In the span of the last 18 months, the topic of corporate compliance programs has gotten considerable attention from the Department of Justice  (“DOJ”) and now finally, DOJ has published significant details about how it is likely to measure the sufficiency of any company’s compliance program.

First, some background.  In September 2015, the Yates memo was published, see DOJ Sets Its Sights on Officers and Directors for more details. In short, then Deputy Attorney General Yates reminded the DOJ offices nationwide, if a corporation has violated the law,  its level of cooperation will be measured, in large part, by whether it provides “all” the relevant details, which means did the company identify the individuals whose actions or inactions resulted in the violations under consideration, and provide supporting documentation to show what happened and how those individuals were involved. If the company did not do so, it does not get full credit under the Sentencing Guidelines.

The Sentencing Guidelines are issued by the U.S. Sentencing Commission and provide judges with the guidelines to apply when sentencing for each conviction. They were first issued in 1987 and have been updated just about yearly since then. Section 8B2.1 of the 2016 Sentencing Guidelines defines as “effective compliance and ethics program” as one that will: “(1)  exercise due diligence to prevent and detect criminal conduct; and (2) otherwise promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law”, and goes on to state: “[s]uch compliance and ethics program shall be reasonably designed, implemented, and enforced so that the program is generally effective in preventing and detecting criminal conduct. The failure to prevent or detect the instant offense does not necessarily mean that the program is not generally effective in preventing and detecting criminal conduct.”

The Yates memo was followed in April 2016  by the Weissman letter.  Andrew Weismann as   Chief of the Fraud Section, Criminal Division, U.S. Department of Justice, issued a letter providing more details about what constitutes a robust compliance program. We addressed this topic here – The Art of Self-Defense. As we said then, the goal of a robust compliance program is to: “ensure the  adequacy of internal enforcement of that program … underscoring the compliant nature of the company and mitigating the consequences of any misdeeds which may occur, in the face of enforcement action by any of the federal agencies with jurisdiction over your company”.

Mr. Weissman’s defined the components as:

  1. A well-defined/well-documented compliance program;
  2. Adequate training of affected employees and related internal and external stakeholders about your compliance program;
  3. Proper internal enforcement, including discipline/consequences, for those that violate its provisions; and
  4. Timely disclosure of violations to the appropriate authoritative body.

DOJ also acknowledged the size and resources of a company are a factor, but key points are a culture of compliance, sufficient resources dedicated to compliance,  the quality and experience of the compliance personnel and their independence, that the compliance program performs an effective risk assessment, that it is tailored accordingly, how compliance personnel are compensated and promoted, adequate auditing, and an appropriate reporting structure for compliance personnel within the company.

The next occasion when compliance was addressed occurred in October 2016 when DOJ’s National Security Division published: Guidance Regarding Voluntary Self-Disclosures, Cooperation, and Remediation in Export Control and Sanctions Investigations Involving Business Organizations.  This notice confirmed the principals being applied to evaluate the effectiveness of compliance programs in the Foreign Corrupt Practices Act context also applied to export violations and further made clear that full disclosure meant exactly that: what happened and who caused it?  When it comes to export violations, DOJ gives a priority to those involving willful export control and sanctions violations. Perhaps the only portion of the notice which was not previously so clearly articulated was the list of aggravating factors:

 Exports of items controlled for nuclear nonproliferation or missile technology reasons to a proliferator country;

 Exports of items known to be used in the construction of weapons of mass destruction;

 Exports to a terrorist organization;

 Exports of military items to a hostile foreign power;

 Repeated violations, including similar administrative or criminal violations in the past;

 Knowing involvement of upper management in the criminal conduct; and

 Significant profits from the criminal conduct, including disproportionate profits or

margins, whether intended or realized, compared to lawfully exported products and services.

The Guidance also included some hypotheticals to illustrate how its provisions should be applied.  The Guidance in its entirety can be found at: DOJ Export Violation Guidance.

Now, finally, on February 8, 2017, DOJ issued its Evaluation of Corporate Compliance Programs.  This document was quietly posted to DOJ’s website, on the Strategy, Policy and Training, Compliance Initiative page without any public comment.  Given the Attorney General was sworn in the next day, it is always possible its contents will be revised in the new administration. Even if the evaluation were to be unpublished or otherwise overruled by Mr. Sessions, the criteria it contains provide reasonable guidance for all companies when measuring their compliance efforts.

Due to its detailed nature, we are providing a link to the full document which can be found here: Compliance Program Evaluation. The document lists a number of questions under topics which DOJ will ask about when evaluating any compliance program, and the list is neither the only questions which might be asked nor does each factor apply in all circumstances.  The questions address these topics: Analysis and Remediation of Underlying Misconduct; Senior and Middle Management; Autonomy and Resources; Policies and Procedures; Operational Integration; Risk Assessment; Training and Communications; Confidential Reporting and Investigation; Incentives and Disciplinary Measure; Continuous Improvement, Periodic Testing and Review; Third Party Management; and Mergers and Acquisitions.

Companies are advised to carefully review this latest publication from DOJ in order to make sure they meet the highest standards when it comes to compliance programs.  Given this DOJ publication, it is likely the standards it articulates are those which will be relied upon not only by DOJ, but also civil enforcement action taken by any agency, and also any lawyers prosecuting and defending civil lawsuits. Does your compliance program measure up?