Gabriel L. Imperato (gabriel.imperato@nelsonmullins.com) is the Managing Partner of the Fort Lauderdale office of Nelson Mullins Broad and Cassel and the Team Leader of the firm’s Health Care Criminal and Civil Enforcement, Litigation and Compliance Practice.
The United States Department of Justice (DOJ) recently released documents with guidelines for evaluating corporate compliance programs and cooperation credit and self-disclosure in both criminal and civil enforcement actions. The DOJ Criminal Fraud Section updated its existing guidance entitled Evaluation of Corporate Compliance Programs[1] for its criminal prosecuting attorneys, and the Civil Fraud Branch further elaborated on guidance for cooperation credit and self-disclosure to DOJ attorneys in civil False Claims Act (FCA) cases.[2] These documents emphasize important aspects and best practices for organizational compliance programs and highlight the need for effective corrective action to prevent and detect future occurrences of underlying noncompliant conduct.
Evaluating compliance programs
The DOJ released a comprehensive guidance document entitled Evaluation of Corporate Compliance Programs during 2017. This recently updated guidance[3] is intended to assist federal prosecutors in making decisions about whether and to what extent an organization’s compliance program was effective for the purposes of determining:
- Whether criminal charges should be filed against the company,
- Whether and in what amount a fine should be levied against the company, and
- Whether a monitor or some other compliance obligation should be imposed on the company.
The guidance document also offers valuable insight for compliance professionals and reinforces the fact that prosecutors will assign significant weight to compliance programs when determining whether to charge, fine, or impose monitorships on companies that have engaged in wrongdoing.
The guidance document states that DOJ does not use a “rigid formula” to assess the effectiveness of a company’s compliance program, but it does lay out three “fundamental questions” that a criminal prosecutor should answer.
1. Is the compliance program well-designed?
The guidance states that prosecutors should first make a threshold determination about whether a company’s compliance program is appropriately designed to detect the types of misconduct that are most likely to occur in the company’s line of business (i.e., risk assessment). An examination should also be made of the company’s policies and procedures to ensure that they address key compliance risks and that they are effectively communicated to employees through regular training. Additionally, prosecutors are instructed to determine whether a company has an “efficient and trusted” system for the confidential reporting of potential violations, as well as for investigating such reports. Finally, prosecutors should determine whether a compliance program includes procedures for performing meaningful due diligence on its third-party business partners and/or acquisition targets.
The updated guidance calls for the following design features of the organization’s compliance program to be evaluated:
- Risk assessment is the starting point for any company’s compliance program. It means conducting an initial risk assessment and having a predetermined “investigations playbook” that addresses how a company determines which issues merit further investigation and who should conduct an investigation.
- Policies and procedures are clearly written, well known, and accessible to employees and third-party partners, including any incentive or disciplinary policies and procedures.
- Resources are appropriately allocated depending on the size of the company. The general rule of thumb is the larger the organization, the more formal its compliance operation should be.
- Training and communication are integrated through periodic training and certification of all directors, officers, relevant employees and third-party partners. DOJ may credit the quality and effectiveness of a risk-based compliance program, even if it ultimately fails to prevent an infraction.
- Confidential reporting structures are a new addition from the 2017 guidance. The DOJ will evaluate the organization’s systems that allow employees to anonymously or confidentially report allegations of misconduct or other breaches of a company’s policies, procedures, or code of conduct.
- Managing third parties by applying a company’s risk-based due diligence to its relationships with outside partners, agents, consultants, and distributors is essential.
- Mergers and Acquisitions require due diligence, and any acquisition should include the target company’s compliance program to identify any potential misconduct that could harm profitability or brand reputation, or risk civil or criminal liability.
2. Is the compliance program implemented effectively?
Even a well-designed compliance program can be unsuccessful if it is implemented incorrectly. Thus, prosecutors are instructed to determine whether a company’s compliance program is “implemented, reviewed, and revised…in an effective manner.” In order to do so, prosecutors should first determine whether management has clearly articulated the company’s ethical standards, demonstrated adherence to these standards, and encouraged employees to follow them. Prosecutors should also evaluate whether the employees who are responsible for compliance have sufficient experience, seniority, resources, and autonomy. Finally, prosecutors should assess what happens after compliance issues are detected—that is, whether the company has disciplinary procedures in place, whether these procedures are consistently and effectively enforced, and whether the company’s compliance program is adapted or revised, as necessary.
3. Does the compliance program work in practice?
One of the most difficult things for a prosecutor to do after misconduct has occurred is to try to determine whether a compliance program was working effectively, especially if the misconduct was not immediately detected. The guidance document notes that “the existence of misconduct does not, by itself, mean that a compliance program did not work or was ineffective at the time of the offense.” In order to assess whether a compliance program was effective at the time that misconduct occurred, prosecutors should consider, “whether and how the misconduct was detected, what investigation resources were in place to investigate suspected misconduct, and the nature and thoroughness of the company’s remedial efforts.” Prosecutors should also consider whether and how a company’s compliance program “evolved over time to address existing and changing compliance risks.” Prosecutors are also instructed to consider any remedial actions taken by a company in the wake of the discovery of misconduct, including disciplinary actions against individual violators.
Compliance professionals and company management would be wise to pay attention to DOJ’s updated guidance for the evaluation of corporate compliance programs. The guidance document is easily the most detailed articulation of how DOJ will analyze corporate compliance programs when determining whether criminal charges, fines, or monitorships are warranted. This document is a reminder to organizations of the ever-increasing emphasis that the DOJ places on compliance. As Assistant Attorney General Brian Benczkowski noted in a speech announcing the issuance of the guidance document, “The importance of corporate compliance cannot be overstated.”