Mon, Jul 10, 2023
The U.S. Department of Justice (DOJ) has recently issued its March 2023 update on the Evaluation of Corporate Compliance Programs.[1] The update is crucial for companies operating in Central and Latin America, as it highlights the need for data-driven assessments of compliance programs and emphasizes the importance of comprehensive monitoring and testing systems to measure the effectiveness of these programs. In this article, we will explore the implications of this update and offer actionable advice for compliance professionals in Central and Latin America on how to implement these changes effectively.
In the process of strengthening the guidelines established by the “Principles of Federal Prosecution of Business Organizations” described in the Justice Manual, DOJ has recently issued its March 2023 update on the Evaluation of Corporate Compliance Programs;[2] its last update was in June 2020.[3] The primary changes in the 2023 update are under the headings “Compensation Structures and Consequence Management” and “Investigation of Misconduct”; however, the core structure and content of the guidance remain the same. In general terms, this document is intended to assist prosecutors on how to evaluate the effectiveness of a compliance program in accordance with each company’s risk profile and risk mitigation efforts. While the spirit of this document is to assist U.S. regulators in evaluating corporate compliance programs in the specific context of a criminal investigation, it has also become a vital guide for assessing corporate compliance programs in other parts of the world, including Central and Latin America.
One of the primary themes emphasized by the DOJ update is the need for data-driven assessments of compliance programs. As the management consultant, educator, and author Peter Drucker stated, it’s difficult to fix what you can’t measure.[4] Therefore, compliance professionals in Central and Latin America must ensure their compliance programs align with DOJ’s new guidance. They must revise policies and procedures, update training programs, and enhance monitoring and testing procedures to ensure their compliance program is appropriately designed and operating effectively.
Compliance professionals must also work closely with senior management to ensure compliance is integrated into the company’s overall strategy. This may involve securing additional funding or staff and ensuring compliance professionals have sufficient access to company data and resources. Companies should also consider engaging outside experts to provide independent compliance program assessments to implement the new guidance.
The update introduced several new components companies should consider when developing or evaluating their compliance programs. In general terms, these updates include:
The updates in “Compensation Structures and Consequence Management” emphasized the importance of establishing incentives for compliance and disincentives for noncompliance, including consequence management procedures, internally publicized disciplinary actions, tracking data related to disciplinary measures, and the design and implementation of compensation schemes. It also highlights the following factors:
The updates also strengthened the “Investigation of Misconduct” section, in reference to an effective investigation structure to document the company’s response to alleged misconduct, including any disciplinary or remediation measures taken. In particular, the update emphasizes the importance of the corporation’s policies and procedures governing the use of personal devices, communication platforms, and messaging applications tailored to the corporation’s risk profile and specific business needs. It considers the following factors:
Each of the new criterion highlights the involvement, commitment, and evaluation that each employee must have, which is aligned with the historical efforts of other U.S. regulatory institutions with respect to individual accountability.[5] For example, in 2014, the Financial Crimes Enforcement Network (FinCEN) of the U.S. Department of the Treasury emphasized the importance of maintaining a strong culture of compliance, and specified that the entire staff is responsible for anti-money laundering (AML) and countering the financing of terrorism (CFT) compliance.[6] Likewise, in sync with this advisory information, on September 9, 2015, then-Deputy Attorney General Sally Q. Yates issued a memorandum on “Individual Accountability for Corporate Wrongdoing” (the Yates Memo).[7] The Yates Memo also focuses on individuals who perpetrate wrongdoing in corporate misconduct investigations and notes that the resolution of a corporate case does not provide protection to individuals from criminal or civil liability.
In this sense, the effectiveness of a compliance program depends not only on the compliance officer, the compliance function, or the internal control design and operation but also on the commitment of each member of an organization who puts the compliance program into practice.
As the update mentioned, it is important to tailor compliance programs to the specific risks faced by the organization. DOJ sets out general criteria that can be reviewed and adjusted according to the characteristics of each organization, considering various factors including, but not limited to, the company’s size; industry; geographic footprint; regulatory landscape; and other factors—both internal and external to the company’s operations—that might affect its compliance program.
According to the 2022 Kroll Anti-Bribery and Corruption Benchmarking Report, global companies primarily respond to the new regulatory measures by reviewing their compliance programs (44%), refreshing their risk assessments (43%), and evaluating their existing policies and procedures (42%).[8] Only 31% of compliance professionals respond to these latest measures by considering enhancements to their compliance programs in expectation of additional scrutiny. While the review and/or assessment of the existing compliance program can be the first step, new regulatory measures also require an update of policies and procedures, in addition to proper implementation, employee training, and ongoing monitoring measures.
The continued strengthening of corporate compliance programs takes on added strength in Central and Latin America when we consider the continuous measures that the U.S. government is issuing in relation to the fight against corruption in the region. Examples include continuously updating of the Global Magnitsky Sanctions program and visa restriction powers, updating the Engels List, and different economic sanctions issued against entities and individuals.
In this regard, the effectiveness and continuous improvement of compliance programs according to the new updates could be assessed from the following areas:
Companies can establish policies and procedures to ensure effective compliance with these recommendations to avoid costly penalties and legal action while improving their corporate culture and reputation, increasing investor confidence, and better managing risk.
Copyright 2023 CEP Magazine, a publication of the Society of Corporate Compliance and Ethics (SCCE).
Sources:
1 U.S. Department of Justice, Criminal Division, Evaluation of Corporate Compliance Programs, March 2023, https://www.justice.gov/criminal-fraud/page/file/937501/download.
2 U.S. Department of Justice, Justice Manual, §9-28.300 (2023), https://www.justice.gov/jm/jm-9-28000-principles-federal-prosecution-business-organizations#9-28.300.
3 Aisling O’Shea, Nicolas Bourtin, and Anthony Lewis, “DOJ Updates Guidance on the Evaluation of Corporate Compliance Programs,” Harvard Law School Forum on Corporate Governance, June 20, 2020, https://corpgov.law.harvard.edu/2020/06/20/doj-updates-guidance-on-the-evaluation-of-corporate-compliance-programs/
4 Harry A. Patrinos, “You Can’t Manage What You Don’t Measure,” World Bank Blogs, December 1, 2014, https://blogs.worldbank.org/education/you-can-t-manage-what-you-don-t-measure.
5 U.S. Department of Justice Archives, “About The Individual Accountability Policy,” archived content, last accessed April 6, 2023, https://www.justice.gov/archives/dag/individual-accountability
6 U.S. Department of the Treasury, Financial Crimes Enforcement Network, “FIN-2014-A006: Advisory on the FATF-Identified Jurisdictions with AML/CFT Deficiencies,” August 5, 2014, https://www.fincen.gov/resources/advisories/fincen-advisory-fin-2014-a006.
7 Sally Quillian Yates, “Individual Accountability for Corporate Wrongdoing,” Memorandum from the Deputy Attorney General, September 9, 2015, https://www.justice.gov/archives/dag/file/769036/download.
8 Kroll, “2022 Anti-Bribery and Corruption Report,” June 6, 2022, https://www.kroll.com/en/insights/publications/compliance-risk/anti-bribery-and-corruption-report.
The Kroll Investigations, Diligence and Compliance team are experts in forensic investigations and intelligence, delivering actionable data and insights that help clients worldwide make critical decisions and mitigate risk.
The Kroll Investigations, Diligence and Compliance team partners with clients to anticipate, detect and manage regulatory and reputational risks associated with global ethics and compliance obligations.
End-to-end governance, advisory and monitorship solutions to detect, mitigate, drive efficiencies and remediate operational, legal, compliance and regulatory risk.