Highlights of the 2020 DOJ Compliance Program Guideline Updates

New Questions; Increased Focus on Evidence of Effectiveness

The U.S. Department of Justice (DOJ) released an update to its guidance on the Evaluation of Corporate Compliance Programs (2020 Guidance), which is intended to assist prosecutors in determining whether a company’s compliance program was effective at the time of an offense and whether it is effective at the time prosecutors are making charging decisions. The DOJ notes that additions are based on agency experience and important feedback from the business and compliance communities.

Past DOJ guidance set forth a list of 119 “common questions that the Fraud Section may ask in making an individualized determination” regarding the effectiveness of corporate compliance programs. The DOJ continues to utilize a list-of-questions format and has preserved much of the 2019 guidance. The 2020 Guidance follows the same three basic inquiries as the U.S. Sentencing Guidelines and the DOJ’s Justice Manual: (1) whether a corporation’s compliance program is well designed; (2) whether the program is being applied earnestly and in good faith; and (3) whether the program works in practice.

New questions have been added that reflect a maturing and nuanced understanding of corporate compliance programs based upon the agency’s experience. The DOJ acknowledges that compliance programs must adapt to changing circumstances using data and technology and be designed and implemented based on the maturity, size, industry, geography, and other risk factors of a company. The 2020 Guidance encourages companies to not take a “cookie-cutter” or “check the box” approach in designing a compliance program, but rather to consider their specific risks and circumstances and the reasons for structural choices, resource allocation, and enhancements. It includes the following new topic areas:

• What rationale was behind the way the compliance program was structured?
• Why was the compliance program designed the way it is?
• Why and how has the compliance program evolved over time?
• How were structural choices, e.g., department, reporting, and responsibilities, made for the compliance program?
• Are periodic reviews limited to a “snapshot” in time, or is there continuous monitoring using evaluation of data?
• Are “lessons learned” incorporated through a process from periodic internal risk assessments?
• Are policies and procedures being periodically reviewed and updated?
• Is there enough data available to allow for monitoring and testing policy effectiveness?
• Have the policies and procedures been published in a searchable format for easy reference?
• Is there a means by which employees can ask questions arising out of trainings?
• What evaluations are there regarding impacts of compliance training on employees and operations?
• Are there periodic tests of hotline effectiveness, and are reports tracked from start to finish?
• How are compliance requirements disseminated in education and training programs?
• Is there risk management of third parties throughout the lifespan of the relationship, or is it limited to the onboarding process?
• Is third-party due diligence performed only at engagement outset, or throughout its life?
• Has there been well-designed, comprehensive due diligence of acquisition targets?
• Does the compliance program include a process for timely and orderly integration of the acquired entity into existing compliance program structures and internal controls?
• When pre-acquisition due diligence cannot practically be performed, is there a post-acquisition compliance due diligence review and audit on the part of an acquirer’s integration plan?

Strategic Management compliance consultants have over 40 years of experience in providing research, analysis, and program support for privacy and security rule compliance. Call us at (703) 683-9600 or contact us online for a tailored assessment of your organization’s particular needs.