On 1 June 2020, the US Department of Justice (“DoJ”) Criminal Division published updated guidance on the Evaluation of Corporate Compliance Programs (the “ECCP”). Unlike previous updates, the DoJ did not publicise the update nor provide any explanatory press release. Our previous Law-Now (available here) set out in detail the purpose of the ECCP and how it is used by US prosecutors when considering whether to bring charges against a corporate and/or the terms of any plea agreement. In essence, US prosecutors will take into account any corporate compliance program when assessing corporate wrongdoing and how to deal with it by reference to the ECCP and by reference to the following three “fundamental questions”:
- Is the corporation’s compliance program well designed?
- Is the program being applied earnestly and in good faith?
- Does the corporation’s compliance program work in practice?
This approach differs to the UK position, where certain corporate offences have a defence if a corporate can show it had adequate or reasonable procedures in place designed to prevent the offending (i.e. it can be a complete defence to the offence rather than just a mitigation point). However, the ECCP is a very useful document for compliance professionals and those looking to increase the rigour of their corporate compliance regimes.
What are the main changes?
The updates reflect experience and learning by the DoJ in implementing the ECCP in previous iterations. Most of the updates deal with the first fundamental question and go to the design of the program (although the ECCP itself acknowledges there is wide overlap between the three questions). The updates:
- Highlight the fact that prosecutors need to try to understand why the company has chosen to set up its program in the way it has, as well as how and why the design of the program has evolved over time. In other words, the DoJ will look not just at the current iteration of the program but how it has evolved from inception. This was already clear in the guidance but has been further highlighted in the latest iteration.
- Clarify that the DoJ is interested in seeing that periodic risk reviews/assessments are not just snapshots at a particular moment but rather are “based upon continuous access to operational data and information across functions”.
- Interestingly, whereas the previous version of the ECCP explicitly noted that credit may be given to a program that devotes appropriate attention and resource to high-risk transactions, “even if it fails to prevent an infraction in a low-risk area”, the reference to low-risk areas has been removed, widening the circumstances where credit may be given, e.g. to include where an infraction occurs in a higher risk area.
- Add a separate category for “lessons learned”, which encompass not just whether the corporate has learnt from its own experiences but also from other companies operating in the same industry and/or region – placing an onus on corporates to keep a keen eye on what is happening within the areas in which they operate from a corporate crime perspective.
- Tone down wording that appeared to assume that some level of due diligence would be required on every third party, by acknowledging that not only the “degree” of diligence but also the “need for” diligence may vary based on the circumstances of both the company and the third party.
- Add consideration of whether the company engages in third party risk management throughout the lifespan of the relationship or predominantly at the onboarding stage. The message is that the DoJ wants to see active management and review of third parties on an ongoing basis as good risk management and mitigation.
- In the context of M&A, the ECCP highlights the need for review of not just pre-M&A due diligence conducted by companies, but also the controls and processes in place to integrate acquired targets on a “timely and orderly” basis into the company’s compliance regime. The amendments also add reference to whether the company conducted post-acquisition audits into acquired businesses to improve their understanding of the risks posed by that business following acquisition.
The updates also touch on aspects of the second “fundamental question” – i.e. whether the program is being applied earnestly and in good faith. Specifically:
- The second question, whether the program is being applied “earnestly and in good faith”, is clarified: rather than asking whether the program is “being implemented effectively”, it now focuses on whether the program is “adequately resourced and empowered to function effectively”. This change makes more sense than the previous language, as the focus should be on the steps taken to try to implement it effectively, rather than whether it has been effective (which to some extent it cannot have been if the DoJ are looking at potential crimes).
- Minor additions place more emphasis on not just senior management commitment to the program, but also middle management buy-in.
- An addition requires prosecutors to assess whether the compliance function has sufficient access (directly or indirectly) to relevant data sources to allow for timely and effective monitoring and testing of controls and, if there are impediments, what is the company doing to address them.
- A further addition focuses on whether the compliance function monitors its investigations and any resulting discipline to ensure consistency.
The amendments are not particularly ground-breaking and appear to be more in the nature of tweaks rather than substantial rewrites, to take account of learning points from past cases. They clarify and highlight certain points that were often already contained in (or implicit from) the ECCP and offer the DoJ more flexibility in how to approach their assessment of a corporate’s compliance program, potentially to the advantage of the corporate.
The US has always set the bar high in terms of its expectations of corporate compliance programs and many of the amendments and additions in the most recent ECCP only seek to raise that bar (particularly around ensuring risks are continuously identified, monitored and mitigated through evolutions of the corporate compliance program). For some non-US corporates, the kinds of measures envisaged by the ECCP may seem excessive or prohibitively costly/time consuming. Even for UK corporates, many of whom in recent years have sought to implement more substantial financial crime controls (following the implementation of the Bribery Act 2010, enhanced money laundering requirements for certain business sectors and the Criminal Finances Act 2017), some of the expectations may seem extreme. Indeed, the equivalent UK guidance from the SFO falls far short of the 20 pages’ worth of guidance in the ECCP (see our previous Law-Now on the SFO’s guidance here).
This is perhaps unsurprising. The US has had much longer to formulate and finesse guidance on this point, the prosecution and compliance culture is different, and there are potentially greater incentives for corporates exposed to US jurisdiction to develop more sophisticated and costly compliance controls (as the statistics suggest there is a greater threat of higher sanctions and risk of being caught). Due to the longer period of development in the US, the bar for all businesses as to what it is reasonable to expect them to put in place by way of compliance controls is also seemingly higher. For example, the US anti-bribery laws have been in place since the 1970s and the US authorities have been actively investigating corporate bribery for much longer than the UK authorities, who have only really increased their focus on corporates following the introduction of the Bribery Act in 2011. Before the Rolls-Royce DPA in 2017, the examples of financial penalties handed down for bribery offences were very significantly lower than in the US. While the level of detail between the US and UK guidance may differ significantly now, the ECCP may give UK corporates a steer on where UK prosecutors and regulators may look to develop their thinking on this topic in future, particularly if (as successive Directors of the SFO have advocated), further failure to prevent corporate offences are introduced in the UK.