United States: DOJ Issues Most Detailed Guidance Regarding Evaluation Of Corporate Compliance Programs To Date

On April 30, 2019, the U.S. Department of Justice ("DOJ") released new guidance regarding its evaluation of the adequacy and effectiveness of a company's compliance program (the "Guidance"). DOJ has issued similar documents in recent years, providing companies with blueprints to use when developing and assessing their compliance programs, though this recent Guidance significantly expands upon DOJ's prior statements, underscoring its continued focus on compliance and endeavoring to give companies more specific benchmarks for meeting DOJ expectations.

The Guidance makes clear that the adequacy and effectiveness of a company's compliance program are critical factors in any DOJ investigation of a corporation, including when making prosecutorial decisions and negotiating potential resolutions. As Assistant Attorney General Brian Benczkowski stated on April 30, 2019, at the Ethics and Compliance Initiative Annual Impact Conference, "the importance of corporate compliance cannot be overstated." DOJ's Guidance is intended to provide practical insight and transparency to prosecutors as they make charging decisions or resolve criminal cases, and to companies as they develop and implement their compliance programs.

Key Takeaways From the New Guidance

The Guidance directs that a prosecutor should ask three "fundamental questions" when evaluating a company's compliance program:

  1. Is the corporation's compliance program well-designed?
  2. Is the program being applied earnestly and in good faith? In other words, is the program being implemented effectively?
  3. Does the corporation's compliance program work in practice?

Within this framework, the Guidance walks through 18 pages of specific considerations prosecutors will use when evaluating a company's compliance program. The Guidance also explains that prosecutors should focus on context and make individualized assessments based on the facts of each criminal investigation.

1. Is the corporation's compliance program well-designed?

When evaluating whether a company's compliance program is "adequately designed for maximum effectiveness in preventing and detecting wrongdoing by employees," as well as corporate management's commitment to the program, the Guidance instructs consideration of the following elements:

  • Risk Assessment. Prosecutors should familiarize themselves with the company's business and risk profile and then assess whether the company has tailored its compliance program to detect the types of misconduct most likely to occur in that context. Accordingly, prosecutors will evaluate a company's risk assessment process, whether the company devotes appropriate time and resources to high-risk areas, whether the risk assessment itself is updated over time, and whether policies and procedures are updated in response to lessons learned and issues identified.
  • Policies and Procedures. Prosecutors will then evaluate whether a company's policies and procedures actually address the risks identified in the risk assessment process. At a minimum, a company should have a Code of Conduct demonstrating a commitment to compliance, as well as a suite of policies and procedures that incorporate a culture of compliance into everyday operations. Prosecutors also should examine the company's process for, and individuals involved in, designing the policies; the comprehensiveness and accessibility of those policies; and the assignment of individuals responsible for rolling out and acting as gatekeepers in control processes.
  • Training and Communications. Because a company's policies and procedures are only effective if known and understood, prosecutors will assess a company's training program and methods of communication. This includes whether the company has employed a risk-based approach, communicating compliance material in a manner tailored to the audience's size, sophistication or subject matter expertise, and whether the company provides practical advice to address real-life scenarios and prior compliance incidents.
  • Confidential Reporting Structure and Investigation Process. An efficient mechanism by which employees can anonymously or confidentially report misconduct allegations without fear of retaliation is key to a well-designed compliance program. Prosecutors will assess whether a company has appropriate processes for the submission of complaints, routed to and reviewed by qualified personnel; processes for timely and thorough completion of investigations; appropriate follow-up, discipline and tracking of results; and protection for whistleblowers.
  • Third-Party Management; Mergers & Acquisitions. Prosecutors will assess whether a company applies risk-based due diligence to its third-party relationships, including whether the company understands its third-party partners' qualifications and relationships with foreign officials, as well as how the company ensures there is a proper business rationale for engaging the third party. Such diligence should not be a one-time endeavor — rather, prosecutors will assess whether a company engages in ongoing monitoring of its third-party partners, through updated due diligence, training, audits, and/or annual compliance certifications. Steps should also be taken to ensure that red flags are addressed and third-party misconduct is tracked. Similarly, prosecutors will assess whether the company has appropriate processes in place for conducting pre-M&A due diligence of any acquisition targets and remediating any identified misconduct.

2. Is the program being applied earnestly and in good faith?

The following categories are aimed at aiding prosecutors in determining whether a company has a mere "paper program" in place, rather than one that is effectively implemented, reviewed and revised as appropriate.

  • Commitment by Senior and Middle Management. Prosecutors will assess a company's "tone at the top" — whether senior management has demonstrated a commitment to clearly defined ethical standards and leads by example, including through remediation efforts. In addition, prosecutors will assess whether middle management has reinforced those commitments.
  • Autonomy and Resources. Expounding on its previous guidance, DOJ directs prosecutors to evaluate whether a company's compliance function is appropriately staffed and empowered relative to the size, structure and risk profile of the company. This analysis includes review of whether compliance personnel have sufficient seniority, resources, autonomy from management and access to key decision-makers.
  • Incentives and Disciplinary Measures. Prosecutors will assess whether a company has incentivized compliance and disincentivized non-compliance by establishing clear, commensurate disciplinary procedures that are enforced consistently across the organization. Prosecutors may also recognize a company's efforts to incentivize compliance, such as through promotions or bonuses for demonstrating compliance leadership.

3. Does the corporation's compliance program work in practice?

The Guidance specifically notes that the existence of misconduct does not, in and of itself, mean that a compliance program was not working effectively at the time of the offense. Rather, a compliance program that identified misconduct, allowing for timely remediation and self-reporting, should be viewed as a strong indicator of the program's efficacy. Accordingly, prosecutors will consider whether and how the misconduct was detected, what resources were in place to investigate suspected misconduct, and the nature and thoroughness of the company's remedial efforts.

Regarding whether a company's compliance program is working effectively at the time of a charging decision or resolution, prosecutors will consider if the program evolved to address changing compliance risks and whether the company undertook an honest root cause analysis to understand what caused the misconduct and the remediation necessary to prevent similar issues in the future.

  • Continuous Improvement, Periodic Testing, and Review. Per the Guidance, prosecutors may reward efforts to promote improvement and sustainability, and will assess whether a company engaged in meaningful efforts to review and update its compliance program. To that end, prosecutors will examine a company's process for determining the subject and frequency of internal audits; whether a company has reviewed the compliance program in areas relating to misconduct; and the frequency with which the company updates its risk assessments, policies and procedures.
  • Investigation, Analysis, and Remediation of Misconduct. Prosecutors will assess whether the company has an effective and appropriately funded mechanism to provide for timely, thorough and independent investigations undertaken by qualified personnel. Identification and remediation of root causes, as well as disciplinary action to hold bad actors accountable, will be key in prosecutors' analyses of whether the company has demonstrated recognition of the seriousness of the misconduct and implemented measures to reduce the risk that it will reoccur.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
