DOJ Updates Its Guidance for the Evaluation of Corporate Compliance Programs

Individually Tailored Compliance Programs and Individualized Prosecution Determinations

4 min

On April 30, 2019, Assistant Attorney General Brian Benczkowski announced an update to the Department of Justice's (DOJ) guidance on the Evaluation of Corporate Compliance Programs (ECCP).1 The update to the ECCP, first released by the Fraud Section in 2017, includes a non-exhaustive list of factors prosecutors should consider when analyzing the effectiveness of corporate compliance programs and their ability to prevent, detect, and remediate misconduct and fraud.2 DOJ's evaluation of the effectiveness of a company's compliance program remains a critical data point for prosecutors in resolving corporate criminal investigations. Prosecutors continue to look to a company's compliance program when determining whether to bring criminal charges or to settle civilly, in assessing criminal monetary penalties and deductions, in choosing the appropriate plea deal (including declinations and deferred/non-prosecution agreements), and when deciding whether to insist upon the imposition of a corporate monitor. While the updated guidance to the ECCP expanded upon and provided additional factors for consideration, the most important takeaway from last week's updated guidance is that DOJ expects compliance programs to be individually tailored to the needs of the company and implemented with attention to the particular risks the company faces.

In assessing whether a corporate compliance program is well designed and properly implemented, the updated ECCP guidance asks prosecutors to answer three fundamental questions about a company's compliance program. First, "Is the corporation's compliance program well designed?" Second, "Is the program being applied earnestly and in good faith? In other words, is the program being implemented effectively?" And third, "Does the corporation's compliance program work in practice?" These broad questions are then distilled down into numerous factors, including the adequacy of a company's risk assessment, the drafting of the company's policies and procedures, and the funding and resources of the company's compliance function. Many of the factors contain additional sub-factors and detailed questions for consideration in making a determination on the company's performance. The updated ECCP makes clear, however, that "[the] topics and questions … form neither a checklist nor a formula," and individualized attention to a company's particular needs is paramount.

Is the corporation's compliance program well designed?

The updated ECCP states that the "starting point for a prosecutor's evaluation of whether a company has a well-designed compliance program is to understand … how the company has … defined its risk profile." Companies that have not conducted a thorough risk assessment based on factors such as the location(s) of operations, industry, and the regulatory landscape, among other factors, will be hard pressed to defend the design of their compliance program. Furthermore, a company's policies and procedures must reflect attention to the targeted risks identified in the risk assessment. Those policies and procedures must be effectively communicated to employees and third-party business partners, and not merely formalized in boilerplate certifications. Finally, DOJ expects companies to have a confidential reporting structure and internal investigation process capable of addressing misconduct.

Is the program being applied earnestly and in good faith? In other words, is the program being implemented effectively?

Prosecutors are asked to evaluate whether "a compliance program is a paper program or one implemented, reviewed and revised … in an effective manner." An effective program is one in which senior and middle management have demonstrated a commitment to the program through "conduct at the top" and active oversight. Furthermore, the compliance function must have autonomy from management and the resources to effectuate the program as designed. The updated ECCP makes clear that "resources and autonomy" mean more than funding and personnel, but that compliance has the "appropriate authority and direct access to the governing authority." This requires attention to the corporate structure and the seniority and stature of the compliance personnel, among other factors. Prosecutors are also asked to evaluate the company's incentive and disciplinary structure to determine how the company actually values compliance.

Does the corporation's compliance program work in practice?

Finally, the updated ECCP focuses on whether a company's compliance program is effective. This factor asks not only whether there are violations of company policy that rise to the level of government investigation, but whether there is continuous improvement, testing, and review of the compliance program. Prosecutors will also assess a company's response to uncovered misconduct, and whether internal investigations are conducted by appropriately qualified personnel. Finally, prosecutors must assess a company's remedial actions in relation to misconduct that is discovered.

The updated ECCP does not provide compliance professionals or counsel with a scientific formula for designing an effective compliance program. That being said, the guiding principles and enumerated factors contained in the updated policy provide clear direction in establishing an effective corporate compliance program, always with one overarching theme: individual attention to a company's particular needs and risk profile, and a good faith effort toward implementation.

  1. U.S. Department of Justice Criminal Division Fraud Section, Evaluation of Corporate Compliance Programs (Apr. 30, 2019),
  2. U.S. Department of Justice Criminal Division Fraud Section, Evaluation of Corporate Compliance Programs (Feb. 8, 2017).