Deputy Attorney General Lisa Monaco’s speech and memo of September 15 and the DOJ Fraud Section’s hiring this month of Matthew Galvin, formerly the head of ethics and compliance at AB InBev, continues the steady surge of compliance resources and guidance provided by DOJ since 2019. This “compliance surge” of both guidance and resources has roots dating back to at least the 1999 issuance of a memo by then-Deputy Attorney General Eric Holder, but has picked up unprecedented speed and force since 2019.
The Criminal Division’s Fraud Section has emerged as the preeminent Department component with regard to evaluating and issuing guidance on compliance programs. Overseeing the Fraud Section today are two former Chief Compliance Officers: Kenneth Polite, the Assistant Attorney General of the Criminal Division, appointed in 2021, who previously served as the Chief Compliance Officer of Entergy Corp., and Glenn Leon, the newly-appointed Chief of the Fraud Section whose prior role was as Chief Ethics and Compliance Officer at Hewlett-Packard Enterprise.
Within the Fraud Section, the Corporate Enforcement, Compliance, and Policy Unit (CECP) takes the lead in evaluating compliance programs during an investigation and with regard to post-settlement compliance obligations such as monitorships and self-reporting. The staff of CECP includes attorneys who themselves have vast compliance expertise. Lauren Kootman played key roles on two monitorships while at Orrick. Lauren assisted the independent compliance monitors of Braskem SA, a Brazilian petrochemical company which pled guilty to FCPA offenses in 2016, and also represented Zimmer Biomet during that company’s monitorship. Marnee Rand also had extensive involvement with the Zimmer Biomet monitorship while at Orrick and joined her former colleague Lauren at CECP earlier this year.
Sally Molloy and Andrew Gentin, longtime Fraud Section and CECP attorneys, have been evaluating corporate compliance programs for DOJ for years now. And, just this month the section added to its ranks Matthew Galvin, the former head of ethics and compliance for multi-national brewer AB InBev. While at AB InBev, Galvin was well known for his focus on data analytics to identify high-risk third parties and transactions. With a new title of “Counsel, Compliance and Data Analytics,” we can expect the Fraud Section to add a focus on “Big Data” to its compliance program scrutiny.
These compliance experts will be evaluating companies’ compliance programs pursuant to the most detailed guidance issued to-date by DOJ or any other government authority, 2020’s Evaluation of Corporate Compliance Programs (2020 Guidance). It is, ostensibly, guidance to DOJ attorneys regarding how they should evaluate compliance programs. It directs prosecutors to ask three overarching questions, in essence: (1) is the program well designed?; (2) is the program being applied in good faith?; and (3) does the program work? In making this document public, the DOJ has given companies a road map of what their own compliance programs should look like. This 2020 Guidance builds upon an Evaluation document issued by the Fraud Section 2017, though is more detailed and represents the DOJ’s evolution and growing sophistication with regard to corporate compliance programs.
The 2020 Guidance ought to be required reading for all compliance professionals with several notable provisions. As an example, it focuses on not just the design of a compliance program, but on the process that led to that design. The 2020 Guidance clearly states that the design process should change over time and involve a broad swath of company personnel. Such a process will assist a company in designing a program that is fit-for-purpose and accepted – “bought into” – by employees.
The 2020 Guidance also directs prosecutors to inquire into how a company not only trains its employees, but how it measures the effectiveness of such training. Measuring the effectiveness of training is something that plenty of companies do not yet do, but they certainly ought to. Companies have spent more and more money over the years at designing training sessions that they hope will entertain and educate, but few companies take the time to measure how effective the sessions truly are and whether the money they are spending is paying off. Similarly, the 2020 Guidance directs prosecutors to not just ensure that companies have whistleblower hotlines, but that they have tested those hotlines to ensure that employees are aware of the hotline and feel comfortable using it.
The 2020 Guidance is also notable for its focus on the need for a program to evolve with the business. This principle comes up several times in the guidance including with regard to: updating risk assessments and risk assessment criteria; revising programs in light of lessons learned both by the company itself as well as by companies with similar profiles or risks; and revising policies and procedures to meet a company’s “spectrum of risks.” This focus on evolution makes clear that DOJ realizes that companies are never “done” with their compliance mission and that a program must grow and evolve along with each company’s business.
Another major theme that emerges from the 2020 Guidance is the need for companies to test their programs, test them again and then test them some more. This comes up in several contexts, including: testing the effectiveness of training; testing the effectiveness of controls with access to relevant sources of data; more broadly testing the effectiveness of an overall compliance program; and a focus on the testing performed by internal audit.
The memo issued by Deputy Attorney General Lisa Monaco last week adds to DOJ’s library of guidance in some important ways. First, it makes clear that DOJ will now scrutinize executive compensation schemes – including possible clawback policies – to determine if they incentivize compliance. Second, the Monaco Memo brings renewed focus to employees’ use of instant messaging for work purposes and to their use of personal devices. Further guidance should be coming on these issues in coming months and companies may need to revise relevant compliance policies and controls. In addition, the Monaco Memo lays out 10 criteria the DOJ should consider when deciding whether to impose a monitor. Many of these echo the guidance found in the 2020 Evaluation of Corporate Compliance Programs with regard to the testing and monitoring of compliance programs.
During a March 2022 speech, Criminal Division Assistant Attorney General Kenneth Polite warned companies to “[s]upport your compliance program now or pay later.” And, like at no time in its history, the DOJ is prepared to make good at this warning.
This DOJ compliance surge – in both resources and guidance – means that the Department is well equipped to evaluate the compliance programs that come before it and emphasizes the very real benefits to companies who get their compliance house in before a lapse in judgment or controls brings it to the door of the DOJ.
Billy Jacobson, pictured above left, is a partner at Allen & Overy in Washington D.C. and was formerly the Assistant Chief for FCPA Enforcement at DOJ and the Co-General Counsel and Chief Compliance Officer of Weatherford International.
Claire Rajan, above right, is a partner at Allen & Overy in Washington D.C. Her primary focus is on anti-corruption laws, including the Foreign Corrupt Practices Act and political laws, which regulate how companies engage with government entities.