DOJ updates roadmap to effective compliance programmes

considers various factors including, but not limited to, the company's size, industry, geographic footprint, regulatory landscape, and other factors, both internal and external to the company's operations, that might impact its compliance program.

While these revisions may not affect how a company builds its compliance programme, they may be useful touchpoints for effective advocacy during an investigation.

New questions, clearer direction

In posing a plethora of new questions, the DOJ offers additional building blocks to corporations seeking to refine their compliance programmes. Many of these questions are directed at emphasising the importance of data analytics and continuous evolution in the design and implementation of compliance programmes. Among the new questions are the following, grouped by subject matter:

• Risk assessments:
  • Is the period review limited to a snapshot in time or based on continuous access to operational data and information across functions? Has the periodic review led to updates in policies, procedures and controls?
  • In addition, does the company have a process for tracking and incorporating into its period risk assessment lessons learned from the company's own prior issues or from those of other companies which operate in the same industry or geographical region?
• Data and resources:
  • Do compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and testing of policies, controls and transactions? Do any impediments limit access to relevant sources of data and, if so, what is the company doing to address these?
• Policies and training:
  • Have the company's policies and procedures been published in a searchable format for easy reference? Does the company track access to various policies and procedures to gain an understanding of which policies are attracting more attention from relevant employees?
  • Whether online or in-person, is there a process by which employees can ask questions arising out of the training?
• Whistleblowing:
  • How is the company's anonymous reporting mechanism (to the extent that there is one) publicised to other third parties? Does the company take measures to test whether employees are aware of the hotline and feel comfortable using it? Does the company periodically test the effectiveness of the hotline (eg, by tracking a report from start to finish)?
• Lifecycle management of third parties:
  • Does the company engage in risk management of third parties throughout the lifespan of the relationship or primarily during the onboarding process?
• Consistency in disciplinary action:
  • Does the compliance function monitor its investigations and resulting discipline to ensure consistency?

As the DOJ acknowledges, not all questions will be relevant to all companies. Nevertheless, the updated compliance guidance reveals the DOJ's expectations for effective compliance programmes and can thus serve as a guide for companies looking to improve or create their own programmes.

Comment

These refinements are only the latest in a series of updates to the DOJ guidance and policies that have, broadly speaking, improved the clarity and transparency of the DOJ's exercise of prosecutorial discretion. For instance, in February 2017 the DOJ's Fraud Section issued its first compliance guidance document, which was then updated in April 2019 and again now. In 2018, then-Deputy Attorney General Rod Rosenstein issued a memorandum entitled "Policy on Coordination of Corporate Resolution Penalties", directing DOJ attorneys to "consider the totality of fines, penalties, and/or forfeiture imposed by all [DOJ] components as well as other law enforcement agencies and regulators in an effort to achieve an equitable result" – in other words, to help prevent undue 'piling on' by multiple enforcement authorities. Thereafter, in October 2018 Assistant Attorney General Brian A Benczkowski issued a memorandum entitled "Selection of Monitors in Criminal Division Matters", providing clarity as to the criteria to be considered when determining whether a corporate compliance monitor is warranted. In 2019 the DOJ issued a new guidance memorandum entitled "Evaluating a Business Organisation's Inability to Pay a Criminal Fine or Criminal Monetary Penalty", concerning how the DOJ's Criminal Division evaluates companies' claims that they cannot pay a proposed criminal fine or monetary penalty. Further, in 2019 the DOJ clarified certain policies governing voluntary self-disclosures in Foreign Corrupt Practices Act and export control and sanctions cases.

Beyond their clarifications, the June 2020 updates are consistent with an effort to account for the practical realities associated with investigations and enforcement actions against corporations. Just as important, they are another piece of an increasingly clear roadmap for companies looking to implement, enhance, defend or gain mitigation credit for their compliance programmes.

For further information on this topic please contact Peter S Spivack or Jennifer Brechbill at Hogan Lovells US LLP's Washington DC office by telephone (+1 202 637 5600) or email (peter.spivack@hoganlovells.com or jennifer.brechbill@hoganlovells.com). Alternatively, contact Megan Dixon at Hogan Lovells US LLP's San Francisco office by telephone (+1 415 374 2300) or email (megan.dixon@hoganlovells.com). The Hogan Lovells US LLP website can be accessed at www.hoganlovells.com.

Matthew Sullivan, counsel, assisted in the preparation of this article.