
DOJ Evaluation of Corporate Compliance Programs

DOJ updated its Evaluation of Corporate Compliance Programs guidance in March 2023. Prosecutors assess compliance program effectiveness more rigorously. Understanding the DOJ's expectations helps design defensible compliance programs.


The U.S. Department of Justice (DOJ) Criminal Division refreshed its Evaluation of Corporate Compliance Programs (ECCP) on 3 March 2023, locking in heightened prosecutorial scrutiny of how companies govern messaging platforms, incentivise ethical behavior through compensation, and use data to continuously monitor misconduct risks. Chief compliance officers, audit committees, and legal leadership must show that program design, implementation, and remediation efforts are documented in a way that enables prosecutors to determine whether the compliance function is resourced, empowered, and agile enough to prevent repeat violations.

Capabilities: Strengthen program design across data, devices, and discipline

The 2023 ECCP update reiterates that prosecutors examine whether compliance programs are well-designed, adequately resourced, and work in practice, but it adds new depth on three capability areas. First, companies must show that policies governing personal devices, encrypted messaging, ephemeral tools, and collaboration platforms capture business records needed for investigations.

Prosecutors will ask how policies are distributed, how exceptions are justified, and how employees are disciplined for violating retention rules. Second, the DOJ expects compliance considerations to be integrated into compensation and promotion decisions, including clawbacks, deferred compensation, or disciplinary measures when supervisors ignore red flags. Third, the guidance emphasizes data-driven monitoring: companies should show how they collect, analyze, and act on metrics such as hotline trends, investigations, audits, and root-cause analyses.

Beyond the headline themes, the guidance reinforces enduring capabilities. Risk assessments should be tailored to evolving business models and geographic footprints, capturing supply-chain, third-party, and acquisition risks. Training must be risk-based and tracked for completion and effectiveness, with scenario exercises for high-risk functions. Third-party management should include due diligence proportional to risk, contractual audit rights, and ongoing monitoring. Mergers and acquisitions must feature pre-close diligence where practicable, post-close integration plans, and rapid remediation of inherited issues.

Compliance leaders should therefore catalog the artifacts prosecutors ask for: policy inventories, attestation records, training curricula, investigative protocols, and dashboards. The ECCP specifically probes whether compliance professionals have access to sufficient data and authority, whether they are involved in strategic decisions, and whether the program adapts based on lessons learned. Coordinating with IT, HR, internal audit, and business unit leaders is crucial to centralize the evidence demonstrating that policies operate in practice.

Implementation sequencing: 30-60-90 day roadmap

First 30 days. Establish an ECCP response task force chaired by the chief compliance officer. Catalog all messaging platforms, personal device arrangements, and retention tools; document legal or technical barriers to preservation; and draft mitigation plans such as enterprise archiving, mobile device management, or disciplined exception processes. Run tabletop exercises with legal, HR, and security to map how investigations would proceed if messaging data were unavailable. Begin a compensation and incentives inventory, documenting how compliance considerations inform bonuses, promotions, and clawbacks across business units.

Days 31–60. Update codes of conduct, disciplinary policies, and employment agreements to articulate expectations around messaging preservation and cooperation. Align HR systems to capture compliance-linked performance data, enabling evidence of fair enforcement. Launch targeted communications explaining policy changes, and provide microlearning modules for supervisors on how to document escalation and disciplinary decisions. Concurrently, improve data analytics by integrating hotline, audit, and transaction monitoring feeds into dashboards, defining thresholds for escalation to compliance leadership.

Days 61–90. Present progress to the audit committee, including remediation timelines, resource needs, and open risks. Finalize compensation governance adjustments, such as deferred bonus pools or clawback provisions tied to misconduct findings, and document board approval. Conduct a refreshed enterprise compliance risk assessment capturing new markets, third-party exposures, or technology deployments. For high-risk areas, develop written remediation plans with owners, milestones, and metrics. Update investigation protocols to include preservation notices for messaging platforms and procedures for interviewing employees who use personal devices for work.

Responsible governance and oversight

The ECCP reinforces that tone from the top and middle must be evidenced through actions, not slogans. Prosecutors examine whether senior and middle management have clearly articulated the company’s stance on misconduct and whether they have modeled compliance behavior. Boards and audit committees should maintain detailed minutes showing significant oversight, challenge, and follow-up on compliance issues. They should review trends in investigations, root causes, and disciplinary outcomes, ensuring that accountability is consistent across seniority levels.

Documentation is critical: maintain matrices mapping risk owners, control owners, and oversight bodies. Capture management responses to audit findings, regulatory inquiries, and whistleblower allegations. Ensure privilege considerations are balanced with transparency—prosecutors will probe whether factual investigation results were shared with decision-makers and how remediation was implemented.

Companies operating globally must reconcile DOJ expectations with local privacy, labor, and data localization regimes. The ECCP recognizes legitimate legal constraints but expects companies to articulate tailored solutions—such as enterprise-wide policies with local addenda, contractual clauses requiring cooperation, and escalation pathways when legal barriers impede data collection. Engaging local counsel early and documenting rationale for alternative controls helps show good-faith efforts.

Industry playbooks

Financial services. Align messaging controls with SEC, FINRA, and banking regulator retention rules, extending surveillance tools to cover encrypted apps and personal devices. Document how trading, sales, and wealth teams are monitored and how exceptions are approved. Coordinate with anti-money laundering teams to integrate transaction monitoring alerts with conduct risk data.

Life sciences and healthcare. Map compliance analytics to promotional practices, clinical trials, and third-party distributor oversight. Use data from field force ride-alongs, medical science liaison engagements, and grant committees to detect off-label promotion or improper inducements. Preserve communications between sales representatives and healthcare professionals across approved channels.

Technology and manufacturing. Focus on safeguarding intellectual property, export controls, and supply-chain integrity. Monitor collaboration platforms used by engineering, product, and operations teams; implement access controls and audit logs that can be produced during investigations. Align incentive structures for product leaders with compliance objectives tied to safety, privacy, and secure development practices.

Government contractors. Document segregation of cost accounting systems, procurement integrity controls, and reporting obligations under the Federal Acquisition Regulation. Ensure subcontractor due diligence captures cyber, ethics, and labor compliance obligations, and that messaging retention covers communications with contracting officers and program managers.

Measurement and continuous improvement

The ECCP highlights the importance of testing program effectiveness and adapting based on lessons learned. Companies should define quantitative and qualitative indicators, such as hotline volume by region and category, investigation substantiation rates, remediation completion timelines, disciplinary consistency analyses, and employee survey results on culture and willingness to speak up. Dashboards should enable drill-down into root causes and track remediation milestones. Integrate external signals, such as industry enforcement actions, regulator priorities, or geopolitical developments, to trigger targeted risk assessments.

Perform after-action reviews following incidents, considering whether controls failed because of their design, their implementation, or deliberate circumvention. Update policies, training, and monitoring as needed. Use data science to identify anomalies, but ensure models are explainable and validated. Document change management steps, including communications, training, and resource allocations.

Finally, maintain evidence packets demonstrating program effectiveness: organizational charts showing compliance independence, budgets and staffing plans, training attendance logs, risk assessment reports, and case studies of remediation. When negotiating with the DOJ, the ability to provide contemporaneous documentation linking misconduct detection to corrective action can materially influence charging decisions, penalties, and monitorship requirements.

Further reading

  1. U.S. Department of Justice, Criminal Division. Evaluation of Corporate Compliance Programs (March 2023). justice.gov
  2. U.S. Department of Justice. Assistant Attorney General Kenneth A. Polite Jr. delivers remarks at the ABA National Institute on White Collar Crime. justice.gov
  3. U.S. Department of Justice. Deputy Attorney General Lisa O. Monaco delivers remarks on corporate criminal enforcement. justice.gov