Compliance Briefing — June 1, 2020
The U.S. Department of Justice updated its Evaluation of Corporate Compliance Programs guidance on 1 June 2020, sharpening expectations around data analytics, third-party oversight, and resource allocation for prosecutors.
Executive briefing: The U.S. Department of Justice’s Criminal Division released an updated Evaluation of Corporate Compliance Programs (ECCP) on 1 June 2020. The document guides prosecutors in assessing corporate compliance efforts during investigations and resolutions. The 2020 revision emphasises data-driven risk assessments, continuous improvement, and integration of compliance into business functions.
Key themes
The ECCP centres on three questions: Is the compliance program well designed? Is it effectively implemented? Does it work in practice? The 2020 update refines these pillars by highlighting the importance of dynamic risk assessments, resource allocation, and data analytics. Prosecutors are instructed to consider company-specific risk profiles, responsiveness to changing risks, and evidence of continuous monitoring.
New language stresses the need for compliance officers to have access to relevant data, authority, and resources. The guidance also addresses integration with mergers and acquisitions, third-party management, and remediation of misconduct.
Risk assessment and updates
Companies must conduct periodic, data-driven risk assessments considering geographic, industry, and regulatory factors. The update asks whether risk assessments are based on lessons from prior misconduct, audits, or testing. Organisations should document methodologies, data sources, and frequency of updates. Prosecutors will examine whether companies adjust policies and controls when new risks emerge (e.g., market expansion, remote work, supply chain disruptions).
The ECCP expects companies to track risk ownership, ensuring business units are accountable. Scenario analysis, benchmarking, and emerging risk monitoring (cybersecurity, sanctions, human rights) should feed into risk registers and mitigation plans.
Policies, procedures, and training
Prosecutors assess whether policies are accessible, translated, and tailored to roles. Training must be risk-based, include real-world examples, and be updated for evolving risks. Interactive formats, testing, and follow-up communications support retention. The guidance emphasises tracking training completion, assessing effectiveness, and providing training to third parties where appropriate.
Policy management requires version control, approvals, and acknowledgment tracking. Companies should integrate policies into business processes, ensuring they are followed in practice (e.g., procurement approvals, expense controls).
Third-party and M&A due diligence
The ECCP examines risk-based due diligence for third parties, including vetting, contract clauses, monitoring, and remediation. Companies must document risk ratings, ongoing monitoring, and escalation of red flags. Payment controls should detect anomalies, and incentives should align with compliance expectations.
For mergers and acquisitions, companies must conduct pre- and post-acquisition due diligence, integrate compliance promptly, and monitor acquired entities. The update asks whether companies track integration milestones and address identified issues.
Reporting and investigations
Prosecutors evaluate whistleblower mechanisms, accessibility, and protections against retaliation. The ECCP asks whether hotlines are publicised, available in local languages, and accessible to third parties. Companies must ensure prompt, well-documented investigations with qualified personnel, root cause analysis, and remediation. Lessons learned should be shared across the organisation.
The guidance emphasises tracking investigation metrics (response time, closure rate, substantiation rate) and using data to improve controls. Disciplinary actions should be consistent and transparent, with documentation of rationale.
Continuous improvement, testing, and review
The ECCP highlights the importance of continuous monitoring through audits, control testing, data analytics, and compliance dashboards. Companies should use data to detect misconduct proactively (e.g., transaction monitoring, communications surveillance). Technology investments must align with risk priorities and provide actionable insights.
Internal audit and compliance should coordinate to avoid duplication and share findings. Boards and senior management must review compliance reports, track remediation, and allocate resources accordingly.
Culture and incentives
The guidance reiterates that tone at the top and middle is critical. Prosecutors assess whether leaders model ethical behaviour, communicate expectations, and respond to compliance issues. Incentive structures should reward ethical conduct and penalise misconduct. HR processes (hiring, promotions, bonuses) must incorporate compliance criteria.
Companies should measure culture using surveys, focus groups, and exit interviews. Culture assessments help identify gaps between policy and practice, informing targeted interventions.
Data analytics and resources
The update asks whether compliance has sufficient data access to monitor transactions, third-party activity, and other risks. Companies should implement dashboards, analytics, and automated alerts. Documentation should show how analytics inform investigations and risk mitigation.
Resource allocation is scrutinised; prosecutors evaluate whether compliance staffing, budget, and technology investments match the company’s risk profile. Companies must justify resource decisions and demonstrate the independence of the compliance function.
Action plan
- Immediate: Compare existing compliance programmes against the 2020 ECCP. Identify gaps in risk assessments, data access, and documentation.
- 30–60 days: Update policies, training, and third-party due diligence processes. Enhance reporting mechanisms and investigation protocols.
- 60–90 days: Implement data analytics dashboards, coordinate with internal audit, and document remediation plans. Present updates to the board or audit committee.
- Continuous: Monitor DOJ guidance, adjust compliance frameworks as risks evolve, and maintain evidence of programme effectiveness.
Aligning with the DOJ’s updated ECCP demonstrates commitment to ethical conduct, reduces enforcement risk, and strengthens organisational resilience.
Technology enablement and data governance
The ECCP update encourages leveraging technology to monitor transactions, communications, and third-party behaviour. Companies should implement data governance frameworks defining ownership, access controls, and retention policies. Analytics platforms must handle structured and unstructured data, enabling correlation of red flags across finance, procurement, and HR systems. Documentation should demonstrate how data feeds are validated, cleansed, and protected against tampering.
Compliance and IT teams must collaborate on system enhancements, ensuring logging, audit trails, and segregation of duties. Cloud migrations require risk assessments covering data residency, vendor management, and incident response.
Global operations and cross-border considerations
Multinational companies must adapt compliance programmes to local laws while maintaining global standards. The ECCP asks whether companies tailor policies to regional risks, provide local-language training, and monitor third parties in high-risk jurisdictions. Cross-border data transfer restrictions (GDPR, China’s Cybersecurity Law) should be addressed in compliance monitoring strategies.
Cooperation with international regulators, such as the UK Serious Fraud Office or Brazil’s CGU, may be necessary in cross-border investigations. Companies should maintain coordinated response plans to handle multi-jurisdictional inquiries.
Documentation and board oversight
Boards and audit committees must receive regular compliance reports outlining risk assessments, investigations, training metrics, and resource needs. Meeting minutes should reflect discussions of compliance issues and follow-up actions. Prosecutors will review board materials to determine oversight effectiveness.
Companies should maintain documentation demonstrating decision-making rationale, remediation steps, and continuous improvement. This evidence supports cooperation credit and can influence DOJ charging decisions and penalty calculations.
Follow-up: DOJ reinforced the same themes in its March 2023 Evaluation of Corporate Compliance Programs update and the Monaco policy speeches, linking charging decisions to compensation clawbacks and data analytics evidence.
Sources
- Evaluation of Corporate Compliance Programs (Updated June 2020) — U.S. Department of Justice; Department of Justice Criminal Division memo outlining prosecutorial questions on program design, implementation, and effectiveness with June 2020 revisions.
- DOJ announcement of June 2020 compliance program guidance updates — U.S. Department of Justice; Official press release summarising new focus areas in the 2020 Evaluation of Corporate Compliance Programs, including data access and third-party management.