New DOJ Evaluation of Corporate Compliance Program Guidelines
In the latest in a series of Department of Justice (DOJ) moves to clarify its expectations for compliance programs and its approach to penalizing companies, the DOJ recently issued new internal guidelines to assist prosecutors. The guidelines address the evaluation of corporate compliance program effectiveness in organizations that have violated federal fraud laws. These guidelines are a key consideration in determining the penalties imposed against those organizations. The new guidelines expand upon the previous guidance for determining whether a company has demonstrated a commitment to compliance and is deserving of credit when entering into a corporate settlement. The guidance also provides prosecutors with greater detail on what to look for in compliance programs, including evidence of top-down support for the program, compliance education and training, confidential channels for employees to report misconduct, policies and procedures, and a code of conduct that provides written guidance on actions required to reduce fraud risks. Additionally, along with the new guidelines, the DOJ is providing compliance program evaluation training for their prosecutors.
The DOJ has taken these guidelines seriously. It has given consideration to subject organizations that have evidenced an effective compliance program, and in some cases, has also waived prosecutions. The guidelines have also affected DOJ decisions regarding the assignment of DOJ compliance monitors.
Key points in the new compliance program guidelines include the following:
- Organizations must have proper staff and budget resources to carry out all necessary requirements for an effective program, which includes auditing risk areas, analyzing results, and acting upon findings;
- Compliance officers must report directly to the Chief Executive Officer and have the authority to independently access the board of directors or the board’s audit committee;
- The compliance department must be integrated and proactively work with other functions, especially internal audit, procurement, and third-party vendor management, to implement the compliance program throughout the organization;
- Organizations should adopt a risk-based approach to avoid devoting a disproportionate amount of time to policing low-risk areas instead of high-risk areas;
- Ongoing monitoring should occur to evidence whether the program is effective, including reviewing metrics such as policies and procedures, investigations, third-party relationships, risk management/risk assessments, and education and training, among other things;
- Organizations must ensure that “gatekeepers” who carry out compliance obligations receive compliance training on how to respond to high-risk activity, beyond the general workforce training;
- Organizations should adopt stringent third-party controls, continuously monitor those third parties, and obtain updated due diligence, training, audits, and/or annual compliance certifications from them;
- The compliance officer should communicate the organization’s policies and procedures to third parties. They must also ensure that third parties have integrated the organization’s policies and procedures through periodic training and certification for agents and business partners;
- Organizations must implement a robust whistleblowing process that creates an atmosphere without fear of retaliation, appropriate processes for complaint submissions, and a process to protect whistleblowers. The whistleblower policies must be publicized to the organization’s workforce, and the compliance department should have full access to reporting and investigative information. The organization should review whether and how the system is used and the types of allegations received; and
- Organizations should also conduct professionally and expertly designed compliance program effectiveness evaluations to determine whether risk areas are sufficiently addressed in the organization’s policies, controls, or training.
For more information on this issue, please contact Richard Kusserow at [email protected].