Above Board: Changes to DOJ's Compliance Guidance

MoFo Perspectives Podcast

16 Dec 2020

In this episode of Above Board, Morrison & Foerster partner Dave Lynn speaks with James Koukios and Chuck Duross, heads of the firm’s FCPA and Global Anti-corruption practice, about the Department of Justice’s revised guidance on the evaluation of corporate compliance programs.

Listen to the episode to learn:

  1. The two most important things that the Department of Justice now considers when evaluating a company’s compliance program;
  2. The ways in which the DOJ’s expectations for compliance programs have changed;
  3. The steps that directors can take to oversee a company’s corporate compliance function; and
  4. Other guidance from the DOJ that is relevant to compliance programs.


Speaker: Please make sure to subscribe to the MoFo Perspectives podcast so you don’t miss an episode. If you have any questions about what you heard today, or would like more information on this topic, please visit mofo.com/podcasts.

Dave Lynn: Hello, my name is Dave Lynn, and I’m a partner at Morrison & Foerster, and I’m pleased to be joined today by two of my colleagues, James Koukios and Chuck Duross. James and Chuck are partners in the Washington, D.C., office of Morrison & Foerster, and they lead up the firm’s FCPA and Global Anti‑Corruption practice. They are both former federal prosecutors. Gentlemen, thank you for joining me today.

Chuck Duross: Thanks, Dave.

James Koukios: Thanks for having us, Dave.

Dave Lynn: This past summer, the Department of Justice published a revised version of its guidance on the evaluation of corporate compliance programs. What exactly is this guidance, and why does the DOJ provide its views on corporate compliance programs?

Chuck Duross: Well thanks, Dave. So DOJ has been issuing this guidance now for a couple of years. In June, they had their most recent update. The bottom line is the DOJ policy requires prosecutors, certainly in the criminal division and more broadly, to evaluate corporate compliance programs. That assessment can result in lower fines, less severe penalties, or even a declination, in the best of circumstances. As a result of that, it really has become a standard part of negotiating a resolution with the Department of Justice. And you are expected as a company, as part of this process, to present on the compliance program, and it’s a pretty detailed process and the guidance that they put out sets, I think, their own expectations in advance of that. James?

James Koukios: Yeah, back when Chuck and I were both at the fraud section of the DOJ Criminal Division and the FCPA unit, we sat through a lot of these presentations that Chuck was just talking about. And one day we kind of sat back and started to think about what made a good presentation and what made a bad presentation, and what questions can our prosecutors ask to really get at the right questions to get to the right information that we want to know about compliance programs. So I remember one week in particular, we had two different compliance program presentations. One was the best one I’d ever seen, and one was the worst one I’d ever seen. That really got me started to thinking, what was it that the one company had done right that so impressed me. And what were the things that the other company did so wrong that really made it seem like this was not a good compliance program?

James Koukios: So my colleagues at the FCPA unit and I sat down, and we came up with a list of questions organized around several different topics to try to figure out the questions we’d want to ask companies when they came in, really try to make those compliance presentations that Chuck was talking about more informed, more structured, and more searching. A couple of years later after we left actually, DOJ hired a professional compliance counsel, somebody who had been working in compliance departments in the private sector, to help them come in and get even more sophisticated on compliance programs. The prior effort I was mentioning was really prosecutors who’d sat through a lot of presentations trying to reflect on what we had seen, but at this point, the fraud section actually brought in somebody who had sat in a compliance department and had real-life experience trying to live a compliance program.

James Koukios: And that person in the compliance counsel, in February of 2017, publicly released for the first time this document, the “Evaluation of Corporate Compliance Programs.” It was structured as a series of questions, organized around a number of key compliance issues, and it was published kind of in the dark of night without a lot of fanfare on the fraud section’s website. And people took notice of it. And it really caught on as a very helpful way to get some insight into the kinds of questions that DOJ would ask during one of these presentations and, at the same time, insight into what DOJ was looking for when it came to a corporate compliance program. And then, of course, evolved after the fact, Chuck, you want to talk about the next step?

Chuck Duross: Sure. So, first of all, there was definitely an appetite, both within the compliance community in corporate America, as well as within the defense bar, to understand exactly what the government’s expectations were going to be when it came to compliance. But we’re not really sure why this sort of document appeared on the government’s website. No DOJ seal, it didn’t really look like an official document, but it became very popular very quickly because of the desire for greater insight and understanding in terms of expectations. I think, however that happened, the Department ultimately decided, well, this is probably something we should spend some time refining and issuing in a more formal way, which ultimately they did. So, in April of 2019, the Criminal Division of the Department of Justice issued a revised document of the “Evaluation of Corporate Compliance Programs.” And they made it applicable to the entire criminal division and not just the fraud section, and they structured it in a way around some key questions that are asked as part of the broader principles of prosecution of business organizations.

Chuck Duross: And so really tied it into DOJ policy. And so now, it’s applicable not just to the fraud section, but also to the money laundering and asset recovery section, and other sections within the criminal division. And it continued to maintain this sort of question format. So rather than specific statements that they wanted people to agree to, they had questions that they wanted people to evaluate. I think part of that desire was to avoid being overly prescriptive yet, at the same time, trying to telegraph what DOJ was thinking about and how they wanted to go about it. And so that ultimately sort of led to the greater transparency engagement and the like in terms of this issuance in April 2019.

Dave Lynn: What are some of the key insights that came out of the latest update to the guidance that came out earlier this year?

James Koukios: Well, the June 2020 version of the guidance was more of a fine-tuning of that last version that Chuck mentioned from April 2019, rather than a revamp like that April 2019 version had been, but still, the fine-tuning is important because it reveals DOJ’s views about how compliance programs are evolving and more importantly, what they expect to see in compliance programs. So recognizing as a first proposition that this was a fine-tuning, and that most of the substance and format from the previous version stayed the same, it is still important to look at two very important things that did not change that are still two very important themes that DOJ has been emphasizing since the first version. Number one, the evaluation continues to emphasize that companies should design and implement a compliance program that is uniquely tailored to the company’s risks and evolving needs. So very importantly, a compliance program should not follow a checklist.

James Koukios: There’s no one-size-fits-all compliance program that fits every company and every industry and every region. Instead, a compliance program needs to be risk-based, and it needs to evolve as the company’s risks evolved, and importantly, as the company learns lessons about what works and doesn’t work. There is an addition on that point in the new version about taking lessons learned both from the company’s own experiences, but also from other companies in the industry and reading about public accounts of lessons learned and using those lessons learned as part of designing your corporate compliance program. So being risk-based and evolving didn’t change, but they did add that little part about lessons learned. And even though this is not new in principle, DOJ also added one statement that I think really underscores this approach to a compliance program.

James Koukios: And I’ll just quote it, because I think it’s helpful. “In short, prosecutors should endeavor to understand why the company has chosen to set up the compliance program the way that it has, and why and how the company’s compliance program has evolved over time.” So again, they’re going to want you to react to your environment, react to your experiences, design a compliance program around those, and then ultimately be able to explain to them if you ever come before them, the choices that you made. The second big thing that stayed the same is that the evaluation continues to emphasize that the compliance function needs to be adequately resourced. This was actually even going back to that February 2017 document. This was really an interesting part of it because it asked questions about how much compliance officers get paid, what the stature of the compliance officers is in an organization, and how much resources are devoted to the compliance function. That’s particularly helpful for the compliance function at a company because they can go to their superiors or other people in the organization and say, look, you gotta give us more money, DOJ says so, but that’s a very important thing that was in the original version of February 2017 and continues to be emphasized today. So, those are two things that stayed the same, but Chuck, why don’t you talk about some of the things that were added to the most recent guidance that we found to be most important?

Chuck Duross: So, yeah, I think there are probably three main additions I think are worth teasing out of the latest version. First is utilizing and analyzing data. The truth is that the goal posts are moving. Expectations that DOJ has for compliance programs are different today than they were 10 years ago. And I think that’s what you see in this guidance, which is they talk about and suggest the need and appropriateness to have access to continuous data sources, big data, data analytics, being able to predict certain things with artificial intelligence. Those are the kinds of things being suggested here, and they ask questions, as we were discussing earlier, so it’s not unduly prescriptive. Although I will tell you that the way they ask the questions, they certainly telegraph where they want you to come out. Say, for example, is the periodic review limited to a snapshot in time or based on continuous access to operational data and information across functions?

Chuck Duross: You have a pretty clear indication what the government is looking for there, and they really are encouraging compliance personnel to be able to have that access to direct relevant sources of data for timely and effective analyses. That’s certainly number one. Number two, they stress user‑friendly resources. They definitely want to make it clear that employees should have easy access, where to find answers, where to report concerns or to get advice. They want to have the companies making an assessment about the effectiveness of their training and resources. They even are suggesting that by having certain kinds of resources, the company may be able to track what policies or procedures or information are being accessed most frequently by employees really trying to look for trends or look around corners, see the horizon about where there may be problems. And we just had a client, in fact, pursue an interactive code of conduct with the whole idea that they could not only give greater immediate access and accessibility to employees, but have the ability to track what those employees are looking at.

Chuck Duross: So they could see what might be going on and kind of have a finger on the pulse of the employee population to understand what the concerns might be. And then third, I would say post acquisition due diligence. Now, this has been one that DOJ has had as part of its attachment C or its enhanced compliance requirements. It’s part of resolutions for many, many years, but they baked it into this compliance evaluation guide, and I think it really sort of recognizes there’s going to be a limit to what you can do pre-acquisition, but that they do have expectations in terms of post-acquisition integration and what companies should be doing after an acquisition to make sure that they’re thinking about the risks that they’re acquiring, including, for example, the possibility of post-acquisition audits of newly-acquired entities, asking whether companies have a policy for integrating the acquired entity and how that’s a thoughtful process is going to be taking place. And those are definitely among the items I think DOJ’s highlighting with this most recent version of the guidance that came out in June.

Dave Lynn: What steps can directors take when they’re overseeing a company’s corporate compliance function?

James Koukios: Well, Dave, no doubt, as you and your listeners know well, under standards like the Caremark Standard or the U.S. [inaudible] Guidelines and similar authorities, directors, of course, have a duty to ensure that the company’s systems are reasonably designed to prevent compliance breaches. Some courts have held, for example, that Caremark requires that the board make a good faith effort to put in place a reasonable board-level system of monitoring and compliance. And the evaluation reflects these principles and asks some questions that I think will be helpful if you’re on the board to think about what you should be doing when you’re overseeing the compliance function. With respect to oversight of the compliance program, the evaluation asks what compliance expertise has been available on the board of directors? Have the board of directors and/or external auditors held executive or private sessions with the compliance and control functions?

James Koukios: What types of information have the board of directors and senior management examined in their exercise of oversight in the area in which the misconduct occurred. So kind of teasing some lessons out from those questions, a few tips, I’m sure there are many more, but a few tips that we’ve identified kind of come out of those questions. First of all, directors should know the company’s key compliance leaders, should probably be briefed by them, certainly know their names, their qualifications, things like that. The directors should review the company’s key compliance policies on a regular basis. And, as we always say, when you want to create a record, it’s good to document that review that was made, as well, but really take time to look at the compliance policy on a regular basis, make sure that the policies are working, make sure they’re up to date, make sure that they reflect the reality of the business.

James Koukios: On that point, a director should understand the company’s key risks and understand what is being done to address them. How does the compliance program address those issues? How does the compliance plan program seek to mitigate those risks? And if it’s not working, really ask the tough questions and insist on something being changed. And then finally, another tip, of course, there could be many more, but another one that we’ve drawn is it’s important for the directors to discuss compliance at the board or committee meetings on a regular cadence. In order to be informed, in order to understand whether the compliance program is working adequately, whether it needs any revisions, it’s really important that the board talk amongst themselves with key compliance leaders, the company, potentially with outside counsel, on a regular cadence about these issues so that any changes that need to be made can be made. And hopefully in doing all this, the directors can fulfill their duties under Caremark and the sentencing guidelines to oversee the corporate compliance function.

Dave Lynn: Has the DOJ provided any other guidance recently that is relevant to overseeing compliance programs?

Chuck Duross: They have. Over the summer, about a month or so after the revised edition of the “Evaluation of Corporate Compliance Programs,” the department also put out a second edition of the “FCPA Resource Guide,” which was originally issued in November of 2012. It’s interesting. The overall updates were not that substantial. There were case law developments. There were some corrections that were added in there. There were a couple of smaller changes that were made. Overall, it appeared that that document withstood the test of time. Interestingly, that document, which James and I were intimately involved with back in 2012 when we were still at the department running the FCPA unit, it was really in part a reaction to the OECD’s Working Group on Bribery’s review of the United States. That happens periodically every eight years or so. And so that guide was actually done in reaction to certain criticisms of the Department of Justice and the SEC for not having greater guidance when it came to FCPA issues.

Chuck Duross: And so DOJ and SEC issued that document jointly in reaction to the OECD criticism. And interestingly, eight years later, during the next phase of review, which was actually supposed to finish in June of 2020, was postponed until October 2020, but it was supposed to be in June. This document was being reissued. So in part, again, I think in reaction to the OECD and their review process. On the whole, the document, I think, was mostly the same, although I will indicate there was an additional hallmark of an effective compliance program added into that guide and reflects the practices and expectations reflected in the “Evaluation of Corporate Compliance Programs,” which is this idea of sort of a root cause analysis that it’s not just enough from DOJ and SEC’s perspective to conduct a thorough investigation, figure out what happened, if there was a compliance policy violation, and maybe even a violation of law, but also that it was incumbent upon good companies that cared about getting compliance right to actually evaluate what happened that caused this problem.

Chuck Duross: How was it permitted to occur? Whether that might be, for example, the need for a new financial control, the segregation of duties, additional training, maybe a new or modified policy or procedure. And so the whole idea was that it should sort of have a life cycle to it, which is investigate the conduct, and even if it’s a close call, there may be lessons learned and a root cause analysis should be done. And ultimately you could make some improvements that have lasting impact. That’s certainly one of the things that came out of the most recent FCPA Resource Guide.

Dave Lynn: Great. Well, thank you both very much for joining me today.

Chuck Duross: Thanks so much, Dave. Really appreciate it.

James Koukios: Thanks a lot, Dave.

Speaker: Please make sure to subscribe to the MoFo Perspectives podcast so you don’t miss an episode. If you have any questions about what you heard today or would like more information on this topic, please visit mofo.com/podcasts. Again, that’s MoFo, M-O-F-O.com/podcasts.


