The Department of Justice issued additional clarification and revised guidance on June 1, 2020, for corporate compliance programs. The additional guidance doesn’t introduce substantive changes; however, it emphasizes the need to demonstrate program effectiveness and incorporate lessons learned. Simply having a compliance program is not sufficient.
The DOJ updated its guidance for evaluating effective compliance programs on Monday, adding new material about how often a company reviews the structure of its program, a compliance officer’s access to data, and how companies integrate acquisitions into their existing programs.
The Justice Department posted the update without fanfare Monday afternoon and made no hints beforehand that an update was in the works. This new version supersedes the prior guidance unveiled in April 2019 and is the third incarnation since the Justice Department first offered guidance about effective compliance programs in 2017.
This new version is a few pages longer than the prior version, although most of the material is identical. Only through a close reading do the changes become clear.
Updating Your Program
More new material appears in the section about how corporate compliance programs work in practice. Under the heading “Evolving Updates,” the guidance tacks a new question onto the end of the paragraph. Additions to the previous guidance appear in bold text; nothing was deleted from the old:
How often has the company updated its risk assessments and reviewed its compliance policies, procedures, and practices? Has the company undertaken a gap analysis to determine if particular areas of risk are not sufficiently addressed in its policies, controls, or training? What steps has the company taken to determine whether policies/procedures/practices make sense for particular business segments/subsidiaries? Does the company review and adapt its compliance program based upon lessons learned from its own misconduct and/or that of other companies facing similar risks?
First, that new question strikes me as something corporate compliance monitors would be likely to ask.
Second, that whole paragraph seems especially apt given the COVID-19 crisis. The virus has changed companies’ risks dramatically, so performing a fresh risk assessment should be a high priority.
After all, this guidance is likely to be in force by 2023 or so, when prosecutors are making charging decisions about misconduct that happened today. If your company went through the profound crisis of COVID-19 and economic recession without considering how those things might undermine your policies and internal controls... Well, good luck having that conversation with prosecutors in a few years.
Access to Data
A third significant addition came in the section about the compliance officer’s autonomy and resources. The Justice Department added an entire paragraph about access to data:
Data Resources and Access – Do compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions? Do any impediments exist that limit access to relevant sources of data and, if so, what is the company doing to address the impediments?
This new material shouldn’t really be a surprise. In several speeches over the last year or so, the Justice Department has talked about the importance of data analytics when looking for misconduct. Last fall, Justice Department functionary Matt Miner gave a speech about corporate enforcement where he warned "[I]f misconduct does occur, our prosecutors are going to inquire about what the company has done to analyze or track its own data resources — both at the time of the misconduct, as well as at the time we are considering a potential resolution."
The new paragraph reflects what Miner was saying. My question is more about how compliance officers can use this point — that you should have the access and technology you need to find relevant data — to advance the compliance program’s influence in your organization.
For example, say you want to configure SAP so it blocks payments to third parties that haven’t yet completed due diligence. From a technical standpoint, that’s a fairly straightforward IT exercise, and automating that blacklist can cut your risk of improper payments substantially.
But do you, the compliance officer, have the technology you need to identify all those third parties that haven’t completed due diligence? And do you then have sufficient clout within the company to get the IT, accounting, and sales teams to agree to your SAP change?
I know CCOs who don’t, even today.
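To make the SAP scenario above concrete, here is an added example (written for this post, not code from the original article, from SAP, or from the DOJ guidance) of the control in miniature: a payment is released only if the payee is in the third-party register with a current due-diligence approval, and every blocked attempt is recorded with a reason so the compliance officer has the data access the new guidance asks about. The register layout, the vendor IDs and amounts, the 365-day validity period, and the evaluation date are all constructed assumptions for the example.

```python
"""
Added example, not from the original post: a minimal model of the
payment-release control described above (block payments to third parties
whose due diligence is not complete) plus the monitoring view a compliance
officer would want over the resulting decisions.
"""
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Dict, List, Optional


class DDStatus(Enum):
    """Due-diligence state held in the third-party register (assumed schema)."""
    APPROVED = "approved"
    PENDING = "pending"
    REJECTED = "rejected"


@dataclass(frozen=True)
class ThirdParty:
    vendor_id: str
    status: DDStatus
    reviewed_on: Optional[date]  # date the last review was approved, if any


@dataclass(frozen=True)
class PaymentRequest:
    payment_id: str
    vendor_id: str
    amount: float


@dataclass(frozen=True)
class Decision:
    payment_id: str
    vendor_id: str
    released: bool
    reason: str


# Assumption for this example: an approval older than this must be refreshed
# before the vendor is paid again. The real period is a policy choice.
REVIEW_VALIDITY_DAYS = 365


def evaluate_payment(req: PaymentRequest, register: Dict[str, ThirdParty],
                     today: date) -> Decision:
    """Release a payment only when the payee's due diligence is current.

    Unknown vendors, pending or rejected reviews and stale approvals are all
    blocked, each with a distinct reason so the log is useful for follow-up.
    """
    tp = register.get(req.vendor_id)
    if tp is None:
        return Decision(req.payment_id, req.vendor_id, False,
                        "vendor not in due-diligence register")
    if tp.status is DDStatus.REJECTED:
        return Decision(req.payment_id, req.vendor_id, False,
                        "due diligence rejected")
    if tp.status is DDStatus.PENDING:
        return Decision(req.payment_id, req.vendor_id, False,
                        "due diligence pending")
    if tp.reviewed_on is None or (today - tp.reviewed_on).days > REVIEW_VALIDITY_DAYS:
        return Decision(req.payment_id, req.vendor_id, False,
                        "due-diligence approval stale; refresh required")
    return Decision(req.payment_id, req.vendor_id, True, "due diligence current")


def blocked_payments(decisions: List[Decision]) -> Dict[str, List[str]]:
    """Monitoring view for the compliance officer: blocked attempts by reason."""
    summary: Dict[str, List[str]] = {}
    for d in decisions:
        if not d.released:
            summary.setdefault(d.reason, []).append(d.payment_id)
    return summary


# Constructed sample data: a small third-party register and a batch of
# payment requests covering each outcome the control distinguishes.
SAMPLE_REGISTER = {
    "V-100": ThirdParty("V-100", DDStatus.APPROVED, date(2020, 3, 15)),
    "V-200": ThirdParty("V-200", DDStatus.PENDING, None),
    "V-300": ThirdParty("V-300", DDStatus.APPROVED, date(2018, 11, 1)),  # stale
    "V-400": ThirdParty("V-400", DDStatus.REJECTED, date(2019, 7, 2)),
}
SAMPLE_REQUESTS = [
    PaymentRequest("P-1", "V-100", 1200.0),
    PaymentRequest("P-2", "V-200", 500.0),
    PaymentRequest("P-3", "V-300", 9800.0),
    PaymentRequest("P-4", "V-999", 50.0),   # not in the register at all
    PaymentRequest("P-5", "V-400", 300.0),
]
EVALUATION_DATE = date(2020, 6, 2)  # assumed run date for the sample batch


def run_sample() -> List[Decision]:
    """Evaluate the constructed batch against the constructed register."""
    return [evaluate_payment(r, SAMPLE_REGISTER, EVALUATION_DATE)
            for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for d in run_sample():
        print(f"{d.payment_id} {d.vendor_id} released={d.released}: {d.reason}")
    print(blocked_payments(run_sample()))
```

The point of the separate `blocked_payments` view is the data-access question in the new guidance: the block itself is an IT change, but the record of what was blocked and why is what lets compliance personnel test whether the control is actually working and chase the vendors whose reviews are pending or stale.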
A line-by-line text analysis of the new guidance is available for download, if you want to see the exact changes made.
An edited version of this post was originally published on the website Radical Compliance on 6/2/20.