On Thursday, July 30, Brian Rabbitt, Acting Assistant Attorney General for the Criminal Division of the U.S. Department of Justice (DOJ), participated in a Q&A session with the Ethics and Compliance Initiative (ECI). During the event – his first public speaking engagement since his appointment earlier this month – Rabbitt discussed the recent updates to both the Evaluation of Corporate Compliance Programs and the FCPA Resource Guide.
The discussion revealed much about the DOJ’s thoughts concerning the challenges currently facing the compliance community, why they are releasing new guidance now, and how all organizations should be thinking about compliance program design, implementation, and review.
Creating accountability through transparency
One of the first questions asked concerned the DOJ’s purpose behind its latest publications. What, exactly, did the DOJ seek to accomplish with the updates to its Evaluation of Corporate Compliance (last revisited in April of 2019) and the second edition of its Resource Guide (published jointly with the SEC and last updated in November of 2012)? The answer, according to Rabbitt, could be summarized in a single word: Transparency.
"A company’s true commitment to compliance is demonstrated in how it’s tracking and monitoring its program, and in how it’s working to improve, based on past experiences."
Most companies, Rabbitt said, want to obey the law. That means that DOJ should approach its task with “a measure of humility,” acting thoughtfully about what type of conduct it reviews and the enforcement measures it pursues. To that end, the department didn’t want there to be any “secrets” about what it expects.
The latest guidance, based on the considered feedback from compliance professionals and prosecutors alike, reflects this thinking. Its aim, according to Rabbitt, is to work with compliance programs to help identify and prevent misconduct before it occurs. “We want to enlist the compliance community to help us detect and deter wrongdoing…Compliance programs can deter fraud before it begins, eliminating the need for us to get involved in the first place.”
Transparency, however, is a 2-way street. Just as the DOJ is committed to clearly communicating its evaluation criteria, organizations are expected to transparently engage with their own past compliance issues and present vulnerabilities. This can be seen in the guidance’s emphasis on “lessons learned,” which calls on companies to adapt their programs based on internal risk assessments, program audits, industry benchmarks, and prior compliance failures – documenting everything in the process. Rabbitt insists that, contrary to some concerns, this expectation of documenting mistakes and uncovering problem areas “isn’t about ‘tricking’ or ‘trapping’ companies. It’s about improvement and evolution…We want companies to avoid repeating the mistakes of the past, or those of other companies.”
Moreover, the increased transparency offered by the DOJ means companies that fail to adhere to the guidance will be held accountable. According to Rabbitt, investigators pursuing compliance failures will critically examine whether programs followed the best practices outlined in the guidance – and prosecute accordingly. As he put it, “If a company didn’t do that, and they wind up across the table from us, we’ll want to know why.”
The importance of program design, implementation and review
If there was one overriding theme present throughout the Q&A session, it was the need for compliance programs to continually evolve and improve in response to real-world measures of performance. As Rabbitt aptly put it, “Risk isn’t static, which means compliance programs can’t be, either.”
Key to this dynamism is the long-established trifecta of good program design, implementation, and review. “The importance of a strong, effective, well-implemented, and adequately resourced program can’t be overstated,” Rabbitt said. “And a well-implemented compliance program is always seeking to improve based on reactive and prospective information.”
The first of these elements, design, is a major focus of the new updates. The latest version of the guidance now includes new language calling on prosecutors to “endeavor to understand why the company has chosen to set up the compliance program the way that it has, and why and how the company’s compliance program has evolved over time.” Special attention is paid to the design of third-party risk management controls. Per the update, investigators are instructed to assess “whether the company knows the business rationale for needing the third party in the transaction” and if “the company engage[s] in risk management of third parties throughout the lifespan of the relationship, or primarily during the onboarding process?”
Arguably the biggest changes to the guidance have to do with implementation. Up front, the key question “is the program being implemented effectively?” has been updated to “is the program adequately resourced and empowered to function effectively?” This emphasis on resources and empowerment occurs throughout the document, especially with respect to data access. Changes include new questions about whether compliance programs have “continuous access to operational data” and if compliance has “sufficient direct or indirect access” to relevant data sources.
Ultimately, say DOJ officials, these changes should result in actionable data that organizations use to unceasingly inform, refine and improve their compliance function. Have periodic reviews led to updates in policies, procedures, and controls? How does the company review and adapt its compliance program based upon lessons learned from its own misconduct or that of other companies facing similar risks? In short, what has the compliance function done to measure the effects of its policies, and how has it used that information to grow?
Show, don’t tell
Of course, every company is different, and the responses to the questions outlined above will be unique to each organization. Regulators have recognized this, stating that individual determinations will be made in every case based on factors including company size, industry, geographic footprint, regulatory landscape, etc.
This makes it all the more important that every company undertake the hard work of answering these questions for themselves. As Rabbitt stated, if companies find themselves within the crosshairs of the DOJ – or other regulatory bodies – the best thing they can do is demonstrate what they have learned and how they have applied it over time. “It’s about showing, not telling,” he said. “You could have the best program on paper, but the devil is in the details.”
Ultimately, Rabbitt affirmed the central question that underpins the guidance, as well as regulators’ approach: “Is the program being applied earnestly and in good faith?” As Rabbitt put it, “A company’s true commitment to compliance is demonstrated in how it’s tracking and monitoring its program, and in how it’s working to improve, based on past experiences.” Ultimately, organizations that work to demonstrate this commitment will not only have a better chance of satisfying regulators in the event of a compliance failure – they will be less likely to suffer such failures in the first place.