On 30 April 2019, the U.S. Department of Justice (“DOJ”) published an updated guide entitled “Evaluation of Corporate Compliance Programs”. This guide is intended to help white collar prosecutors who are involved in criminal investigations against companies uniformly evaluate the compliance programmes of those companies on an informed basis. Therefore, it is also an important reference guide for international white collar and compliance practice.
Legal Situation
When US authorities investigate a company due to possible compliance violations, the effectiveness of the company’s compliance programme plays a significant role, in particular with regard to how the proceedings are concluded and how the company is sentenced. An important factor in this connection is whether an adequate and efficient compliance programme was in place at the time of the violation, as well as whether such a programme is in place at the time the sanction is imposed or the authorities refrain from imposing sanctions (cf. Principles of Federal Prosecution of Business Organizations, Justice Manual).
Moreover, in US law the remediation and improvement of a company’s compliance programme following a detected violation is a significant criterion for assessing whether a compliance monitor should be employed (cf. Benczkowski memo).
The legal situation in the USA is similar to the legal situation in Germany where these points are concerned. Although there are no compliance monitors in Germany (yet?), according to the case law of the German Federal Court of Justice, compliance measures must be taken into account – also under German law – when calculating a fine pursuant to section 30 Administrative Offences Act. The Federal Court of Justice considers the efficiency of the compliance management system at the time of the violation as well as the company’s efforts to optimise the existing system after a violation has been found (cf. FCJ 1 StR 265/16, see our report in this newsletter on 21 September 2017).
However, for the time being it remains unclear under German law which specific requirements a compliance management system must meet – notwithstanding isolated deficiencies – for it to be regarded as efficient and for a reduction of the fine to be justified. Unlike in US legal practice, for example, it is not customary in Germany for authorities to issue statements on the criteria to be applied.
Thus, the German compliance practice relies on, among other things, internationally recognised criteria and standards. These also include, in particular, the guidelines of the US authorities.
Principles for the evaluation of compliance programmes
In publishing the updated guide on 30 April 2019, the DOJ has explicitly not provided a checklist or rigid formula for assessing the effectiveness of a corporate compliance programme. Instead, it has provided principles and “fundamental questions” on which the evaluation of a company’s compliance programme should be based.
It is the DOJ’s view that rigid formulas and checklists are not suitable for this purpose. It contends that a company’s compliance programme must be evaluated in the specific context of the company’s business, including its sector and size, its geographical presence as well as the context of the investigation in question. The guide therefore also states that the authority must always make individualised determinations when examining compliance programmes. According to the DOJ, there are, however, common questions that can be asked in the course of each individualised determination.
According to the guide, compliance programmes are evaluated on the basis of three fundamental questions. The different elements of what the DOJ considers to be an effective compliance programme are categorised under these three questions. For each of these elements, the guide contains several control questions which are to be asked when evaluating a corporate compliance programme.
- “Is the corporation’s compliance program well designed?”
Here, the DOJ places special emphasis on the reliability of the company’s own risk assessment. For example, prosecutors may credit the quality and effectiveness of a risk-based compliance program that devotes appropriate attention and resources to high-risk transactions, even if it fails to prevent an infraction in a low-risk area.
Moreover, the policies and procedures, training and communication, (anonymous) whistleblower system and investigation process as well as the third-party due diligence process must be closely examined. In addition, the DOJ regards a “pre-M&A” compliance due diligence process for assessing compliance risks in connection with acquisitions as an important component of an effective compliance programme.
- “Is the program being applied earnestly and in good faith? In other words, is the program being implemented effectively?”
In particular, the DOJ wants to distinguish between compliance programmes that have been efficiently and adequately implemented, on the one hand, and mere “paper programmes”, on the other. What is important here is the “tone from the top” and the involvement of the management in the work of the company’s compliance department. Moreover, the staffing and funding of the compliance department as well as its autonomy within the company must be examined. It is also necessary to evaluate whether the employees have proper incentives for compliance and disincentives for non-compliance.
- “Does the corporation’s compliance program work in practice?”
The DOJ recognises that the existence of misconduct does not necessarily mean that the implemented compliance programme does not work. No compliance programme can prevent all violations within a company. Therefore, it is generally difficult to evaluate whether a compliance programme works in practice. According to the DOJ, an important factor in this connection is whether the compliance programme has evolved over time to address existing and changing compliance risks and whether it has been regularly examined. One must also consider whether the company, following violations, has responded with adequately designed internal investigations and whether it has identified and put an end to the causes of the violations (root cause analysis).
Conclusion
The DOJ’s guide will be an additional important resource for assessing compliance programmes within companies, and not only for companies within the jurisdiction of the US authorities. It will aid a compliance officer in asking the right questions when evaluating his or her programme. On the other hand, it cannot serve as a substitute for a review and assessment in individual cases, which the guide itself also expressly notes. The practical challenge still lies in evaluating the compliance programme against the background of the company’s specific risk profile.