[1]On April 30, 2019, the Criminal Division of the U.S. Department of Justice (DOJ) issued updated guidance [2] on the “Evaluation of Corporate Compliance Programs” (Updated Evaluation Guidance) intended to “assist prosecutors in making informed decisions as to whether, and to what extent, [a] corporation’s compliance program was effective at the time of the offense, and is effective at the time of a charging decision or resolution, for purposes of determining the appropriate (1) form of any resolution or prosecution; (2) monetary penalty, if any; and (3) compliance obligations contained in any corporate criminal resolution (e.g., monitorship or reporting obligations).”
Miller & Chevalier’s alert about the Updated Evaluation Guidance is available here [3] in English, here [4] in Spanish, and here [5] in Portuguese.
Certain aspects of the Updated Evaluation Guidance are directly relevant to anti-corruption compliance efforts in Latin America.
No “Rigid Formula” for Evaluating a Compliance Program: The fact that DOJ does not advocate a mandatory set of questions to be asked when evaluating a compliance program suggests that companies should not do so either when designing their programs. This is an important lesson for Latin American compliance audiences. Oftentimes, compliance programs in Latin America can be overly process-oriented. They might exceedingly rely on layers of forms, certifications, authorizations, and other formalities at the expense of an actual focus on risk and a thoughtful response to managing that risk. Even worse, the piling on of procedures might give management a false sense of comfort that real risks are being adequately addressed. The more gatekeepers involved, the harder it can also be to hold one person ultimately accountable for ensuring programs are well-calibrated. A cloud of bureaucracy can enable those intent on circumventing controls to hide misconduct from scrutiny. Considered in this light, the recognition that there is no “rigid formula” for a compliance program can help to breathe life into a company’s compliance efforts.
Instead, the DOJ’s Updated Evaluation Guidance generally advocates consideration of three core questions about a compliance program’s effectiveness:
- “Is the corporation’s compliance program well designed?” Topics covered include: Risk Assessment; Policies and Procedures; Training and Communications; Confidential Reporting Structure and Investigation Process; Third Party Management; and Mergers and Acquisitions.
- “’Is the program being applied earnestly and in good faith?’ In other words, is the program being implemented effectively?” Topics covered include: Commitment by Senior and Middle Management; Autonomy and Resources; and Incentives and Disciplinary Measures.
- “‘Does the corporation’s compliance program work’ in practice”? Topics covered include: Continuous Improvement, Periodic Testing, and Review; Investigation of Misconduct; and Analysis and Remediation of Any Underlying Misconduct.
Emphasis on Rationale behind Compliance Decisions: Because there is no “one-size-fits-all” in compliance, there is no one specific model or roadmap for building a compliance infrastructure at a company. This is an important lesson for senior executives in Latin America, who might mistakenly conclude that an off-the-shelf Code of Conduct and Anti-Corruption Policy are enough to protect their company.
The Updated Evaluation Guidance includes several new questions prompting prosecutors to inquire about a company’s reasons for making certain decisions related to the design and implementation of its compliance program—both broadly and at a more detailed level. What the Updated Evaluation Guidance reminds us is that there are various models that can be effective, depending on the company itself.
For example, a Chief Compliance Officer might report to the General Counsel, or she might be independent. Different companies might take different approaches to leveraging the internal audit function for compliance purposes. A company might utilize its hotline for reporting of a broad range of issues from actors inside and outside of the company, or the hotline can be targeted to a specific purpose and type of user. What is important to prosecutors is the company’s rationale supporting its decisions on issues like these. Companies are expected to be thoughtful when making these calibrations and to have the supporting rationale well-documented. A company should be prepared to defend the considerations that informed program design and resource allocations.
Elevated Importance of Risk Assessment: Various jurisdictions throughout Latin America have in recent years issued their own guidance on compliance programs. Many of these include as a key component the need to perform a formal risk assessment. In its Updated Evaluation Guidance, the DOJ now features risk assessment as the first hallmark for consideration, noting that the “starting point for a prosecutor’s evaluation of whether a company has a well-designed compliance program is to understand the company’s business from a commercial perspective, how the company has identified, assessed, and defined its risk profile and the degree to which the program devotes appropriate scrutiny and resources to the spectrum of risks.” The Updated Evaluation Guidance includes questions regarding: “Risk Management Process – e.g., the company’s methodology for assessing risk, including what types of information/metrics the company uses in this process.” It introduces two new areas of consideration (1) Risk-Tailored Resource Allocation – e.g., the company’s allocation of compliance resources to high-risk areas; and (2) Updates and Revisions – e.g., The company’s process for periodically updating its risk assessment.
Latin American companies should not lose sight of the importance of this component when designing and continually strengthening their compliance programs. Companies can expect prosecutors to spend more time understanding how risk assessments informed their resource allocations, and to scrutinize those decisions.
Emphasis on Proactive Justification of Business Rationales for Third Parties. More and more, companies operating in Latin America are performing reputational reviews and other due diligence on third parties. But less frequently are they reviewing and documenting the internal business rationale for their use. Perhaps the reason is that the compliance function does not have strong visibility into the decision-making processes of the business units. Contracting at the company might also be performed in an informal way with no expectation for written justifications. While a company might have processes to confirm the third party is a legally-establish entity, those processes often stop short of requiring employees to articulate the business rationale.
The Updated Evaluation Guidance’s section on “Third Party Management” assesses how the company ensures appropriate business rationales for the use of third parties. These questions evidence the view that the first, and arguably most important, step in managing compliance risk posed by third parties is to evaluate whether there is a clear business need to engage them and if so, to articulate what qualifications are required to meet that need. Companies in Latin America will be well served to consider whether their compliance programs require this step and, if so, whether it is documented and maintained as part of the due diligence file.
The opinions expressed in this post are those of the author in his or her individual capacity and do not necessarily represent the views of anyone else, including the entities with which the author is affiliated, the author`s employers, other contributors, FCPAméricas, or its advertisers. The information in the FCPAméricas blog is intended for public discussion and educational purposes only. It is not intended to provide legal advice to its readers and does not create an attorney-client relationship. It does not seek to describe or convey the quality of legal services. FCPAméricas encourages readers to seek qualified legal counsel regarding anti-corruption laws or any other legal issue. FCPAméricas gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to FCPAméricas LLC.
© 2019 FCPAméricas, LLC