DOJ - Effective Compliance Program Flashcards
Is the Corporation’s Compliance Program Well Designed?
The “critical factors in evaluating any program are whether the program is adequately designed for maximum effectiveness in preventing and detecting wrongdoing by employees and whether corporate management is enforcing the program or is tacitly encouraging or pressuring employees to engage in misconduct.” JM 9-28.800.
Accordingly, prosecutors should examine “the comprehensiveness of the compliance program,” JM 9-28.800, ensuring that there is not only a clear message that misconduct is not tolerated, but also policies and procedures – from appropriate assignments of responsibility, to training programs, to systems of incentives and discipline – that ensure the compliance program is well-integrated into the company’s operations and workforce.
U.S. Department of Justice Criminal Division
Evaluation of Corporate Compliance Programs
- “Is the corporation’s compliance program well designed?”
- “Is the program being applied earnestly and in good faith?” In other words, is the program adequately resourced and empowered to function effectively?
- “Does the corporation’s compliance program work” in practice?
See JM 9-28.800.
In answering each of these three “fundamental questions,” prosecutors may evaluate the company’s performance on various topics that the Criminal Division has frequently found relevant in evaluating a corporate compliance program both at the time of the offense and at the time of the charging decision and resolution. The sample topics and questions below form neither a checklist nor a formula. In any particular case, the topics and questions set forth below may not all be relevant, and others may be more salient given the particular facts at issue and the circumstances of the company. Even though we have organized the topics under these three fundamental questions, we recognize that some topics necessarily fall under more than one category.
A. Risk Assessment
The starting point for a prosecutor’s evaluation of whether a company has a well-designed compliance program is to understand the company’s business from a commercial perspective, how the company has identified, assessed, and defined its risk profile, and the degree to which the program devotes appropriate scrutiny and resources to the spectrum of risks. In short, prosecutors should endeavor to understand why the company has chosen to set up the compliance program the way that it has, and why and how the company’s compliance program has evolved over time.
Prosecutors should consider whether the program is appropriately “designed to detect the particular types of misconduct most likely to occur in a particular corporation’s line of business” and “complex regulatory environment[].” JM 9-28.800.
For example, prosecutors should consider whether the company has analyzed and addressed the varying risks presented by, among other factors, the location of its operations, the industry sector, the competitiveness of the market, the regulatory landscape, potential clients and business partners, transactions with foreign governments, payments to foreign officials, use of third parties, gifts, travel, and entertainment expenses, and charitable and political donations.
Prosecutors should also consider “[t]he effectiveness of the company’s risk assessment and the manner in which the company’s compliance program has been tailored based on that risk assessment” and whether its criteria are “periodically updated.” See, e.g., JM 9-47-120(2)(c); U.S.S.G. § 8B2.1(c) (“the organization shall periodically assess the risk of criminal conduct and shall take appropriate steps to design, implement, or modify each requirement [of the compliance program] to reduce the risk of criminal conduct”).
Prosecutors may credit the quality and effectiveness of a risk-based compliance program that devotes appropriate attention and resources to high-risk transactions, even if it fails to prevent an infraction.
Prosecutors should therefore consider, as an indicator of risk-tailoring, “revisions to corporate compliance programs in light of lessons learned.” JM 9-28.800.
The Civil Cyber-Fraud Initiative follows several significant cyberattacks, which are only becoming more prevalent. The new initiative is the first formal step DOJ has taken in combatting them by focusing on the preventative cybersecurity efforts of government contractors.
The implications for government contractors and service providers cannot be overstated. In the healthcare space, entities are already subject to a complex web of cybersecurity requirements under HIPAA. But the Civil Cyber-Fraud Initiative brings a new enforcement dimension to all contractors, with the specter of treble damages and staggering statutory penalties under the FCA.