On June 1, 2020, the United States Department of Justice (DOJ) brought forward revisions to its guidance for the “Evaluation of Corporate Compliance Programs” (ECCP). The guidance, first issued in February 2017 and updated last April (2019 Guidance), outlines the factors that federal prosecutors will weigh in on when assessing the effectiveness of a company’s compliance program.
The 2020 Guidance still relies on the “three fundamental questions” used in prior versions to inform the substance of the effectiveness inquiry: (1) “Is the corporation’s compliance program well designed?” (2) “Is the program being applied earnestly and in good faith? In other words, is the program adequately resourced and empowered to function effectively?” (3) “Does the corporation’s compliance program work” in practice?
There was, however, one small but significant change made to the second question by including the words “adequately resourced and empowered to function effectively.” This update in language is thought to have sparked the introduction of several new questions that prosecutors are now being asked to consider. Provided below is a snapshot of exactly what questions were added:
Risk Assessments. There is one multi-part question about periodic reviews that focuses on a company’s process for tracking and incorporating “lessons learned” from its own issues or from other companies into its risk assessment process.
Policies and Procedures. There are two new questions related to access to policies and procedures. One question focuses on the ability to search these standards. The other question asks if access to them can be tracked to know which ones are getting more attention.
Training and Communications. There are two new questions added to assess the interactive nature (whether there are opportunities to ask questions) and the impact of training (whether a company can measure if training affects employee behavior or operations).
Confidential Reporting Structure and Investigation Process. There are two new questions on employee hotlines. One question asks if a company can confirm employee awareness of the hotline and their comfort in using it. The other question is whether the company is periodically testing the effectiveness of this tool (i.e. by using a tracking report).
Third-Party Management. There is one new question centered on whether the risk assessment of third parties is done throughout the lifespan of the relationship, or just during the onboarding process.
Mergers and Acquisitions. There is one new question to confirm whether due diligence was done during the pre-acquisition stage, and, if not, determine the basis for not being able to do so.
Autonomy and Resources. There are a few new questions here, including a whole new section on data and resources. One question considers whether a company invests in the training and development of compliance and other control personnel. In the “structure” section, there is now a direct query on the reasoning behind the company’s structural choices involving compliance reporting lines. There are also two questions covering the ability and limitation of compliance and control personnel to access data needed to carry out monitoring and testing responsibilities.
Incentives and Disciplinary Measures. Another new question is used to determine if compliance monitors investigations and resulting discipline for consistency.
To read the complete guidance, click here.