The DOJ's 2020 updates to its Evaluation of Corporate Compliance Programs policy have far-reaching implications for regulated firms.
Assistant attorney general Brian Benczkowski has called them improvements "based on our own experience and important feedback from the business and compliance communities."
More to the point, these changes continue to emphasize how critical it has become for firms to stop ticking boxes and start taking a more practical and dynamic approach to compliance. As Volkov Law Group CEO Michael Volkov puts it, "Compliance can't be just a set of rules. It must be demonstrated in the activity of every individual, every day."
But how have these updates influenced how regulated firms approach compliance in practice?
What has changed since the DOJ announced them on June 1, 2020?
One year on, here's a look at what, in our view, have been the most significant developments.
The DOJ's 2020 updates may affect various aspects of compliance, but they share a common theme. Moving forward, regulators expect greater accountability and cold, hard proof that firms' compliance programs are intentional and effective.
Given this high bar, it's no surprise that ever more firms are turning to RegTech to gain an edge.
By 2022, Juniper Research expects firms will be spending over $72 billion on RegTech. And a report by the City of London Corporation has called 2021 a 'critical year' for it. "RegTech represents more than just an efficiency tool," the report argues. It's "...a pivotal change...the next logical evolution..."
It's hard to disagree with this statement, given the constant onslaught of new rules and regulatory updates firms face, plus regulators' soaring expectations.
Put bluntly, staying compliant is becoming harder and harder if you don't use technology to gain visibility and control over every aspect of your firm's operations and embed compliance into its day-to-day activities. RegTech is no longer a nice-to-have; it's a key component of future success.
In future, concludes Gemserv's Jonathan Harley, "...markets will look to tech to get the commercial edge and make sure they're on the right side of regulatory compliance." And it's a matter of when, not if.
So, the real question for firms moving forward is, do you want to lead the way? Or spend the next decade trying to catch up?
One of the updated guidance's biggest takeaways is that regular, comprehensive, and — most importantly — meaningful risk assessments are critical.
The updated guidance requires prosecutors to consider the “effectiveness of the company’s risk assessment and the manner in which the company’s compliance program has been tailored based on that risk assessment.” In other words, firms not only have to tailor their compliance programs to their unique circumstances. They must also update them as new risks emerge.
Needless to say, the Covid-19 pandemic has created an abundance of new risks.
While digital transformation has been on regulated firms' agendas for almost a decade, many were nowhere near ready in March 2020, when lockdowns and other physical restrictions forced employees to work from home wherever possible. As a result, many scrambled to take their businesses online.
At the same time, firms had to adapt their policies and procedures to cover situations they hadn't anticipated. As GRC expert Michael Rasmussen notes, there were:
"...IT security risks as a result of people working from home... harassment and discrimination risks, because people might be saying things on Zoom which they wouldn’t say in a boardroom.... There might even be increased risk of bribery and corruption, because of import and export restrictions and the constraints ... on supply chains..."
To make things more challenging, firms had to adapt to all these changes in an environment where they could no longer call staff meetings to run through policy updates.
It's been a steep learning curve. One that has forced even firms who were reasonably prepared for remote working to evaluate their processes. Gemserv's Business Development Director Jonathan Harley, for instance, told us that the reality of working from home "has prompted us to look at our approach and evolve it further."
But if firms had to drastically rethink how they work and put processes in place to manage new risks when the pandemic hit, that was just the start.
Now that we're returning to some semblance of normality, including working from the office at least some of the time, risk assessments will have to remain a top priority. And, to comply with the DOJ's new guidance, firms will need to evaluate what lessons they've learned from the pandemic and incorporate them into their compliance programs.
If Covid-19 put regulated firms in a tough spot when it comes to risk management, it's been a boon for compliance training.
This is just as well.
The DOJ's updated guidance expects firms to invest more money in training and communication to ensure employees understand what they need to accomplish from a compliance standpoint. Accessibility is key here: it’s important for policies and procedures to be hosted in a searchable format that staff can access from anywhere, anytime.
With a centralized policy management platform, staff can track down a policy they need to consult in just a few clicks and be safe in the knowledge that it's the most up-to-date one. And administrators can track policy adherence by pulling a report to see who has read and attested to their policies and procedures and who hasn't, and to identify any gaps in compliance.
"With the ever-changing regulatory environment and exposure to enormous fines for breaches, it is not surprising that the call for compliance training is greater than ever. There's a growing realization that training and communication is the key to managing regulatory risk and embedding effective governance, risk and compliance processes into corporate culture," says the British Virgin Islands Financial Services Institute's Principal Tutor Rose Chapman.
Who said compliance has to be boring? The DOJ’s requirement is that organizations have an established policy management process that incorporates the culture of compliance into their day-to-day operations. For many organizations, designing and implementing new policies and procedures, and updating existing ones, can be a daunting and often dreaded process. For this reason, compliance teams are increasingly looking at ways to streamline their policy management and make the process more engaging and interactive.
Here are three main ways organizations are spicing things up:
For more information, download the full report: 4 ways the DOJ's 2020 guidance is changing compliance.