In the ever-evolving landscape of compliance, the U.S. Department of Justice (DOJ) has intensified its scrutiny of corporate and executive liability, underscoring the critical role of effective compliance programs in preventing, detecting, and remediating misconduct. Lisa Monaco, the deputy attorney general, and other senior DOJ officials have emphasized the significance of robust compliance measures in mitigating legal risks and fostering ethical business practices.
Monaco, acknowledging DOJ’s commitment to accountability, stated, “With a combination of carrots and sticks—with a mix of incentives and deterrence—we’re giving general counsels and chief compliance officers the tools they need to make a business case for responsible corporate behavior.”[1] She elaborated that “companies should feel empowered to do the right thing—to invest in compliance and culture, and to step up and own up when misconduct occurs.” Kenneth Polite, former assistant attorney general for the Criminal Division, echoed this sentiment: “We closely evaluate corporate compliance programs during our corporate investigations and after our corporate resolutions, and give significant credit to companies that build strong controls to detect and prevent misconduct.”[2]
This article delves into the latest guidance—updated in March 2023—provided in the DOJ Criminal Division’s Evaluation of Corporate Compliance Programs, offering valuable insights for compliance employees at colleges and universities.[3] Although the guidance comes from DOJ’s Criminal Division, it is equally relevant to civil matters; compliance programs aligned with these guidelines will be recognized as the gold standard by many federal regulators in addition to DOJ.
Overview of DOJ’s Evaluation of Corporate Compliance Program
The updated guidance from DOJ builds on prior updates to the original guidance released in 2017. It provides a comprehensive framework for evaluating the effectiveness of corporate compliance programs. It emphasizes the need for a proactive approach, stressing that compliance should not be a mere check-the-box exercise but an integral part of an organization’s DNA while recognizing that a one-size compliance program does not fit all. This section outlines key considerations that DOJ evaluates when assessing the adequacy of a company’s compliance program.
DOJ’s guidance is structured around three “fundamental questions” a regulator should ask when evaluating a corporate compliance program:
-
Is the corporation’s compliance program well-designed?
-
Is the program being applied earnestly and in good faith? In other words, is the program adequately resourced and empowered to function effectively?
-
Does the corporation’s compliance program work in practice?
Monaco explained in a September 2022 DOJ memo that these factors should be assessed at two points in time: (1) the time the conduct occurred and (2) the time that DOJ (or another regulator) is evaluating the compliance program.[4] This means it is never too late to improve and adjust your compliance program. DOJ is likely to look more favorably upon an organization—including a college or university—that took immediate steps to remedy any identified gaps in its compliance program once misconduct was detected.
Is the corporation’s compliance program well-designed?
In the first core component, DOJ focuses on the design of the corporate compliance program. According to the guidance, a well-designed compliance program should be comprehensive and tailored to the specific risks and characteristics of the organization. The following are some key considerations.
Risk assessment
DOJ emphasizes the importance of a robust and dynamic risk assessment process. It encourages organizations to reassess risks periodically to ensure that the compliance program effectively addresses evolving challenges. It encourages organizations to tailor their risk assessments to their specific industry, size, and operations. Colleges and universities must be vigilant in identifying potential risks related to admissions, research, financial aid, and other areas unique to the academic environment.
Policies and procedures
The guidance underscores the need for clear and accessible policies and procedures. A well-designed program should provide guidance on a wide range of compliance-related matters, ensuring that employees are aware of the rules governing their conduct. For colleges and universities, this involves clear guidelines on academic integrity, research ethics, financial management, and other areas relevant to the institution’s mission.
Training and communication
Effective communication and training are crucial components of a well-designed compliance program. Organizations should implement regular training sessions tailored to the needs of different employee groups, promoting awareness and understanding of compliance expectations. Colleges and universities should ensure that faculty, staff, and students receive regular training on compliance matters, promoting a culture of awareness and responsibility.
Confidential reporting structure and investigation process
Another hallmark of a well-designed compliance program is a sound mechanism for employees to confidentially report misconduct allegations without fear of retaliation. The institution’s complaint-handling process must be proactive and must promote a workplace atmosphere that encourages employees to report misconduct or concerns of unethical behavior. The investigation of these complaints should be timely and thorough and include appropriate remediation and discipline where appropriate.
Third-party management
DOJ highlights the significance of effectively managing relationships with third parties. This includes partnerships with vendors, research collaborators, and contractors for colleges and universities. Implementing due diligence and monitoring mechanisms for third parties is crucial.
Mergers and acquisitions
DOJ’s guidance does not discourage mergers or acquisitions but stresses the value of robust due diligence in the process. That diligence should include both pre- and post-acquisition diligence to reduce the risk that may be associated with the institution that is being merged or acquired. Under DOJ’s newly announced “safe harbor” policy, an organization that discloses misconduct detected through the due diligence process within six months of closing the acquisition will presumptively not be prosecuted for that misconduct if they remediate the problem within a year, disgorge any ill-gotten gains, and implement an appropriate compliance program going forward. For colleges and universities, this guidance is particularly important in the current environment of increasing merger activity among universities struggling financially.