March 2023 Updates to the DOJ’s Compliance Program Evaluation Guidance

March 2023 was an important month for compliance programs. During this time, the U.S. Department of Justice (DOJ) updated their guidance document titled “Evaluation of Corporate Compliance Programs.”[1]

What is the Evaluation of Corporate Compliance Guidance Document?

For those unfamiliar with this document, it serves as guidance for prosecuting attorneys in determining whether an organization had an effective compliance program in place at the time of alleged misconduct. This is an important factor that prosecutors weigh when they are calculating fines and determining obligations associated with resolution of misconduct. In essence, the guidance document is a tool DOJ uses to assess an organization’s compliance program effectiveness. As such, it should also be a tool for compliance professionals as they assess their organization’s compliance program.

Key Updates in March 2023

This paper provides a summary of key updates made to this document in March 2023. It is not the first time updates have been made, and Healthicity has reported on updates in the past.[2] If you are not familiar with the rest of this DOJ document, familiarize yourself with its entire contents rather than relying on this paper alone, as the intention here is to highlight the major changes, not expound on all the other important information in the DOJ guidance.

The most substantial changes focused on two areas: Section II.C (Compensation Structures and Consequence Management) and portions of Section III.B (Investigation of Misconduct).

Section II.C (Compensation Structures and Consequence Management)

This section received a title change from “Incentives and Disciplinary Measures” to “Compensation Structures and Consequence Management.”

DOJ wants compliance programs to demonstrate clear consequences for non-compliance. They want to see procedures that identify, investigate, discipline, and remediate. One example includes the idea of internally publicizing disciplinary actions when appropriate and possible. The DOJ believes this type of activity can be a valuable deterring factor. Consideration of the compliance program’s efforts to use data as it relates to discipline is also important in assessing consequence management as the DOJ describes it. They suggest efforts could “include monitoring the number of compliance-related allegations that are substantiated, the average (and outlier) times to complete a compliance investigation, and the effectiveness and consistency of disciplinary measures across the levels, geographies, units or departments of an organization.”

Significant language was also added to this section relating to compensation structures, as DOJ believes this can play an important role in fostering a culture of compliance.

Generally, this can be achieved in two ways:

    • The first includes the threat, or possibility, of losing compensation for actions of non-compliance.
    • The second is rewarding individuals for fostering compliant behavior.

Essentially, these approaches parallel a “stick or carrot” approach, or possibly both.

The stick approach might include incentivizing compliance by employing a compensation system that defers or escrows “certain compensation tied to conduct consistent with company values and policies.” DOJ explains some companies have enforced contract provisions that permit the company to recoup previously awarded compensation “if the recipient of such compensation is found to have engaged in or to be otherwise responsible for corporate wrongdoing.” It would be important to demonstrate actual financial recoupment, or use of this “stick,” on occasion as circumstances dictate. It does not demonstrate effectiveness if such policies are written and approved but never acted upon.

The carrot approach can also work. Positive incentives highlighted by the DOJ include “promotions, rewards, and bonuses for improving and developing a compliance program or demonstrating ethical leadership…Prosecutors should examine whether a company has made working on compliance a means of career advancement, offered opportunities for managers and employees to serve as a compliance “champion”, or made compliance a significant metric for management bonuses.”

In either case, DOJ suggests the compliance department might just have a role in helping construct incentives that foster a culture of compliance. The guidance asks, “What role does the compliance function have in designing and awarding financial incentives at senior levels of the organization? How does the company incentivize compliance and ethical behavior?”

Consistent with themes in the recent DOJ Monaco Memo,[3] the updated DOJ guidance also focuses on individual, and even executive, accountability when non-compliance occurs. Specifically, the updated guidance asks, “How transparent has the company been with the design and implementation of its disciplinary process? In circumstances where an executive has been exited from the company on account of a compliance violation, how transparent has the company been with employees about the terms of the separation? Are the actual reasons for discipline communicated to employees in all cases? If not, why not?”

III.B (Investigation of Misconduct)

The DOJ believes one element of an effective compliance program “is the existence of a well-functioning and appropriately funded mechanism for the timely and thorough investigations of any allegations or suspicions of misconduct by the company, its employees, or agents.”

The section on investigation of misconduct saw significant updates with the March 2023 revisions. These include some of the following:

Independence and Empowerment

“Independence and Empowerment” is a newly added subsection. DOJ asks some very specific questions relating to these principles. Specifically, they ask:

      • Is compensation for employees who are responsible for investigating and adjudicating misconduct structured in a way that ensures the compliance team is empowered to enforce the policies and ethical values of the company?
      • Who determines the compensation, including bonuses, as well as discipline and promotion of compliance personnel or others within the organization that have a role in the disciplinary process generally?

Communication

Staying current with the times and the technology used to communicate with one another in today’s business environment, the DOJ prefaces its questions about communication with an explanation of contemporary messaging applications.

“In evaluating a corporation’s policies and mechanisms for identifying, reporting, investigating, and remediating potential misconduct and violations of law, prosecutors should consider a corporation’s policies and procedures governing the use of personal devices, communications platforms, and messaging applications, including ephemeral messaging applications. Policies governing such applications should be tailored to the corporation’s risk profile and specific business needs and ensure that, as appropriate and to the greatest extent possible, business-related electronic data and communications are accessible and amenable to preservation by the company. Prosecutors should consider how the policies and procedures have been communicated to employees, and whether the corporation has enforced the policies and procedures on a regular and consistent basis in practice.”

As it relates to messaging applications, DOJ subdivides their evaluation questions into Communication Channels, Policy Environment and Risk Management.

Communication Channels:

      • What electronic communication channels do the company and its employees use, or allow to be used, to conduct business?
      • How does that practice vary by jurisdiction and business function, and why?
      • What mechanisms has the company put in place to manage and preserve information contained within each of the electronic communication channels?
      • What preservation or deletion settings are available to each employee under each communication channel, and what do the company’s policies require with respect to each?
      • What is the rationale for the company’s approach to determining which communication channels and settings are permitted?

Policy Environment:

      • What policies and procedures are in place to ensure that communications and other data is preserved from devices that are replaced?
      • What are the relevant code of conduct, privacy, security, and employment laws or policies that govern the organization’s ability to ensure security or monitor/access business-related communications?
      • If the company has a “bring your own device” (BYOD) program, what are its policies governing preservation of and access to corporate data and communications stored on personal devices—including data contained within messaging platforms—and what is the rationale behind those policies?
      • How have the company’s data retention and business conduct policies been applied and enforced with respect to personal devices and messaging applications?
      • Do the organization’s policies permit the company to review business communications on BYOD and/or messaging applications?
      • What exceptions or limitations to these policies have been permitted by the organization?
      • If the company has a policy regarding whether employees should transfer messages, data, and information from private phones or messaging applications onto company record-keeping systems in order to preserve and retain them, is it being followed in practice, and how is it enforced?

Risk Management:

      • What are the consequences for employees who refuse the company access to company communications?
      • Has the company ever exercised these rights?
      • Has the company disciplined employees who fail to comply with the policy or the requirement that they give the company access to these communications?
      • Has the use of personal devices or messaging applications—including ephemeral messaging applications—impaired in any way the organization’s compliance program or its ability to conduct internal investigations or respond to requests from prosecutors or civil enforcement or regulatory agencies?
      • How does the organization manage security and exercise control over the communication channels used to conduct the organization’s affairs?
      • Is the organization’s approach to permitting and managing communication channels, including BYOD and messaging applications, reasonable in the context of the company’s business needs and risk profile?

Conclusion:

The DOJ’s March 2023 updates to their compliance program evaluation guidance centered on two major areas.

These included: (1) compensation structures and consequence management, and (2) investigation of misconduct. For the first area, DOJ emphasizes the importance of financial incentives and the possibility of compensation recoupment in order to encourage compliance behavior. For the second area, DOJ focused on messaging applications and how they relate to investigations of misconduct. Their evaluation questions were divided into communication channels, policy environment and risk management.

Given these new expectations as well as the many others which have remained in the DOJ’s guidance, how can organizations be reassured their compliance programs are effective and in line with DOJ direction?

The answer is performing a compliance program effectiveness review or having someone perform one for you. The DOJ seems to agree by suggesting “prosecutors should consider whether the company has engaged in meaningful efforts to review its compliance program and ensure that it is not stale.” They continue by referencing the U.S. Sentencing Guidelines which state organizations should “evaluate periodically the effectiveness of the organization’s” program. If it has been a while since your organization’s compliance program has had an effectiveness review, now might be the time to schedule one.

[1] See https://www.justice.gov/criminal-fraud/page/file/937501/download

[2] See https://www.healthicity.com/blog/explaining-dojs-updated-guidance-corporate-compliance-programs

[3] See https://www.healthicity.com/blog/individual-accountability-dojs-latest-enforcement-focus

 
