whether the organization has embraced compliance rather than merely going through the motions.
Use of Data
One of the ways in which the updates encourage a living, adaptable program is to focus on the use of data. The updated ECCP asks whether compliance and control personnel have sufficient funding and access to relevant data sources to "effectively audit, document, analyze, and act on the results of the compliance efforts." For example, the ECCP now directs compliance personnel to track the outcomes of its investigation and discipline to ensure consistency. While the prior version of the ECCP emphasized the importance of regular updates to a company's compliance program, the updated version makes clear that the review should not be limited to a "'snapshot' in time," but rather based upon "continuous access to operational data and information across functions." The ECCP also now asks whether the organization publishes its policy and procedure material in an easily accessible, searchable format, and whether the company tracks access to the resources to understand which policies are "attracting more attention from relevant employees." Finally, an effective compliance program must take into account "lessons learned" from misconduct by its employees and employees of other companies in the same industry or geographical region.
Empowerment of Compliance Personnel
Another area of emphasis in the updated ECCP is whether the organization has given its compliance personnel the tools to succeed. DOJ has changed the title of the second section of the ECCP from "Is the Corporation's Compliance Program Being Implemented Effectively?" to "Is the Corporation's Compliance Program Adequately Resourced and Empowered to Function Effectively?" This change recognizes that adequate funding is a necessary but not sufficient attribute of an effective compliance program. Compliance personnel must also have the training, experience, authority, autonomy, and access to the tools necessary to achieve their mission. Relatedly, the ECCP has been updated to suggest effective training methods compliance personnel can deploy, encouraging evaluation of training effectiveness and tools that allow feedback from company employees.
The updated ECCP further defines the factors a prosecutor should consider when making "particularized evaluations" of organizations' compliance programs. Those factors include, but are not limited to, "the company's size, industry, geographic footprint, regulatory landscape, and other factors both internal and external to the company's operations." This addition should remind companies that as their profiles change in terms of size, geographic footprint, etc., their compliance programs must change as well.