Compliance Briefing — March 3, 2023
The DOJ’s March 2023 update to its Evaluation of Corporate Compliance Programs raises the bar for messaging governance, incentive-aligned compensation, and analytics-driven monitoring, requiring companies to evidence how their programmes work in practice.
Executive briefing: The U.S. Department of Justice (DOJ) Criminal Division refreshed its Evaluation of Corporate Compliance Programs (ECCP) on 3 March 2023, locking in heightened prosecutorial scrutiny on how companies govern messaging platforms, incentivise ethical behaviour through compensation, and leverage data to continuously monitor misconduct risks. Chief compliance officers, audit committees, and legal leadership must demonstrate that programme design, implementation, and remediation efforts are documented in a way that enables prosecutors to determine whether compliance is resourced, empowered, and agile enough to prevent repeat violations.
Capabilities: Strengthen programme design across data, devices, and discipline
The 2023 ECCP update reiterates that prosecutors examine whether compliance programmes are well-designed, adequately resourced, and work in practice, but it adds new depth on three capability areas. First, companies must show that policies governing personal devices, encrypted messaging, ephemeral tools, and collaboration platforms capture business records needed for investigations. Prosecutors will ask how policies are disseminated, how exceptions are justified, and how employees are disciplined for violating retention rules. Second, the DOJ expects integration of compliance considerations into compensation and promotions, including clawbacks, deferred compensation, or disciplinary measures when supervisors ignore red flags. Third, the guidance emphasises data-driven monitoring—companies should demonstrate how they collect, analyse, and act on metrics such as hotline trends, investigations, audits, and root-cause analyses.
Beyond the headline themes, the guidance reinforces enduring capabilities. Risk assessments should be tailored to evolving business models and geographic footprints, capturing supply-chain, third-party, and acquisition risks. Training must be risk-based and tracked for completion and effectiveness, with scenario exercises for high-risk functions. Third-party management should include due diligence proportional to risk, contractual audit rights, and ongoing monitoring. Mergers and acquisitions must feature pre-close diligence where practicable, post-close integration plans, and rapid remediation of inherited issues.
Compliance leaders should therefore catalogue the artefacts prosecutors ask for—policy inventories, attestation records, training curricula, investigative protocols, and dashboards. The ECCP specifically probes whether compliance professionals have access to sufficient data and authority, whether they are involved in strategic decisions, and whether the programme adapts based on lessons learned. Coordinating with IT, HR, internal audit, and business unit leaders is crucial to centralise evidence demonstrating that policies operate in practice.
Implementation sequencing: 30-60-90 day roadmap
First 30 days. Establish an ECCP response task force chaired by the chief compliance officer. Catalogue all messaging platforms, personal device arrangements, and retention tools; document legal or technical barriers to preservation; and draft mitigation plans such as enterprise archiving, mobile device management, or disciplined exception processes. Run tabletop exercises with legal, HR, and security to map how investigations would proceed if messaging data were unavailable. Begin a compensation and incentives inventory, documenting how compliance considerations inform bonuses, promotions, and clawbacks across business units.
Days 31–60. Update codes of conduct, disciplinary policies, and employment agreements to articulate expectations around messaging preservation and cooperation. Align HR systems to capture compliance-linked performance data, enabling evidence of fair enforcement. Launch targeted communications explaining policy changes, and provide microlearning modules for supervisors on how to document escalation and disciplinary decisions. Concurrently, enhance data analytics by integrating hotline, audit, and transaction monitoring feeds into dashboards, defining thresholds for escalation to compliance leadership.
Days 61–90. Present progress to the audit committee, including remediation timelines, resource needs, and open risks. Finalise compensation governance adjustments—such as deferred bonus pools or clawback provisions tied to misconduct findings—and document board approval. Conduct a refreshed enterprise compliance risk assessment capturing new markets, third-party exposures, or technology deployments. For high-risk areas, develop written remediation plans with owners, milestones, and metrics. Update investigation protocols to include preservation notices for messaging platforms and procedures for interviewing employees using personal devices for work.
Responsible governance and oversight
The ECCP reinforces that tone from the top and middle must be evidenced through actions, not slogans. Prosecutors examine whether senior and middle management have clearly articulated the company’s stance on misconduct and whether they have modelled compliance behaviour. Boards and audit committees should maintain detailed minutes showing substantive oversight, challenge, and follow-up on compliance issues. They should review trends in investigations, root causes, and disciplinary outcomes, ensuring that accountability is consistent across seniority levels.
Documentation is critical: maintain matrices mapping risk owners, control owners, and oversight bodies. Capture management responses to audit findings, regulatory inquiries, and whistleblower allegations. Ensure privilege considerations are balanced with transparency—prosecutors will probe whether factual investigation results were shared with decision-makers and how remediation was implemented.
Companies operating globally must reconcile DOJ expectations with local privacy, labour, and data localisation regimes. The ECCP recognises legitimate legal constraints but expects companies to articulate tailored solutions—such as enterprise-wide policies with local addenda, contractual clauses requiring cooperation, and escalation pathways when legal barriers impede data collection. Engaging local counsel early and documenting rationale for alternative controls helps demonstrate good-faith efforts.
Sector playbooks
Financial services. Align messaging controls with SEC, FINRA, and banking regulator retention rules, extending surveillance tools to cover encrypted apps and personal devices. Document how trading, sales, and wealth teams are monitored and how exceptions are approved. Coordinate with anti-money laundering teams to integrate transaction monitoring alerts with conduct risk data.
Life sciences and healthcare. Map compliance analytics to promotional practices, clinical trials, and third-party distributor oversight. Use data from field force ride-alongs, medical science liaison engagements, and grant committees to detect off-label promotion or improper inducements. Preserve communications between sales representatives and healthcare professionals across approved channels.
Technology and manufacturing. Focus on safeguarding intellectual property, export controls, and supply-chain integrity. Monitor collaboration platforms used by engineering, product, and operations teams; implement access controls and audit logs that can be produced during investigations. Align incentive structures for product leaders with compliance objectives tied to safety, privacy, and secure development practices.
Government contractors. Document segregation of cost accounting systems, procurement integrity controls, and reporting obligations under the Federal Acquisition Regulation. Ensure subcontractor due diligence captures cyber, ethics, and labour compliance obligations, and that messaging retention covers communications with contracting officers and program managers.
Measurement and continuous improvement
The ECCP highlights the importance of testing programme effectiveness and adapting based on lessons learned. Companies should define quantitative and qualitative indicators, such as hotline volume by region and category, investigation substantiation rates, remediation completion timelines, disciplinary consistency analyses, and employee survey results on culture and willingness to speak up. Dashboards should enable drill-down into root causes and track remediation milestones. Integrate external signals—industry enforcement actions, regulator priorities, or geopolitical developments—to trigger targeted risk assessments.
Perform after-action reviews following incidents, considering whether controls failed due to design, implementation, or circumvention. Update policies, training, and monitoring accordingly. Leverage data science to identify anomalies, but ensure models are explainable and validated. Document change management steps, including communications, training, and resource allocations.
Finally, maintain evidence packets demonstrating programme effectiveness: organisational charts showing compliance independence, budgets and staffing plans, training attendance logs, risk assessment reports, and case studies of remediation. When negotiating with the DOJ, the ability to provide contemporaneous documentation linking misconduct detection to corrective action can materially influence charging decisions, penalties, and monitorship requirements.
Sources
- U.S. Department of Justice Criminal Division — Evaluation of Corporate Compliance Programs (March 2023).
- Remarks by Assistant Attorney General Kenneth A. Polite Jr. at the ABA National Institute on White Collar Crime (2 March 2023).
- Remarks by Deputy Attorney General Lisa O. Monaco on corporate criminal enforcement (2 March 2023).
Zeph Tech partners with compliance, legal, and audit leaders to operationalise DOJ-ready evidence across messaging governance, incentive structures, and analytics-driven monitoring.
Continue in the Compliance pillar
Return to the hub for curated research and deep-dive guides.
Latest guides
-
Third-Party Risk Oversight Playbook — Zeph Tech
Operationalize OCC, Federal Reserve, EBA, and MAS outsourcing expectations with lifecycle controls, continuous monitoring, and board reporting.
-
Compliance Operations Control Room — Zeph Tech
Implement cross-border compliance operations that satisfy Sarbanes-Oxley, DOJ guidance, EU DORA, and MAS TRM requirements with verifiable evidence flows.
-
SOX Modernization Control Playbook — Zeph Tech
Modernize Sarbanes-Oxley (SOX) compliance by aligning PCAOB AS 2201, SEC management guidance, and COSO 2013 controls with data-driven testing, automation, and board reporting.