What are the DOJ’s Evolving Requirements for Effective Compliance Programs?

Answer: look at a recent Attachment C.

What in Sam Hill is Attachment C? So glad you asked… 

When the US Department of Justice (DOJ) issues Foreign Corrupt Practices Act resolutions, they often include an “Attachment C.” You can consider Attachment C to be a blueprint for compliance programs because they offer specific DOJ guidance into what elements are seen as crucial to an effective compliance program at the target company.

In other words, Attachment C can be a benchmark for your program. Of course, compliance practitioners should also regularly benchmark with the Evaluation of Corporate Compliance Programs and the FCPA Resource Guide (second ed.) in the design, enhancement, and maintenance of corporate compliance programs. That said, Attachment C is a relatively short summary for busy executives.

Well, the only constant in life is change… and this is no different for Attachment C. Near the end of 2023, the DOJ issued a substantially different Attachment C that offers fresh insight into its priorities.

The latest revisions focus on management commitment, training, third party management, remediating misconduct, mergers and acquisitions, monitoring and testing, and incentives compensation structures. (In other words, practically everything.)

Let’s explore these revisions together:

1. Management Commitment: from “High Level Commitment” to “Commitment to Compliance.” Previously, Attachment C focused on ensuring director and senior management support and commitment to compliance (i.e., “Tone at the Top”). This requirement now also applies to mid-level management – the folks who are closer to the action, involved in the day-to-day operations, and to whom employees tend to look for ethical guidance (i.e., “Tone in the Middle”). This evolution is consistent with the DOJ’s push to infuse compliance throughout all levels of organizational leadership.
2. Training and Guidance. Training must now be fit for purpose.  To achieve this training must be made both relevant and effective (i.e., targeted and powerful). A company should incorporate meaningful discussions around previous compliance incidents and tailor training to industry, department, and job responsibility; it can self-assess by using metrics “measuring knowledge retention.”
3. Third-Party Management. Extensive updates mandate that companies explicitly examine and document why third parties are being engaged.  (The business justification matters enough to warrant an entire paragraph in Attachment C!)  Additionally, companies must (a) clearly outline the services to be provided in the contract, (b) confirm that said work is actually being performed, and (c) ensure pricing for the services is comparable to services provided by others in the same region. These updates reinforce the need for ongoing monitoring of third-party relationships (e.g., through audits, certifications, and invoice reviews).
4. Remediation of Misconduct. The DOJ now expects a company under a resolution to “conduct a root cause analysis” of the misconduct, implement remediation measures in a timely manner, and share the information with management when and where possible. Such a proactive approach – consistent with the Evaluation of Corporate Compliance Programs – is intended to reveal potential systemic issues and prevent their recurrence. 
5. Monitoring and Testing. The DOJ clearly places great importance on establishing and documenting a plan to integrate an acquired business into the acquiring company’s enterprise resource planning (ERP) system “as quickly as practicable.”  Speedy incorporation helps to avoid missteps commonly encountered by companies that fail to fully integrate after acquiring. Separately, the DOJ expects that compliance personnel (broadly interpreted) must have the necessary access to “relevant sources of data” to effectively monitor and test transactions.
6. Incentives and Compensation. The DOJ prioritizes incenting compliant behavior and appropriately (and consistently) disciplining  violators, including with regards to corporate compensation and bonus programs.  (You might consider reviewing our recent blog on its view of clawbacks.)

Companies would be wise to utilize this most recent Attachment C for benchmarking purposes and, where lacking, should work towards incorporating its requirements into their own operations and compliance programs.

Don’t know where to start? Don’t have time to do it? We’re your huckleberry. Reach out to The Wallenstein Law Group today!