Prior posts here and here discussed the DOJ’s “Evaluation of Corporate Compliance Programs” (ECCP) guidance document released in Spring 2019.
Recently, the DOJ released an updated version. While the ECCP is not Foreign Corrupt Practices Act specific, it is FCPA relevant, and the most meaningful changes to the ECCP are set forth below.
Like the original ECCP, the revised version makes clear that the DOJ “does not use any rigid formula to assess the effectiveness of corporate compliance programs.” The revised version adds the following factors that the DOJ will consider in making a “reasonable individualized” determination: “the company’s size, industry, geographic footprint, regulatory landscape, and other factors, both internal and external to the company’s operations, that might impact its compliance program.”
Like the original ECCP, the revised version is focused on three “fundamental questions” as follows (new language underlined).
- “Is the corporation’s compliance program well designed?”
- “Is the program being applied earnestly and in good faith?” In other words, is the program adequately resourced and empowered to function effectively?
- “Does the corporation’s compliance program work” in practice?
The revised version of the ECCP makes clear that the DOJ will evaluate compliance programs “both at the time of the offense and at the time of the charging decision and resolution.” Moreover, the revised ECCP states that one of the circumstances of the company that the DOJ will consider is the following:
“Prosecutors should consider whether certain aspects of a compliance program may be impacted by foreign law. Where a company asserts that it has structured its compliance program in a particular way or has made a compliance decision based on requirements of foreign law, prosecutors should ask the company the basis for the company’s conclusion about foreign law, and how the company has addressed the issue to maintain the integrity and effectiveness of its compliance program while still abiding by foreign law.”
One factor relevant to the DOJ’s determination of whether a compliance program is well designed is a risk assessment and the revised version of the ECCP states under the heading “Risk Assessment” as follows (new language underlined).
“The starting point for a prosecutor’s evaluation of whether a company has a well-designed compliance program is to understand the company’s business from a commercial perspective, how the company has identified, assessed, and defined its risk profile, and the degree to which the program devotes appropriate scrutiny and resources to the spectrum of risks. In short, prosecutors should endeavor to understand why the company has chosen to set up the compliance program the way that it has, and why and how the company’s compliance program has evolved over time.”
Under the sub-heading “Updates and Revisions” the revised version of the ECCP states (new language underlined):
“Is the risk assessment current and subject to periodic review? Is the periodic review limited to a “snapshot” in time or based upon continuous access to operational data and information across functions? Has the periodic review led to updates in policies, procedures, and controls? Do these updates account for risks discovered through misconduct or other problems with the compliance program?”
The revised ECCP adds a new sub-heading titled “Lessons Learned” which states:
“Does the company have a process for tracking and incorporating into its periodic risk assessment lessons learned either from the company’s own prior issues or from those of other companies operating in the same industry and/or geographical region?”
Another factor relevant to the DOJ’s determination of whether a compliance program is well designed is policies and procedures and the revised version of the ECCP states under the sub-heading “Accessibility” as follows (new language underlined).
“How has the company communicated its policies and procedures to all employees and relevant third parties? If the company has foreign subsidiaries, are there linguistic or other barriers to foreign employees’ access? Have the policies and procedures been published in a searchable format for easy reference? Does the company track access to various policies and procedures to understand what policies are attracting more attention from relevant employees?”
Another factor relevant to the DOJ’s determination of whether a compliance program is well designed is training and communications and the revised version of the ECCP states as follows (new language underlined).
“Prosecutors should assess the steps taken by the company to ensure that policies and procedures have been integrated into the organization, including through periodic training and certification for all directors, officers, relevant employees, and, where appropriate, agents and business partners. Prosecutors should also assess whether the company has relayed information in a manner tailored to the audience’s size, sophistication, or subject matter expertise. Some companies, for instance, give employees practical advice or case studies to address real-life scenarios, and/or guidance on how to obtain ethics advice on a case-by-case basis as needs arise. Other companies have invested in shorter, more targeted training sessions to enable employees to timely identify and raise issues to appropriate compliance, internal audit, or other risk management functions. Prosecutors should also assess whether the training adequately covers prior compliance incidents and how the company measures the effectiveness of its training curriculum.”
Under the sub-heading “Form/Content/Effectiveness of Training” the revised ECCP states as follows (new language underlined).
“Has the training been offered in the form and language appropriate for the audience? Is the training provided online or in-person (or both), and what is the company’s rationale for its choice? Has the training addressed lessons learned from prior compliance incidents? Whether online or in-person, is there a process by which employees can ask questions arising out of the trainings? How has the company measured the effectiveness of the training? Have employees been tested on what they have learned? How has the company addressed employees who fail all or a portion of the testing? Has the company evaluated the extent to which the training has an impact on employee behavior or operations?”
Another factor relevant to the DOJ’s determination of whether a compliance program is well designed is confidential reporting structure and investigation process and the revised version of the ECCP states, under the sub-heading “Effectiveness of the Reporting Mechanism” as follows (new language underlined).
“Does the company have an anonymous reporting mechanism and, if not, why not? How is the reporting mechanism publicized to the company’s employees and other third parties? Has it been used? Does the company take measures to test whether employees are aware of the hotline and feel comfortable using it? How has the company assessed the seriousness of allegations it received? Has the compliance function had full access to reporting and investigative information?”
The revised version of the ECCP states, under the sub-heading “Resources and Tracking of Results” as follows (new language underlined).
“Are the reporting and investigating mechanisms sufficiently funded? How has the company collected, tracked, analyzed, and used information from its reporting mechanisms? Does the company periodically analyze the reports or investigation findings for patterns of misconduct or other red flags for compliance weaknesses? Does the company periodically test the effectiveness of the hotline, for example by tracking a report from start to finish?”
Another factor relevant to the DOJ’s determination of whether a compliance program is well designed is third party management and the revised version of the ECCP adds the following question: “Does the company engage in risk management of third parties throughout the lifespan of the relationship, or primarily during the onboarding process?”
Another factor relevant to the DOJ’s determination of whether a compliance program is well designed is mergers and acquisitions and the revised version of the ECCP suggests that a “well-designed compliance program should include comprehensive due diligence of any acquisition targets as well as a process for timely and orderly integration of the acquired entity into existing compliance program structures and internal controls.” Moreover, under the sub-heading “Due Diligence” the revised ECCP adds the following question: “Was the company able to complete pre-acquisition due diligence and, if not, why not?”
One factor relevant to the question of whether a compliance program is “adequately resourced and empowered to function effectively?” is “Commitment by Senior and Middle Management” and the revised ECCP states (new language underlined) as follows:
“Beyond compliance structures, policies, and procedures, it is important for a company to create and foster a culture of ethics and compliance with the law at all levels of the company. The effectiveness of a compliance program requires a high-level commitment by company leadership to implement a culture of compliance from the middle and the top.”
Another factor relevant to the question of whether a compliance program is “adequately resourced and empowered to function effectively?” is “Autonomy and Resources” and the revised ECCP states under the sub-heading “Experience and Qualifications” as follows (new language underlined).
“Do compliance and control personnel have the appropriate experience and qualifications for their roles and responsibilities? Has the level of experience and qualifications in these roles changed over time? How does the company invest in further training and development of the compliance and other control personnel? Who reviews the performance of the compliance function and what is the review process?”
The revised ECCP also adds the following sub-heading:
“Data Resources and Access – Do compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions? Do any impediments exist that limit access to relevant sources of data and, if so, what is the company doing to address the impediments?”
Another factor relevant to the question of whether a compliance program is “adequately resourced and empowered to function effectively?” is “Incentives and Disciplinary Measures” and the revised ECCP states under the sub-heading “Consistent Application” as follows (new language underlined).
“Have disciplinary actions and incentives been fairly and consistently applied across the organization? Does the compliance function monitor its investigations and resulting discipline to ensure consistency? Are there similar instances of misconduct that were treated disparately, and if so, why?”
One factor relevant to the question of whether a compliance program is “working in practice” is “Continuous Improvement, Periodic Testing, and Review” and the revised ECCP states under the sub-heading “Evolving Updates” as follows (new language underlined).
“How often has the company updated its risk assessments and reviewed its compliance policies, procedures, and practices? Has the company undertaken a gap analysis to determine if particular areas of risk are not sufficiently addressed in its policies, controls, or training? What steps has the company taken to determine whether policies/procedures/practices make sense for particular business segments/subsidiaries? Does the company review and adapt its compliance program based upon lessons learned from its own misconduct and/or that of other companies facing similar risks?”