Editor’s Note: The Criminal Division earlier this month announced the release of a guidance document for white-collar prosecutors on the evaluation of corporate compliance programs. The document, entitled “The Evaluation of Corporate Compliance Programs,” updates a prior version issued by the Division’s Fraud Section in April 2019. The guidance document sets forth topics that the Criminal Division has frequently found relevant in evaluating corporate compliance programs and it may be beneficial for legal, business, and information technology professionals in the eDiscovery ecosystem as they consider audits, investigations, and litigation in the area of corporate compliance.
An extract from the updated DOJ Criminal Division Evaluation of Corporate Compliance Programs Document
Evaluation of Corporate Compliance Programs
General Introduction Extract
This document is meant to assist prosecutors in making informed decisions as to whether, and to what extent, the corporation’s compliance program was effective at the time of the offense, and is effective at the time of a charging decision or resolution, for purposes of determining the appropriate (1) form of any resolution or prosecution; (2) monetary penalty, if any; and (3) compliance obligations contained in any corporate criminal resolution (e.g., monitorship or reporting obligations).
Because a corporate compliance program must be evaluated in the specific context of a criminal investigation, the Criminal Division does not use any rigid formula to assess the effectiveness of corporate compliance programs. We recognize that each company’s risk profile and solutions to reduce its risks warrant particularized evaluation. Accordingly, we make a reasonable, individualized determination in each case that considers various factors including, but not limited to, the company’s size, industry, geographic footprint, regulatory landscape, and other factors, both internal and external to the company’s operations, that might impact its compliance program. There are, however, common questions that we may ask in the course of making an individualized determination. As the Justice Manual notes, there are three “fundamental questions “a prosecutor should ask:
- “Is the corporation’s compliance program well designed?
- “Is the program being applied earnestly and in good faith? “In other words, is the program adequately resourced and empowered to function effectively?
- “Does the corporation’s compliance program work “in practice?
See JM 9-28.800.
Mergers and Acquisitions Section Extract
A well-designed compliance program should include comprehensive due diligence of any acquisition targets, as well as a process for timely and orderly integration of the acquired entity into existing compliance program structures and internal controls. Pre-M&A due diligence, where possible, enables the acquiring company to evaluate more accurately each target’s value and negotiate for the costs of any corruption or misconduct to be borne by the target. Flawed or incomplete pre- or post-acquisition due diligence and integration can allow misconduct to continue at the target company, causing resulting harm to a business’s profitability and reputation and risking civil and criminal liability.
The extent to which a company subjects its acquisition targets to appropriate scrutiny is indicative of whether its compliance program is, as implemented, able to effectively enforce its internal controls and remediate misconduct at all levels of the organization.
- Due Diligence Process – Was the company able to complete pre-acquisition due diligence and, if not, why not? Was the misconduct or the risk of misconduct identified during due diligence? Who conducted the risk review for the acquired/merged entities and how was it done? What is the M&A due diligence process generally?
- Integration in the M&A Process – How has the compliance function been integrated into the merger, acquisition, and integration process?
- Process Connecting Due Diligence to Implementation – What has been the company’s process for tracking and remediating misconduct or misconduct risks identified during the due diligence process? What has been the company’s process for implementing compliance policies and procedures, and conducting post-acquisition audits, at newly acquired entities?
Evaluation of Corporate Compliance Programs (PDF) Mouseover to ScrollEvaluation-of-Corporate-Compliance-Programs-June-2020-Revision
- The Workstream of eDiscovery: Considering Processes and Tasks
- New From NIST: Integrating Cybersecurity and Enterprise Risk Management (ERM)