Department of Justice Updates Guidance on the Evaluation of Corporate Compliance Programs

On June 1, 2020, the Department of Justice (DOJ) updated its guidance document on the “Evaluation of Corporate Compliance Programs.” As outlined below, the DOJ identifies the adequacy of resources and the access to data and analytics as key components to establishing an effective compliance program.

The original version of the guidance document was published by the Criminal Division in February 2017 to assist prosecutors in evaluating the effectiveness of a corporation’s compliance program for purposes of determining the appropriate resolution or prosecution of the case, monetary penalties, as well as any compliance obligations contained in any corporate criminal resolution. Prior to this most recent update, the DOJ updated the guidance document in April 2019.

The following analysis is a summary of the pertinent updates to the April 2019 guidance document. A full comparison of the June 2020 and April 2019 guidance documents can be found here.

In evaluating the effectiveness of a corporate compliance program in the context of a criminal investigation, the DOJ will make a reasonable, individualized determination that considers, among other factors, the company’s size, industry, geographic footprint, regulatory landscape and other internal and external factors that may impact the compliance program. The DOJ restates the original 3 fundamental questions considered in making the individualized assessment (changes reflected below):

“Is the corporation’s compliance program well designed?“
“Is the program being applied earnestly and in good faith?“ In other words, is the program being implemented adequately resourced and empowered to function effectively?
“Does the corporation’s compliance program work“ in practice?

Throughout the updated guidance, the DOJ emphasizes the importance of leveraging operational data and information to strengthen the effectiveness of the compliance program. Specifically, when discussing updates and revisions to the compliance program in the context of the Risk Assessment, the DOJ states the following:

Updates and Revisions – Is the risk assessment current and subject to periodic review? Have there been any updates to policies and procedures in light of lessons learned? Is the periodic review limited to a “snapshot” in time or based upon continuous access to operational data and information across functions? Has the periodic review led to updates in policies, procedures, and controls? Do these updates account for risks discovered through misconduct or other problems with the compliance program?

In addition, the DOJ adds a new question based on internal or external “lessons learned.”

Lessons Learned – Does the company have a process for tracking and incorporating into its periodic risk assessment lessons learned either from the company’s own prior issues or from those of other companies operating in the same industry and/or geographical region?

A well-designed compliance program includes policies and procedures that are readily accessible to relevant employees. Once again, it is recommended that internal data be used to identify the most frequently accessed policies and procedures.

Accessibility – How has the company communicated its policies and procedures to all employees and relevant third parties? If the company has foreign subsidiaries, are there linguistic or other barriers to foreign employees’ access? Have the policies and procedures been published in a searchable format for easy reference? Does the company track access to various policies and procedures to understand what policies are attracting more attention from relevant employees?

Third-party relationships are a widely recognized area of risk for any industry, but even more so in the life sciences industry, where healthcare providers and organizations play an integral role in the life cycle of drugs, biologics and medical devices. In assessing third-party relationships, the DOJ encourages prosecutors to assess:

whether the company knows its the business rationale for needing the third party in the transaction, and the risks posed by third-party partners, including the third-party partners’ reputations and relationships, if any, with foreign officials, and the business rationale for needing the third-party in the transaction. For example, a prosecutor should analyze whether the company has ensured that contract terms with third parties specifically describe the services to be performed, that the third party is actually performing the work, and that its compensation is commensurate with the work being provided in that industry and geographical region. Prosecutors should further assess whether the company engaged in ongoing monitoring of the third-party relationships, be it through updated due diligence, training, audits, and/or annual compliance certifications by the third party.

The DOJ’s guidance set forth above is consistent with the safe harbor under the Anti-kickback Statute related to personal services and management contracts and reinforces the need for a rigorous and well controlled HCP engagement and management process.[1]

A critical question for the DOJ in assessing the effectiveness of compliance programs is the adequacy of resources. The DOJ notes, that “[e]ven a well-designed compliance program may be unsuccessful in practice if implementation is lax, under-resourced, or otherwise ineffective.” In discussing the adequacy of resources, the DOJ identifies “data” as a critical resource.

Data Resources and Access – Do compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions? Do any impediments exist that limit access to relevant sources of data and, if so, what is the company doing to address the impediments?

The DOJ’s focus on access to data and effective analytics and monitoring is entirely consistent with the enormous growth in data within the corporate enterprise. The ability to aggregate and analyze data is no longer a “nice to have” for enterprise management but is now a requirement for demonstrating an effective corporate compliance program.

The DOJs updated guidance on evaluating the effectiveness of a corporate compliance program identifies the need for organizations to leverage data and technology to continuously monitor compliance within the organization. As technology and the ability to analyze large volumes of data evolves, it is critical for enterprises to understand what is happening within the organization and to improve their compliance program accordingly.

[1] 42 C.F.R § 1001.952(d)

Tim Robinson, Esq.
Chief Legal and Privacy Officer

June 4, 2020

Cookie	Description
cookielawinfo-checkbox-advertisement	This cookie is set by GDPR Cookie Consent plugin. The purpose of this cookie is to check whether or not the user has given their consent to the usage of cookies under the category 'Advertisement'.
cookielawinfo-checkbox-necessary	This cookie is set by GDPR Cookie Consent plugin. The purpose of this cookie is to check whether or not the user has given the consent to the usage of cookies under the category 'Necessary'.
cookielawinfo-checkbox-non-necessary	This cookie is set by GDPR Cookie Consent plugin. The purpose of this cookie is to check whether or not the user has given their consent to the usage of cookies under the category 'Non-Necessary'.
cookielawinfo-checkbox-preferences	This cookie is set by GDPR Cookie Consent plugin. The purpose of this cookie is to check whether or not the user has given the consent to the usage of cookies under the category 'Preferences'.
viewed_cookie_policy	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Description
GPS	This cookie is set by Youtube and registers a unique ID for tracking users based on their geographical location
IDE	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
test_cookie	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the users' browser supports cookies.
_ga	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, camapign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assigns a randoly generated number to identify unique visitors.
_gat	This cookies is installed by Google Universal Analytics to throttle the request rate to limit the colllection of data on high traffic sites.
_gid	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the wbsite is doing. The data collected including the number visitors, the source where they have come from, and the pages viisted in an anonymous form.

Cookie	Description
IDE	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
Marketo	This allows a website to track visitor behaviour on the sites on which the cookie is installed and to link a visitor to the recipient of an email marketing campaign, to measure campaign effectiveness. Tracking is performed anonymously until a user identifies himself by submitting a form.
test_cookie	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the users' browser supports cookies.
VISITOR_INFO1_LIVE	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.
YSC	This cookies is set by Youtube and is used to track the views of embedded videos.

Share This Story, Choose Your Platform!