In April 2019, the Criminal Division of the Department of Justice (DOJ) issued new guidance on how it will evaluate corporate-compliance programs when deciding charges and negotiating settlements. The new guidance supplanted the Fraud Section’s 2017 guidance of the same name and now applies to the entire Criminal Division, as opposed to just the Fraud Section. It is the department’s most detailed guidance on the evaluation of corporate-compliance programs to date. As such, companies developing compliance programs or preparing “Filip Factors” presentations should consider the new guidance a vital resource.
Notably, the guidance does not recommend that companies adopt a specific set of policies or procedures. Rather, it instructs prosecutors to assess whether a company has “incorporate[d] the culture of compliance into its day-to-day operations.” And compared to the 2017 guidance, this new guidance places significantly more weight on company ethics and the “tone set at the top” in determining whether a compliance program is comprehensive and effective. For example, the new guidance states: “As a threshold matter, prosecutors should examine whether the company has a code of conduct that sets forth, among other things, the company’s commitment to full compliance with relevant federal laws that is accessible and applicable to all company employees.”
The new guidance’s focus on company culture has not come out of left field. In the past few years, the department has repeatedly expressed in various speeches and written statements that “compliance is a culture, not just a policy.” Hui Chen, the department’s first-ever compliance-counsel expert, who is largely credited with developing the department’s current views on compliance, said in a 2015 presentation that companies should ask themselves, “Does [our] firm have a culture where people feel secure to be raising complaints?” and “Do [we] have an open door type of policy?” when evaluating compliance.
While the DOJ has signaled that company culture will be a key factor in deciding whether a compliance program is effective going forward, compliance professionals may be wondering how to meet the department’s high standards, especially because “company culture” is an amorphous concept that can take on different meanings across industries. Thankfully, the new guidance provides the following practical recommendations for instilling a culture of compliance:
- Start at the top. The guidance stresses that effective implementation of compliance programs requires that the company’s top leaders set the tone for the rest of the company. Tone can be established by both management’s articulation of the compliance standards and its enforcement of those standards. The key is to show that company leaders have taken “concrete actions” to “demonstrate leadership in the company’s compliance and remediation efforts,” which includes modeling proper behavior. Chen advised in a separate statement that companies should be prepared to show more than just the number of formal statements that management has issued on compliance. Rather, companies should be able to demonstrate how leadership commitments were perceived and understood by all employees.
- Commit at all management levels. While the 2017 guidance touched on the role of senior management in creating effective compliance programs, the updated guidance expands the framework to include all “senior leaders and middle-management stakeholders.” Accordingly, the guidance recommends companies consider the tone that 1) the board of directors, 2) executives, 3) business and operational managers, 4) financial personnel, 5) procurement staff, 6) the legal department, and even 7) human resources set for the rest of the company.
- Demonstrate that commitment. The guidance makes clear that management’s words regarding effective compliance alone are not enough. Instead, management is expected to lead by example, especially in the face of competing business interests. When examining programs, prosecutors will specifically assess whether managers have tolerated “greater compliance risks in pursuit of new business or greater revenues,” “encouraged employees to act unethically to achieve a business objective,” or “impeded compliance personnel from effectively implementing their duties.”
- Solicit feedback. Finally, the department will evaluate how frequently and comprehensively the company assesses its own compliance culture. It is important to seek feedback from all levels of employees and respond to any concerns. The guidance also suggests that management consult compliance experts when creating or enforcing compliance policies. Prosecutors will examine whether the “board of directors and/or external auditors held executive or private sessions with the compliance and control functions” and “what types of information have the board of directors and senior management examined in their exercise of oversight in the area in which [past] misconduct occurred.”
The DOJ has made clear that it will no longer accept a “checklist” approach to compliance. Instead, the department expects companies to build a corporate-compliance program that is robust and demonstrates a deep commitment to compliance. Therefore, compliance officers and corporate counsel should consider how best to implement the recommendations listed above to ensure that the company’s compliance program is not perceived as just a paper program.