U.S. DOJ Unveils New Components of Effective Corporate Compliance Programs

First, following up on Deputy Attorney General Lisa Monaco’s statements in September 2022 (covered in a prior Sidley Update, available here), Polite announced “significant changes to the ECCP, including how [DOJ] consider[s] a corporation’s approach to the use of personal devices as well as various communications platforms and messaging applications, including those offering ephemeral messaging.” Polite explained that in practice, prosecutors will consider corporate policies on messaging applications, bring-your-own-device programs, and preservation of such communications when considering the corporation’s risk profile and business needs. Notably, prosecutors will more actively seek data from third-party messaging applications, and a company’s failure to preserve and produce such data may affect any plea offer that it receives.

Second, Polite offered further clarification regarding how the government will assess corporate compensation structures. Under the ECCP, prosecutors will affirmatively review compensation structures when evaluating compliance programs. Further, and as discussed in detail in Sidley’s Update from yesterday (available here), Polite reiterated two aspects of the DOJ’s new pilot program: that (1) criminal resolutions will take into account corporate compliance programs, including compensation-related criteria, and (2) DOJ will offer fine reductions for companies that seek to claw back compensation in appropriate cases.

Polite also reemphasized the significant benefits available to companies that self-report misconduct (covered in more detail in a prior Sidley Update, available here) and demonstrate an effective “tone at the top,” noting that “there is enormous gulf between the benefits associated with doing the right thing and the punishment associated with not.”

Companies and their counsel should continue to monitor the recent uptick of DOJ policy announcements, especially those relating to DOJ’s evolving expectations on effective compliance program components. With such considerations in mind, below are some steps companies should consider, as appropriate, when evaluating their own compliance posture and readiness to confront these shifts:

1. Tone at the Top: Management should routinely emphasize and promote a commitment to a culture of compliance and lawfulness through words and actions.
2. Mobile Devices and Messaging: Evaluate policies regarding the permissible use of mobile devices and third-party messaging applications, including retention and preservation policies, to ensure alignment with best practices and, if applicable, regulatory record-keeping requirements. Ensure employees receive periodic training on the company’s permissible-use policies, and conduct regular monitoring of communications to ensure compliance with those policies.
3. Compensation: Assess management compensation structures to ensure that compliance-related metrics are taken into account, for example, that employees are rewarded for improving compliance programs and demonstrating ethical leadership. Assess whether, under applicable law and in consideration of possible employment suits, clawing back, deferring, or withholding compensation in the event of misconduct is worth the incentives offered by the government.
4. Periodic Risk Assessments: Ensure that the company is engaging in regular periodic compliance risk assessments to align resources and tailor procedures to address and mitigate entity-specific material risk areas. DOJ will evaluate the sufficiency of a corporate compliance program based in part on the company’s particular risk profile.
5. Whistleblower Hotline and Investigations: Implement a widely publicized whistleblower hotline or other confidential reporting mechanism for employees and others to anonymously identify compliance issues and raise complaints.
6. Investigations: Have a process in place for ensuring that investigations are conducted efficiently and effectively and fully documented. Additionally, root-cause analysis of misconduct will be essential to enhancing policies and procedures to guard against recidivism. When misconduct is discovered, companies should move quickly to consider voluntary self-disclosure.