New Compliance Evaluation Guidelines

The Justice Department released Tuesday a fresh set of guidelines on how prosecutors should evaluate corporate compliance programs: a much longer document, with more narrative explanation about what the Justice Department considers important. Compliance professionals should prepare to obsess over it like last Sunday’s Game of Thrones episode.

Assistant attorney general Brian Benczkowski unveiled the guidance Tuesday afternoon while delivering a speech at the Ethics & Compliance Initiative’s annual conference in Dallas. He said the updated guidelines were necessary “to better harmonize the prior Fraud Section publication with other Department guidance and legal standards.”

That prior guidance was published in February 2017, and written primarily by former Justice Department compliance counsel Hui Chen. Chen has said previously that her original guidelines were written for internal use by federal prosecutors, without any specific intention to publish them. That shows in the form of the 2017 document, which is mostly a series of more than 100 questions prosecutors might potentially ask about how your compliance program works. (The 2017 guidelines are no longer on the Justice Department website, but Radical Compliance has archived a copy for download if you want one.)

In contrast, the 2019 guidance is longer (18 pages, compared to only four pages in the first version), with long passages written in narrative form. All the original questions seem to be in the new document too (I haven’t found any deletions yet), with a bundle more questions included, too. Most important, Benczkowski said, are three primary questions that prosecutors will want to answer.

• Is the program well-designed?
• Is the program effectively implemented?
• Does the compliance program actually work in practice?

The rest of those 18 pages are really details and expansions upon those three basic points. In various ways, the new guidelines still tie back to the seven elements of an effective compliance program, as laid out in the U.S. Sentencing Guidelines. Risk assessment, policies and procedures, training, third-party oversight, mechanisms for internal reporting, autonomy and resources, incentives and disciplinary measures — it’s all in there somewhere. To that extent, these 2019 guidelines aren’t anything terribly new.

So What’s Changed?

Let’s look at two examples of differences between the 2017 and 2019 versions. First is one set of questions about reporting mechanisms, taken from the 2017 version:

Effectiveness of the Reporting Mechanism – How has the company collected, analyzed, and used information from its reporting mechanisms? How has the company assessed the seriousness of the allegations it received? Has the compliance function had full access to reporting and investigative information?

Now that same subject in the 2019 version. New material has been colored red.

Effectiveness of the Reporting Mechanism – Does the company have an anonymous reporting mechanism, and, if not, why not? How is the reporting mechanism publicized to the company’s employees? Has it been used? How has the company assessed the seriousness of the allegations it received? Has the compliance function had full access to reporting and investigative information?

Those new questions above don’t exist in the 2017 version at all. They strike me as rather basic. For example, public companies have been required to provide anonymous internal reporting mechanisms at least since the Sarbanes-Oxley Act of 2002 — who in this field doesn’t know that? Who prosecuting corporate crime wouldn’t know that?

Next is an example about scoping investigations. Again, first is the 2017 version:

Properly Scoped Investigation by Qualified Personnel – How has the company ensured that the investigations have been properly scoped, and were independent, objective, appropriately conducted, and properly documented?

And here is the same issue from the 2019 version:

Properly Scoped Investigations by Qualified Personnel – How does the company determine which complaints or red flags merit further investigation? How does the company ensure that investigations are properly scoped? What steps does the company take to ensure investigations are independent, objective, appropriately conducted, and properly documented? How does the company determine who should conduct an investigation, and who makes that determination?

Again, these new questions strike me as elementary. That said, they’re not necessarily bad questions. This process isn’t a cross-examination where prosecutors only want to ask questions where they already know the answers. This is, supposedly, an honest inquiry into how the organization tries to run its ethics and compliance program — and the inquiry might come from assistant U.S. attorneys with no real business experience.

Remember the History Here

In fact, that was my biggest impression when comparing the 2017 and 2019 guidelines; that the new guidelines are more comprehensive, so they can be used by people less familiar with corporate compliance. Whether that’s comforting news for corporate compliance officers sitting across the negotiating table, or exasperating news, I’m not sure.

Recall that when the Justice Department first developed their evaluation guidelines in 2016 and 2017, the department had a compliance counsel: Hui Chen. She was a seasoned veteran in corporate compliance, and the thinking at the time was that Chen (or subsequent compliance counsels) would help prosecutors evaluate the compliance programs of companies under investigation.

Benczkowski eliminated that compliance counsel role. He says the Justice Department will instead hire more prosecutors with compliance experience (which I don’t believe, because the feds can’t match private sector salaries), and also provide prosecutors with more training in how to evaluate compliance programs. These 2019 guidelines read like the handouts prosecutors can take back to the office after that training.

As Benczkowski said in Dallas: “[We] have taken significant steps to educate our prosecutors about compliance and provide transparent and comprehensible standards to the public so that companies can understand how we evaluate compliance programs.”

My other question is this. If a compliance program is ineffective, the appointment of a compliance monitor becomes more likely. Yet Benczkowski already published new guidance last October on when corporate compliance monitors will be appointed. So these evaluation guidelines should be consistent with those policy objectives, right?

That strikes me as doing things in reverse. One should first decide how to evaluate compliance programs, and then move to the next question: What do we do when the program is inadequate?

Moreover, several points in the monitor guidance don’t seem to be mentioned at all in these evaluation guidelines. For example, when mulling whether to appoint a compliance monitor, prosecutors should ask questions such as whether the misconduct happened under previous senior leadership, or “within a compliance environment that no longer exists within a company?”

Those are good points. They’re also not mentioned at all in the 2019 evaluation guidelines; search for words like “previous” or “exist” and you won’t find any.

But as I said, these are first impressions. We’ll all be obsessing over every hint and nuance of this pronouncement for quite some time.

And if you want to hear my awesome Game of Thrones theory too, drop me an email at mkelly@radicalcompliance.com.