On April 30, 2019, the U.S. Department of Justice (“DOJ”), Criminal Division, released updated guidance to DOJ prosecutors on how to assess corporate compliance programs when conducting an investigation, in making charging decisions, and in negotiating resolutions.  The pronouncement, “Evaluation of Corporate Compliance Programs,” updates earlier guidance that DOJ’s Fraud Section issued in February 2017 (covered in our 2017 Mid-Year FCPA Update).  This guidance emphasizes DOJ’s laser focus on compliance programs, requiring companies under investigation to carefully evaluate, test, and likely upgrade their programs well before the investigation is over.

The updated Evaluation document has been restructured around the three “fundamental questions” from the Justice Manual that DOJ prosecutors should assess:

  1. Is the corporation’s compliance program well designed?
  1. Is the program being applied earnestly and in good faith?  In other words, is the program being implemented effectively?
  1. Does the corporation’s compliance program work in practice?

Under these three categories, the updated Evaluation groups 12 topics and sample questions that DOJ considers relevant in evaluating a corporate compliance program.  Much like the earlier Evaluation articulation, these topics relate to common elements of effective compliance programs, including policies and procedures, training, reporting mechanisms and investigations, third-party due diligence, tone at the top, compliance independence and resources, incentives and disciplinary measures, and periodic testing and review.  Several of these core standards can be found in other compliance program guidance materials, such as the Resource Guide to the U.S. Foreign Corrupt Practices Act and, very recently, the “Framework for OFAC Compliance Commitments” issued by OFAC on May 2, 2019, pursuant to the Agency’s promise to provide more guidance on its expectations for sanctions compliance programs.

The following chart captures how the 12 compliance topics in the updated Evaluation are grouped under DOJ’s three core questions.

Core Questions

Compliance Topic

(Core Focus)

Is the Program Well Designed?

Risk Assessment 

DOJ will assess whether the program is appropriately tailored to the company’s business model and the particularized risks that accompany it, considering factors like the company’s locations, industry sectors, and interactions with government officials.

Policies and Procedures

DOJ will assess whether the company has established appropriate policies and procedures, the processes for doing so and disseminating them to the workforce, and the guidance and training provided to “key gatekeepers in the control processes.”

Training and Communications

DOJ will assess the compliance training provided to directors, officers, employees, and third parties, as well as efforts to communicate to the workforce about the company’s response to misconduct, and the availability of resources to provide compliance guidance to employees.

Confidential Reporting Structure and Investigation Process

DOJ will assess the company’s reporting channels and investigative mechanism.

Third-Party Management

DOJ will examine whether the company’s third-party due diligence process is risk-based and includes controls and monitoring related to the qualifications and work of its third parties.

Mergers and Acquisitions

DOJ will examine the company’s M&A pre-acquisition due diligence and post-acquisition integration processes.

Is the Program Implemented Effectively?

Commitment by Senior and Middle Management

DOJ will evaluate the commitment by company leadership to a culture of compliance, including management’s messaging and promotion of compliance and the board’s role in overseeing compliance.  The OFAC Compliance Framework similarly emphasizes the importance of management’s commitment to, and support of, a company’s compliance program.

Compliance Autonomy and Resources

DOJ will assess whether the compliance function has sufficient seniority, resources, and autonomy commensurate with the company’s size and risk profile.  Notably, DOJ will ask whether the company outsourced all or parts of its compliance function to an external firm or consultant.  If so, DOJ will probe the level of access that the external firm or consultant has to company information.

Incentives and Disciplinary Measures

DOJ will assess whether the company has clear disciplinary procedures that are enforced consistently, as well as whether and how the company incentivizes ethical behavior.

Does the Program Work in Practice?

Continuous Improvement, Periodic Testing, and Review

DOJ will consider how the company has reviewed and evaluated its compliance program to ensure it is current, including changes made to the program in light of lessons learned.  DOJ also will assess the internal audit function and how the company measures its culture of compliance.  Effective training also is called out specifically in the OFAC Compliance Framework.

Investigation of Misconduct

DOJ will assess the effectiveness and resources of the company’s investigative function.  Notably, this is the second instance in the updated Evaluation calling for DOJ to assess a company’s investigative function.

Analysis and Remediation of Any Underlying Misconduct

DOJ will consider whether the company conducts root-cause analyses of misconduct and takes timely and appropriate remedial action against violators.  Under the heading “Accountability,” the updated Evaluation includes a question about whether disciplinary actions for failures in supervision have been considered by the company.


The updated Evaluation covers many of the same topics as the prior version, yet the addition of certain questions signals added emphasis or expectations compared to the prior guidance.  Although non-exhaustive, the following list outlines key takeaways from the updated Evaluation that companies should consider in building, maintaining, and enhancing their compliance programs.

  • Starting with a Risk Assessment and Building on “Lessons Learned”:  The updated Evaluation calls for tailoring a company’s compliance program based on its risk assessment, and ensuring that the criteria for the risk assessment are “periodically updated.”  Commentators suggest risk assessments annually or every two years.  DOJ does not prescribe the timing of risk assessments.  Going forward, “‘revisions to corporate compliance programs [should be made] in light of lessons learned.’”  This means that a company’s risk assessment should be an ongoing and iterative process, and that a company should reexamine and revise its compliance program from time to time based on the risk assessment results.  Reexamining and revising the compliance program is necessary to address DOJ’s particular emphasis on making enhancements in response to specific instances of misconduct.  When companies conduct internal investigations, especially where there is a prospect of a government-facing inquiry, they should give serious consideration to taking prompt remedial steps to address the components highlighted by the updated Evaluation document.  This will better position companies to advocate that they have effectively and timely remediated root-cause issues and should receive remediation credit.
  • Importance of Compliance Personnel:  In evaluating whether a company has sufficient staffing for compliance personnel, the updated Evaluation presents a number of related queries, such as where within the company the compliance function is housed (but without dictating a particular reporting structure) and how the compliance function compares with other functions within the company in terms of stature, compensation, rank/title, reporting lines, resources, and access to key decision-makers.
  • Responsibility for Third Parties:  The updated Evaluation indicates an increased focus on a company’s oversight of third parties, which historically have factored into the vast majority of Foreign Corrupt Practices Act enforcement actions.  Among other things, DOJ will consider whether a company has “appropriate business rationale[s]” for the use of third parties and whether it has considered “the compensation and incentive structures” for third parties against the compliance risks posed.  In addition, in assessing a company’s remediation of misconduct involving suppliers, DOJ will consider the company’s process for supplier selection.  Termination of a supplier or business partner upon a company’s finding of misconduct, and steps to ensure that such third parties cannot be re-engaged without appropriate authorization, is a sign of a mature compliance program expected by DOJ.
  • Cascading Tone from the Top:  The updated Evaluation emphasizes “culture of compliance.”  Crucially, messaging at the “top” alone will not equate to an adequate tone of compliance.  Rather, DOJ will focus on how the compliance tone cascades downward in the organization and to counterparties.  DOJ will examine not only the standards set by the board of directors and senior executives, but also the tone and actions of middle management to reinforce those standards.  The focus on the cultural leadership by mid-level management has been a constant theme from DOJ for more than a decade.  In addition, in assessing a company’s remediation, DOJ will consider whether managers were held accountable for misconduct that occurred under their supervision and whether the company considered disciplinary actions for failures in supervision.

Like its predecessor, the updated Evaluation guidance is an important resource for companies both for reactively defending their compliance programs in the context of a DOJ investigation and for proactively benchmarking or enhancing their programs.  Clearly, this refined prism will provide the template for DOJ Filip Factor presentations.

This was originally published by Gibson Dunn to provide a summary of significant developments to its clients and friends. View the original publication here

F. Joseph Warin

Gibson Dunn

F. Joseph Warin is chair of the nearly 200-person Litigation Department of Gibson Dunn’s Washington, D.C. office, and he is co-chair of the firm’s global White Collar Defense and Investigations Practice Group. Mr. Warin’s practice includes representation of corporations in complex civil litigation, white collar crime, and regulatory and securities enforcement – including Foreign Corrupt Practices Act investigations, False Claims Act cases, special committee representations, compliance counseling and class action civil litigation.

Richard W. Grime

Gibson Dunn

Richard W. Grime is a litigation partner in Gibson, Dunn & Crutcher’s Washington, D.C. office and a member of the White Collar Defense and Investigations Practice Group. He is also co-chair of the Securities Enforcement Practice Group. Mr. Grime’s practice focuses on representing companies and individuals in a full range of corruption, accounting fraud, and securities enforcement matters before the Securities and Exchange Commission and the Department of Justice. Mr. Grime also conducts internal investigations and counsels clients on compliance and corporate governance matters.

Patrick Stokes

Gibson Dunn

Patrick Stokes is a litigation partner in Gibson, Dunn & Crutcher’s Washington, D.C. office. He is a member of the firm’s White Collar Defense and Investigations, Securities Enforcement, and Litigation Practice Groups. Mr. Stokes’ practice focuses on internal corporate investigations, compliance reviews, government investigations, and enforcement actions regarding corruption, securities fraud, and financial institutions fraud. He has tried more than 30 federal jury trials as first chair, including high-profile white-collar cases, and handled 16 appeals before the U.S. Court of Appeals for the Fourth Circuit.  Mr. Stokes is equally comfortable leading confidential internal investigations, negotiating with government enforcement authorities, or advocating in court proceedings. In 2019, Mr. Stokes was ranked nationally by Chambers USA as a leading attorney in FCPA.

Christopher W.H. Sullivan

Gibson Dunn

Christopher W.H. Sullivan is of counsel in the Washington, D.C., office of Gibson, Dunn & Crutcher. He practices in the firm’s Litigation Department and is a member of the White Collar Defense and Investigations Practice Group. His practice focuses on white collar criminal defense, internal investigations, and corporate compliance.

Oleh Vretsona

Gibson Dunn

Oleh Vretsona is an of counsel in the Washington, D.C. office of Gibson, Dunn & Crutcher. He currently practices in the firm’s Litigation Department, where he focuses on white collar criminal defense, internal investigations, regulatory inquiries, antitrust, and corporate compliance. Mr. Vretsona has represented clients in a wide variety of matters, including matters arising under the U.S. Foreign Corrupt Practices Act and antitrust matters, and he has advised clients on structure and implementation of corporate compliance programs.

Abbey Bush

Gibson Dunn

Abigail (“Abbey”) Bush is an associate in the Washington, D.C. office of Gibson, Dunn & Crutcher. She practices in the firm's Litigation Department. 

Alexander Moss

Gibson Dunn

Alexander “Sandy” Moss is an associate in the Washington, D.C. office of Gibson, Dunn & Crutcher. He is a member of the firm’s Litigation Department, and his practice focuses on white collar defense and investigations. Mr. Moss’s experience includes conducting internal investigations for multinational corporate clients, representing corporate and individual clients in government investigations involving the Department of Justice, Securities and Exchange Commission, and other regulatory and enforcement agencies, and advising clients regarding the development of their compliance and ethics programs. He has participated in investigations involving alleged violations of anti-money laundering laws and regulations, the Foreign Corrupt Practices Act, and alleged securities and tax fraud.


Submit a Comment

Your email address will not be published. Required fields are marked *