DOJ Revises Standard Ethics and Compliance Requirements Used in Settlements
Daniela Melendez, an Associate at The Volkov Law Group, and Alex Cotoia, Regulatory Manager at The Volkov Law Group, rejoin us for another posting on DOJ’s recent modifications to its compliance requirements. Daniela can be reached at email@example.com and Alex can be reached at [email protected].
As The Volkov Law Group previously noted in the context of a blog post authored by Michael Volkov, the U.S. Department of Justice (“DOJ”)—at the behest of Deputy Attorney General Lisa Monaco—recently updated the requirements for an effective corporate compliance program found in Attachment C to provide up-to-date guidance concerning the most recent anti-bribery and anti-corruption cases. Attachment C, whose origin can be traced to the 2020 Herbalife settlement, has been incorporated consistently into a number of other, more recent resolutions implicating DPAs. Broadly speaking, Attachment C provides companies subject to an enforcement action with specific direction concerning the operational component of a company’s compliance function. These elements include management commitment, training, third party management, the prompt and effective remediation of misconduct, routine monitoring and testing, properly designed compensation structures, and consistent consequence management.
Critically, under the rubric of management commitment, Attachment C specifies that a company must ensure that its directors and senior management “provide strong, explicit, and visible support and commitment” to the organization’s compliance function and corporate policies against anti-bribery and corruption laws. Concomitantly, the DOJ expects both corporate directors and senior management to demonstrate “rigorous” support for compliance principles in word and deed. The DOJ has expanded this requirement to encompass commitments on the part of middle-level management as well—the operational forces that are critical in the day-to-day reinforcement of ethical practices and policies. In keeping with unofficial DOJ guidelines issued in recent years, directors, senior leadership, and middle-level managers bear the ultimate responsibility to create and sustain an ethical culture that serves as a check on the propensity of some to engage in unethical practices.
With respect to training, the additions to Attachment C include, but are not limited to, compliance policies that address some of the greatest risks facing contemporary corporations—namely, gifts, hospitality, entertainment, and expenses; corporate-funded customer travel; political contributions designed to influence the activity of foreign officials; charitable donations and sponsorships intended to curry favor with a foreign official; improper facilitation payments; and solicitation and extortion. In addition, companies should develop metrics to assess the knowledge and effectiveness of the training. Training should be addressed to employees who are more exposed to corruption risks.
As the risks involving the utilization of third parties to act at the behest of companies have increased precipitously over the last several decades, Attachment C’s language now explicitly requires companies to maintain an adequate third party due diligence program that incorporates several key elements, among the most important of which is an unambiguous, documented, good faith rationale for utilizing the third party in question. In a similar vein, Attachment C requires companies to incorporate appropriate representations and warranties that ensure the third party is keenly aware of its compliance-related obligations vis-a-vis its representation of the contracting party, particularly when it comes to foreign government interactions. Unsurprisingly, the relatively new Attachment C language requires companies to carefully consider the fair market value of similar services rendered in the same region to avoid an inflated price that could be used as a conduit for illicit payments.
The final elements of the new Attachment C stipulations consist of DOJ’s increasing reliance on objective information to assist prosecutors in a more fulsome examination of the compliance program’s effectiveness. These factors now include effective data monitoring and testing, reflecting the DOJ’s increasing reliance on data-driven decisions that arguably present a more accurate picture of compliance program effectiveness. Echoing guidance from the most recent iteration of the guidelines for the “Evaluation of Corporate Compliance Programs,” the DOJ reminds companies engaged in merger and acquisition activity to establish a streamlined plan for integration of the acquired businesses or entities into the company’s enterprise resource planning (“ERP”) systems. Attachment C’s language emphasizes that this should be done “as quickly as practicable” to mitigate the potential that the acquiring party will be responsible for perpetuating misconduct that exists at the M&A target. Finally, with respect to monitoring and testing, again relying on the aforementioned guidelines revised earlier this year, the DOJ emphasizes the need for compliance personnel to have sufficient access—on either a direct or indirect basis—to “relevant sources of data” that allow for proper monitoring and testing of corporate transactions. Attachment C similarly requires that mechanisms designed to ensure that policies, including the Code of Conduct, are effectively communicated include “metrics for measuring knowledge retention and effectiveness” of training. In the same vein, training must be “tailored to the audience’s size, sophistication, or subject matter expertise.” Lastly, DOJ strongly encourages companies to “discuss prior compliance incidents” in training, where appropriate, and to disclose to senior management the outcome of the investigations, so companies can put in place a plan to conduct a root cause analysis of the misconduct and conduct “timely and appropriate remediation.”
While it is extremely helpful for companies to receive additional guidance from the federal government concerning compliance program expectations, they should already have incorporated most of the guidance contained in Attachment C; much of the information contained in the attachment closely mirrors the updated guidance the DOJ published earlier this year. As such, we consider this to be a recitation of essential compliance program requirements rather than a complete shift in the paradigm of compliance itself. Nonetheless, companies should avail themselves of the opportunity to benchmark their compliance programs against the latest DOJ stipulations.