On June 1, 2020, the Department of Justice (DOJ) updated its guidance document on the “Evaluation of Corporate Compliance Programs.” As outlined below, the DOJ identifies the adequacy of resources and the access to data and analytics as key components to establishing an effective compliance program.
The original version of the guidance document was published by the Criminal Division in February 2017 to assist prosecutors in evaluating the effectiveness of a corporation’s compliance program for purposes of determining the appropriate resolution or prosecution of the case, monetary penalties, as well as any compliance obligations contained in any corporate criminal resolution. Prior to this most recent update, the DOJ updated the guidance document in April 2019.
The following analysis is a summary of the pertinent updates to the April 2019 guidance document.
In evaluating the effectiveness of a corporate compliance program in the context of a criminal investigation, the DOJ will make a reasonable, individualized determination that considers, among other factors, the company’s size, industry, geographic footprint, regulatory landscape and other internal and external factors that may impact the compliance program. The DOJ restates the original 3 fundamental questions considered in making the individualized assessment (changes reflected below):
- “Is the corporation’s compliance program well designed?“
- “Is the program being applied earnestly and in good faith?“ In other words, is the program being implemented adequately resourced and empowered to function effectively?
- “Does the corporation’s compliance program work“ in practice?
Throughout the updated guidance, the DOJ emphasizes the importance of leveraging operational data and information to strengthen the effectiveness of the compliance program. Specifically, when discussing updates and revisions to the compliance program in the context of the Risk Assessment, the DOJ states the following:
- Updates and Revisions – Is the risk assessment current and subject to periodic review? Have there been any updates to policies and procedures in light of lessons learned? Is the periodic review limited to a “snapshot” in time or based upon continuous access to operational data and information across functions? Has the periodic review led to updates in policies, procedures, and controls? Do these updates account for risks discovered through misconduct or other problems with the compliance program?
In addition, the DOJ adds a new question based on internal or external “lessons learned.”
- Lessons Learned – Does the company have a process for tracking and incorporating into its periodic risk assessment lessons learned either from the company’s own prior issues or from those of other companies operating in the same industry and/or geographical region?
A well-designed compliance program includes policies and procedures that are readily accessible to relevant employees. Once again, it is recommended that internal data be used to identify the most frequently accessed policies and procedures.
- Accessibility – How has the company communicated its policies and procedures to all employees and relevant third parties? If the company has foreign subsidiaries, are there linguistic or other barriers to foreign employees’ access? Have the policies and procedures been published in a searchable format for easy reference? Does the company track access to various policies and procedures to understand what policies are attracting more attention from relevant employees?
Third-party relationships are a widely recognized area of risk for any industry, but even more so in the life sciences industry, where healthcare providers and organizations play an integral role in the life cycle of drugs, biologics and medical devices. In assessing third-party relationships, the DOJ encourages prosecutors to assess:
whether the company knows its the business rationale for needing the third party in the transaction, and the risks posed by third-party partners, including the third-party partners’ reputations and relationships, if any, with foreign officials, and the business rationale for needing the third-party in the transaction. For example, a prosecutor should analyze whether the company has ensured that contract terms with third parties specifically describe the services to be performed, that the third party is actually performing the work, and that its compensation is commensurate with the work being provided in that industry and geographical region. Prosecutors should further assess whether the company engaged in ongoing monitoring of the third-party relationships, be it through updated due diligence, training, audits, and/or annual compliance certifications by the third party.
The DOJ’s guidance set forth above is consistent with the safe harbor under the Anti-kickback Statute related to personal services and management contracts and reinforces the need for a rigorous and well controlled HCP engagement and management process.[1]
A critical question for the DOJ in assessing the effectiveness of compliance programs is the adequacy of resources. The DOJ notes, that “[e]ven a well-designed compliance program may be unsuccessful in practice if implementation is lax, under-resourced, or otherwise ineffective.” In discussing the adequacy of resources, the DOJ identifies “data” as a critical resource.
- Data Resources and Access – Do compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions? Do any impediments exist that limit access to relevant sources of data and, if so, what is the company doing to address the impediments?
The DOJ’s focus on access to data and effective analytics and monitoring is entirely consistent with the enormous growth in data within the corporate enterprise. The ability to aggregate and analyze data is no longer a “nice to have” for enterprise management but is now a requirement for demonstrating an effective corporate compliance program.
The DOJs updated guidance on evaluating the effectiveness of a corporate compliance program identifies the need for organizations to leverage data and technology to continuously monitor compliance within the organization. As technology and the ability to analyze large volumes of data evolves, it is critical for enterprises to understand what is happening within the organization and to improve their compliance program accordingly.
[1] 42 C.F.R § 1001.952(d)
Tim Robinson, Esq.
Chief Legal and Privacy Officer
June 4, 2020