On Monday, 1 June 2020, the U.S. Department of Justice (“DoJ”), published an updated version of their guidance on Evaluating Corporate Compliance Programs (the “DoJ Guidance”) which reflects the DoJ’s “experience and important feedback from the business and compliance communities.” The DoJ Guidance can be accessed here.
The amendments, although not many in number, are significant in terms of the clarification they provide to companies in relation to the key aspects which will be taken into consideration by prosecutors when evaluating a company’s compliance programme.
It is clear from the DoJ Guidance that companies need to ensure that their compliance programme is not ‘static’, but rather in constant evolution and routinely adjusted to adequately address the risks faced by the company at different points in time.
The DoJ Guidance does recognise, however, that there is no ‘one size fits all’ when evaluating compliance programmes and that reasonable and individualised determinations will be made in each case, taking into consideration “various factors including, but not limited to, the company’s size, industry, geographic footprint, regulatory landscape, and other factors, both internal and external to the company’s operations, that might impact its compliance program.”
The changes, therefore, are aimed at ensuring that compliance programmes are effective in practice, and not a mere “box ticking exercise”, and focus on the effectiveness of training, communication, third-party risk assessment, and monitoring and review.
A similar approach was adopted by the UK Serious Fraud Office (“SFO”). The SFO’s guidance on Evaluating Compliance Programmes (the “SFO Guidance”), published in January 2020, provides that “…compliance arrangements vary in scope, depending on the size of the organisation and the nature of the business…”, and that a “…key feature of any compliance programme is that it needs to be effective and not simply a ‘paper exercise…” [Read our article on the SFO’s Guidance here, and the guidance itself here.]
Companies are encouraged to use, therefore, both the DoJ and the SFO Guidance when designing, implementing, and updating their compliance programmes. In particular, companies should take into account not only their own prior experience and internal feedback, but also the issues faced by, and misconduct committed by, other companies operating in the same sector or jurisdictions.