On June 1, 2020, and for the third time in three years, the U.S. Department of Justice (DOJ) updated its guidance to federal prosecutors on evaluating corporate compliance programs. The document, titled “Evaluation of Corporate Compliance Programs,” was first published in 2017 and is a key reference material for compliance officers and professionals. This most recent update serves as a reminder of DOJ’s heightened focus on compliance during investigations. Specifically, the update underscores the importance of continuous risk assessments and encourages the use of data analytics to assess the efficacy of a corporation’s compliance function and as part of a corporation’s ongoing monitoring of third-party relationships.
Focus on Data Analytics
The DOJ’s focus on data analytics is a noteworthy change and reflective of
current trends in compliance. In the updated guidance, federal prosecutors are directed to consider whether the compliance function has sufficient “access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions” and whether “any impediments exist that limit access to relevant sources of data” and, if so, the steps the corporation is taking to address those impediments. While the devil is the details, this update makes clear that DOJ expects corporations to implement dynamic compliance programs that continually track relevant data beyond just the data captured by more traditional reporting mechanisms.
Specific Focus on Third-Party Relationships
As to third-party relationships, and
consistent with DOJ’s overall expectation regarding ongoing monitoring, the updated guidance directs federal prosecutors to consider whether “the company engage[s] in risk management of third parties throughout the lifespan of the relationship, or primarily during the onboarding process.” Corporations should take note of DOJ’s emphasis on monitoring third-party conduct throughout the course of the relationship. The updated guidance indicates that simply vetting the third party at the onset of the relationship is insufficient, and companies should evaluate whether their current third-party monitoring practices align with both the updated guidance and the company’s risk profile. Companies should also consider whether data analytics can be used to supplement their third-party
monitoring practices.
Testing Efficacy of Training, Policies and Hotlines
Other components of the updated guidance continue DOJ’s theme of directing corporations to analyze their data to test the following:
- Whether and how policies and procedures are being accessed by relevant employees.
- How training impacts employee behavior.
- Whether employees are aware of a hotline.
- The effectiveness of a hotline.
DOJ’s sustained attention to corporate compliance programs is increasingly evident with each new
update, and DOJ’s new focus on data analytics could have far-reaching implications and is not something that companies should ignore. For now, the solutions are relatively straightforward and approachable. Corporations should review their current compliance solutions and make sure they reasonably and appropriately reflect this updated guidance. Calfee’s Compliance attorneys have extensive experience in doing so and are happy to help ensure implementation and execution of an effective compliance program.