DOJ’s New Corporate Compliance Guidance: Training and Communications, Reporting and Investigations, Third-Party Management and Mergers and Acquisitions (Part III of V)
The Volkov Law Group has scheduled a free webinar on DOJ’s New Compliance Program Guidance for May 9, 2019, at 12 noon EST. Sign up HERE.
The Justice Department’s new Corporate Compliance Guidance is keyed to the concept of a “well-designed compliance program.” Under this concept, we first examined risk assessments and policies and procedures. DOJ’s Corporate Compliance Guidance also addresses training and communications, reporting and investigations, third-party management and mergers and acquisitions. As explained herein, DOJ’s new guidance advances ethics and compliance expectations, with the exception of mergers and acquisition where it falls short of capturing current pronouncements and expectations.
Training and Communications
In the training and communications function, DOJ’s Guidance emphasizes training and certification for all directors, officers, relevant employees and, where appropriate, agents and business partners. In delivering training programs and communications, companies are advised to “tailor” such information to the “audience’s size, sophistication, or subject matter expertise.” As an example, DOJ cites companies providing real-life examples and scenarios to underscore and highlight prior compliance incidents. Further, DOJ cites the importance of determining how the company measures the effectiveness of its training program.
DOJ’s expectations cover a number of important issues in the training and communications functions. In particular, DOJ asks whether training has been provided to “relevant control functions,” “high risk and control employees,” and “supervisory employees.” The implication of these listed subjects is that the company has to properly tailor its training program to employees based on risk and control functions, including supervisors. On more specific issues, DOJ cites the need to provide training in language appropriate for the audience, in what form (online or in-person) and the reason for that decision, including testing of employees.
Under the communications prong, DOJ’s Guidance asks whether senior management has communicated its position concerning misconduct, whether such communications include anonymized information about specific disciplinary actions companies and the type of misconduct at issue, and whether the company offers guidance resources.
Reporting and Investigations
The DOJ Guidance includes examination of whether a company’s compliance program offers an “efficient and trusted mechanism” for employees to confidentially (or anonymously) report breaches of the company’s code of conduct, company policies or suspected misconduct. As part of this inquiry, this factor includes an assessment of the company’s “pro-active measures to create a workplace atmosphere without fear of retaliation, appropriate processes for submission of complaints and processes to protect whistleblowers.” Guidance at 6. In handling complaints companies have ensure “the routing of complaints to proper personnel, timely completion of thorough investigations, and appropriate follow-up and discipline.
Under the DOJ Guidance, a company has to offer an anonymous reporting avenue, publicize the reporting mechanisms, and assess the serious ness of an allegation to make sure it is properly investigated and resolved. A Company’s compliance function should have full access to all reporting and investigation information.
Companies also have to ensure that their internal investigations are properly scoped, accurately assessed in terms of seriousness, independently conducted, properly documented, and conducted by a qualified and independent investigator. In response to specific deficiencies identified in reviewing internal investigations, DOJ will examine whether the reporting and investigating mechanisms are sufficiently funded, whether the company is collecting, tracking and analyzing reporting and investigation data and identifying patterns of misconduct or other weaknesses for compliance deficiencies.
Under third-party risk management, DOJ’s Guidance reiterates many important principles emphasized by DOJ in prior guidance and enforcement actions. In particular, DOJ stated that due diligence should reflect the size and nature of the company or transaction, the qualifications and associations of third-party partners, including the agents, consultants and distributors. DOJ will also examine if the company identified the third-party’s reputations and relationships with foreign officials and the business rationale for needing the third party in the transaction. For example, DOJ cites the importance of examining the contract terms to ensure that it includes a specific description of the services to be performed, confirmation that the third party is actually performing the work, and compensation commensurate with the work in that industry and region. As to post-engagement monitoring, DOJ points to the need to use various tools such as “updated due diligence, training, audits, and/or annual compliance certifications.
In setting out relevant issues in third-party risk management, DOJ intends to focus on whether the company’s third-party risk process corresponds to the nature and level of enterprise risk identified by the company; whether the company adequately verifies the business rationale for using the third-party; that appropriate contract terms are included; whether the company adequately considered and analyzed the compensation and incentive structures for the third parties; how the company monitors its third parties; whether the company has secured audit rights and exercised those rights; and whether the company has conducted training of its third parties.
Finally, DOJ intends to review whether a company tracks red flags identified and resolved in the due diligence process; whether a company keeps records of third parties that are rejected in the due diligence process (o they are not hired at a later date), and whether a company reviewed similar third parties after identifying misconduct committed by a third party.
Mergers and Acquisitions
DOJ’s Guidance relating to mergers and acquisitions is questionable in its failure to include several policy pronouncements previously articulated by DOJ officials and prior enforcement actions. The focus of DOJ’s merger and acquisition discussion is on pre-acquisition due diligence, and omits any meaningful discussion of post-acquisition audit principles.
In the pre-acquisition area, DOJ’s Guidance notes the importance of the due diligence process to accurately determine the target company’s value. In particular, DOJ seeks to determine whether post-acquisition misconduct was identified during due diligence, how the due diligence was conducted, and what general policies and procedures are in place. DOJ asks generally whether the compliance function was integrated into the merger, acquisition and integration process, and what process the company has to track and remediate misconduct or risks identified during the due diligence process.