The most notable changes are:
1. Inclusion of the issues surrounding employees' use of personal electronic devices and communications platforms in the section of the paper dealing with an organisation's ability to investigate violations;
2. Addition of a subsection on compensation structures, covering the recoupment of compensation from the individuals involved in corruption violations and remediation efforts.
Communication Channels
As regards the communication channels that employees use in conducting business, the paper suggests that prosecutors, when evaluating a corporate compliance program, analyse the policies and procedures governing the use of personal devices, communications platforms and messaging applications, including ephemeral messaging applications (where messages automatically disappear after being viewed).
The paper stresses that a policy governing the use of such applications should be tailored to the organisation's risk profile and specific business needs and should ensure, where appropriate and to the greatest extent possible, that business-related electronic data and messages remain accessible and intact. In particular, prosecutors should take the following factors into consideration:
1. Communication channels:
- What electronic communication channels do the company and its employees use, or allow to be used, to conduct business?
- How does that practice vary by jurisdiction where the company conducts business and business function, and why?
- What mechanisms has the company put in place to manage and preserve information contained within each of the electronic communication channels?
- What preservation or deletion settings are available to each employee under each communication channel, and what do the company’s policies require with respect to each? What is the rationale for the company’s approach to determining which communication channels and settings are permitted?
2. Policies:
- What policies and procedures are in place to ensure that communications and other data are preserved from devices that are replaced?
- What are the relevant code of conduct, privacy, security, and employment laws or policies that govern the organization’s ability to ensure security or monitor/access business-related communications?
- If the company has a “bring your own device” (BYOD) program, what are its policies governing preservation of and access to corporate data and communications stored on personal devices - including data contained within messaging platforms - and what is the rationale behind those policies?
- How have the company’s data retention and business conduct policies been applied and enforced with respect to personal devices and messaging applications?
- Do the organization’s policies permit the company to review business communications on BYOD and/or messaging applications?
- What exceptions or limitations to these policies have been permitted by the organisation?
- If the company has a policy regarding whether employees should transfer messages, data, and information from private phones or messaging applications onto company record-keeping systems in order to preserve and retain them, is it being followed in practice, and how is it enforced?
3. Risk management:
- What are the consequences for employees who refuse the company access to company communications?
- Has the company ever exercised these rights?
- Has the company disciplined employees who fail to comply with the policy or the requirement that they give the company access to these communications?
- Has the use of personal devices or messaging applications - including ephemeral messaging applications - impaired in any way the organization’s compliance program or its ability to conduct internal investigations or respond to requests from prosecutors or civil enforcement or regulatory agencies?
- How does the organization manage security and exercise control over the communication channels used to conduct the organization’s affairs?
- Is the organization’s approach to permitting and managing communication channels, including BYOD and messaging applications, reasonable in the context of the company’s business needs and risk profile?
It should be noted that the use of personal devices and third-party applications first appeared as an area for the evaluation of compliance programs in a US DOJ document the previous year, namely the September 2022 Memorandum from US Deputy Attorney General Lisa O. Monaco entitled "Further Revisions to Corporate Criminal Enforcement Policies Following Discussions with Corporate Crime Advisory Group".
However, experts point out that neither the policy paper nor the Memorandum gives a clear answer as to whether the DOJ expects companies to inspect the personal devices and messaging applications of their employees. The matter remains open and appears to carry serious risks to employee privacy and confidentiality.
Compensation Structures and Consequence Management
The subsection of the policy paper entitled “Incentives and Disciplinary Measures” was renamed “Compensation Structures and Consequence Management” and supplemented by the provisions regarding:
1. Compensation: in particular, the paper recommends that prosecutors consider whether a company has incentivized compliance by designing compensation systems that defer or escrow certain compensation tied to conduct consistent with company values and policies. The paper stresses that some companies have enforced contract provisions that permit them to recoup previously awarded compensation if the recipient of such compensation is found to have engaged in or to be otherwise responsible for corporate wrongdoing. Furthermore, prosecutors may consider whether provisions for recoupment or reduction of compensation due to compliance violations or misconduct are maintained and enforced;
2. Consequence management: in particular, prosecutors are invited to answer the following questions:
- How has the company ensured effective consequence management of compliance violations in practice?
- What insights can be taken from the management of a company’s hotline that provide indicia of its compliance culture or its management of hotline reports?
- How do the substantiation rates compare for similar types of reported wrongdoing across the company (i.e. between two or more different states, countries, or departments) or compared to similarly situated companies, if known?
- Has the company undertaken a root cause analysis into areas where certain conduct is comparatively over or under reported?
- What is the average time to complete investigations into hotline reports, and how does the responsible department handle investigations that are not addressed consistently?
- What percentage of the compensation awarded to executives who have been found to have engaged in wrongdoing has been subject to cancellation or recoupment for ethical violations?
- Taking into account the relevant laws and local circumstances governing the relevant parts of a compensation scheme, how has the organization sought to enforce breaches of compliance or penalize ethical lapses?
- How much compensation has in fact been impacted (either positively or negatively) on account of compliance-related activities?
However, experts stress that implementing the DOJ's suggested changes regarding compensation may in practice prove difficult, or may be unworkable altogether. In particular, the legal frameworks of different countries treat the repayment of all or part of promised, earned or awarded compensation in different ways, and the burden of proof in such situations rests squarely with the company, which creates additional difficulties for it.
Other provisions
The updated policy paper also contains a number of other additions, including:
- The subsection “Accessibility” of the section “Policies and Procedures”: Have the policies and procedures been published in a searchable format for easy reference? Does the company track access to various policies and procedures to understand what policies are attracting more attention from relevant employees?
- The subsection “Form/Content/Effectiveness of Training”: Whether online or in-person, is there a process by which employees can ask questions arising out of the trainings? Has the company evaluated the extent to which the training has an impact on employee behavior or operations?
- The subsection “Effectiveness of the Reporting Mechanism” of the section “Confidential Reporting Structure and Investigation Process”: Does the company take measures to test whether employees are aware of the hotline and feel comfortable using it?
- The subsection “Evolving Updates” of the section “Continuous Improvement, Periodic Testing, and Review”: Does the company review and adapt its compliance program based upon lessons learned from its own misconduct and/or that of other companies facing similar risks? etc.
*The guidance is addressed to US DOJ prosecutors who evaluate corporate compliance programs in order to decide on liability and sanctions, including in respect of violations of the Foreign Corrupt Practices Act (FCPA). The document was last amended in 2020.