Staying Ahead of the Curve: Understanding and Implementing the DOJ's Latest Guidelines

The U.S. Department of Justice (DOJ) has recently issued its March 2023 update on the Evaluation of Corporate Compliance Programs.^[1] The update is crucial for companies operating in Central and Latin America, as it highlights the need for data-driven assessments of compliance programs and emphasizes the importance of comprehensive monitoring and testing systems to measure the effectiveness of these programs. In this article, we will explore the implications of this update and offer actionable advice for compliance professionals in Central and Latin America on how to implement these changes effectively.

Unpacking the DOJ’s Updated Guidelines

In the process of strengthening the guidelines established by the “Principles of Federal Prosecution of Business Organizations” described in the Justice Manual, DOJ has recently issued its March 2023 update on the Evaluation of Corporate Compliance Programs;^[2] its last update was in June 2020.^[3] The primary changes in the 2023 update are under the headings “Compensation Structures and Consequence Management” and “Investigation of Misconduct”; however, the core structure and content of the guidance remain the same. In general terms, this document is intended to assist prosecutors on how to evaluate the effectiveness of a compliance program in accordance with each company’s risk profile and risk mitigation efforts. While the spirit of this document is to assist U.S. regulators in evaluating corporate compliance programs in the specific context of a criminal investigation, it has also become a vital guide for assessing corporate compliance programs in other parts of the world, including Central and Latin America.

One of the primary themes emphasized by the DOJ update is the need for data-driven assessments of compliance programs. As the management consultant, educator, and author Peter Drucker stated, it’s difficult to fix what you can’t measure.^[4] Therefore, compliance professionals in Central and Latin America must ensure their compliance programs align with DOJ’s new guidance. They must revise policies and procedures, update training programs, and enhance monitoring and testing procedures to ensure their compliance program is appropriately designed and operating effectively.

Compliance professionals must also work closely with senior management to ensure compliance is integrated into the company’s overall strategy. This may involve securing additional funding or staff and ensuring compliance professionals have sufficient access to company data and resources. Companies should also consider engaging outside experts to provide independent compliance program assessments to implement the new guidance.

The update introduced several new components companies should consider when developing or evaluating their compliance programs. In general terms, these updates include:

• Prioritizing training and education: Companies must prioritize training and education for their employees, third-party agents, and business partners. This includes providing regular training on the company’s code of conduct, anti-corruption policies, and other compliance-related topics. Companies should also consider providing specialized training for employees who work in high-risk areas.
• Conducting risk assessments: Companies should regularly conduct risk assessments to identify areas where they are most vulnerable to potential violations. These risk assessments should consider the company’s operations, industry, and location.
• Maintaining accurate and complete records: Companies should maintain accurate and complete records of all compliance-related activities, including training, risk assessments, and investigations. This documentation should be easily accessible to all relevant personnel.
• Conducting thorough investigations: Companies should conduct thorough and impartial investigations of potential violations. This includes providing employees with a way to report violations anonymously and without fear of retaliation.
• Encouraging reporting and creating a culture of compliance: Companies should encourage employees to report potential violations and create a culture of compliance. This includes promoting open communication, providing incentives for good behavior, and creating a system for whistleblowers to report potential violations.

New Evaluation Criteria Outlined

The updates in “Compensation Structures and Consequence Management” emphasized the importance of establishing incentives for compliance and disincentives for noncompliance, including consequence management procedures, internally publicized disciplinary actions, tracking data related to disciplinary measures, and the design and implementation of compensation schemes. It also highlights the following factors:

• Human resource processes related to the procedures and parties making disciplinary decisions, the design and implementation of disciplinary processes, and the disclosure or access to information about disciplinary processes.
• Disciplinary measures, actions, and procedures to enforce compliance policies.
• Consistent application of disciplinary measures across all geographies, operating units, and levels of the organization.
• A financial incentive system that rewards compliance and ethical behavior but allows for cancellation or recoupment in cases of noncompliance, such as denial of promotions or awards, deferred compensation, or clawbacks.
• Effectiveness in terms of indicators, insights, substantiation rates, root cause analysis, average time for completion of investigations, and percentages related to qualitative and quantitative analysis of the performance of compliance measures.

The updates also strengthened the “Investigation of Misconduct” section, in reference to an effective investigation structure to document the company’s response to alleged misconduct, including any disciplinary or remediation measures taken. In particular, the update emphasizes the importance of the corporation’s policies and procedures governing the use of personal devices, communication platforms, and messaging applications tailored to the corporation’s risk profile and specific business needs. It considers the following factors:

• Communication channels used by the company and its employees to conduct business—and how they vary according to the jurisdiction and business function—and mechanisms to preserve information or delete settings within each communication channel.
• Policies and procedures related to communications, including preservation, monitoring and access, and security of business communications.
• Risk management, security, and control over the communication channels, including bringing your own device (BYOD) and messaging applications.

Each of the new criterion highlights the involvement, commitment, and evaluation that each employee must have, which is aligned with the historical efforts of other U.S. regulatory institutions with respect to individual accountability.^[5] For example, in 2014, the Financial Crimes Enforcement Network (FinCEN) of the U.S. Department of the Treasury emphasized the importance of maintaining a strong culture of compliance, and specified that the entire staff is responsible for anti-money laundering (AML) and countering the financing of terrorism (CFT) compliance.^[6] Likewise, in sync with this advisory information, on September 9, 2015, then-Deputy Attorney General Sally Q. Yates issued a memorandum on “Individual Accountability for Corporate Wrongdoing” (the Yates Memo).^[7] The Yates Memo also focuses on individuals who perpetrate wrongdoing in corporate misconduct investigations and notes that the resolution of a corporate case does not provide protection to individuals from criminal or civil liability.

In this sense, the effectiveness of a compliance program depends not only on the compliance officer, the compliance function, or the internal control design and operation but also on the commitment of each member of an organization who puts the compliance program into practice.

Best Practices for Implementing the New Criteria

As the update mentioned, it is important to tailor compliance programs to the specific risks faced by the organization. DOJ sets out general criteria that can be reviewed and adjusted according to the characteristics of each organization, considering various factors including, but not limited to, the company’s size; industry; geographic footprint; regulatory landscape; and other factors—both internal and external to the company’s operations—that might affect its compliance program.

According to the 2022 Kroll Anti-Bribery and Corruption Benchmarking Report, global companies primarily respond to the new regulatory measures by reviewing their compliance programs (44%), refreshing their risk assessments (43%), and evaluating their existing policies and procedures (42%).^[8] Only 31% of compliance professionals respond to these latest measures by considering enhancements to their compliance programs in expectation of additional scrutiny. While the review and/or assessment of the existing compliance program can be the first step, new regulatory measures also require an update of policies and procedures, in addition to proper implementation, employee training, and ongoing monitoring measures.

The continued strengthening of corporate compliance programs takes on added strength in Central and Latin America when we consider the continuous measures that the U.S. government is issuing in relation to the fight against corruption in the region. Examples include continuously updating of the Global Magnitsky Sanctions program and visa restriction powers, updating the Engels List, and different economic sanctions issued against entities and individuals.

In this regard, the effectiveness and continuous improvement of compliance programs according to the new updates could be assessed from the following areas:

• Risk-focused regulatory and operational compliance assessments for internal and external advisers, according to local and international law and regulations, including a risk-based AML/CFT and sanctions compliance program.
• Third-party identification and due diligence policy, including the third-party verification process, beneficial ownership identification, customer due diligence or enhanced due diligence for politically exposed persons and other high-risk third parties as may be defined by the corporation, and periodic/ongoing reviews.
• Information security assessments that assess IT governance, application development lifecycles, change management policies and practices, and information security controls against regulatory requirements and global industry standards. In addition, the corporation could identify and evaluate communications channels and evaluate application and infrastructure monitoring, capacity planning, business continuity, and recovery plans.

Takeaways

• The U.S. Department of Justice (DOJ) updates emphasized the application of compliance-based reward and bonus systems through compensation structures and consequence management criteria.
• Management of communication channels should include mechanisms and policies around managing, preserving, and deleting information settings, including policies on personal devices.
• DOJ’s update is a significant development for companies operating in Central and Latin America, even more so when they have operations or commercial relationships in the U.S.
• Compliance professionals must ensure that their programs align with the new guidance, integrate with the company’s overall strategy, and use data-driven assessments to measure effectiveness.

Companies can establish policies and procedures to ensure effective compliance with these recommendations to avoid costly penalties and legal action while improving their corporate culture and reputation, increasing investor confidence, and better managing risk.

Copyright 2023 CEP Magazine, a publication of the Society of Corporate Compliance and Ethics (SCCE).

Sources:
¹ U.S. Department of Justice, Criminal Division, Evaluation of Corporate Compliance Programs, March 2023, https://www.justice.gov/criminal-fraud/page/file/937501/download.
² U.S. Department of Justice, Justice Manual, §9-28.300 (2023), https://www.justice.gov/jm/jm-9-28000-principles-federal-prosecution-business-organizations#9-28.300.
³ Aisling O’Shea, Nicolas Bourtin, and Anthony Lewis, “DOJ Updates Guidance on the Evaluation of Corporate Compliance Programs,” Harvard Law School Forum on Corporate Governance, June 20, 2020, https://corpgov.law.harvard.edu/2020/06/20/doj-updates-guidance-on-the-evaluation-of-corporate-compliance-programs/
⁴ Harry A. Patrinos, “You Can’t Manage What You Don’t Measure,” World Bank Blogs, December 1, 2014, https://blogs.worldbank.org/education/you-can-t-manage-what-you-don-t-measure.
⁵ U.S. Department of Justice Archives, “About The Individual Accountability Policy,” archived content, last accessed April 6, 2023, https://www.justice.gov/archives/dag/individual-accountability
⁶ U.S. Department of the Treasury, Financial Crimes Enforcement Network, “FIN-2014-A006: Advisory on the FATF-Identified Jurisdictions with AML/CFT Deficiencies,” August 5, 2014, https://www.fincen.gov/resources/advisories/fincen-advisory-fin-2014-a006.
⁷ Sally Quillian Yates, “Individual Accountability for Corporate Wrongdoing,” Memorandum from the Deputy Attorney General, September 9, 2015, https://www.justice.gov/archives/dag/file/769036/download.
⁸ Kroll, “2022 Anti-Bribery and Corruption Report,” June 6, 2022, https://www.kroll.com/en/insights/publications/compliance-risk/anti-bribery-and-corruption-report.