DOJ Updates Guidance to Prosecutors on Corporate Compliance Programs

On June 2, 2020, the DOJ issued updated guidance to prosecutors regarding how to evaluate the compliance programs of corporations undergoing a criminal investigation or prosecution. The updates emphasize the importance of a dynamic, adaptable compliance program to a prosecutor's decisions with respect to resolving a corporate prosecution, the amount of monetary penalties to seek, and ongoing compliance obligations that may be necessary following resolution. The following are highlights from the DOJ's guidance:

  • Effective use of data and a data-driven approach to compliance are critical. Prosecutors should ask: "Do compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions?"

  • Companies should ensure that their employees and relevant third parties are aware of and comfortable using anonymous reporting mechanisms, such as compliance hotlines. Companies should periodically test the effectiveness of their hotlines by, for example, "tracking a report from start to finish."

  • Rather than asking merely whether the corporation's compliance program is being implemented effectively, prosecutors must probe whether the program is being "adequately resourced and empowered to function effectively." This places great weight on funding and resources that ensure that compliance personnel can "effectively audit, document, analyze, and act on the results of the [corporation's] compliance efforts."

  • The company's third-party relationships should be subjected to risk-based due diligence under the compliance program. "[P]rosecutors should assess the extent to which the company has an understanding of the qualifications and associations of third-party partners, including the agents, consultants, and distributors that are commonly used to conceal misconduct, such as the payment of bribes to foreign officials in international business transactions."

  • Additionally, companies must continually update their programs and policies to address "lessons learned" from the "company's own prior issues or from those of other companies operating in the same industry and/or geographical region."


The DOJ's guidance hammers home the simple truth that having a compliance program is not enough - it must be effectively implemented. Having a compliance manual, code of conduct, or compliance hotline does no good if it is not being put to active use, routinely assessed and refined. As the DOJ emphasized, companies should not limit their compliance assessments to a "snapshot" in time but rather base their reviews "upon continuous access to operational data and information." Effective use of data will be critical to compliance efforts going forward.

The timing of the DOJ's update is significant, as it signals the DOJ's view that compliance efforts should not take a backseat during the COVID-19 crisis. This places some companies in a difficult position, as many have laid off compliance staff and cut compliance budgets in response to the business slowdown. Under the updated guidance, companies would be advised to use the slowdown as a period to assess whether they have "adequately resourced" compliance programs and where improvements may be made.

Email me about this