The DOJ’s recently updated guidance poses helpful questions for UK corporates evaluating the effectiveness of their internal compliance programmes.

By Stuart Alford QC, Erin Brown Jones, and Nathan H. Seltzer

It is well known that a corporate’s failure to prevent offences can be answered with a defence of “adequate procedures” in a case of bribery or “reasonable procedures” in a case of failure to prevent the facilitation of tax evasion. However, with no case law to aid comprehension of what “adequate” or “reasonable” mean, UK corporates are forced to seek answers elsewhere.

The UK government has issued guidance alongside both the Bribery Act 2010 and the Criminal Finances 2017, and these documents remain the principal source for interpreting those acts. However, UK companies looking to understand the wider expectations of law enforcement — particularly companies that operate in multiple jurisdictions — may find useful the US Department of Justice’s (DOJ’s) updated guidance “Evaluation of Corporate Compliance Programs” and recent comments from Assistant Attorney General Brian Benczkowski introducing the updated guidance, which replaces similar DOJ guidance issued in 2017.

Under the new guidance, prosecutors are instructed to probe whether a compliance programme is a “paper program” or a programme that is “implemented, reviewed, and revised, as appropriate, in an effective manner.” The new guidance also makes clear that if a compliance programme is to be truly effective, compliance personnel must be empowered within the company.

The new guidance — which contains most of the language from the 2017 guidance, but with additional context and new elements (making it twice as long) — is now organised around three “fundamental questions” a prosecutor should ask:

  1. Is the corporation’s compliance program well designed?
  2. Is the program being applied earnestly and in good faith?  In other words, is the program being implemented effectively?
  3. Does the corporation’s compliance program work in practice?

The guidance stresses that these questions are “neither a checklist nor a formula”, and that prosecutors should start by “understand[ing] the company’s business from a commercial perspective”. Benczkowski specifically noted that this policy would not “spell the death of monitorships”, but would instead “focus [the] prosecutors’ determination on the appropriate factors so that monitors are imposed only where necessary and under the terms and scope that is appropriate for that given case”.

Excerpted below are key new elements of the guidance that UK corporates may find useful in assessing their own compliance programmes:

  • Culture of Compliance
    • How often and how does the company measure its culture of compliance? Does the company seek input from all levels of employees to determine whether they perceive senior and middle management’s commitment to compliance?
    • What steps has the company taken in response to its measurement of the compliance culture?
  • Prior Weaknesses
    • What controls failed?
    • If policies or procedures should have prohibited the misconduct, were they effectively implemented, and have functions that had ownership of these policies and procedures been held accountable? [Previous guidance asked: “What controls failed or were absent that would have detected or prevented the misconduct? Are they there now?”]
  • Risk-Tailored Resource Allocation –
    • Does the company devote a disproportionate amount of time to policing low-risk areas instead of high-risk areas, such as questionable payments to third-party consultants, suspicious trading activity, or excessive discounts to resellers and distributors?
    • Does the company give greater scrutiny, as warranted, to high-risk transactions (for instance, a large-dollar contract with a government agency in a high-risk country) than more modest and routine hospitality and entertainment?
  • Updates and Revisions
    • Is the risk assessment current and subject to periodic review?
    • Have there been any updates to policies and procedures in light of lessons learned?
    • Do these updates account for risks discovered through misconduct or other problems with the compliance program?
  • Comprehensiveness
    • What efforts has the company made to monitor and implement policies and procedures that reflect and deal with the spectrum of risks it faces, including changes to the legal and regulatory landscape?
  • Form/Content/Effectiveness of Training
    • Has the training been offered in the form and language appropriate for the audience?
    • Is the training provided online or in-person (or both), and what is the company’s rationale for its choice?
    • Has the training addressed lessons learned from prior compliance incidents?
    • How has the company measured the effectiveness of the training?
    • Have employees been tested on what they have learned? How has the company addressed employees who fail all or a portion of the testing?  [New language underlined.]
  • Properly Scoped Investigations by Qualified Personnel
    • How does the company determine which complaints or red flags merit further investigation?
    • How does the company ensure that investigations are properly scoped?
    • What steps does the company take to ensure investigations are independent, objective, appropriately conducted, and properly documented?
    • How does the company determine who should conduct an investigation, and who makes that determination? [New language underlined.]
  • Investigation Response
    • Does the company apply timing metrics to ensure responsiveness?
    • Does the company have a process for monitoring the outcome of investigations and ensuring accountability for the response to any findings or recommendations?  [Prior guidance on investigation response focused on identification of root causes, system vulnerabilities, and accountability lapses; process for responding to investigative findings; and how high up do investigative findings go.]
  • Resources and Tracking of Results
    • Are the reporting and investigating mechanisms sufficiently funded?
    • How has the company collected, tracked, analyzed, and used information from its reporting mechanisms?
    • Does the company periodically analyze the reports or investigation findings for patterns of misconduct or other red flags for compliance weaknesses?

UK corporates looking to scope and evaluate their compliance programs — particularly those with a multi-jurisdictional focus — can now look to this guidance for at least one regulator’s perspective on what would be considered “adequate procedures” or “reasonable procedures.”