Top Ten Lessons for Compliance Officers from the Update to the DOJ’s Compliance Program Evaluation Guidance, Part 2


Post By: Kristy Grant-Hart, Chief Executive Officer, Spark Compliance Consulting

On June 1, 2020, the DOJ updated its guidance document to reflect, as Assistant Attorney General Brian Benczkowski said, “additions based on our own experience and important feedback from the business and compliance communities.”[iii]

This is the second of two posts outlining the lessons from the updated guidance document. For Part I of this two-part blog post, click here.

Lesson Six:  You Need a Plan for Post-Acquisition Integration of the Compliance Program

The original DOJ guidance focused extensively on the need for companies to involve the compliance function in pre-merger/acquisition due diligence.  The new guidance takes this one step further to focus on post-acquisition integration of the compliance function into the newly acquired entity.  The new guidance states that companies should have “a process for timely and orderly integration of the acquired entity into existing compliance program structures and internal controls.”  The new guidance also states that “Flawed or incomplete pre- or post-acquisition due diligence and integration can allow misconduct to continue at the target company, causing resulting harm to a business’ profitability and reputation and risking civil and criminal liability.”

WHAT TO DO NOW:  If your company is in the process of making an acquisition, or if your company has recently completed an acquisition, create and execute a plan for integrating the compliance program and associated controls at the new company.  If there is currently no plan for an acquisition, create a basic outline for post-acquisition compliance program integration, and write it out.  With the economic fallout from COVID, there will likely be a contraction in industries, and merger and acquisition activity may heat up quickly.  It is important to have a plan for when it does.

Lesson Seven:  Make Sure You Have a Continuing Education Budget

One of the brightest spots for compliance officers in the updated guidance is the addition of the question, “How does the company invest in further training and development of the compliance and other control personnel?”  Companies that don’t provide continuing education budgets and invest in the upskilling of their compliance teams will be put on the spot by prosecutors who expect this type of investment.

WHAT TO DO NOW:  If you don’t have a continuing education budget, go to your management and explain to them that the DOJ expects that compliance teams have continuing education.  Be specific in your requests.  Eventually, conferences will return, but in the meantime, try to get budget for webinars, virtual events, or online classes.

Lesson Eight:  Keep Up-to-Date on Benchmarking and Prosecutorial Actions

The new guidance puts the onus on compliance officers to know what is going on in their company, as well as in other similarly-situated companies.  Indeed, one new paragraph asks, “Does the company have a process for tracking and incorporating into its periodic risk assessment lessons learned either from the company’s own prior issues or from those of other companies operating in the same industry and/or geographical region?”  Later in the guidance is the question “Does the company review and adapt its compliance program based upon the lessons learned from its own misconduct and/or that of other companies facing similar risk?”

WHAT TO DO NOW:  Go over your investigations reports and root cause analyses for the past three years to ensure that the lessons you’ve learned have been incorporated into the compliance program – then document your review.  Ensure that you have a robust network of compliance officers in similar industries or geographical regions to reach out to.  If you don’t have such a network now, contact compliance officers in your industry and/or region via LinkedIn so that you can benchmark the risks facing your industry/geography.  Lastly, follow major actions by prosecutors in the risk areas that you manage.  You can read court opinions, deferred prosecution agreements, and prosecutorial guidance to obtain this information.  You can also get legal alerts from law firms and advice from consulting firms to help you.

Lesson Nine:  Update, Update, Update

The word “update” appears seven times in the 18 substantive pages of the guidance, with two new mentions on page three alone.  Prosecutors were already tasked with asking whether the company’s risk assessment was “current and subject to periodic review.”  Now prosecutors will follow up with the question, “Has the periodic review led to updates in policies, procedures, and controls?”

WHAT TO DO NOW: Look at the investigations and control failures you’ve had in the past three years.  Review the latest regulatory guidance, court decisions, and deferred prosecution agreements to see patterns, then update your policies, procedures, and risk assessment to reflect the lessons learned from your review.  Be sure to use version control or date stamps to show that the policies and procedures were updated.  Even if you don’t make changes, note the date the previous review was done so you have a paper trail evidencing your ongoing commitment to updating the program.

Lesson Ten:  If You Have a Multinational Program, Document Your Response to Non-US Laws

The very end of the updated guidance has a paragraph instructing prosecutors to “consider whether certain aspects of the compliance program may be impacted by foreign law.”  When a compliance department has made decisions about its program based on non-US law, “Prosecutors should ask the company the basis for the company’s conclusion about foreign law, and how the company has addressed the issue to maintain the integrity and effectiveness of its compliance program while still abiding by foreign laws.”

WHAT TO DO NOW: Look for areas of your program to which non-US law made a difference.  Did you disallow facilitation payments to comply with the UK Bribery Act?  Did you update your global privacy program to meet the requirements of the European General Data Protection Regulation (GDPR)?  Have you responded to EU sanctions with an enhanced screening program?  Wherever you have considered “foreign” law, be sure to write down where you received information about the law or counsel on its meaning, and how you made the decisions you did about the program in response to that advice.  A best practice is to tailor your program to the strictest law so that you have a consistent program across the world, and so that you meet the threshold requirements of any less-strict law to which the company is subject.

The updated DOJ guidance is helpful because the edits and additions provide a window into what prosecutors have found since the publishing of the original guidance over a year ago.  Although the changes are in some places quite subtle, those changes can mean the difference between receiving mitigating credit and multi-billion dollar fines.  The DOJ has spoken again, and it is critical that all of us in the compliance profession listen and respond accordingly.

