Compliance & Ethics
Michael Volkov Image
Michael Volkov
CEO and Founder of The Volkov Law Group LLC

Critical takeaways from DOJ’s recent update to guidance concerning the evaluation of corporate compliance programs

April 10, 2023
0 min read
Compliance team members discussing updates to the DOJ's Compliance Program Guidance

On March 3, 2023, the United States Department of Justice (“DOJ”) unveiled a series of updates to its now ubiquitous guidance concerning the evaluation of corporate compliance programs (“Compliance Program Guidance”).

Last updated in June 2020, the DOJ’s most recent revisions to the Compliance Program Guidance are focused on two (2) critical areas:

1) The adoption of compensation structures, policies and procedures that encourage corporations to remain cognizant of compliance in the context of management and executive compensation practices

2) The implementation of controls sufficient to ensure that third-party messaging applications utilized with increasing frequency by employees on their personal electronic devices are appropriately monitored for evidence of malfeasance or misconduct

Below is a summary of what each of these updates mean for CCOs and corporate compliance teams.

Renewed Emphasis on Executive Compensation

The latest Compliance Program Guidance remains faithful to Deputy Attorney General (“DAG”) Lisa Monaco’s promise of directing the Criminal Division to promulgate additional guidance on how to “reward” corporations that employ clawback and escrow provisions in connection with employee compensation practices.

Under the revised rubric of “Compensation Structures and Consequence Management,” the Compliance Program Guidance now emphasizes the need for corporations to adopt “clear consequence management procedures” — identified as specific “procedures to identify, investigate, discipline and remediate violations of the law, regulation or [internal policy]” — as the foundation of incentives and disincentives for compliant-conscious and compliant-ignorant behavior, respectively.

To that end, prosecutors will consider whether a corporation has publicized company-wide disciplinary actions on an internal basis “where appropriate and possible” to maximize the deterrent effect of concrete examples.

Additionally, the new Compliance Program Guidance calls on prosecutors to consider whether a corporation is sufficiently tracking disciplinary action data and measuring the effectiveness of its investigation and consequence management functions.

In this vein, the Compliance Program Guidance tacitly encourages corporations to track:

(a) The number of compliance-related allegations that are substantiated;

(b) The average time it takes to complete an internal investigation related to a compliance-related violation with a more detailed analysis of any outliers

(c) The effectiveness and consistency of disciplinary measures across all levels, units, departments, and locations of a corporation.

As for the “design and implementation” of compensation structures, the revised Compliance Program Guidance incorporates a detailed discussion of additional considerations relevant to a prosecutor’s assessment of compliance program effectiveness.

Chief among these considerations is whether the corporation in question has operationally incentivized compliance considerations by adopting compensation structures that “defer or escrow certain compensation tied to conduct consistent with company values and policies.”

Similarly, prosecutors are instructed to gauge whether the company has both implemented and enforced appropriate contractual provisions for the recoupment of previously awarded financial benefits if the recipient is found to have been engaged in malfeasance.

The new Compliance Program Guidance also instructs prosecutors to weigh whether a corporation has made working on compliance “a means of career advancement,” offered opportunities for employees or managers to “champion” compliance concerns, or made compliance a “significant metric” for management bonuses.

Notably, the new language contained in the revised Compliance Program Guidance repeatedly insists that prosecutors evaluate whether a corporation consistently applies disciplinary measures for deviant behavior across the organization or sufficiently accounts for any discrepancies involving such discipline.

Also notable is the DOJ’s insistence that the compliance function be involved in all discussions concerning compensation structures — particularly, financial incentives and disincentives — with respect to senior management officials in particular, but rank-and-file employees as well.

Finally, the Compliance Program Guidance provides detailed data collection and analysis instructions for the actual measurement of consequence effectiveness, asking prosecutors to consider, among other things:

  • how “substantiation rates compare for similar types of wrongdoing across the company;”
  • whether a corporation has undertaken a “root cause analysis into areas where certain conduct is comparatively over- or under- reported;” and
  • what “percentage of the compensation awarded to executives who have been found to have engaged in wrongdoing has been subject to cancellation or recoupment” in accordance with company policy.

Monitoring Third-Party Messaging Applications

As messaging applications and personal electronic devices increasingly facilitate — and can conveniently conceal — wrongdoing, the DOJ’s Compliance Program Guidance now contains an explicit provision requiring organizations to identify, report, investigate and remediate potential misconduct and violations of the law that involve the use of ephemeral messaging systems.

Specifically, prosecutors are required to assess:

  • the organization’s knowledge of its various electronic communication channels
  • whether the organization has adopted policies and procedures designed to manage and preserve information contained within those channels
  • whether individual employees are allowed to alter preservation or deletion settings

In a similar vein, the Compliance Program Guidance also now explicitly requires organizations to account for information stored on personal electronic devices, to the extent that the organization allows its employees to utilize their own devices for work-related purposes.

Here, the Compliance Program Guidance emphasizes that organizations should adopt “bring your own device” (“BYOD”) policies that account for access to, and preservation of, all company-related data.

Significantly, the revisions emphasize that the organization should expand its data retention and business conduct policies to encompass these devices, and establish procedures that allow the company to periodically inspect and monitor the content of data stored on personal devices for evidence of wrongdoing.

Additionally, the new revisions tacitly encourage organizations to adopt policies that require employees to periodically transfer messages, data and information from their private phones or messaging applications to company-owned devices.

Next Steps for CCOs

In the end, the new, targeted revisions of the Compliance Program Guidance issued by the DOJ should serve as a clarion call for compliance professionals to examine their own practices in relation to both compensation structures and personal-device/third-party application management.

Failure to align a company’s compliance program to these emerging expectations is an almost certain recipe for reducing or altogether eliminating an organization’s eligibility for full cooperation credit when faced with criminal consequences arising from employee misconduct.

Fortunately, the right technology can make compliance easier by providing clarity and transparency in an integrated, user-friendly platform.

Learn how the Diligent Policy Management solution can help your organization stay aligned with the DOJ’s Compliance Program Guidance and other emerging regulations. Request a demo today.


Your Data Matters

At our core, transparency is key. We prioritize your privacy by providing clear information about your rights and facilitating their exercise. You're in control, with the option to manage your preferences and the extent of information shared with us and our partners.

© 2024 Diligent Corporation. All rights reserved.