Evaluation of a Corporate Compliance Program – the DOJ approach

The U.S. Department of Justice (DOJ) describes in a Justice Manual the factors prosecutors should consider in conducting an investigation of a corporation – the so-called « Filip factors« . Two of these factors relate to Corporate Compliance Programs (CCPs):

·       “The adequacy and effectiveness of the CCP at the time of the offence, as well as at the time of the charging decision ».

·       The company’s remedial efforts « to implement an adequate and effective CCP or to improve an existing one ».

The guidance for the evaluation of CCP was updated by the DOJ Criminal Division in March 2023 and follows the release of a new policy entitled « further revisions to corporate criminal enforcement policies following discussions with Corporate Crime Advisory Group » on September 15th, 2022. The guidance identifies three relevant questions to evaluate a company’s performance (see next page):

· Is the CCP well designed?

· Is the CCP adequately resourced and empowered to function effectively?

· Does the CCP work in practice?

This guidance update was the focus of remarks delivered by Lisa Monaco, Deputy Attorney General (DAG), in early March 2023. She clearly identified two priorities and areas of particular focus:

·       An approach to promote self-disclosure, in addition to extensive cooperation from companies, as well as a comprehensive review of the CCP, as illustrated by the recent DPA (deferred prosecution agreement) case with ABB Limited.

·       New approaches to compensation and the use of claw backs: a) compliance-promoting criteria are encouraged in companies’ remuneration and bonus systems, and b) the DOJ will grant fine reductions to companies seeking to claw back compensation from corporate wrongdoers. The aim is clearly to reinforce individual responsibility (« skin in the game »), in addition to corporate responsibility: the examples of Bankman-Fried (FTX) or Holmes (Theranos) were cited: « we are serious about taking individual wrongdoers to trial ».

DAG Monaco also highlighted the growing intersection between corporate crime and national security. In her view, « sanctions are the new FCPA« , citing the example of Lafarge SA and its payment to ISIS. Additional resources within the DOJ will enable the investigation and prosecution of sanctions evasion, export control violations and similar economic crimes. In addition, joint advisories will be issued with the Commerce and Treasury Departments.

In summary, there are several benefits to this updated DOJ guideline:

·       More than ever, companies need to strengthen not only their compliance resources, but also their corporate culture: good compliance programs are good for business.

·       The guideline is comprehensive and stipulates best practices. It should serve as the basis for appropriate training and awareness programs, whether or not a company operates in the USA.

· Internal auditors and external controllers can easily use the guideline as a basis for their review.

Note: this article is a free interpretation of the DOJ guidelines and in no way constitutes a legal analysis or recommendation. Please refer to the original documents available on the U.S. Department of Justice website https://www.justice.gov/criminal-fraud/page/file/937501/download

Appendix: Detailed structure of DOJ’s PCC assessment guidelines

The guidance identifies three questions relevant to evaluating a company’s performance:

– Is the PCC well designed?

o   Risk assessment: risk management processes, risk-tailored allocation of resources, updates and revisions, lessons learned.

o   Policies and procedures: design, completeness and accessibility, responsibility for operations integration and gatekeepers.

o   Training and communications: risk-based training, form, content and effectiveness of training, communications on misconduct, availability of guidance.

o   Confidential reporting structure and investigation process: effectiveness of reporting mechanism, properly scoped investigations conducted by qualified personnel.

o   Investigation response, resources and tracking of results.

o   Third-party management: integrated, risk-based process, appropriate controls

o   Relationship management, actual actions, and consequences

o   Mergers and acquisitions: due diligence process, integration into M&A process, process linking due diligence to implementation.

– Is the CCP adequately resourced and empowered to function effectively?

o   Commitment by senior and middle management: conduct at the top, shared commitment, and oversight

o   Autonomy and resources: structure, seniority and stature, experience and qualifications, funding and resources, data resources and access, autonomy, outsourced compliance function.

o   Compensation structures and consequence management: human resources processes, disciplinary measures, consistent application, financial incentive system, effectiveness.

– Does PCC work in practice?

o   Continuous improvement, periodic testing, and review: internal audit, control testing, evolving updates, culture of compliance.

o   Investigations of misconduct: properly scoped investigations by qualified personnel, response to investigations, independence, and empowerment.

o   Use of personal devices, communication platforms, messaging applications: communication channels, policy environment, risk management.

o   Analysis and remediation of any underlying misconduct: root cause analysis, previous weaknesses, payment systems, vendor management, prior indications, remediation, accountability.

Otras Notas

• The toxicity of sycophants: Internal Audit as a gatekeeper
• ECB on non-financial risks: severe conclusions from the annual analysis on outsourcing
• An Inspiring idea from Michael Diekmann, former Allianz Group CEO
• AML-CFT: 4 reasons to be optimistic about a stronger impact
• An Inspiring idea from Paul Boyle and James Turner, former Aviva and Prudential Plc CAEs