In September, the U.S. Department of Justice updated its Evaluation of Corporate Compliance Programs (ECCP) guidance, which is the roadmap that Criminal Division prosecutors use to evaluate a company’s compliance program. The updated guidance underscores two primary DOJ priorities for corporate compliance: (1) how companies are navigating risks relating to artificial intelligence and other “new and emerging technologies,” and (2) how companies are encouraging and protecting corporate whistleblowers. Please see our client alert for more information.

As public companies gear up for their annual review of corporate policies and employee training, in-house attorneys may want to particularly focus on the following guidance from the ECCP: 

• Design: Companies should have a process for updating policies and procedures, including updates to reflect lessons learned either from the company’s own prior issues or from those of other companies. As part of this process, attorneys reviewing policies and procedures should consult business units and other key stakeholders in the company prior to rolling out any changes. 
• Accessibility: The ECCP indicates that companies are expected to:
  • translate their policies and procedures to another language for foreign subsidiaries
  • publish policies and procedures in a searchable format
  • confirm that employees know how to access relevant policies
  • track access to various policies and procedures to understand what policies are attracting more attention from relevant employees.

These are relatively simple changes to bolster a company’s compliance program. 

• Gatekeepers: Companies should provide tailored guidance and training to employees with approval authority or certification responsibilities for control processes so they understand what misconduct to look for and how to escalate concerns. For example, do leaders on the company’s sales team understand what type of gifts, entertainment, or other expenses are prohibited under the anti-corruption policy and should not be approved? 
• Training: Companies should provide regular compliance training to employees. These trainings should be updated to reflect lessons learned either from the company’s own prior issues or from those of other companies. The ECCP suggests that companies should evaluate employee engagement with training and whether they have learned the covered subject matter. For example, companies may want to consider including a test and addressing employees who fail all or a portion of the testing. 
• Guidance re: Policies: The ECCP suggests that companies should provide guidance regarding compliance policies. Corporate teams may want to keep track of common employee questions about certain policies and prepare a plain-English FAQ covering these topics.

This article is part of a Fenwick "Securities Law Update" authored by David A. Bell, Ran Ben-Tzur, Amanda Rose, Wendy Grasso, and Merritt Steele.