Corporate Compliance Safeguards Against U.S. Department of Justice Prosecution: New 2020 Guidelines
Do You Have an Enterprise-Wide Culture of Compliance?
In the Principles of Federal Prosecution of Business Organizations (“DOJ Principles”) the United States Department of Justice (DOJ) incorporates periodic guidance memoranda from the deputy attorneys general about how it should investigate and prosecute corporations. Set forth in the US Attorneys’ Manual, the DOJ Principles were updated again in June of 2020.
Verisys reviewed the twenty-page document and found it to be chock-full of insights that might all roll up under a single guideline: when investigating or prosecuting alleged corporate wrongdoing, DOJ officials must determine the extent to which a corporation has created a culture of compliance that permeates all aspects of its business and operations. Key buzzwords that flow from this guideline include “comprehensive,” “individualized,” “interactive,” “measured,” “tracked,” “tested,” and “updated.”
Verisys is the pioneer in provider screening, verification, credentialing, and monitoring powered by the most comprehensive data in the health care industry. Verisys partners with health care organizations to ensure compliance with both federal and state regulations which mitigates financial loss and regulatory and reputational risks.
- I. Compliance Program Design
DOJ attorneys are advised first to evaluate whether a corporate compliance program is designed to prevent wrongdoing to the maximum extent.
According to the DOJ Principles, corporate compliance programs must be comprehensive in nature and include the following:
- Appropriate incentives to ensure desired workforce behavior
- Easy-to-understand policies and procedures
- Regular training and communications
- Anonymous means of reporting suspected misconduct
- Appropriate allocation of resources to ensure compliance by a compliance unit that is sufficiently experienced and autonomous from senior leadership
Prosecutors should evaluate whether a compliance program is tailored to detect and deter the type of misconduct most likely to occur, and company resources are focused on the most serious risks. Companies are discouraged from focusing their attention on low-risk areas and encouraged to compile key learning metrics that are used to inform existing policies and procedures as risks evolve over time. Once a program meets these criteria, the DOJ assesses the frequency at which the metrics, policies, and procedures are reviewed and revised.
- II. Policies and Procedures
If nurturing a “culture of compliance” is the lodestar of the DOJ Principles, establishing a code of conduct that gives both content and effect to ethical norms is a critical means of doing so. All business units should have a seat at the table in creating this code of conduct, and the code should be rolled out so that all employees have easy access to it in a searchable format. Employee access to policies and procedures should then be tracked, thereby helping management understand which ones are most relevant.
- III. Training and Communications
Another hallmark of an effective compliance program is creating trainings and communications tailored to a company’s business and workforce. Consequently, prosecutors are required to evaluate a company’s training and certification program, determining whether the policies and procedures are explained in a manner appropriate for the audience’s size and sophistication. In some instances, trainings that provide practical advice, case studies, and real-life scenarios might be best suited, while in other instances companies would be better off providing short, targeted trainings that demonstrate how employees may alert the relevant risk management unit as to any concerns. Supervisors should receive supplementary training, as should employees working in high-risk areas. Once training is complete, companies must have a way to measure its effectiveness, including by way of ongoing testing.
- IV. Confidential Reporting Process
After a company has rolled out a code of conduct and trained its workforce, employees should be provided a confidential means of reporting suspected misconduct. Employees must believe that the reporting process guarantees their anonymity and that all reports will be investigated in good faith and without retaliation. The investigation process should be mapped out in writing. An effective investigation process will identify 1) how information is gathered and documented; 2) who will gather the information; 3) how final decisions or recommendations will be made, and 4) by whom. Effective investigation processes also prioritize the most serious allegations and include a method for tracking the progress of the investigation.
- V. Paper Tigers
Even a well-designed compliance program may be unsuccessful in practice if implementation is lax, under-resourced, or otherwise ineffective. Prosecutors are instructed to probe whether a compliance program is a “paper program” or one “implemented, reviewed, and revised, as appropriate, in an effective manner.” The DOJ’s first consideration is determining whether a corporation has provided sufficient staff to audit, document, analyze, and utilize the results of its compliance efforts.
A second consideration is evaluating the level of buy-in from a company’s senior leadership. Prosecutors are told to examine the extent to which senior management has clearly articulated and disseminated the company’s ethical standards in clear and unambiguous terms and demonstrated rigorous adherence by example. In particular, the DOJ wants to know what concrete actions senior leaders have taken to demonstrate leadership in the company’s compliance and remediation efforts. Have certain risks been tolerated or minimized in pursuit of new business or greater revenues? Have managers encouraged employees to act unethically to achieve a business objective, or impeded compliance personnel from effectively implementing their duties? Does the board of directors play any role in oversight?
As part of the buy-in, senior leadership must make the compliance unit autonomous. At the end of the day, the DOJ wants to ensure that internal audit functions are conducted by compliance personnel who are sufficiently independent to effectively detect and prevent misconduct. The company must also hire a compliance leader with enough experience and expertise to discharge these responsibilities, and enough staff to assist. Prosecutors are instructed to assess whether a compliance unit’s requests for additional staff or funding have been rejected, and whether any portion of the compliance regime has been outsourced and why. Collaboration between a company’s compliance and human resource units is encouraged for the purpose of creating a program of incentives and disincentives for employee behavior.
- VI. Evolution and Adaptation
A final hallmark of an effective compliance program is its capacity to improve and evolve. The actual implementation of controls in practice will necessarily reveal areas of risk and potential adjustment. Accordingly, companies should engage in meaningful efforts to review their compliance program and ensure that it is not stale. Some companies survey employees to gauge the compliance culture and evaluate the strength of controls, while others conduct periodic audits to verify that controls are functioning well. Prosecutors are allowed to reward proactive efforts that promote improvement and sustainability. In evaluating whether a particular compliance program works in practice, prosecutors should consider “revisions to corporate compliance programs in light of lessons learned.”
While the latest 2020 updates to the guidance on Evaluation of Corporate Compliance Programs are refinements more than an overhaul, some of the revisions appear to reflect the DOJ’s continued raising of the compliance bar, particularly related to the use of data as part of continuous monitoring and periodic testing and program updates, as well as a continued emphasis on the need for programs to be properly tailored and dynamic to be effective.
Alongside the renewed stress on the need for a more finely-honed risk-based approach, the DOJ is also emphasizing the need for companies to pay more attention to the benefits of data collection and analytics around compliance risks. A data-driven compliance process also enables early warning indicators around supply chain, payment, and risks related to high-risk customers or vendors who may also implicate issues involving OFAC and export controls.
The revised guidance announces that compliance programs will be judged according to how they employ tools to analyze objective data sources and continuously translate those findings into ongoing program enhancements. While companies make difficult resource-allocation decisions in the short term and the long term, the guidance reinforces the government’s expectation that companies will continue to make investments to monitor compliance and operationalize the results of such monitoring.
Third parties have long been a focus in corporate enforcement actions and DOJ’s related guidance documents. The 2020 Compliance Guidance underscores that third-party risk management is a continuous process, stretching from needs assessments, through due diligence and onboarding, and continuing through the lifespan of the relationship. The updated guidance asks prosecutors to inquire whether a company conducted a needs assessment before engaging a third-party and if it “engage[s] in risk management of third parties throughout the lifespan of the relationship, or primarily during the onboarding process?” This acknowledges the reality that as markets change over time, so do companies’ business models and their relationships with their third-party partners.
Verisys Specializes in Keeping Corporations Compliant
Verisys combines regulatory expertise and practical experience with health care organizations to assist clients in maintaining compliance with federal and state regulations. Verisys exclusion screening and license verifications comply with standard setting organizations such as NCQA, URAC, and the Joint Commission. All federal data sources such as OIG, SAM, FDA, DEA, TRICARE, FBI, U.S. DOJ, U.S. Treasury Dept., U.S. State Dept. as well as all state-level boards and data sources are used to see every possible record on health care individuals and entities and monitored to maintain a thorough compliance program for your organization.
DISCLAIMER: The information provided does not, and is not intended to, constitute legal advice; instead, all information and content are for general informational purposes only. All liability with respect to actions taken or not taken based on the contents of this site is hereby expressly disclaimed. Information in this summary may not constitute the most up-to-date legal or other information. Readers of this summary should contact their attorney to obtain advice with respect to any particular legal matter. We advise that you should not act or refrain from acting on the basis of any content included here without seeking legal or other professional advice. Only your individual attorney can provide assurances that the information contained herein – and your interpretation of it – is applicable or appropriate to your particular situation. Use of, and access to, this website or any of the links or resources contained within do not create an attorney-client relationship between the reader, user, or browser and website authors, contributors, contributing law firms, or committee members and their respective employers.