The Justice Department Criminal Division recently released guidance on what it considers when deciding how a corporation’s compliance program factors into its investigation and the ultimate decision as to whether to bring charges, negotiate pleas or enter into other agreements with corporations under investigation. The Evaluation of Corporate Compliance Programs, released on April 30, 2019, is an expansion of the 2017 guidance document issued by the Criminal Division Fraud Section.

Prosecutors Must Ask Three Fundamental Questions

Prosecutors will ask three fundamental questions to determine if a corporation’s compliance program was effective at the time of the offense and at the time of charging:

1. Is the compliance program well-designed?
2. Is the compliance program being implemented effectively?
3. Does the compliance program work in practice?

Is Your Compliance Program Well-Designed?

An Effective Compliance Program Identifies Specific Risks

An effective compliance program will be tailored to the specific risks affecting the company under investigation. Prosecutors will ask if the company identified its own “high-risk” areas, as well as the degree to which the program dedicates resources to monitor these areas. Even a well designed program might not catch every event. Therefore, another important factor is when an event is uncovered, are the lessons learned incorporated into the compliance program going forward?

Train Your Employees

Prosecutors will analyze how thoroughly and effectively a company has trained its employees on its compliance program. Companies should use real-life experiential training scenarios and case studies during employee training. Employees must know when, where and how to report suspected misconduct. Then, once an incident is reported, how does the company identify which complaints merit further investigation? What access is given to the individual investigating the complaint? Is this an employee or an independent outside agency? A well-designed compliance program will also make it clear that no employee retaliation will be tolerated.

Third-Party Risk

Just as you should be monitoring your employees, it is just as (if not more) important to take your third-party vendors into consideration when assessing high-level risks. Your company should be mitigating these risks by using appropriate contracts and agreements for outside work, and doing regular due diligence and compliance training for third-party vendors.

Is Your Compliance Program Being Implemented Effectively?

Prosecutors will analyse if your compliance program is being implemented effectively. A company can spend countless hours developing a compliance program that looks and sounds great, but if, after the initial introduction to employees, it gets forgotten or completely ignored, then prosecutors will not look favorably on your company’s efforts. A successful compliance program must be woven into the fabric of the day-to-day culture from the top down.

Does Your Compliance Program Work in Practice?

The final question prosecutors will ask is whether the compliance program actually works in practice. Prosecutors will look into : (1) Was investigation into the misconduct conducted in a timely manner? (2) Has the company completed a root cause analysis? (3) Can the program be tested in order to improve? Again, evolution is key here. Does your program have to be perfect? No, no risk will ever be 100% mitigated. However, a program that works in practice needs to have the ability to be updated built into its core.

Take Away

As you can see, the DOJ has shared valuable insight into what prosecutors look for when evaluating compliance programs. This is extremely valuable and companies should take advantage of this intel and honestly self-assess whether its program measures up. Companies that have well-thought-out and designed plans that are capable of evolving will fare better before the Criminal Division than those who do not. If you have any questions regarding your program or compliance in general, or any other aspect of your business, please feel free to contact us at Danziger Shapiro, P.C.
This entry is presented for informational purposes only and is not intended to constitute legal advice.

Key elements of the DOJ’s suggested response plan prior to intrusion include:

• Having a well-established actionable plan;
• Identify your company’s most valuable information; and
• Have appropriate technology in place to shut down intrusion.

Key elements of the DOJ’s suggested response plan immediately after intrusion include:

• Make initial assessment;
• Take steps to minimize continuing damage;
• Record all information;
• Notify people within Organization, law enforcement and other victims; and
• DO NOT use the compromised system to communicate.

At Danziger Shapiro, P.C. we urge our clients to meet with their technology professionals and develop a plan that deals with both keeping cyber criminals at bay and what to do in the unfortunate event you are hacked. We then work with our clients to make sure that their cyber defense plans are properly worked into employee handbooks and other materials as appropriate. Remember, you do not want to disclose all of your cyber security efforts to your employees and inadvertently provide a roadmap to defeat the measures you have taken. On the other hand, proper training will go a long way in effectively protecting your company’s’ assets. Feel free to contact us at Danziger Shapiro to discuss this or any other aspect of your business organization.

This entry is presented for informational purposes only and does not constitute legal advice.