As I noted in yesterday’s blog post, at the Ethics and Compliance Initiative (ECI) Impact 2019 Conference, Assistant Attorney General Brian Benczkowski announced (ECI speech) an update to the 2017 Evaluation of Corporate Compliance Programs, which had been released in February 2017. This new document is entitled Evaluation of Corporate Compliance Programs – Guidance Document (2019 Guidance) and is available for download at no charge. It should be mandatory reading for every Chief Compliance Officer (CCO), compliance practitioner and professional or any other person interested in the latest thinking of the Department of Justice’s (DOJ’s) on what constitutes a best practices compliance program. Over the next several blog posts, I will be considering the 2019 Guidance in some depth.
The first thing to note is in the Introduction section, which lays out the reason for having the 2019 Guidance. The 2019 Guidance is designed to supplement the “Principles of Federal Prosecution of Business Organizations” in the Justice Manual (formerly US Attorneys Manual) and provide assistance to prosecutors in thinking through charging decisions. The 2019 Guidance states, “This document is meant to assist prosecutors in making informed decisions as to whether, and to what extent, the corporation’s compliance program was effective at the time of the offense, and is effective at the time of a charging decision or resolution, for purposes of determining the appropriate (1) form of any resolution or prosecution; (2) monetary penalty, if any; and (3) compliance obligations contained in any corporate criminal resolution (e.g., monitorship or reporting obligations).”
This points to the importance of having a best practices compliance program in place to help prevent, detect and remediate violations of laws such as the Foreign Corrupt Practices Act (FCPA) and what needs to be accomplished if a violation occurs. The 2019 Guidance then goes on to state, “Because a corporate compliance program must be evaluated in the specific context of a criminal investigation, the Criminal Division does not use any rigid formula to assess the effectiveness of corporate compliance programs. We recognize that each company’s risk profile and solutions to reduce its risks warrant particularized evaluation. Accordingly, we make an individualized determination in each case.”
Both in his prepared remarks at the ECI speech and in the informal Q&A afterwards Benczkowski emphasized the flexible nature of this inquiry. Once again no “one size fits all” is a clear mantra from the DOJ. The reason is quite clear and straight-forward, with Benczkowski stating, “Because a corporate compliance program must be evaluated in the specific context of a criminal investigation, the Department does not use any rigid formula to assess the effectiveness of corporate compliance programs. We recognize that each company’s risk profile and solutions to reduce its risks warrant particularized evaluation. Accordingly, we make an individualized determination in each case.”
The 2019 Guidance then goes on to pose three “fundamental questions” that prosecutors must begin their analysis with:
- “Is the corporation’s compliance program well designed?“
- “Is the program being applied earnestly and in good faith?“ In other words, is the program being implemented effectively?
- “Does the corporation’s compliance program work” in practice?
Benczkowski explained how these three considerations assist in a prosecutorial analysis. First, prosecutors assess the adequacy and effectiveness of the corporation’s compliance program at the time of the offense, as well as at the time of a charging decision. This step helps guide the prosecutors in determining whether they should decline to bring a case, or, if a resolution is appropriate, what that resolution should be. This makes clear that “there can be no question about the seriousness with which we take the effectiveness of a company’s compliance program when determining whether and how to bring a corporate case.”
Next, prosecutors assess a company’s compliance program at the time of the misconduct to determine the company’s culpability score under the US Sentencing Guidelines, which determines the company’s ultimate fine range. This is important because if an entity has “maintained an effective ethics and compliance program at the time of the misconduct, the company would also be eligible for a significant reduction in its overall fine.” This means an overall fine would be further reduced based on the FCPA Corporate Enforcement Policy, which provides for 50% off the low end of the Sentencing Guidelines in cases where the company has voluntarily self-disclosed, fully cooperated and fully remediated, including putting in place an effective ethics and compliance program.
Finally, “prosecutors look at the company’s compliance program at the time of the resolution to determine whether an independent compliance monitor is necessary to prevent the reoccurrence of misconduct, or whether the compliance program is sufficiently effective to permit the company to self-monitor.” This expands and fleshes out the concepts which Benczkowski laid out last fall when he announced the Benczkowski Memo about the DOJ’s use of corporate monitors going forward.
As we take a deeper dive into specifics of the 2019 Guidance going forward, the comments by Benczkowski at the ECI conference and the language in the 2019 Guidance make clear to everyone that the DOJ has zero use for rigid formulas such as ISO 37001 as a basis for some type of compliance defense. What must occur is that company’s assess and then manage their own risks, not simply follow a written checklist or paper program advocated by those still trying to append a compliance defense on the FCPA. Not only do neither of these approaches move forward the operationalization of compliance but also remove a key tool of prosecutorial discretion to reward companies that meet the requirements of a company to assess and to manage its risks.
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at firstname.lastname@example.org.
© Thomas R. Fox, 2019