Use of Data Analytics and Access to Compliance Resources Among New Considerations
On June 1, 2020, the United States Department of Justice (DOJ) updated its “Evaluation of Corporate Compliance Programs,” a guidance document used by prosecutors to assess compliance programs. Prosecutors use the document in making charging decisions pertaining to companies and in imposing obligations such as a corporate monitorship.
The revised document updates a prior version released in 2019, with Assistant Attorney General Brian Benczkowski indicating that “important feedback from the business and compliance communities,” along with the DOJ’s “own experience,” prompted the revisions. The guidance places new emphasis on areas such as whether a compliance program utilizes data analytics, how the compliance program evolves and adapts to change, and whether the program is adequately resourced.
Utilize Data and Make Compliance Resources Accessible
One of the more notable updates to the guidance is a new paragraph on “Data Resources and Access,” advising prosecutors to consider whether compliance and control personnel have sufficient access to relevant sources of data “to allow for a timely and effective monitoring and/or testing of polices, controls, and transactions.” The guidance further suggests that prosecutors consider whether any impediments at the company exist that limit access to relevant sources of data and, if so, what the company is doing to address the impediments.
The update also advises prosecutors to consider whether compliance resources (often the sources from which data is gathered and assessed) are sufficiently accessible at the company. For example, the guidance instructs prosecutors to consider whether the company has instituted “online or in-person . . . process[es] by which employees can ask questions arising out of [compliance] trainings,” as well as whether the company “tests measures” to ensure that it has a reporting hotline that “employees are aware of” and “feel comfortable using.” In addition, prosecutors should also consider whether company policies and procedures have been published in a searchable format for “easy reference,” and whether the company tracks access to policies and procedures to understand which ones “are attracting more attention” from employees.
Consider How Compliance Adapts to Change
The guidance also suggests that prosecutors evaluate whether a compliance program appropriately reflects changing circumstances at the company. For example, prosecutors are encouraged to consider “why and how the company’s compliance program has evolved over time,” as well as whether the company “review[s] and adapt[s] its compliance program based upon lessons learned from its own misconduct and/or that of other companies facing similar risks.” Prosecutors should also determine whether the company “engage[s] in risk management of third parties throughout the lifespan of the[ir] relationship” as opposed to “primarily during the onboarding process.”
Adequately Resource Compliance Programs
Another noteworthy update is the replacement of a question regarding whether a corporate compliance program is “being implemented effectively” with the new question of whether a corporate compliance program is “adequately resourced and empowered to function effectively.” This clarification shifts the previous focus on results to a more particular consideration of whether companies dedicate appropriate attention and resources to their compliance programs. Whether a compliance program is adequately resourced can depend on factors such as staffing at various levels and the availability of compliance personnel training, which can in turn signal the program’s effectiveness.