The Department of Justice (“DOJ”) has been touting for years the common interest that government and industry share in promoting an ethical corporate culture. This week, DOJ reinforced the importance of a robust, well-designed, and effective corporate compliance program in DOJ’s determination of whether to prosecute, impose monetary penalties, and require compliance obligations on a company accused of misconduct.
In an updated guidance document, DOJ expands on the types of questions prosecutors should be asking to evaluate a company’s compliance program. The questions fall under three main categories:
- Is the corporation’s compliance program well designed?
- Is the program being applied earnestly and in good faith? In other words, is the program being implemented effectively?
- Does the corporation’s compliance program work in practice?
If the questions are answered positively, then DOJ may decline to prosecute the company, focus efforts on prosecuting individuals, or provide leniency in the fine or imposition of a monitor.
For the first question, DOJ evaluates the comprehensiveness of the program (i.e., whether there is a clear message from the top that misconduct is not permitted). To do this, DOJ instructs its attorneys to review a company’s policies and procedures for assigning responsibility, training, and disciplining. DOJ specifically highlights the diligence process associated with M&A activities. Although it is our experience that companies already include compliance issues as part of its due diligence, this recent statement by DOJ heightens the priority companies should place on these issues pre- and post-closing.
For the implementation question, the key issues relate to the commitment by management to foster the culture of compliance. DOJ wants to see commitment from not just the Board of Directors or Senior Executives at a company, but also wants to see that “middle management” is reinforcing these standards. And to evaluate the last category of questions, whether the program actually works, DOJ looks at how misconduct is identified, and whether there is adequate analysis and remediation of the misconduct once uncovered.
Notably, these same questions are those that drug and device companies routinely ask in the context of evaluating complaints about the company’s products. The Quality System Regulation requires medical device companies to establish procedures to implement corrective and preventive action. See 21 C.F.R. § 820.100. These procedures must include an investigation of the cause of the issue, actions to correct and prevent recurrence of the issue, validation to ensure the actions are effective, and management oversight and review. Similar requirements are imposed on drug manufacturers as part of complaint handling and adverse event reporting. See, e.g., 21 C.F.R. §§ 211.198, 314.80. Thus, a framework for addressing compliance issues should be very familiar to pharma and device companies.
Ironically, DOJ issued this guidance in the shadow of another DOJ policy that prohibits its lawyers from basing enforcement on violations of requirements set forth in guidance documents. Nevertheless, this 18-page guidance document is worth close review by compliance officers.