Under the Biden administration, the U.S. Department of Justice (DOJ) published, on March 3, 2023, an update to its guide for evaluating compliance programs. The guide assists prosecutors in this task, allowing them to identify whether a program was efficient at the time of the offense and whether it is effective at the time of a charging decision or resolution.
The current update, under the leadership of Deputy Attorney General Lisa Monaco, resulted in two major changes: (i) new guidelines on the use of personal devices, communication platforms, and messaging apps, and (ii) expanded guidelines on how compensation structures can enforce compliance, including the use of financial penalties to discourage misconduct.
In addition, it was agreed that, from now on, this document will be essential to assist prosecutors in determining an independent monitor.
First, the guide sets out the three fundamental questions that prosecutors must ask:
THE THREE FUNDAMENTAL QUESTIONS
1. Is the corporation’s compliance program well designed?
2. Is the program being applied earnestly and in good faith? In other words, is the program adequately resourced and empowered to function effectively?
3. Does the corporation’s compliance program work in practice?
Listed below are the items that prosecutors should consider for each of the three fundamental questions above.
To answer the first question adequately, the following must be evaluated:
IS THE CORPORATION’S COMPLIANCE PROGRAM WELL DESIGNED?
1. Risk Assessment (risk management process, risk-tailored resource allocation, updates and revision, and lessons learned)
2. Policies and Procedures (design, comprehensiveness, accessibility, responsibility for operational integration, gatekeepers)
3. Trainings and Communications (risk-based training, form/content/effectiveness of training, communication about misconduct, availability of guidance)
4. Confidential Reporting Structure and Investigation Process (effectiveness of the reporting mechanism, properly scoped investigations by qualified personnel, investigation response, resources and tracking of results)
5. Third Party Management (risk-based and integrated processes, appropriate controls, management of relationships, real actions and consequences)
6. Mergers and Acquisitions (due diligence process, integration in the merger and acquisition process, process connecting due diligence to implementation)
With regard to the second question, the following must be evaluated:
IS THE PROGRAM BEING APPLIED EARNESTLY AND IN GOOD FAITH? IN OTHER WORDS, IS THE PROGRAM ADEQUATELY RESOURCED AND EMPOWERED TO FUNCTION EFFECTIVELY?
1. Commitment by Senior and Middle Management (conduct at the top, shared commitment, oversight)
2. Autonomy and Resources (structure, seniority and stature, experience and qualifications, funding and resources, data resources and access, autonomy, outsourced compliance functions)
3. Compensation Structures and Consequence Management (human resources process, disciplinary measures, consistent application, financial incentive system, effectiveness)
And finally, for the third question, the following must be evaluated:
DOES THE CORPORATION’S COMPLIANCE PROGRAM WORK IN PRACTICE?
1. Continuous Improvement, Periodic Testing, and Review (internal audit, control testing, evolving updates, culture of compliance)
2. Investigation of Misconduct (properly scoped investigation by qualified personnel, response to investigations, independence and empowerment, communication channels, policy environment, risk management)
3. Analysis and Remediation of Any Underlying Misconduct (root cause analysis, prior weaknesses, payment systems, vendor management, prior indications, remediation, accountability)