The manual was first published in 2017 in the form of a relatively short “check-list” of questions that prosecutors would answer when assessing corporate compliance programmes to determine whether to bring charges and impose sanctions.
In 2019 the manual was updated: the list of questions was considerably extended and supplemented by comments that provide prosecutors with further guidance on analyzing compliance programmes. Besides that, the very structure of the manual was modified: it was divided into three sections in accordance with the three “fundamental questions” that prosecutors should ask:
- Is the corporation’s compliance programme well designed?
- Is the programme being applied earnestly and in good faith?
- Does the compliance programme work in practice?
The update of June 2020 makes some supplementary amendments to the previous version, based on the experience gained by prosecutors over that time and the comments they received from the business sector and other stakeholders.
In particular, the new version of the manual specifies that the corporate compliance programme of every single organization is evaluated in the context of company’s size, industry, geographic footprint, regulatory (legal) landscape, and other factors, both internal and external, and prosecutors should take into consideration its provisions at the time of the offence, as well as at the time of a charging decision.
The manual also recommends that prosecutors consider whether the structure of a compliance programme may be impacted by foreign law. To this end, they should ascertain on which requirements of foreign law the respective decision regarding the compliance programme is based and how the company has addressed the issue to maintain the integrity and effectiveness of its compliance programme while still abiding by the foreign law.
Besides, one of the “fundamental questions” has changed: instead of evaluating whether the programme “functions effectively” (question 2) it is recommended that prosecutors focus on evaluating whether the programme is adequately resourced and empowered to function effectively.
Other additions to the manual, sorted by section, are presented below.
Risk assessment. The updated manual pays particular attention to the necessity to conduct risk assessment “in real time”. For example, the manual highlights that while conducting the analysis of the system of risk assessment prosecutors should endeavour to understand why the company has chosen to set up the compliance program the way that it has, and why and how the company’s compliance program has evolved over time. Prosecutors should also verify whether the periodic review of the system of risk assessment is limited to a “snapshot” in time or is based upon continuous access to operational data and information across functions. Besides that, a new indicator, “Lessons learned”, was added to the section. It provides for the analysis of whether the company has a process for tracking and incorporating into its periodic risk assessment lessons learned either from the company’s own prior issues or from those of other companies operating in the same industry or geographical region.
Policies and procedures. This section was supplemented by the questions about the convenience of the format of communication of policies and procedures that the company employs, as well as about the necessity to track the documents which its employees have accessed more frequently to understand what policies are attracting more attention.
Training and communications. The updated manual specifically states that prosecutors should evaluate whether the organization has the mechanisms that allow the employees to ask questions (both in person and online) arising out of the trainings and verify if the company measures the impact of trainings on the conduct and work performance of the employees.
Confidential reporting structure and investigation process. This section of the updated manual pays particular attention to the operation of the hotline that employees may use to report violations they notice. In particular, prosecutors should consider whether employees are aware of the hotline and feel comfortable using it and if the company periodically tests the effectiveness of the hotline, for example by tracking a report from start to finish.
Third Party Management. This section stresses the necessity to conduct compliance control “in real time”: it is recommended that prosecutors assess whether the company engages in risk management of third parties throughout the lifespan of their relationship, or primarily during the onboarding process.
Mergers and Acquisitions (M&A). The updated version of the manual underlined that it is important not only to conduct pre-M&A due diligence procedure, but also to timely integrate the acquired entity into existing compliance program structures and internal controls.
Autonomy and Resources. Prosecutors should take into consideration whether the company invests in further development of the compliance and other control personnel and evaluate if competent employees have sufficient access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions. Prosecutors should also consider the impediments limiting access to relevant sources and what the company is doing to address them.
Incentives and Disciplinary Measures. The manual highlights the necessity to consider whether the company monitors investigations and resulting discipline to ensure consistency in using sanctions.
Continuous Improvement, Periodic Testing, and Review. This section also stresses the importance of implementing the compliance programme “in real time”: prosecutors should consider whether the company reviews and adapts its compliance program based upon lessons learned from its own misconduct or that of other companies facing similar risks.
* In spite of the fact that the manual is meant for internal use of the US DOJ and is targeted at prosecutors, it is very useful also for private companies that may refer to it to better understand what the government expects them to do in terms of development and implementation of compliance programmes.