The general framework of the 2017 evaluation document originates from various previously-issued U.S. enforcement policies, which seek to encourage companies to establish and maintain internal compliance programmes. The discussion of compliance programmes dates back to at least 1991, when the U.S. Organizational Sentencing Guidelines were adopted by the Sentencing Commission. According to those sentencing guidelines, in determining criminal sentences, U.S. judges should take into account a company’s compliance programme as a mitigating factor. The sentencing guidelines include a high-level description of the major components of compliance programmes. These guidelines were later followed by the United States Attorney’s Manual (USAM), which instructed prosecutors to consider compliance programmes when deciding whether to investigate, charge or otherwise resolve fraud cases involving companies. In its evaluation, the USAM specifically emphasised the vital importance of the programme’s effectiveness. Further guidance followed in various DOJ speeches and publications, such as the highly-publicised Resource Guide to the U.S. Foreign Corrupt Practices Act.
The 2017 evaluation document addresses eleven dimensions of corporate compliance programmes; for each of these eleven areas, the document specifies questions typically considered by the DOJ when evaluating the existence and effectiveness of corporate compliance programmes in the context of criminal investigations. Similarly to previously published DOJ policies and memos, the 2017 evaluation document recognises that companies differ from one another, and so do their compliance programmes. Hence, the document clarifies that the set of questions referred to may require some adjustments in evaluating concrete compliance policies.
The Guidance focuses on the following eleven topics:
- Analysis and remediation of underlying misconduct – focusing on determining the cause of the misconduct, and identifying whether earlier signals of the possible misconduct existed.
- Senior and middle management – evaluating the actions taken by the corporate management in demonstrating their commitment to compliance.
- Autonomy and resources – assessing the level of independence, experience and budget made available for the company’s compliance function.
- Policies and procedures – focusing on adopting an effective compliance policy and integrating it into a well-functioning operational framework.
- Risk assessment – evaluating the company’s risk management process and procedures for identifying company-specific risks.
- Training and communication – assessing the effectiveness of employee training programmes and communication related to misconduct between the management and employees.
- Confidential reporting and investigation – evaluating the available mechanisms for reporting potential misconduct and the company’s response and investigative procedures.
- Incentives and disciplinary measures – focusing on the use of incentives for employees regarding compliance and the disciplinary actions a company may take to address compliance failures.
- Continuous improvement, periodic testing, and review – assessing the type and frequency of internal audits to ensure that compliance programmes are effective.
- Third-party management – evaluating the effectiveness of third-party due diligence and assessing whether managers are properly trained on third-party compliance risks.
- Mergers and acquisitions – dealing with policies and procedures related to due diligence in order to identify compliance risks in merger and acquisition transactions.
Compliance programmes provide companies with various benefits. First and foremost, they may reduce unlawful conduct and could help avoid reputational and financial damage. A well-designed compliance system can also be beneficial in cultivating the right culture of compliance and promoting ethical conduct by a company’s employees. In addition, meeting regulatory and enforcement authorities’ expectations with respect to the design and implementation of compliance programmes can prove highly useful for companies in mitigating their liability and reputational exposure.
In an effort to encourage companies to implement effective compliance programmes, regulatory and enforcement authorities consider corporate compliance programmes when determining enforcement actions; a rigorous and up-to-date compliance programme may lead enforcement authorities to abandon enforcement actions against the company altogether (see, for instance, Morgan Stanley). Similarly, such programmes may be taken into consideration when prosecutors decide whether to enter into an NPA or DPA, and when determining the terms and conditions of a settlement, including when deciding whether to require the appointment of a corporate monitor as part of the settlement.
On various occasions, the DOJ has clarified that, to be seriously considered as a factor in the determination of enforcement actions, corporate compliance policies must be effective; that is, they must be well-designed and genuinely implemented in order to properly address the company’s unique risk profile. The DOJ’s 2017 evaluation document provides yet another reminder of the multifaceted dimensions of compliance programmes. Together with existing tools, such as ISO 37001, the evaluation document not only provides companies with a benchmark for the evaluation of their compliance programmes, but also emphasises the importance of keeping relevant compliance records and making a company’s efforts to ensure compliance demonstrable to enforcement authorities in case of investigation (for more information on ISO 37001, see also In context, November 2016).