DOJ compliance guidance
Detailed briefing on the DOJ’s June 2020 Evaluation of Corporate Compliance Programs update, with risk-based design, governance, documentation expectations, and enforcement implications for corporate compliance leaders.
The U.S. Department of Justice’s Criminal Division released an updated Evaluation of Corporate Compliance Programs (ECCP) in June 2020. The document guides prosecutors in assessing corporate compliance efforts during investigations and resolutions. The 2020 revision sharpened expectations around data-driven risk assessments, the credibility of compliance resources, and evidence that programs improve after incidents.
What changed in the June 2020 ECCP
The ECCP’s organising questions—whether a program is well designed, implemented in good faith, and works in practice—remain intact, but the 2020 update adds specificity. Prosecutors are now directed to probe how frequently risk assessments are refreshed, whether compliance has access to business data, and how misconduct lessons translate into policy updates. The revision also expands focus on third-party oversight, post-acquisition integration, and the alignment of incentives with compliance outcomes. Companies are expected to present contemporaneous evidence of decision-making, remediation, and resource allocation.
Evaluation factors
Prosecutors assess whether risk assessments incorporate factors such as geographic exposure, industry norms, regulatory regimes, use of third parties, and growth strategies. They review how the company benchmarks against peers, whether compliance has escalation paths, and how leadership responds to identified weaknesses. The ECCP encourages teams to document methodologies—data sources, scoring models, frequency of refresh—and to show why certain risks were prioritized. Evidence of board engagement, training completion metrics, and the tracking of disciplinary actions influences the DOJ’s view of program effectiveness.
Risk-based design and adaptive controls
The ECCP expects companies to align controls to their risk profile rather than deploying uniform, check-the-box measures. Risk assessments should account for supply chain complexity, high-risk jurisdictions, government touchpoints, and the use of agents or distributors. The DOJ asks whether programs evolve when business models shift—for example, remote work, new market entries, or product launches with heightened export-control or privacy implications. Companies should maintain a risk register that links inherent risks to owners, controls, and monitoring plans.
Governance, accountability, and culture
The 2020 update emphasizes compliance authority and independence. Prosecutors review whether the chief compliance officer has unfiltered access to the board or audit committee and whether budget and staffing match the company’s risk profile. The guidance highlights the need for cross-functional collaboration with HR, finance, procurement, and IT to enforce controls. Tone at the top and middle is evaluated through communications cadence, leadership participation in training, and the consistent application of incentives and discipline.
Compensation and promotion processes should include compliance criteria; the DOJ’s later 2023 speeches further tied charging decisions to clawbacks and incentive structures. Culture measurement—via surveys, exit interviews, and focus groups—should be documented and used to target interventions where policy adherence lags. Companies should also log instances where business leadership overrode compliance recommendations, along with rationale and mitigating steps.
Third-party lifecycle and M&A integration
The ECCP reiterates that third-party risk management must extend beyond onboarding. Companies are asked to show how risk scoring influences diligence depth, contract clauses, payment controls, and ongoing monitoring. High-risk partners should be subject to periodic certifications, audit rights, and training. Payment reviews should flag anomalies such as round-dollar invoices, off-cycle payments, or routing through high-risk jurisdictions. When red flags arise, documentation should show escalation pathways and remediation outcomes.
For mergers and acquisitions, prosecutors evaluate whether pre-acquisition diligence was risk-based, whether integration plans addressed identified gaps, and how quickly policies, training, and controls were extended to the target. Tracking post-close milestones—policy rollouts, system access controls, training completion, and remediation of audit findings—shows seriousness of integration. Lessons learned from past deals should inform playbooks for future transactions.
Reporting channels, investigations, and remediation
Accessible and trusted reporting mechanisms are central to the ECCP. Hotlines should be publicised internally and to third parties, available in local languages, and allow anonymity where lawful. The DOJ evaluates how promptly allegations are triaged, whether investigators are qualified and independent, and how findings are documented. Investigation files should capture scoping decisions, interview notes, data sources, and root-cause analysis. Trends in substantiation rates, cycle times, and repeat issues should feed risk assessments.
Remediation requires targeted control fixes, disciplinary measures that are consistent and proportionate, and communications that reinforce expectations. The update asks whether companies test the effectiveness of remedial steps and whether similar risks elsewhere in the organization receive comparable treatment. Cooperation credit is influenced by transparency, timely remediation, and evidence that misconduct did not stem from structural resource gaps.
Data access, analytics, and technology enablement
The 2020 revision highlights data accessibility: prosecutors ask whether compliance teams can obtain and analyze information from finance, procurement, HR, sales, and operations systems. Analytics should be risk-based, flagging anomalies in payments, discounts, travel, entertainment, and third-party engagements. Documentation should show how alerts are triaged, how false positives are tuned, and how data quality issues are resolved. Technology investments—such as case management tools, due diligence platforms, and communication surveillance—should align with risk priorities and include audit trails.
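The payment anomaly rules named above (round-dollar invoices, off-cycle payments, routing through high-risk jurisdictions) and the triage and tuning record the DOJ looks for can be illustrated in code. The following is an added example written for this briefing, not code from the DOJ or from any vendor platform: the threshold, the scheduled pay-run days, the placeholder country codes "XX" and "YY", and the sample payments are all constructed values, and the rule set is deliberately small so the audit trail and the tuning step are easy to follow.

```python
"""Rule-based payment screening with triage and an audit trail.

Added example (not from the DOJ guidance or the article): three rules the
text names, round-dollar invoices, off-cycle payments and routing through
high-risk jurisdictions, run over constructed payment records. Thresholds,
pay-run days and the high-risk country list are all assumed values.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List

# Assumed high-risk jurisdiction list; "XX"/"YY" are placeholder codes, not real
# country assignments. A real program would derive this from its risk assessment.
HIGH_RISK_COUNTRIES = frozenset({"XX", "YY"})


@dataclass(frozen=True)
class Payment:
    payment_id: str
    vendor: str
    amount: float
    paid_on: date
    bank_country: str  # country of the receiving bank (assumed field)


@dataclass(frozen=True)
class RuleConfig:
    """Tunable parameters; changing them is how false positives get tuned."""
    round_dollar_floor: float = 5000.0             # ignore small round amounts
    pay_run_days: frozenset = frozenset({15, 30})  # assumed scheduled pay runs


@dataclass
class Alert:
    payment_id: str
    rule: str
    detail: str
    status: str = "open"  # open | confirmed | false_positive
    audit_trail: List[Dict[str, str]] = field(default_factory=list)


def round_dollar(p: Payment, cfg: RuleConfig) -> bool:
    return p.amount >= cfg.round_dollar_floor and p.amount % 1000 == 0


def off_cycle(p: Payment, cfg: RuleConfig) -> bool:
    return p.paid_on.day not in cfg.pay_run_days


def high_risk_routing(p: Payment, cfg: RuleConfig) -> bool:
    return p.bank_country in HIGH_RISK_COUNTRIES


RULES = [
    ("round_dollar", round_dollar, "amount is a round multiple of 1000 at or above floor"),
    ("off_cycle", off_cycle, "paid outside the scheduled payment runs"),
    ("high_risk_routing", high_risk_routing, "receiving bank in a high-risk jurisdiction"),
]


def screen(payments: List[Payment], cfg: RuleConfig) -> List[Alert]:
    """Run every rule over every payment; one Alert per (payment, rule) hit."""
    alerts = []
    for p in payments:
        for name, check, detail in RULES:
            if check(p, cfg):
                alerts.append(Alert(p.payment_id, name, detail))
    return alerts


def triage(alert: Alert, decision: str, analyst: str, note: str, recorded_on: str) -> Alert:
    """Record a triage decision; the trail is what documents how alerts were handled."""
    if decision not in {"confirmed", "false_positive"}:
        raise ValueError("decision must be 'confirmed' or 'false_positive'")
    alert.status = decision
    alert.audit_trail.append({"on": recorded_on, "analyst": analyst, "note": note})
    return alert


def counts_by_rule(alerts: List[Alert]) -> Dict[str, int]:
    out: Dict[str, int] = {}
    for a in alerts:
        out[a.rule] = out.get(a.rule, 0) + 1
    return out


# Constructed sample payments (not real data).
SAMPLE_PAYMENTS = [
    Payment("P-001", "Acme Ltd", 12000.00, date(2020, 6, 15), "DE"),     # round dollar only
    Payment("P-002", "Beta Corp", 3000.00, date(2020, 6, 15), "DE"),     # round but below floor
    Payment("P-003", "Gamma LLC", 7450.25, date(2020, 6, 22), "DE"),     # off-cycle only
    Payment("P-004", "Delta Agents", 49000.00, date(2020, 6, 3), "XX"),  # trips all three rules
    Payment("P-005", "Epsilon SA", 1200.50, date(2020, 6, 30), "FR"),    # clean
]

if __name__ == "__main__":
    alerts = screen(SAMPLE_PAYMENTS, RuleConfig())
    print(counts_by_rule(alerts))  # {'round_dollar': 2, 'off_cycle': 2, 'high_risk_routing': 1}
    triage(alerts[0], "false_positive", "analyst-1",
           "annual licence fee, contracted at a round amount", "2020-07-01")
    # Tuning: raising the floor drops the Acme alert on the next run.
    print(len(screen(SAMPLE_PAYMENTS, RuleConfig(round_dollar_floor=15000.0))))  # 4
```

Two points in the design map to the guidance: the tuning knobs live in one versioned configuration object, so a change to the round-dollar floor is a recorded decision rather than an undocumented edit, and every triage outcome is appended to the alert itself, which is the evidence a prosecutor would ask for when checking how alerts were handled and how false positives were reduced.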
Data governance is critical. Companies should define data owners, access controls, retention schedules, and backup practices that respect privacy and cross-border transfer requirements. Cloud migrations and vendor relationships must be assessed for data residency, incident response, and business continuity. Collaboration between compliance and IT should produce playbooks for log management, segregation of duties, and evidence retention that will stand up to prosecutorial scrutiny.
Training, policies, and operational integration
Policies should be version-controlled, translated, and distributed with acknowledgement tracking. The ECCP looks for alignment between written policies and operational reality—procurement approvals, delegation of authority, and expense controls should reflect stated standards. Training programs should be calibrated by role and risk, using interactive scenarios and knowledge checks rather than passive modules. Completion metrics must be paired with effectiveness measures such as survey feedback, post-training assessments, and observed behavioral changes.
Operational integration means embedding compliance steps into workflows—requiring due diligence clearance before vendor onboarding, automating sanctions and export-control screening, or gating high-risk transactions behind approvals. Business units should own control execution while compliance provides guidance and oversight. Clear documentation of ownership, procedures, and escalation criteria reduces ambiguity and strengthens defensibility.
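A workflow gate of the kind described above, as an added example rather than code from the article or from any compliance platform: onboarding is refused until due diligence is cleared, the vendor name passes a denied-party screen, and the required number of approvers (none of whom may be the requester) have signed off. The denied-party names, the two risk tiers and the approval counts are assumed values for the illustration; a real program would source the list from its screening provider and the thresholds from its risk assessment.

```python
"""Vendor onboarding gate: cleared due diligence, clean denied-party screening
and approvals from people other than the requester before onboarding proceeds.

Added example, not code from the article or the DOJ. The denied-party list,
risk tiers and approval counts are assumed values for the illustration.
"""
import re
import unicodedata
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def normalize(name: str) -> str:
    """Fold case, accents and punctuation so near-identical spellings still match."""
    s = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    s = re.sub(r"[^a-z0-9 ]+", " ", s.casefold())
    return " ".join(s.split())


# Constructed denied-party list (hypothetical names), stored in normalized form.
DENIED_PARTIES = [normalize(n) for n in ("Sanctioned Trading Co", "Blocked Holdings Ltd")]

# Assumed approval policy: high-risk vendors need two independent approvers.
REQUIRED_APPROVALS = {"low": 1, "high": 2}


def screen_party(name: str) -> Optional[str]:
    """Return the matching denied-party entry, or None if the name is clear."""
    n = normalize(name)
    for entry in DENIED_PARTIES:
        if n == entry:
            return entry
    return None


@dataclass
class VendorRequest:
    vendor_name: str
    risk_tier: str  # "low" or "high"
    requested_by: str
    diligence_cleared: bool = False
    approvals: List[str] = field(default_factory=list)
    log: List[str] = field(default_factory=list)  # the record kept for the file


def approve(req: VendorRequest, approver: str) -> bool:
    """Segregation of duties: the requester cannot approve, and no one approves twice."""
    if approver == req.requested_by:
        req.log.append(f"approval by {approver} rejected: requester cannot approve")
        return False
    if approver in req.approvals:
        req.log.append(f"approval by {approver} rejected: duplicate")
        return False
    req.approvals.append(approver)
    req.log.append(f"approved by {approver}")
    return True


def try_onboard(req: VendorRequest) -> Tuple[bool, str]:
    """Evaluate every gate in order; the reason string is kept in the log."""
    needed = REQUIRED_APPROVALS[req.risk_tier]
    hit = screen_party(req.vendor_name)
    if hit is not None:
        reason = f"blocked: screening hit on '{hit}'"
    elif not req.diligence_cleared:
        reason = "blocked: due diligence not cleared"
    elif len(req.approvals) < needed:
        reason = f"blocked: {len(req.approvals)} of {needed} approvals"
    else:
        reason = "onboarded"
    req.log.append(reason)
    return reason == "onboarded", reason


if __name__ == "__main__":
    req = VendorRequest("Delta Agents", "high", requested_by="alice")
    print(try_onboard(req))       # (False, 'blocked: due diligence not cleared')
    req.diligence_cleared = True
    approve(req, "alice")         # rejected: requester cannot approve
    approve(req, "bob")
    print(try_onboard(req))       # (False, 'blocked: 1 of 2 approvals')
    approve(req, "carol")
    print(try_onboard(req))       # (True, 'onboarded')
    print("\n".join(req.log))
```

The gate is ordered so that a screening hit blocks before anything else is considered, and each refusal writes its reason to the request's own log, which gives the business unit that owns execution and the compliance function that oversees it a shared, reviewable record of why a vendor was or was not onboarded.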
Continuous improvement and oversight
Continuous improvement is a core ECCP pillar. Companies should schedule periodic audits and control testing, prioritized by risk. Findings must be tracked to closure with accountable owners and timelines. Dashboards that visualize trends in investigations, training, third-party reviews, and control failures support board-level oversight. The DOJ also considers whether lessons learned from internal matters or industry events are converted into policy updates, training refreshers, or control redesigns.
Documentation expectations
Prosecutors evaluate the quality, not just the existence, of documentation. Boards and audit committees should receive regular compliance reports covering risk assessments, investigations, training metrics, resource decisions, and remediation progress. Minutes should capture deliberations and follow-up actions. Investigation files need clear decision rationales, root-cause findings, and evidence of remedial steps. Maintaining contemporaneous records of resource requests—and the basis for approvals or denials—helps show that limitations were considered and addressed.
Action plan for compliance leaders
Immediate (0–30 days): Map existing program elements to the 2020 ECCP questions. Identify gaps in risk assessments, data access, and investigative documentation. Refresh board reporting templates to capture ECCP themes.
Next 30–90 days: Update third-party procedures to document risk scoring, monitoring cadence, and escalation. Expand training to include role-specific scenarios tied to recent incidents. Implement or tune analytics for payments, discounts, and travel data. Coordinate with internal audit to align testing schedules and avoid overlaps.
Ongoing: Revisit risk assessments after material business changes, track remediation performance, and document how lessons learned alter policies and controls. Continuously evaluate whether compliance staffing and technology budgets match risk exposure, and record the rationale for adjustments.
Why this matters for enforcement outcomes
Alignment with the June 2020 ECCP influences prosecutorial decisions on charging, resolutions, and penalty reductions. Well-documented, risk-based programs can support arguments for declinations or reduced monitorship obligations under the Justice Manual and the FCPA Corporate Enforcement Policy. Conversely, gaps in data access, resourcing, or remediation can signal that misconduct was foreseeable or tolerated. Companies that can show timely adjustments, disciplined investigations, and accountable governance are better positioned when negotiating with enforcement authorities.
Further reading
- Evaluation of Corporate Compliance Programs (Updated June 2020) — U.S. Department of Justice
- DOJ announcement of June 2020 compliance program guidance updates — U.S. Department of Justice
- ISO 37301:2021 — Compliance Management Systems — International Organization for Standardization