DOJ Revises Its Guidance on Corporate Compliance Programs

Key Takeaways

• On March 3, 2023, the Criminal Division of the U.S. Department of Justice ("DOJ") revised its Evaluation of Corporate Compliance Programs or ECCP (the “March 2023 ECCP”) for the first time since June 2020.
• The March 2023 ECCP contains two major revisions: (1) new guidance regarding the use of personal devices, communications platforms, and messaging applications, including ephemeral messaging applications; and (2) expanded guidance regarding how compensation structures can drive compliance, including the use of financial penalties such as compensation clawback provisions to disincentivize non-compliant behavior. 
• The revisions in the March 2023 ECCP follow Deputy Attorney General ("DAG") Lisa Monaco’s September 2022 direction to the Criminal Division to develop further guidance on compensation clawback policies and to study best corporate practices regarding the use of personal devices and third-party messaging platforms.
• Although the March 2023 ECCP technically applies only to the Criminal Division, DAG Monaco has encouraged other DOJ components to follow it, and the recently issued Voluntary Self-Disclosure Policy for U.S. Attorney’s Offices states that U.S. Attorney’s Offices will consider the ECCP in determining whether to impose an independent compliance monitor as part of a corporate resolution. Companies can thus use the ECCP to assess whether their compliance programs meet DOJ’s expectations and make appropriate enhancements where needed.

Background

In February 2017, the Fraud Section in DOJ’s Criminal Division released the original ECCP, which provided a list of “some important topics and sample questions that the Fraud Section has frequently found relevant in evaluating a corporate compliance program.”  The original ECCP was generally received positively in the business and legal communities because it was viewed as providing useful direction for responding to investigations and clearer expectations for designing compliance programs.

The original ECCP was significantly revised in April 2019. Most significantly, the April 2019 ECCP integrated the topic-and-question format from the original ECCP into a broader discussion of DOJ policies, focusing them around the three key questions that the Justice Manual instructs prosecutors to consider when evaluating a compliance program: (1) is the program well designed, (2) is the program being implemented effectively, and (3) does the program actually work in practice? Also significantly, the April 2019 ECCP was made to apply to the entire Criminal Division, not just the Fraud Section. 

The ECCP was revised again in June 2020. The June 2020 ECCP remained structurally the same as the April 2019 ECCP but added new or expanded guidance on topics such as using data to shape and enhance compliance programs, integrating acquired companies into the acquiring company’s compliance program and internal controls, and ensuring adequate resourcing for the compliance function.

In September 2022, DAG Monaco issued a memorandum (the “Monaco Memo”), which signaled more revisions to the ECCP. In announcing a series of new policies designed to bolster corporate criminal enforcement, Monaco instructed the Criminal Division to develop further guidance on compensation clawback policies and to study best corporate practices regarding the use of personal devices and third-party messaging platforms. As to the latter, Monaco expressly directed the Criminal Division to incorporate the product of its study “into the next edition of its Evaluation of Corporate Compliance Programs, so that the Department can address these issues thoughtfully and consistently.” Monaco also encouraged other DOJ components to consider the ECCP when evaluating corporate compliance programs, further broadening its applicability across DOJ. Consistent with this encouragement, the Voluntary Self-Disclosure Policy for U.S. Attorney’s Offices, announced in February 2023, states that all of the U.S. Attorney’s Offices across the country will consider the ECCP in determining whether to impose an independent compliance monitor as part of a corporate resolution.

On March 3, 2023, Kenneth Polite Jr., Assistant Attorney General for DOJ’s Criminal Division ("AAG"), “following up on the DAG’s direction in her Sept. 15, 2022, memorandum,” announced “significant changes to the ECCP including how we consider a corporation’s approach to the use of personal devices as well as various communications platforms and messaging applications, including those offering ephemeral messaging.” According to AAG Polite, how a company answers, or fails to answer, questions about its communications policies and whether it was able to preserve and produce communications to DOJ “may very well affect the offer it receives to resolve criminal liability. So, when crisis hits, let that be top of mind.” Another change that AAG Polite described as “significant” is that “our prosecutors will consider more closely compensation structures and consequence management when evaluating compliance programs under the revised ECCP. They will consider numerous factors to determine how a company’s compensation system contributes to the presence – or lack – of an effective compliance program.” Below, we do a deeper dive into these two sets of “significant” changes set out in the March 2023 ECCP.  

Personal Device, Communication Platform, and Messaging Application Management

The March 2023 ECCP contains a new subsection addressing how prosecutors should evaluate a company’s policies and procedures governing the use of personal devices, communications platforms, and messaging applications, including ephemeral messaging applications. The new subsection mirrors the Monaco Memo’s three basic elements for such a policy—(1) implementation of effective policies governing the use of personal devices and third-party messaging platforms for corporate communications, (2) clear training for employees about such policies, and (3) enforcement of such policies when violations are identified—but provides additional details on how prosecutors will assess these elements in practice. 

According to the new subsection, communication-related policies and procedures should be risk-based, tailored to the company’s specific needs, and designed to ensure that business-related electronic data and communications are accessible and amenable to preservation by the company. On this last point, it is notable that the new subsection falls within the “Investigation of Misconduct” section of the March 2023 ECCP, suggesting that DOJ’s primary focus is on preserving relevant data for internal—and presumably government—investigations.

Conduct a Risk Assessment. The March 2023 ECCP sets out a number of helpful questions that prosecutors—and companies—should ask when analyzing whether the company’s communication policies and procedures are appropriately tailored and risk-based. This begins by assessing what electronic communication channels the company’s employees actually use, whether officially sanctioned or not, across the various parts of the company’s business. The next step is to determine what preservation or deletion settings are available and in place for each of these channels and to ask why those settings have been chosen.

Create an Appropriate Policy Environment, including BYOD and Messaging App Policies. Prosecutors will next assess the “Policy Environment,” i.e., the policies and procedures that are in place to ensure that communications and other data are properly preserved and accessible by the company. The March 2023 ECCP pays particular attention to “bring your own device” or BYOD programs and personal messaging applications. The March 2023 ECCP recognizes that there will be limitations imposed by local privacy and employment laws but establishes a clear expectation that companies will design and implement policies that best maximize their ability to access data on BYOD devices and personal messaging applications. In addition to considering the design and content of the Policy Environment, prosecutors will also consider how the policies and procedures have been communicated to employees.

Ensure and Measure Effectiveness. Finally, prosecutors will assess how a company has enforced and measured the effectiveness of its communication-related policies and procedures. For example, prosecutors will ask whether employees have been disciplined for violating the policies, whether compliance or investigations have been impaired because data was not recoverable, whether the company actually exercises control over communication channels subject to the policies, and whether the company has assessed the continued reasonableness of its policies and procedures in the context of its evolving business needs and risk profile.

Compensation Structures and Consequence Management

The March 2023 ECCP significantly revises the former “Incentives and Disciplinary Measures” section, now rebranded as “Compensation Structures and Consequence Management.” 

Offer Financial Carrots and Sticks, including Compensation Deferrals and Clawbacks. As in the previous version of the ECCP, the March 2023 ECCP begins with the premise that one hallmark of an effective compliance program is the establishment of incentives for compliance and disincentives for non-compliance. Elaborating on this premise, the March 2023 ECCP instructs prosecutors to consider whether a company has incentivized compliance by delaying certain compensation until an employee has demonstrated conduct consistent with company values and policies and disincentivizing non-compliance by recouping or reducing compensation if an employee engages in misconduct. The March 2023 ECCP also suggests that the compliance function should play a role in designing and awarding financial incentives for senior executives.

Ensure and Measure Effectiveness. The March 2023 ECCP suggests several ways that prosecutors—and companies—can ensure and measure the effectiveness of “consequence management” systems. For example, companies can track metrics related to hotline reports (such as the number of reports, substantiation rates, and time to investigate), benchmark against peer companies, conduct root cause analyses, track clawback metrics (such as the number of times the company has attempted to claw back compensation and the amounts that have been recouped), and measure the “consistency of disciplinary measures across all geographies, operating units, and levels of the organizations.”

Consistency with Other DOJ Policies. On the same day that AAG Polite announced the revisions to the ECCP, he also announced a new Criminal Division Pilot Program Regarding Compensation Incentives and Clawbacks (“Compensation Pilot Program”). As discussed in our previous client alert, under the Compensation Pilot Program, companies resolving cases with the Criminal Division will be required to implement compliance-promoting criteria within their compensation and bonus system, and the Criminal Division will reduce fines for companies that claw back or attempt to claw back compensation from wrongdoers. The ECCP revisions are consistent with the Compensation Pilot Program in that they both reflect DOJ’s belief that compensation structures and consequence management are key components of an effective compliance program.

Conclusion

Companies should benchmark their communications and compensation policies against the revised ECCP. Although the revised ECCP recognizes that local laws may impact a company’s ability to access data on BYOD devices or claw back executive compensation, it sets out a clear expectation that companies consider these limitations and design and implement policies that maximize their abilities to do so. In other words, DOJ is signaling that it won’t be enough for a company to ignore the problem or to throw its hands in the air and simply respond, “There’s nothing we can do about it.” When faced with scrutiny, companies should be able to explain how they designed policies and procedures that reflect their operating environments around the world.