The U.S. Department of Justice, Criminal Division, publishes a guidance document: Evaluation of Corporate Compliance Programs (ECCP). The DOJ has updated the guidance multiple times, most recently in March 2023.
This guidance is used in two ways:
- Federal prosecutors conducting criminal fraud or misconduct investigations (including healthcare fraud) use it to evaluate the effectiveness of a corporation’s compliance program. An effective program has the potential to reduce financial penalties imposed.
- Corporations, including healthcare providers, use the ECCP as a resource when implementing or evaluating the effectiveness of their compliance programs.
The DOJ guidance focuses on three questions:
- Is the corporation’s compliance program well designed?
- Is the program being applied earnestly and in good faith? (Is the program adequately resourced and empowered to function effectively?)
- Does the corporation’s compliance program work in practice?
June 2020 ECCP Updates
In June 2020, the DOJ updated the ECCP; a summary of updates follows.
Does your compliance program have adequate resources?
The revised guidance considers whether compliance programs are “adequately resourced and empowered to function effectively….” (emphasis added).
Other updates in this guidance also evaluate the amount of resources behind the compliance program. The DOJ looks for:
- A culture of compliance at all levels, including the top and the middle.
- Whether companies “invest in further training and development” of compliance personnel.
- Whether compliance personnel have “sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions.”
Many compliance programs involve a great deal of effort in the beginning when they are implemented – but then resources drop off. The DOJ guidance makes clear that ongoing resources, such as leadership, training, and data-based auditing and monitoring, are necessary for a compliance program to be effective.
Does your compliance program evolve?
The DOJ’s revisions emphasize the importance of ongoing compliance program reviews and “how the company’s compliance program has evolved over time.” The DOJ is looking for:
- Whether compliance reviews result in updates to policies, procedures, and controls
- Whether compliance reviews are “limited to a ‘snapshot’ in time or based upon continuous access to operational data and information across functions”
- Whether the company incorporates “lessons learned” into its risk assessments. Does the compliance program incorporate lessons from past issues within the organization or from competitors?
In other words, it is not enough to conduct a compliance program review once, and then abandon this effort. Compliance review should be an ongoing process (with scheduled annual reviews). Without ongoing reviews that address evolving risks, compliance quickly becomes outdated.
Does your compliance program sufficiently evaluate third-party risk?
The revised guidance adds increased scrutiny of compliance programs’ review of third parties. The DOJ is looking for:
- Whether a company knows “the business rationale for needing [a] third party in [a] transaction, and the risks posed by third-party partners….”
- Whether third-party risk is managed throughout the relationship (and not just at on-boarding).
Vendor risk is of increasing concern to regulators. In the healthcare setting, vendors bring HIPAA risk as well. Your compliance processes should include thorough screening at the outset of a relationship, but also ongoing controls.
March 2023 updates to the ECCP
In March 2023, the ECCP was updated again. The changes focus on the following areas:
Compensation and Clawbacks
The DOJ added a new section: C. Compensation Structures and Consequence Management. This section replaces the term “discipline” with “consequence management.” Some new measures the DOJ is looking for in this area include:
- Use of data to track the effectiveness of investigations, mitigations, and disciplinary actions.
- How compliance is incentivized with compensation systems that include financial penalties or recoupment for misconduct. For example, systems that “defer or escrow certain compensation tied to conduct consistent with company values and policies”; and policies for recouping compensation if the recipient is found responsible for wrongdoing (“clawbacks”).
- Positive compensation systems or career advancement opportunities that incentivize compliance and ethical behavior, such as implementing a compliance program, improving an existing program, or demonstrating ethical leadership.
In his comments at the ABA’s 38th Annual National Institute on White Collar Crime on March 3, 2023, Assistant Attorney General Kenneth A. Polite, Jr. addressed the ECCP, and an accompanying new pilot program at the DOJ:
…in addition to these ECCP changes, the Criminal Division is launching a pilot program (1) to require, as part of a criminal resolution, that corporate compliance programs include compensation-related criteria; and (2) to offer fine reductions for companies that seek to clawback compensation in appropriate cases.
The DOJ lists five factors to consider when evaluating compensation and consequence management:
- Human Resources Process. For example, is the process for discipline transparent?
- Disciplinary Measures. For example, do discipline options include compensation recoupment?
- Consistent Application. For example, what metrics are used to ensure discipline is applied consistently?
- Financial Incentive System. For example, what role does compliance play in “designing and awarding financial incentives at senior levels of the organization?” Are commercial targets evaluated with compliance and ethics in mind?
- What does the company’s hotline management reveal about compliance culture? Is the timeline for completing a hotline investigation tracked? What percent of compensation given to executives who engaged in misconduct has been recouped?
Under B. Investigation of Misconduct, the DOJ added several areas of focus:
- Independence and Empowerment. How does compensation structure ensure compliance for employees in charge of enforcing misconduct? Who determines compensation and promotion for compliance personnel?
- Messaging and communications.
  - The DOJ advises prosecutors to “consider a corporation’s policies and procedures governing the use of personal devices, communications platforms, and messaging applications, including ephemeral messaging applications.”
  - Policies should be in place to ensure these messages are accessible and preserved. Policies should address Bring-Your-Own-Device (BYOD) programs.
  - The DOJ advises that prosecutors look into how messaging and communication policies are enforced, and how noncompliance is disciplined.
The DOJ ECCP is a great tool for Compliance Officers to evaluate their existing compliance program or as a guide when implementing a compliance program. And don’t forget that the guidance can be used as a source for updates for your compliance committee, senior management and board.
MPA can help with your annual review
MPA can assess your compliance program against the new DOJ guidance, as well as OIG standards, the Affordable Care Act, and best practices.