June 10, 2020
On June 1, 2020, the US Department of Justice (“DOJ”) issued updated guidance on the “Evaluation of Corporate Compliance Programs” (2020 Guidance) designed to assist prosecutors on how to assess the effectiveness of a corporation’s compliance program at the time of an offense and at the time of a charging decision or resolution. The 2020 Guidance builds on the DOJ’s prior updates from April 2019. While the updates made by the 2020 Guidance are not major, the changes emphasize and reinforce the factors the DOJ finds relevant when examining a company’s compliance program. The following are some of the overarching themes and key updates to the guidance.
MORE THAN AN “ON PAPER” COMPLIANCE PLAN
As with the April 2019 guidance, the 2020 Guidance remains built around three “fundamental questions” that are intended to guide prosecutors’ review and evaluation of a compliance program:
1. Is the corporation’s compliance program well designed?
2. Is the program being applied earnestly and in good faith? In other words, is the program adequately resourced and empowered to function effectively?
3. Does the corporation’s compliance program work in practice?
However, in the 2020 Guidance, the DOJ reworded question two to read: “[i]n other words, is the program adequately resourced and empowered to function effectively?” The addition of this language provides insight as to what DOJ considers to be the foundation of a strong compliance program—one that provides adequate resources and has followed through with its implementation. This update indicates an increased focus on compliance programs that are successful “on paper” but lack adequate support and resources to function effectively.
INDIVIDUALIZED AND EVOLVING COMPLIANCE PLAN
New additions in the guidance emphasize the importance of developing a compliance plan that is tailored to a company. For example, the introduction of the document now includes language that allows prosecutors to make “an individualized determination in each case that considers various factors including, but not limited to, the company’s size, industry, geographic footprint, regulatory landscape, and other factors, both internal and external to the company’s operations, that might impact its compliance program.” The 2020 Guidance encourages companies to stay away from establishing a “one-size-fits-all” or “cookie cutter” approach.
In addition to an individualized program, the DOJ has made clear that compliance programs must continually evolve and adapt rather than remain stagnant after the program’s initial implementation. One key change in the 2020 Guidance is that prosecutors are to try to understand why a company has chosen to design its compliance program the way it has, as well as why and how the company’s program has evolved over time. Specifically, prosecutors are instructed to look at whether a company is “tracking and incorporating” lessons learned from its own issues and past experiences, as well as “other companies operating in the same industry and/or the same geographical region.” The updated guidance also directs prosecutors to examine companies’ periodic reviews of risk assessment and whether such reviews are based “upon continuous access to operational data and information across functions” or are “limited to a snapshot in time.” In this same vein, prosecutors are also called to inquire whether such periodic reviews led to updates in policies, procedures, and controls.
IMPORTANT RELIANCE ON DATA
As data becomes such a prevalent part of understanding and improving companies, the 2020 Guidance indicates an increased focus on data playing a large part in compliance programs. DOJ added a new segment to the guidance called “Data Resources and Access.” This new segment states that prosecutors will analyze whether compliance and control personnel have access to “relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions.” Additionally, prosecutors are directed to focus on any barriers that will restrict access to relevant data sources and how a company is addressing such barriers.
The following are some additional topic areas that have been updated with the release of the 2020 Guidance:
• Trainings and Testing. For online and in person trainings, are there processes for employees to ask questions arising out of the training? Has the company examined the impact trainings have on employee behavior and operations? What steps has the company taken to address employees who fail the testing regarding what they have learned?
• Reporting Mechanisms. How is the reporting mechanism publicized to the company’s employees and third parties? Does the company take measures to test whether employees are aware of the hotline and feel comfortable using it? Does the company periodically test the effectiveness of the hotline, for example, by tracking a report from start to finish?
• Third Parties. Does the company engage in risk management of third parties throughout the lifespan of the relationship or primarily during the onboarding process? Does the company know the business rationale for needing the third party in the transaction, and the risks posed by third party partners including the third-party partners’ reputations and relationships, if any, with foreign officials?
• Mergers and Acquisitions. Was the company able to complete pre-acquisition due diligence and, if not, why not? What has been the company’s process for implementing compliance policies and procedures and conducting post-acquisition audits at newly acquired entities?
In sum, the new guidance adds some additional factors and considerations for health care providers to incorporate into their compliance programs, and it also may be used as a tool to evaluate their current programs. The timing of the DOJ’s publication of the updated guidance during the COVID-19 pandemic may, along with the COVID-specific additions to the OIG Workplan, indicate that despite the relaxation of a number of regulatory requirements during the pandemic, the government will continue to make pursuit of fraud and abuse enforcement a very high priority. As a result, even with all of the distractions and resource use related to COVID-19, now is the time to ensure that your compliance program would be considered effective in accordance with this new guidance. If you have any questions about the new guidance from the DOJ, or how to implement the guidance into your compliance program, please contact a member of Hancock Daniel’s Compliance team.
The information contained in this advisory is for general educational purposes only. It is presented with the understanding that neither the author nor Hancock, Daniel & Johnson, P.C., is offering any legal or other professional services. Since the law in many areas is complex and can change rapidly, this information may not apply to a given factual situation and can become outdated. Individuals desiring legal advice should consult legal counsel for up-to-date and fact-specific advice. Under no circumstances will the author or Hancock, Daniel & Johnson, P.C. be liable for any direct, indirect, or consequential damages resulting from the use of this material.