Updated Guidance from the US Department of Justice for Corporate Compliance Programs
By 刘相文 王德昌 Graham•Adria 王晶涛
On 30 April 2019, the Criminal Division of the U.S. Department of Justice (“DOJ”) released an updated version of its guidance document, Evaluation of Corporate Compliance Program (the “2019 Corporate Compliance Guidance”). In the release announcement, Assistant Attorney General Brian A. Benczkowski for the Criminal Division of the DOJ stated that goal of the update was to “harmonize the  publication with other [DOJ] guidance and legal standards” and provide “additional insight to both prosecutors and companies with respect to the evaluation of compliance programs.” This update successfully accomplishes both of those goals. Unlike its predecessor, the 2019 Corporate Compliance Guidance cites heavily from other DOJ resources. While much of the content will be familiar to lawyers experienced in American corporate compliance programs, the inclusion of much more substantive and specific insights on what prosecutors are looking for has proven insightful.
Beyond providing greater insight into the DOJ’s expectations, the 2019 Corporate Compliance Guidance does not signal any major policy changes regarding the evaluation of compliance programs. It also worth highlighting that this was published by the Criminal Division of the DOJ and is therefore only binding within its division. It is not binding on the U.S. Attorney’s offices who can also prosecute corporate crimes. Regardless, 2019 Corporate Compliance Guidance is a useful tool for anyone involved in reviewing or building compliance programs for Chinese companies operating under U.S. jurisdiction or looking for best practices that can be used elsewhere.
Structure of the 2019 Corporate Compliance Guidance
The 2019 Corporate Compliance Guidance was written to assist American prosecutors “in making informed decisions as to whether… the corporation’s compliance program was effective at the time of [a criminal] offense.” The effectiveness of a compliance program is necessary for determining the:
The Corporate Compliance Guidance, however, is neither a checklist nor a formula for evaluating a corporate compliance system because the DOJ requires federal prosecutors to make individualized assessments that takes into a specific corporation’s risk profile and solutions to mitigate risks. Rather, the Corporate Compliance Guidance answers three “fundamental questions” that a federal prosecutor will ask when evaluating a corporate compliance program:
This question framework categorizes the various topics that the DOJ has found relevant when analyzing corporate compliance programs.
Is the Corporation’s Compliance Program Well Designed?
The first fundamental question to be asked by federal prosecutors is whether the company’s compliance program is well designed. The “hallmarks” of a well-design compliance program involve risk assessment, policies and procedures, training and communications, confidential reporting structure and investigation process, third-party management, and mergers and acquisitions. To determine if a corporation’s compliance program is well designed, prosecutors will look at the following:
A critical aspect for a prosecutor determining whether a compliance is well designed is “whether a company has a well-designed compliance program is to understand the company’s business from a commercial perspective, how the company has identified, assessed, and defined its risk profile, and the degree to which the program devotes appropriate scrutiny and resources to the spectrum of risks.” Prosecutors “should consider whether the company has analyzed and addressed… risks presented by… the location of its operations, the industry sector, the competitiveness, the regulatory landscape, potential clients and business partners, transactions with foreign governments, payments to foreign officials, use of third parties, gifts, travel, and entertainment expenses, and charitable and political donations.”
Notably, prosecutors may “credit” an effective “risk-based compliance program that devotes appropriate attention and resources to high-risk transactions, even if it fails to prevent an infraction in a low-risk area.” To determine this, prosecutors should consider the risk management process, risk-tailored resource allocation; and any updates and revisions.
The 2019 Corporate Compliance Guidance reiterates the DOJ’s position that a “well-designed compliance program entails policies and procedures that…aim to reduce risks identified by the company as part of its risk assessment process.” There are five areas that prosecutors should consider when assessing a corporation’s policies and procedures: design, comprehensiveness, accessibility, responsibility for operational integration, and gatekeepers.
Training and Communications
The 2019 Corporate Compliance Guidance observes that “another hallmark of a well-designed compliance program is appropriately tailored training and communications.” To determine this, Prosecutors should “examine whether the compliance program is being disseminated to, and understood by, employees in practice.” The four key areas for training and communications are: risk-based training; form/content/effectiveness of training; communications about misconduct; and availability of guidance.
Confidential Reporting Structure and Investigation Process
The 2019 Corporate Compliance Guidance identifies that “[a]nother hallmark of a well-designed compliance program is the existence of an efficient and trusted mechanism by which employees can anonymously or confidentially report allegations” of misconduct or breaches of the company’s policies. Importantly, the 2019 Corporate Compliance Guidance highlights that “[c]onfidential reporting mechanisms are highly probative of whether a company has ‘established corporate governance mechanisms that can effectively detect and prevent misconduct.’” The four key areas that prosecutors will look at to determine whether there is an effective reporting structure and investigation process are: effectiveness of the reporting mechanism; properly scoped investigations by qualified personnel; investigation response; and resources and tracking of results.
The 2019 Corporate Compliance Guidance suggests that companies looking to implement “well-designed compliance program should apply risk-based due diligence to its third-party relationships.” Federal prosecutors should assess “the extent to which the company has an understanding of the qualifications and associations of third-party partners, including the agents, consultants, and distributors” and “whether the company knows its third-party partners’ reputations and relationships.” When assessing third party management, prosecutors will look for the following four things: risk-based and integrated processes; appropriate controls; management of relationships; and real actions and consequences.
Mergers and Acquisitions (M&A)
The 2019 Corporate Compliance Guidance advises that “a well-designed compliance program should include comprehensive due diligence of acquisition targets.” It observes that “[f]lawed or incomplete due diligence can allow misconduct to continue at the target company” which can result in harm to a business profit and reputation and put them at risk of civil and criminal liability. For evaluating M&A compliance procedures, prosecutors should examine the due diligence process; integration in the M&A process; and process connecting due diligence to implementation.
Is the Corporation’s Compliance Program Being Implemented Effectively?
The second fundamental question included in the 2019 Corporate Compliance Guidance is whether the compliance program is being implemented effectively. Prosecutors are tasked with determining whether a compliance program is a “paper program” or one that has been effectively implemented. In addition to the question mentioned before, prosecutors should also consider that if the corporation has the training and culture of compliance that would enable staff to “utilize the results of the corporation’s compliance efforts.” The 2019 Corporate Compliance Guidance notes that “even a well-designed compliance program may be unsuccessful in practice if implementation is lax or ineffective.” To determine if a corporation’s compliance program is being implemented effectively, prosecutors look at the following:
Commitment by Senior and Middle Management
A critical aspect of implementing effective compliance program is creating and fostering “a culture of ethics and compliance with the law” that comes from a “high-level commitment by company leadership to implement a culture of compliance from the top.” The 2019 Corporate Compliance Guidance states that prosecutors should “examine the extent to which senior management have clearly articulated the company’s ethical standards, conveyed and disseminated them in clear and unambiguous terms, and demonstrated rigorous adherence by example.” It also highlights the role of middle management in compliance, stating that prosecutors should “examine how middle management have reinforced those standards and encouraged employees to abide by them.” In analyzing the commitment of senior and middle management, prosecutors will look at: conduct at the top; shared commitment; and oversight.
Another aspect of effective implementation is ensuring “those charged with a compliance program’s day-to-day oversight to act with adequate authority and stature.” Prosecutors will look at whether those responsible for corporate compliance have: “(1) sufficient seniority within the organization; (2) sufficient resources, namely, staff to effectively undertake the requisite auditing, documentation, and analysis; and (3) sufficient autonomy from management, such as direct access to the board of directors or the board’s audit committee.” To ensure that this is the case, prosecutors will evaluate whether “internal audit functions [are] conducted at a level sufficient to ensure their independence and accuracy,” as this is an indictor of whether compliance personnel are actually empowered.
Incentives and Disciplinary Measures
The final hallmark of a well-implemented compliance program is the “establishment of incentives for compliance and disincentives for non-compliance.” Importantly, disciplinary procedures should be applied consistently across the company and “regardless of the position or title of the employee who engages in [unethical] conduct.” When looking at a compliance program’s incentives and disciplinary measures, prosecutors should examine: the human resources process; whether there is consistent application of rules; and is there an incentive system.
Does the Corporation’s Compliance Program Work in Practice?
The third and final fundamental question asked in the 2019 Corporate Compliance Guidance is whether the compliance program actually works “in practice.” The Principles of Federal Prosecution of Business Organizations require that prosecutors determine this at the time of the misconduct that led an investigation and again at the time of a charging decision or resolution. It’s important to note “the existence of misconduct does not, by itself, mean that a compliance program did not work or was ineffective at the time of the offense” and that the “[t]he [DOJ] recognizes that no compliance program can ever prevent all criminal activity by a corporation's employees.”
In determining whether a compliance program was effective at the time of the misconduct, prosecutors will consider “whether and how the misconduct was detected, what investigation resources were in place to investigate suspected misconduct, and the nature and thoroughness” of the company’s response. At the time of a charging decision or resolution, prosecutors will look at whether the “program evolved over time to address existing and changing compliance risks” and whether the company adequately and honestly analyzed “what contributed to the misconduct and the degree of remediation needed to prevent similar events in the future.” In making these assessments, prosecutors look at the following:
Continuous Improvement, Periodic Testing, and Review
In determining whether compliance programs work in practice, the 2019 Corporate Compliance Guidance asks that prosecutors to “consider whether the company has engaged in meaningful efforts to review its compliance program and ensure that it is not stale.” It suggests that companies undertake proactive activities such as “survey employees to gauge the compliance culture and evaluate the strength of controls, and/or conduct periodic audits to ensure that controls are functioning well.” These proactive activities are important as prosecutors may reward them with remediation credit or a lower fine range. In analyzing continuous improvement, periodic testing, and review, prosecutors will look at the following: internal audits; control testing; whether there are evolving updates; and is there a culture of compliance.
Investigation of Misconduct
A hallmark of whether a compliance program works in practice is “the existence of a well-functioning and appropriately funded mechanism for the timely and thorough investigations of any allegations or suspicions of misconduct by the company, its employees, or agents.” There should also be an “established means of documenting the company’s response, including any disciplinary or remediation measures taken.” Prosecutors will be look at the following: whether there was a properly scoped investigation by qualified personnel; and what was the response to investigations.
Analysis and Remediation of Any Underlying Misconduct
The 2019 Corporate Compliance Guidance concludes by observing that a hallmark of a compliance program that is working effectively in practice is the ability of a company “to conduct a thoughtful root cause analysis of misconduct” and be able to “timely and appropriately remediate to address the root causes.” In examining a company’s analysis and remediation actions, prosecutors will look at the company’s root cause analysis; what were the prior weaknesses; what payment systems were used; were there prior indications of misconduct; have there been any remediation steps; and what kind of accountability has there been.
Observations for Chinese companies
As Assistant Attorney General Benczkowski remarked in his release announcement, “a company’s compliance program is the first line of defense that prevents the misconduct from happening in the first place. And if done right, it has the ability to keep the company off our radar screen entirely.” 
For Chinese companies wishing to do just that, the Corporate Compliance Guidance is a valuable tool for conducting a review of their compliance program. It provides a more detailed and specific look on what is expected by the DOJs. It’s a solid roadmap for companies looking to implement or improve their compliance programs. At the same time, it is a very accessible document so even non-compliance specialists can grasp what is expected of them.
With this in mind, Chinese companies operating under the jurisdiction of the United States should considering undertaking a thorough review of their compliance program. For companies that have yet to implement a comprehensive compliance program, this new Corporate Compliance Guidance is a perfect time to take that step.
Assistant Attorney General Brian A. Benczkowski Delivers Keynote Address at the Ethics and Compliance Initiative (ECI) 2019 Annual Impact Conference (April 30, 2019) https://www.justice.gov/opa/speech/assistant-attorney-general-brian-benczkowski-delivers-keynote-address-ethics-and
 This includes the Fraud Section, the Money Laundering and Asset Recovery Section, the Public Integrity Section and the Computer Crime and Intellectual Property Section
 Assistant Attorney General Brian A. Benczkowski Delivers Keynote Address at the Ethics and Compliance Initiative (ECI) 2019 Annual Impact Conference (April 30, 2019) https://www.justice.gov/opa/speech/assistant-attorney-general-brian-benczkowski-delivers-keynote-address-ethics-and