When entering a casino, professional gamblers understand that “the house doesn’t beat the player. It just gives him the opportunity to beat himself.” This axiom is precisely why in the long run casinos make money, while gamblers see their bank accounts dwindle. The same holds true in the corporate world with respect to the creation, implementation, and maintenance of compliance programs. A company gambling on its compliance obligations does so at its own peril and must understand exactly what the “House” expects. If it doesn’t, then that company may join the unfortunate few that roll the dice or spin the wheel and come up with snake eyes or double zeros. That risk is multiplied if the company betting on sufficient compliance is receiving federal dollars, where failure can lead to catastrophic civil and criminal liability.
Fortunately, the United States Department of Justice (“DOJ”) has published its version of “House Rules” that it is supposed to consult when examining whether to investigate, prosecute, or settle criminal charges against a company. In this respect, DOJ prosecutors are tasked with looking at specific factors outlined in the “Principles of Federal Prosecution of Business Organizations” (“Principles”) section of the Justice Manual. Among other factors, these Principles instruct DOJ prosecutors to consider “the adequacy and effectiveness of the corporation’s compliance program at the time of the offense, as well as at the time of a charging decision.” In furtherance of this mandate, the DOJ’s Criminal Division issued revised guidance on June 1, 2020, regarding the specific factors DOJ prosecutors should consider in making that evaluation. This updated version of the DOJ’s “Evaluation of Corporate Compliance Programs” (“Guidance”) clarifies and modifies certain areas of the version last updated in April 2019. Among other noteworthy revisions, the Guidance underscores the need for companies to ensure their corporate compliance program is:
- Appropriately tailored to and updated in accordance with the company’s risk profile.
- Adequately resourced and empowered to operate effectively.
- Subject to continuous updates and improvements.
The Guidance also provides practical advice on discrete issues such as employee training and testing and third-party relationships in addition to the impact of mergers and acquisitions on a compliance program.
At first blush, the Guidance may appear to have the most practical application for companies already sitting at DOJ’s table playing the cards they have been dealt. However, for the strategic company, playing three to four moves ahead and wishing to keep the money they walked in with, the Guidance provides a way to increase the odds and lessen the risk if you find yourself in an ill-fated stare down with a stone-cold dealer. The Guidance also provides an array of practical advice regarding the constituent elements of an “effective” compliance program. As federal contractors know all too well, they operate in a unique back room where violations of applicable statutes and regulations may subject them to significant monetary and criminal penalties far and above those felt by routine commercial companies. Although the DOJ recognizes that there is no “rigid formula” or “checklist” to assess the effectiveness of a corporate compliance program, the Guidance is grounded in three fundamental prosecutorial considerations when assessing a corporation’s compliance program:
- Whether the company’s compliance program is well designed.
- Whether the program is being applied earnestly and in good faith.
- Whether the program actually works in practice.
The recent revisions update the Guidance for the first two fundamental considerations. Regarding the criterion as to whether the compliance program is well designed, the Guidance now makes clear that the program should be subject to “continuous evolution” as driven by a comprehensive risk assessment. The second question—i.e., whether the compliance program is being applied earnestly and in good faith—has been expanded to ask whether the compliance infrastructure is adequately resourced and empowered to function effectively. Finally, the Guidance includes general updates of all sections that underscore the need and use of corporate operational data to measure the overall effectiveness of the compliance program. A summary of these revisions and what they mean for government contractors follows below.
Periodic Risk Assessment and the Evolving Compliance Program
A number of the revisions emphasize that a corporate compliance program should evolve continuously and be based on the company’s risk profile. Under the Guidance, DOJ prosecutors are told to consider not only whether a company’s risk profile is subject to periodic review but also whether such reviews are “limited to a ‘snapshot’ in time or based upon continuous access to operational data and information across functions.” In addition, the DOJ will specifically examine whether periodic compliance reviews “led to updates in policies, procedures, and controls.” In order to meet these requirements, each company should implement a data-driven, analytical process for tracking and incorporating “lessons learned” in periodic risk assessments based on the company’s experience or that of peer companies in the same industry and/or geographic region. Thus, the DOJ expects compliance programs to be flexible, “living” regimes, subject to ongoing adjustments based on the changing dynamics of the company and its environment. Notably here, however, the DOJ recognizes that a proactive risk assessment should not focus myopically on a company’s risk profile but also should apply risk-based due diligence to a company’s “third party relationships” (e.g., vendors, suppliers, and subcontractors). The Guidance goes so far as to suggest comprehensive, pre-closing due diligence of all corporate acquisitions as well as establishment of a process for “timely and orderly” integration of acquisitions with the company’s existing compliance program. With acquisitions and mergers expected to increase in a post-COVID-19 world, this is a specific inclusion that the DOJ regards as likely absent from most corporate compliance programs.
Ensuring the Compliance Program Is Adequately Resourced and Empowered
Prior to the June 2020 update, the second overarching question asked whether a company’s compliance program was “being implemented effectively.” However, the Guidance adds a new wrinkle to this question by inquiring whether the compliance program “is adequately resourced and empowered to function effectively.” In other words, this revision suggests that prosecutors “call” the company on its hand to ensure that it has dedicated adequate resources—in terms of human resources, training, and authority—to support its compliance efforts. The DOJ isn’t accepting an IOU or a voucher; it needs to see the money on the table. In particular, the Guidance suggests that, inter alia, prosecutors consider the commitment of a company’s management to fostering a culture of compliance and the reasoning underlying a company’s decisions on structuring its compliance program (e.g., is the program controlled by the company legal department, or is it independent?). In fact, a new subsection of the Guidance, “Data Resources and Access,” asks whether a company’s compliance and control personnel have sufficient access to relevant sources of data “to allow for timely and effective monitoring and/or testing of policies, controls, and transactions” and what, if anything, a company is doing to address any impediments to receiving those relevant sources of data. This new Guidance once again underscores the DOJ’s emphasis on leveraging corporate data as a means to continuously improve compliance programs.
What the DOJ Guidance Means for Government Contractors
More than most, federal contractors should use this Guidance to evaluate the effectiveness of their compliance programs and reporting requirements, and should assess whether their compliance program comports with the DOJ’s best practices. Federal contractors are typically subject to more regulations than exclusively commercial entities, and violations of those regulations carry significant penalties, such as suspension or debarment from federal contracting for the company in addition to possible criminal penalties for the individuals involved. Indeed, a responsible contractor should have comprehensive compliance programs—to include a written code of business ethics and conduct, an internal control system, and an established employee training program—sufficient for its size and contracting footprint. See, e.g., Federal Acquisition Regulation (FAR) clause 52.203-13. Contractors also must make mandatory disclosures of improper conduct in connection with government contracts and subcontracts when the company or its officers or directors become aware of credible evidence of actual or suspected violations of Federal law concerning violations of Title 18 of the U.S. Code (i.e., evidence of fraud, conflict of interest, bribery, or gratuity violations) or the civil False Claims Act (i.e., knowingly or recklessly submitting an invoice on a contract when not all the contractual requirements are being met).
In addition, the ongoing COVID-19 pandemic has forced contractors to confront new compliance challenges related to remote work, supply-chain disruption, and reimbursement for employee sick leave—along with the related reporting obligations to address each. Just like on gambling’s seedier side, the outlay of federal funds, as if being provided by a loan shark, will bring with it enforcers prepared to remedy the situation through audits, investigations, and prosecutions. Using the Guidance as a reference point, contractors and their subcontractors, vendors, and suppliers all should assess whether their current compliance programs are appropriately tailored to meet not only their contractual requirements but also the DOJ’s revised expectations. In light of this Guidance, contractors should fine-tune their existing compliance programs to more effectively mitigate the risk of wrongdoing while also reducing their risk of downstream exposure in the event that something goes awry.
While the themes of gambling and compliance make it easy to craft an allegorical structure, compliance is not a game and should never be a gamble. Between qui tam relators, curious or confused contracting officers, the chance of submitting an improperly prepared invoice, and the omnipresence of inspectors general, compliance is simply too low a bar to risk a company’s survival on a roll of the dice. As the old adage reminds us, if you feel the need to make a throw, “the best throw of the dice is to throw them away.”