Compliance Briefing — June 1, 2020
Detailed briefing on the DOJ’s June 2020 Evaluation of Corporate Compliance Programs update, with risk-based design, governance, documentation expectations, and enforcement implications for corporate compliance leaders.
Executive briefing: The U.S. Department of Justice’s Criminal Division released an updated Evaluation of Corporate Compliance Programs (ECCP) in June 2020. The document guides prosecutors in assessing corporate compliance efforts during investigations and resolutions. The 2020 revision sharpened expectations around data-driven risk assessments, the credibility of compliance resources, and evidence that programs improve after incidents.
What changed in the June 2020 ECCP
The ECCP’s organising questions—whether a program is well designed, implemented in good faith, and works in practice—remain intact, but the 2020 update adds specificity. Prosecutors are now directed to probe how frequently risk assessments are refreshed, whether compliance has access to business data, and how misconduct lessons translate into policy updates. The revision also expands focus on third-party oversight, post-acquisition integration, and the alignment of incentives with compliance outcomes. Companies are expected to present contemporaneous evidence of decision-making, remediation, and resource allocation.
Evaluation factors
Prosecutors assess whether risk assessments incorporate factors such as geographic exposure, industry norms, regulatory regimes, use of third parties, and growth strategies. They review how the company benchmarks against peers, whether compliance has escalation paths, and how leadership responds to identified weaknesses. The ECCP encourages teams to document methodologies—data sources, scoring models, frequency of refresh—and to show why certain risks were prioritised. Evidence of board engagement, training completion metrics, and the tracking of disciplinary actions influences the DOJ’s view of program effectiveness.
Risk-based design and adaptive controls
The ECCP expects companies to align controls to their risk profile rather than deploying uniform, check-the-box measures. Risk assessments should account for supply chain complexity, high-risk jurisdictions, government touchpoints, and the use of agents or distributors. The DOJ asks whether programs evolve when business models shift—for example, remote work, new market entries, or product launches with heightened export-control or privacy implications. Companies should maintain a risk register that links inherent risks to owners, controls, and monitoring plans.
Risk management
An effective program ties risk identification to mitigation activities, testing plans, and remediation tracking. The ECCP notes that companies should evaluate whether policies are translated, accessible, and tailored to business roles. It also probes how training is calibrated to risk severity, how scenario-based exercises are used, and whether follow-up communications reinforce key themes. Continuous monitoring—through audits, analytics, and control self-assessments—should generate feedback loops that update the risk assessment. Metrics such as issue closure times, control failure rates, and exception trends help demonstrate effectiveness.
Governance, accountability, and culture
The 2020 update emphasises compliance authority and independence. Prosecutors review whether the chief compliance officer has unfiltered access to the board or audit committee and whether budget and staffing match the company’s risk profile. The guidance highlights the need for cross-functional collaboration with HR, finance, procurement, and IT to enforce controls. Tone at the top and middle is evaluated through communications cadence, leadership participation in training, and the consistent application of incentives and discipline.
Compensation and promotion processes should include compliance criteria; the DOJ’s later 2023 speeches further tied charging decisions to clawbacks and incentive structures. Culture measurement—via surveys, exit interviews, and focus groups—should be documented and used to target interventions where policy adherence lags. Companies should also log instances where business leadership overrode compliance recommendations, along with rationale and mitigating steps.
Third-party lifecycle and M&A integration
The ECCP reiterates that third-party risk management must extend beyond onboarding. Companies are asked to show how risk scoring influences diligence depth, contract clauses, payment controls, and ongoing monitoring. High-risk partners should be subject to periodic certifications, audit rights, and training. Payment reviews should flag anomalies such as round-dollar invoices, off-cycle payments, or routing through high-risk jurisdictions. When red flags arise, documentation should show escalation pathways and remediation outcomes.
For mergers and acquisitions, prosecutors evaluate whether pre-acquisition diligence was risk-based, whether integration plans addressed identified gaps, and how quickly policies, training, and controls were extended to the target. Tracking post-close milestones—policy rollouts, system access controls, training completion, and remediation of audit findings—demonstrates seriousness of integration. Lessons learned from past deals should inform playbooks for future transactions.
Reporting channels, investigations, and remediation
Accessible and trusted reporting mechanisms are central to the ECCP. Hotlines should be publicised internally and to third parties, available in local languages, and allow anonymity where lawful. The DOJ evaluates how promptly allegations are triaged, whether investigators are qualified and independent, and how findings are documented. Investigation files should capture scoping decisions, interview notes, data sources, and root-cause analysis. Trends in substantiation rates, cycle times, and repeat issues should feed risk assessments.
Remediation requires targeted control fixes, disciplinary measures that are consistent and proportionate, and communications that reinforce expectations. The update asks whether companies test the effectiveness of remedial steps and whether similar risks elsewhere in the organisation receive comparable treatment. Cooperation credit is influenced by transparency, timely remediation, and evidence that misconduct did not stem from structural resource gaps.
Data access, analytics, and technology enablement
The 2020 revision highlights data accessibility: prosecutors ask whether compliance teams can obtain and analyse information from finance, procurement, HR, sales, and operations systems. Analytics should be risk-based, flagging anomalies in payments, discounts, travel, entertainment, and third-party engagements. Documentation should show how alerts are triaged, how false positives are tuned, and how data quality issues are resolved. Technology investments—such as case management tools, due diligence platforms, and communication surveillance—should align with risk priorities and include audit trails.
Data governance is critical. Companies should define data owners, access controls, retention schedules, and backup practices that respect privacy and cross-border transfer requirements. Cloud migrations and vendor relationships must be assessed for data residency, incident response, and business continuity. Collaboration between compliance and IT should produce playbooks for log management, segregation of duties, and evidence retention that will stand up to prosecutorial scrutiny.
Training, policies, and operational integration
Policies should be version-controlled, translated, and distributed with acknowledgement tracking. The ECCP looks for alignment between written policies and operational reality—procurement approvals, delegation of authority, and expense controls should reflect stated standards. Training programs should be calibrated by role and risk, using interactive scenarios and knowledge checks rather than passive modules. Completion metrics must be paired with effectiveness measures such as survey feedback, post-training assessments, and observed behavioural changes.
Operational integration means embedding compliance steps into workflows—requiring due diligence clearance before vendor onboarding, automating sanctions and export-control screening, or gating high-risk transactions behind approvals. Business units should own control execution while compliance provides guidance and oversight. Clear documentation of ownership, procedures, and escalation criteria reduces ambiguity and strengthens defensibility.
Continuous improvement and oversight
Continuous improvement is a core ECCP pillar. Companies should schedule periodic audits and control testing, prioritised by risk. Findings must be tracked to closure with accountable owners and timelines. Dashboards that visualise trends in investigations, training, third-party reviews, and control failures support board-level oversight. The DOJ also considers whether lessons learned from internal matters or industry events are converted into policy updates, training refreshers, or control redesigns.
Documentation expectations
Prosecutors evaluate the quality, not just the existence, of documentation. Boards and audit committees should receive regular compliance reports covering risk assessments, investigations, training metrics, resource decisions, and remediation progress. Minutes should capture deliberations and follow-up actions. Investigation files need clear decision rationales, root-cause findings, and evidence of remedial steps. Maintaining contemporaneous records of resource requests—and the basis for approvals or denials—helps demonstrate that limitations were considered and addressed.
Action plan for compliance leaders
Immediate (0–30 days): Map existing program elements to the 2020 ECCP questions. Identify gaps in risk assessments, data access, and investigative documentation. Refresh board reporting templates to capture ECCP themes.
Next 30–90 days: Update third-party procedures to document risk scoring, monitoring cadence, and escalation. Expand training to include role-specific scenarios tied to recent incidents. Implement or tune analytics for payments, discounts, and travel data. Coordinate with internal audit to align testing schedules and avoid overlaps.
Ongoing: Revisit risk assessments after material business changes, track remediation performance, and document how lessons learned alter policies and controls. Continuously evaluate whether compliance staffing and technology budgets match risk exposure, and record the rationale for adjustments.
Why this matters for enforcement outcomes
Alignment with the June 2020 ECCP influences prosecutorial decisions on charging, resolutions, and penalty reductions. Well-documented, risk-based programs can support arguments for declinations or reduced monitorship obligations under the Justice Manual and the FCPA Corporate Enforcement Policy. Conversely, gaps in data access, resourcing, or remediation can signal that misconduct was foreseeable or tolerated. Companies that can show timely adjustments, disciplined investigations, and accountable governance are better positioned when negotiating with enforcement authorities.
Sources
- Evaluation of Corporate Compliance Programs (Updated June 2020) — U.S. Department of Justice Criminal Division guidance outlining prosecutorial questions on design, implementation, and effectiveness.
- DOJ press release announcing the June 2020 ECCP updates — Official summary of the added emphasis on data access, continuous improvement, and third-party risk management.
- U.S. Sentencing Guidelines §8B2.1 — Federal standards for effective compliance and ethics programs that inform DOJ expectations for corporate remediation and governance.
- OECD Good Practice Guidance on Internal Controls, Ethics, and Compliance — Multilateral framework highlighting risk-based controls, third-party management, and senior leadership oversight.