3 June 2020

DOJ updates guidance on evaluation of corporate compliance programs: three takeaways

Earlier this week, the Department of Justice updated its guidance on how prosecutors are to evaluate corporate compliance programs.  Presented as a series of questions, the DOJ Evaluation of Corporate Compliance Programs (the Guidance), first published in 2017 and last updated by DOJ in 2019, provides valuable insight to both in-house and outside counsel as to how federal prosecutors will assess a compliance program in the context of a DOJ investigation.  The strength of a company’s compliance program is one of the key factors a prosecutor must consider when deciding how to proceed with a criminal case against a company.

The recent update largely preserves the substance of the previous iterations but reflects a refinement of the DOJ’s perspective on what constitutes an effective compliance program.  Companies would be wise to consider DOJ’s perspective on compliance programs when implementing their own programs, since this provides a roadmap for how DOJ will approach issues of compliance in the event of an inquiry.  Below is a summary of three key takeaways to keep in mind when updating your compliance policies for 2020.

1. There is no one-size-fits-all compliance program. Previous incarnations of the Guidance directed prosecutors to assess the efficacy of a company’s compliance program by answering three direct questions:

(1) Is it well-designed?

(2) Is it implemented effectively? and

(3) Does it actually work in practice? 

The new Guidance has revised question #2.  Instead of focusing solely on the conclusion (whether the program is implemented effectively), the updated Guidance puts heightened value on the process: whether the program is “adequately resourced and empowered to function effectively.” The Guidance also directs prosecutors to ask “why the company has chosen to set up the compliance program the way it has” and “what are the reasons for the structural choices the company has made.”  Directing prosecutors to expand their inquiry to consider why a company might want a bespoke compliance program rather than an out-of-the-box model gives companies more flexibility in developing a compliance function that is appropriately tailored to their business.  This is further reflected in the newly-added introductory language, which commits prosecutors to making a “reasonable, individualized determination in each case that considers various factors including, but not limited to, the company’s size, industry, geographic footprint, regulatory landscape, and other factors, both internal and external to the company’s operations, that might impact its compliance program.” Guidance at pg. 1 (newly-added text emphasized).

2. Compliance programs cannot lie stagnant. The most dominant theme throughout the latest update is that compliance programs must be dynamic and evolving.  In particular, the DOJ has made clear that prosecutors will look unfavorably on a company that lets its compliance policies, procedures, and controls gather dust.  In assessing the three “fundamental questions,” the Guidance now states that the DOJ has frequently found it relevant to evaluate the compliance program “both at the time of the offense and at the time of the charging decision and resolution.”  In this vein, the DOJ places the onus on each company to continually monitor, track, and test the various components of its compliance program.  For instance, the Guidance queries not only whether companies conduct periodic reviews of their compliance programs but whether those reviews are “limited to a ‘snapshot’ in time or based on continuous access to operational data and information across functions.”  Similarly, it is not sufficient on its own that a company create a whistleblower hotline, as the prosecutor is directed to further inquire whether the company “periodically test[s] the effectiveness of the hotline” and has taken “measures to test whether employees are aware of the hotline and feel comfortable using it.”  Companies are then expected to internalize the results of this ongoing review and update their policies accordingly.

In particular, prosecutors will be looking for whether the company has “a process for tracking and incorporating” lessons learned not only from its own issues or past conduct but also from “other companies operating in the same industry and/or geographical region.”  The expectation that companies continuously review and improve their compliance function also extends to third-party relationships, as companies are expected to engage in risk management not only during the onboarding process but also “throughout the lifespan of the relationship.”

3. Data is king.  This next point comes as no surprise to practitioners in this field:  in the modern age, it is impossible to pressure test the effectiveness of a compliance program or conduct an investigation without access to the relevant data.  DOJ has thus added an entirely new subsection entitled, “Data Resources and Access,” which asks whether “personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls and transactions?”  and “do any impediments exist that limit access to relevant sources of data and, if so what is the company doing to address the impediments?”  Although the focus on data is limited to this one new subsection, impeded access to data will certainly cripple a company’s ability to fulfil the other hallmarks of an effective compliance program.

In sum, while these changes are not a departure from prior DOJ Guidance, they contain important elements that companies should consider when evaluating their internal compliance program, and provide valuable insights into the factors upon which DOJ prosecutors are likely to focus.  In particular, companies should consider the following issues in light of the recent Guidance:

  • A company’s compliance program should be tailored and appropriate given its size and the nature of its business.
  • A company should document and be prepared to justify why it implemented its compliance program as it did.
  • A compliance program should include controls and processes that allow a company to measure its effectiveness and account for evolving issues or concerns. It is also important to benchmark against industry and varying geographic standards.
  • Companies should develop and implement information systems that facilitate a dynamic compliance program.

*             *             *

Learn more about the implications of the Guidance by contacting any of the authors.
