Cleary Gottlieb Discusses DOJ Updates of Guidance on Corporate Compliance Programs

On April 30, 2019, the Criminal Division of the U.S. Department of Justice (“DOJ” or “the Department”) announced updated guidance for the Criminal Division’s Evaluation of Corporate Compliance Programs (“the Guidance”) in charging and resolving criminal cases.[1] Assistant Attorney General Brian A. Benczkowski (“Benczkowski”) made the announcement at the Ethics and Compliance Initiative (ECI) 2019 Annual Impact Conference in Dallas, Texas, noting the DOJ’s effort to “better harmonize the prior Fraud Section publication with other Department guidance and legal standards.”[2]

This memorandum highlights the key updates to the Guidance and discusses the themes present across versions of the Guidance. Overall, this newest version places greater emphasis on distilling “lessons learned” from misconduct and incorporating those lessons into the compliance program using objective metrics collected from monitoring and information gathering. The Guidance also reinforces the Department’s review of third-party management and the implementation of compliance tools in the M&A context.

In his speech, Benczkowski emphasized the Department’s continued focus on the role of compliance programs in early detection and thus potential voluntary disclosure and the role that effective compliance programs play in promoting the Department’s enforcement goals against individual wrongdoers.

He also stressed that the adoption of an effective corporate compliance program is relevant at three major decision points for prosecutors: (1) deciding whether, and how, to bring a criminal case; (2) determining a company’s culpability score under the U.S. Sentencing Guidelines, which affects the fine range; and (3) determining whether an independent monitor is needed post-resolution.

The Guidance is generally consistent in themes and topics with prior guidance issued by the DOJ Criminal Division Fraud Section in 2017. However, it differs dramatically in format and detail. Whereas the prior version was framed as a series of questions Justice Department lawyers should ask regarding corporate compliance programs, the Guidance is more prescriptive, contains detailed subtopic introductions, provides suggestions as to how the Department might view particular compliance programs, and sets forth additional questions for prosecutors and compliance officers alike to consider. But, as Benczkowski made clear in his speech, “As before, the topics and questions are neither a checklist nor a formula.” There is no one-size-fits-all prescription for a compliance program. Thus, in considering how to build corporate compliance programs that are responsive to DOJ’s considerations, companies should ensure that they focus not just on the specific questions in the Guidance but also on the context in which DOJ is applying the questions.

The Guidance

The updated guidance is framed along three main questions that permeated the prior guidance but have now been made explicit:

  1. Is the Corporation’s Compliance Program well-designed?
  2. Is the program effectively implemented?
  3. Does the program actually work in practice?

I. Is the Corporation’s Compliance Program Well-Designed?

At the core of the DOJ’s assessment of whether a corporation’s compliance program is well-designed is the consideration of the comprehensiveness of the program. This includes whether the clear message that misconduct is not tolerated is reflected in the policies and procedures and in the company’s operations and work force. The Guidance has a much greater focus on risk factors in considering comprehensiveness than the prior version. It emphasizes the need to devote attention and resources to “high-risk” transactions, and recognizes that even a well-designed compliance program may fail to prevent an infraction in a low-risk area.

A. Risk Assessment

Noting that Risk Assessment is the “starting point” for the DOJ’s evaluation of whether the company has a well-designed program, the updated guidance now begins with this subtopic—whereas the prior guidance started with the underlying misconduct and asked about its root cause and the reasons why it had not been detected. Building on the prior questions regarding risk management, the Guidance now emphasizes the importance of tailoring compliance programs to the needs and risks of the company, including its market, industry and geographic “risk profile.” The Guidance not only addresses the availability of compliance resources for the identified risks but also whether they are being properly allocated: “Does the company devote a disproportionate amount of time to policing low-risk areas instead of high risk areas. . .?”[3] It notes that prosecutors may credit a “risk-based compliance program” if it “devotes appropriate attention and resources to high-risk transactions, even if it fails to prevent an infraction in a low-risk area.”[4] In addition, the Guidance reflects a DOJ expectation that risk assessments will be routinely updated, including to reflect “lessons learned.” Identifying and implementing “lessons learned” is also reflected in the additional emphasis on the process of root cause analysis in response to incidents of non-compliance (discussed below).

B. Policies and Procedures

The Guidance does not require or recommend adoption of any specific policies. It does depart from the prior guidance on policies and procedures in subtle but nonetheless important ways. The prior guidance asked whether the “company had policies and procedures that prohibited the misconduct” and whether those policies and procedures had been effectively implemented. The Guidance has a different starting place in keeping with its emphasis on risk-based compliance programs. It identifies as a threshold question whether the company has a code of conduct that sets forth the company’s commitment to full compliance with relevant Federal laws (which ought to be identified) and whether that code is applicable to all company employees and accessible to employees and relevant third parties. The Guidance contains an expanded focus on the comprehensiveness of policies, which it ties directly to the Risk Assessment. The Guidance states that a well-designed compliance program addresses and aims to reduce risks identified by the company as part of its risk assessment process and explains that the policies and procedures should “reflect and deal with the spectrum of risks [the company] faces, including changes to the legal and regulatory landscape[.]”[5] Prosecutors are thus asked to consider how policies and procedures have evolved with changes both internal and external to the company and to consider how internal controls monitor compliance with policies and procedures in an evolving risk environment.

C. Training and Communications

As with the prior guidance, the Guidance continues to emphasize the importance of training, including periodic training and certification for all directors, officers, relevant employees, and, where appropriate, agents and business partners. The Guidance provides more detail than in the past on the Justice Department’s expectations in this regard. Prosecutors are directed to “assess whether the company has relayed information in a manner tailored to the audience’s size, sophistication, or subject matter expertise.”[6] Under the Guidance, training should not be cookie-cutter. It should be adapted to the particular function and seniority of the people being trained. Questions on the form and frequency of training and who is being trained are complemented by whether there is a process for assessing employee absorption of information. The Guidance highlights the importance of assessing whether employees are internalizing training, including, critically, whether employees are being evaluated on what they have learned. Consistent with the Guidance’s emphasis on “lessons learned,” prosecutors are asked to consider whether the training adequately covers prior compliance incidents and addresses lessons learned from those incidents.

D. Confidential Reporting Structure and Investigation Process

The Guidance confirms and makes explicit the DOJ’s expectation that companies will adopt anonymous, or at least confidential, reporting mechanisms. The section opens by stating that a “hallmark of a well-designed compliance program is the existence of an efficient and trusted mechanism by which employees can anonymously or confidentially report” [7] wrongdoing. It further notes, “prosecutors should assess whether the company’s complaint-handling process includes pro-active measures to create a workplace atmosphere without fear of retaliation” and such mechanisms are “highly probative of whether a company has ‘established corporate governance mechanisms that can effectively detect and prevent misconduct.’”[8] Prosecutors are directed to determine if the company has such a mechanism in place, and if not, why not. Focusing on the reach of the confidential reporting structure, prosecutors must consider employee familiarity and knowledge of the reporting mechanism, in addition to whether they use it in practice. As in other areas, the Guidance emphasizes metrics as evidence of whether reporting mechanisms are working, e.g., improvement in employee surveys over time, increased number of reports in high-risk areas. Further, the Guidance highlights the value of monitoring and recording the results of investigations into reports in a timely fashion. It asks, “Does the company apply timing metrics to ensure responsiveness? Does the company have a process for monitoring the outcome of investigations and ensuring accountability. . . Are the reporting and investigating mechanisms sufficiently funded?”[9]

The Guidance directs prosecutors to ask whether there are processes in place to ensure that investigations are properly scoped and sufficiently independent and objective, including by asking how the company determines who should conduct an investigation and who makes that determination.

Consistent with the theme of “lessons learned” and risk-based analysis, the Guidance focuses on whether the company periodically examines the reports on investigation findings to detect patterns of misconduct or other red flags for compliance weaknesses. The Guidance reflects an expectation that once such “red flags” are identified, the compliance program will be adjusted to address them.

E. Third-Party Management

As perhaps one of the most important areas of concern for corporations in the context of the Foreign Corrupt Practices Act (“FCPA”), the Guidance’s introductory paragraph on third-party management makes clear that a well-designed compliance program is one in which the company has an understanding of the qualifications and associations of third-party partners, including the reputations of those third parties and their relationships, if any, with foreign officials. The approach the Guidance suggests is, again, risk-based. It opens by stating the expectation that “the degree of appropriate due diligence may vary based on the size and nature of the company or transaction[.]”[10] The Guidance notes that a well-designed program has two components: effective controls before a third party is engaged and appropriate monitoring controls after the relationship with the third party is established. Besides conducting due diligence, companies should ensure that contract terms with third parties specifically describe the services to be performed, that the payment terms are appropriate, and that there is a sufficient business rationale for using a third party. Effective monitoring controls will ensure that the third party is actually performing the work and that red flags are being followed up on. Monitoring includes whether the company has audit rights over third parties, whether the company trains its third-party relationship managers, and how well it can organize and leverage its information on these third parties and their relationships. Finally, monitoring third parties includes keeping track of those entities “that do not pass the company’s due diligence or that are terminated”[11] so that they are not re-hired at a later date.

F. Mergers and Acquisitions (M&A)

The Guidance states that “[a] well-designed compliance program should include comprehensive due diligence of any acquisition targets.”[12] It reflects DOJ’s concern that “[f]lawed or incomplete due diligence can allow misconduct to continue at the target company, causing resulting harm to a business’s profitability and reputation and risking civil and criminal liability.” [13] To that end, the Guidance reflects the DOJ’s expectation that a compliance function be integrated into the merger, acquisition, and integration process and that the company have a process for tracking and remediating misconduct or misconduct risks identified during due diligence and for implementing compliance policies and procedures at new entities.

II. Is the Corporation’s Compliance Program Being Implemented Effectively?

One of the DOJ’s primary goals is to separate a “paper program” from an effective corporate compliance program. The questions in this section are designed to determine whether the culture of compliance permeates throughout the company and whether ethics and compliance are embedded in employees’ values.

A. Commitment by Senior and Middle Management

Noting that “the company’s top leaders – the board of directors and executives – set the tone for the rest of the company,”[14] the Guidance encourages prosecutors to question instances where company leadership, including directors and senior and middle management, failed to clearly articulate ethical standards or de-prioritized compliance in pursuit of business goals. It thus places an emphasis on regular communications by senior management of the company’s ethical standards in clear and unambiguous terms and leading by example. Certain of the questions focus on new business or competing compliance and business objectives: “Have managers tolerated greater compliance risks in pursuit of new business or greater revenues? Have managers encouraged employees to act unethically to achieve a business objective, or impeded compliance personnel from effectively implementing their duties?”[15] This added detail acknowledges the potential tradeoff between compliance risk and business success, and specifies that directors, senior management, and middle management alike ought to project an ethical compliance culture.

B. Autonomy and Resources

Prosecutors are asked to evaluate the structure of the compliance program itself, and the reasons the company has given for choosing the structure that the company has selected. The Guidance recognizes that these choices will be informed by company size, risk profile, and corporate organization. Still, the Department will consider the seniority of compliance personnel, the sufficiency of staffing and resources and whether the compliance function is autonomous from company management – with direct reporting lines to either the Board of Directors or the Audit Committee. Prosecutors will assess where compliance is housed and whether that structural arrangement enables it to wield sufficient independence. Is there a Compliance Officer responsible for the single compliance function, or does that officer have other responsibilities? Similarly, is the compliance function just one among many duties of an executive officer within the company without a specific compliance function? As in other places in the Guidance, there is an emphasis on learning from experience. Among the questions asked are: “Has the level of experience and qualifications in these roles changed over time?”[16] and “Who reviews the performance of the compliance function and what is the review process?”[17]

C. Incentives and Disciplinary Measures

The Guidance continues the Department’s focus on incentives and disciplinary measures with an emphasis on clarity and consistency. It highlights the value of transparency in incentive and disciplinary actions: “By way of example, some companies have found that publicizing disciplinary actions internally, where appropriate, can have valuable deterrent effects. At the same time, some companies have also found that providing positive incentives. . . have driven compliance.”[18] It notes with approval that “[s]ome companies have even made compliance a significant metric for management bonuses and/or have made working on compliance a means of career advancement.”[19] Importantly, the newest version of the Guidance highlights two key insights into the administration of discipline, namely assessment of: (1) whether the same process is followed for each instance of misconduct, and whether actual reasons (rather than pretext) are communicated to employees; and (2) whether there is consistent application of discipline, and if not, the reasoning for why “similar instances of misconduct [. . .are] treated disparately[.]”[20]

III. Does the Corporation’s Compliance Program Work in Practice?

The final overarching question of the Guidance relates to the investigative process employed by the company, and the compliance program’s reach. Notably, and in keeping with the risk-based focus of the document generally, the Guidance explicitly acknowledges that “existence of misconduct does not, by itself, mean that a compliance program did not work or was ineffective at the time of the offense.”[21] The Guidance states that there are two main points in time when a corporate compliance program is assessed: (1) at the time of the misconduct and (2) at the time of resolution. Prosecutors will thus evaluate the evolution of the compliance program over time and whether the company undertook an honest root-cause analysis to understand the misconduct and the degree of remediation required. Prosecutors will consider, “whether and how the misconduct was detected, what the investigation resources were in place to investigate suspected misconduct, and the nature and thoroughness of the company’s remedial efforts.”[22]

A. Continuous Improvement, Periodic Testing, and Review

As elsewhere in the document, the Guidance underscores the need for compliance programs and policies to evolve with developing risks. Prosecutors will consider if the compliance program is evaluated alongside and adjusted to the business environment in which the program operates “to ensure that it is not stale.”[23] Management, compliance functions, and internal audit functions play a role in this process by performing gap analyses “to determine if particular areas of risk are not sufficiently addressed in policies, controls, or training[.]”[24] Regarding the internal audit function in particular, the Guidance directs prosecutors to ask about the process for determining when and how to undertake an audit, and internal auditor plans for selecting which areas of the corporation to audit.

For the first time, the Guidance explicitly devotes a subtopic heading to “Culture of Compliance,” meant to address the ways in which (and how often) the company measures respect for compliance policies and procedures: “Does the company seek input from all levels of employees to determine whether they perceive senior and middle management’s commitment to compliance? What steps has it taken in response to measurement of its compliance culture?”[25] These questions reflect the recurring theme of self-evaluation and information-gathering. Similar to the assessment of training and communication or conduct at the top, incorporation of employee feedback into the program is of consistent relevance to the Department in its assessment of corporate compliance programs.

B. Investigation of Misconduct

Included as an entirely new topic, the “Investigation of Misconduct” topic tasks prosecutors with assessing whether there is a ready and effective investigations structure for documenting actions taken when misconduct is identified. “[A] hallmark of a compliance program that is working effectively is the existence of a well-functioning and appropriately funded mechanism for the timely and thorough investigations of any allegations or suspicions of misconduct by the company, its employees, or its agents.”[26] The DOJ will evaluate company actions to scope issues, keep investigative efforts independent from management, and document and record the process throughout the course of a relevant investigation.

C. Root Cause Analysis

A final hallmark of a compliance program working effectively in practice is “the extent to which a company is able to conduct a thoughtful root cause analysis of misconduct and timely and appropriately remediate to address the root causes.”[27] The Guidance underscores accountability for control failures and for violations of corporate policies. How corporate resources were deployed matters from both a controls and a design viewpoint: “How was the misconduct funded? . . . What processes could have prevented or detected improper access to these funds? Have those processes been improved?”[28] This is especially true in light of the DOJ’s suggestion throughout the Guidance that a successful compliance program is dynamic rather than stale. Detection of misconduct is quicker when there is continuous self-evaluation and feedback provided to the program.

Takeaways from the Updated Guidance

The DOJ’s updated guidance on the Evaluation of Corporate Compliance Programs, while largely expanding on the topics released in its first iteration in February 2017, nonetheless offers valuable information on how prosecutors consider a corporate compliance program. The DOJ will make such evaluations at various critical investigatory stages – charging, sentencing and monitorships.

The additional detail provided by the Guidance offers practical insights into how prosecutors will consider compliance programs in each of these three stages and therefore reflects the issues upon which companies should focus. A few themes are recurrent throughout the Guidance:

First, prosecutors will at various points consider the extent to which a company has tailored its program to its risk profile, effectively managed its resources in doing so, and learned from the evolving regulatory and business landscape to adapt to changes relevant to the business.

Second, and relatedly, the degree to which an ethics and compliance program is dynamic, tested, and self-evaluated at regular intervals will inform the DOJ’s assessment of the program’s maturity.

Third, the DOJ expects a certain level of information gathering, measurement systems, and record-keeping in the day-to-day operational practices of the corporate compliance program.

Fourth, persons at all levels of the corporate structure must demonstrate a commitment to compliance in words and acts. This includes the board, senior management, middle management, and personnel in compliance and risk areas.

In addition to the level of continuous improvement, the capacity to monitor and leverage gathered data will assist the Department in distinguishing “paper programs” from well-designed, effective, and practically functional compliance programs.

[2] The Guidance makes explicit cross-reference to the Justice Manual, U.S. Sentencing Guidelines and DOJ memoranda released since the last version of the Evaluation of Corporate Compliance Programs Guidelines in February 2017.

[3] U.S. Dep’t of Justice, Criminal Div., Fraud Section, Evaluation of Corporate Compliance Programs Guidance Document Apr. 2019, 3 available at:

[4] Id. at 3.

[5] Id. at 4.

[6] Id.

[7] Id. at 5.

[8] Id. at 5.

[9] Id. at 6.

[10] Id. at 7.

[11] Id. at 8.

[12] Id.

[13] Id.

[14] Id. at 9.

[15] Id.

[16] Id. at 11.

[17] Id.

[18] Id. at 12.

[19] Id.

[20] Id.

[21] Id. at 13.

[22] Id.

[23] Id. at 14.

[24] Id. at 15.

[25] Id.

[26] Id.

[27] Id. at 16.

[28] Id.

This post comes to us from Cleary, Gottlieb, Steen & Hamilton LLP. It is based on the firm’s memorandum, “DOJ Updates Guidance for Evaluating Corporate Compliance Programs,” dated May 3, 2019, and available here.