As discussed in our most recent blog post, on April 30, 2019, the Criminal Division of the U.S. Department of Justice (“DOJ” or “the Department”) announced updated guidance for the Criminal Division’s Evaluation of Corporate Compliance Programs (“the Guidance”).  The Guidance is relevant to the exercise of prosecutorial discretion in conducting an investigation of a corporation, determining whether to bring charges, negotiating plea or other agreements, applying sentencing guidelines and appointing monitors.[1]  The Guidance focuses on familiar factors: the adoption of a well-designed compliance program that addresses the greatest compliance risks to the company, the effective implementation of the company’s compliance policies and procedures, and the adequacy of the compliance program at the time of any misconduct and the response to that misconduct.  The Guidance makes clear that there is no one-size-fits-all compliance program and that primary responsibility for the compliance program will lie with senior and middle management and those in control functions.

For the first time, however, the Guidance singles out some actions that a company’s board of directors should take in connection with corporate compliance programs.  This Guidance is relevant both to public and to private companies.  While no single factor or combination of factors will dictate the manner in which prosecutorial discretion should be exercised in any respect, the Guidance provides that boards should[2]:

  1. Consider receiving briefings from management to assess the design of the company’s compliance program, and to ensure that it reflects and addresses “the varying risks presented by, among other factors, the location of [the company’s] operations, the industry sector, the competitiveness of the market, the regulatory landscape, potential clients and business partners, transactions with foreign governments, payments to foreign officials, use of third parties, gifts, travel and entertainment expenses, and charitable and political donations.”[3] Directors should also exercise reasonable oversight over the company’s regular risk assessments.
  2. Require reports from company management to assess whether the company’s compliance program has been effectively implemented, is effectively operated and is reviewed and evaluated on a periodic basis to adapt to evolving regulatory and compliance risks and to employee concerns.
  3. Read the company’s code of conduct, which should set forth the company’s commitment to full compliance with relevant Federal laws.
  4. Be periodically trained on the company’s policies and procedures and certify that they have taken such training.
  5. Set the appropriate tone for the rest of the company and clearly articulate the company’s ethical standards. Senior leaders should encourage compliance through their words and actions and model proper behavior.
  6. Be available to personnel within the compliance function. The Guidance directs that the compliance function should be sufficiently autonomous from management through, for example, direct access to the board of directors or the board’s audit committee.
  7. Receive periodic briefings from personnel within the compliance function, including in executive or private sessions.
  8. Establish a reporting system reasonably designed to provide management and directors with timely and accurate information sufficient to allow them to reach an informed decision regarding the organization’s compliance with the law.
  9. Receive regular reports from internal audit on, among other things, the compliance function and financial controls.
  10. Follow up on the reporting by personnel within the internal audit and compliance functions, especially with respect to audit findings, risk assessments and any ongoing remediation.

For further detail regarding the Guidance, see the full alert memorandum.


[2] In certain of the factors set out below, it may be more appropriate for a committee of the board, such as the Audit Committee or the Compliance Committee, to undertake the relevant actions in the first instance.

[3] U.S. Dep’t of Justice, Criminal Div., Fraud Section, Evaluation of Corporate Compliance Programs, Guidance Document (Apr. 2019), at 2-3.