The Justice Department updated its guidance for evaluating effective compliance programs on Monday, adding new material about how often a company reviews the structure of its program, a compliance officer’s access to data, and how companies integrate acquisitions into their existing programs.
The department posted the update without fanfare on Monday afternoon, and had made no hints beforehand that an update was in the works. This new version supersedes the prior guidance unveiled in April 2019, and is the third incarnation since the Justice Department first offered guidance about effective compliance programs in 2017.
This new version is a few pages longer than the prior version, although most of the material is identical. Only through a close reading do the changes become clear. For example, this is one paragraph from the April 2019 guidance on mergers & acquisitions:
A well-designed compliance program should include comprehensive due diligence of any acquisition targets. Pre-M&A due diligence enables the acquiring company to evaluate more accurately each target’s value and negotiate for the costs of any corruption or misconduct to be borne by the target. Flawed or incomplete due diligence can allow misconduct to continue at the target company, causing resulting harm to a business’s profitability and reputation and risking civil and criminal liability.
Below is the new paragraph. Additions are in red text, and nothing was deleted from the old:
A well-designed compliance program should include comprehensive due diligence of any acquisition targets, as well as a process for timely and orderly integration of the acquired entity into existing compliance program structures and internal controls. Pre-M&A due diligence, where possible, enables the acquiring company to evaluate more accurately each target’s value and negotiate for the costs of any corruption or misconduct to be borne by the target. Flawed or incomplete pre- or post-acquisition due diligence and integration can allow misconduct to continue at the target company, causing resulting harm to a business’s profitability and reputation and risking civil and criminal liability.
So you need to look hard to spot the difference, but the emphasis is there: The Justice Department will give more consideration to the company’s plans for M&A targets. Even if you can’t perform perfect due diligence before the acquisition (“where possible”), prosecutors will still want to see evidence that the company had a plan to bring the acquisition into its compliance program after the deal closes.
That addition is not a surprise, really. Recall that back in 2018, Justice Department officials said they didn’t want fears of FCPA inherited liability to stifle M&A activity. These questions are a reflection of that sentiment — try for due diligence as much as you can, and then make a sincere effort to remedy any compliance failures you discover after deal closure.
Updating Your Program
More new material was added in the section about how compliance programs work in practice. Under the heading, “Evolving Updates,” the guidance tacked on a new question at the end of the paragraph:
How often has the company updated its risk assessments and reviewed its compliance policies, procedures, and practices? Has the company undertaken a gap analysis to determine if particular areas of risk are not sufficiently addressed in its policies, controls, or training? What steps has the company taken to determine whether policies/procedures/practices make sense for particular business segments/subsidiaries? Does the company review and adapt its compliance program based upon lessons learned from its own misconduct and/or that of other companies facing similar risks?
First, that new question strikes me as something corporate compliance monitors would be likely to ask. I’ll keep that in mind for later this week when we have a follow-up post about the compliance monitor report for Wynn Resorts.
Second, that whole paragraph seems especially apt given the Covid-19 crisis. The virus has changed companies’ risks dramatically, so performing a fresh risk assessment should be a high priority.
After all, these guidelines are likely to be in force by 2023 or so, when prosecutors are making charging decisions about misconduct that happened today. If your company went through the profound crisis of Covid-19 and economic recession without considering how those things might undermine your policies and internal controls — well, good luck having that conversation with prosecutors in a few years.
Access to Data
A third significant addition came in the section about the compliance officer’s autonomy and resources. The Justice Department added an entire paragraph about access to data:
Data Resources and Access – Do compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions? Do any impediments exist that limit access to relevant sources of data and, if so, what is the company doing to address the impediments?
Again, this new material shouldn’t really be a surprise. In several speeches over the last year or so, the Justice Department has talked about the importance of data analytics when looking for misconduct. Last fall, Justice Department functionary Matt Miner gave a speech about corporate enforcement where he said this about the subject (emphasis added):
[I]f misconduct does occur, our prosecutors are going to inquire about what the company has done to analyze or track its own data resources — both at the time of the misconduct, as well as at the time we are considering a potential resolution.
The new paragraph above reflects what Miner was saying. My question is more about how compliance officers can use this point — that you should have the access and technology you need to find relevant data — to advance the compliance program’s influence in your organization.
For example, say you want to configure SAP so it blocks payments to third parties that haven’t yet completed due diligence. From a technical standpoint, that’s a fairly straightforward IT exercise, and automating that blacklist can cut your risk of improper payments substantially.
But do you, the compliance officer, have the technology you need to identify all those third parties that haven’t completed due diligence? And do you then have sufficient clout within the company to get the IT, accounting, and sales teams to agree to your SAP change? I know CCOs who don’t, even today.
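One way to model the payment block described above, as an added illustration that is not from the original post and is not SAP code (the vendor status values, the yearly re-screening window and the sample vendors and payments are all assumed):

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed policy value: a due-diligence approval must be renewed yearly.
REVIEW_VALIDITY = timedelta(days=365)

@dataclass(frozen=True)
class ThirdParty:
    vendor_id: str
    dd_status: str                    # "approved", "pending", "rejected" or "none"
    dd_completed: Optional[date] = None

@dataclass(frozen=True)
class Payment:
    doc_id: str
    vendor_id: str
    amount: float

def hold_reason(payment, vendors, today):
    """Return None if the payment may be released, otherwise why it is held."""
    vendor = vendors.get(payment.vendor_id)
    if vendor is None:
        return "vendor missing from master data"
    if vendor.dd_status != "approved":
        return f"due diligence {vendor.dd_status}"
    if vendor.dd_completed is None or today - vendor.dd_completed > REVIEW_VALIDITY:
        return "due diligence approval undated or expired"
    return None

def screen_payment_run(payments, vendors, today):
    """Split a payment run into released doc ids and (doc, vendor, reason) holds."""
    released, held = [], []
    for p in payments:
        reason = hold_reason(p, vendors, today)
        if reason is None:
            released.append(p.doc_id)
        else:
            held.append((p.doc_id, p.vendor_id, reason))   # evidence for compliance testing
    return released, held

# Constructed sample vendor master and payment proposal (not real data).
VENDORS = {
    "V100": ThirdParty("V100", "approved", date(2020, 3, 1)),
    "V200": ThirdParty("V200", "pending"),
    "V300": ThirdParty("V300", "approved", date(2018, 1, 15)),  # approval expired
}
PAYMENTS = [Payment("P1", "V100", 5000.0), Payment("P2", "V200", 1200.0),
            Payment("P3", "V300", 800.0), Payment("P4", "V999", 75.0)]
AS_OF = date(2020, 6, 2)   # constructed payment-run date
```

The held list is the artifact a compliance officer needs the data access for: it shows which third parties were blocked and why, so the control itself can be tested rather than assumed to work.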
(I have a line-by-line text analysis of the new guidance available for download, if you want to see the exact changes made.)