United States: DOJ Revises Guidance On Evaluation Of Corporate Compliance Programs

On April 30, 2019, the Assistant Attorney General (AAG) for the U.S. Department of Justice's Criminal Division, Brian Benczkowski, announced the release of an updated version of the "Evaluation of Corporate Compliance Programs" guidance (the "revised Guidance")—a document that provides guidance on how prosecutors conducting corporate investigations should assess a company's compliance program. The revised Guidance doubled the length of the original document and broadened applicability to the Criminal Division more generally (as opposed to just the Division's Fraud Section).

Much like its original iteration, many of the areas discussed in the revised Guidance have been discussed in other sources, including A Resource Guide to the U.S. Foreign Corrupt Practices Act ("FCPA Guide"), published by DOJ and the U.S. Securities and Exchange Commission in November 2012, and the Justice Manual's Principles of Federal Prosecution of Business Organizations. That said, the revised Guidance adds more detail and offers insights into how prosecutors will be thinking about compliance programs when conducting or resolving a corporate investigation. The revised Guidance is also useful in that it affords companies more information as they benchmark their own program, against DOJ's expectations. Perhaps most notably, it underscores certain key principles when it comes to corporate compliance programs—first, ensuring the program is well designed; second, assessing whether the program is being implemented effectively; and third, asking whether the company's compliance program works in practice.

The Original Guidance

In February 2017, the Fraud Section in DOJ's Criminal Division released the original "Evaluation of Corporate Compliance Programs" Guidance (the "Original Guidance"). Although released quietly on the Fraud Section's website, with little or no press (and not even on DOJ letterhead), the stated purpose of the February 2017 document was to provide a list of "some important topics and sample questions that the Fraud Section has frequently found relevant in evaluating a corporate compliance program" and included a list of 11 topics (and 119 questions) to that end. The Original Guidance received a generally positive reception from the legal and business communities because it increased transparency into the Fraud Section's compliance expectations. As we said at the time, the Guidance "can provide useful direction for companies not only undertaking or responding to investigations but also designing or enhancing compliance programs, or simply wishing to benchmark an existing compliance program against the government's expectations."   

The Revised Guidance

Unlike the original Guidance, which was released by and applied only to the Criminal Division's Fraud Section, the revised Guidance expressly applies to the entire Criminal Division. Moreover, while the original Guidance was essentially a series of topically-organized questions, the revised Guidance integrates the topics and questions into a broader discussion of Justice Manual policies. Indeed, the revised Guidance uses the three key questions that the Justice Manual instructs prosecutors to consider when evaluating a compliance program—is the program well designed, is the program being implemented effectively, and does the program actually work in practice—as a framework for categorizing relevant topics for considering whether a program is effective. Slotted within these categories are 11 different topic areas. Each subsection contains a discussion of the relevant policy background, with citations to the Justice Manual and, to a lesser extent, the U.S. Sentencing Guidelines, as well as questions that a prosecutor may consider when evaluating the particular area. 

Below we discuss some of the key aspects of the revised Guidance.

  • Risk-Based Approach to Compliance. The revised Guidance makes clear that prosecutors must evaluate how well a company has not only evaluated its risk profile but also used that evaluation to create a program that best allocates resources and attention to areas that pose the highest risk. DOJ has long said that there is no "one-size-fits-all" approach when it comes to creating a compliance program,1 and the revised Guidance underscores that point. Referencing principles outlined in the Justice Manual, the revised Guidance explains how prosecutors may credit the quality and effectiveness of a risk-based compliance program that devotes appropriate attention and resources to high-risk transactions, even if it fails to prevent an infraction in a low-risk area. It goes on to state that prosecutors should therefore consider, as an indicator of risk-tailoring, revisions to corporate compliance programs in light of "lessons learned." Further highlighting the importance of this point, the revised Guidance includes new questions related to risk-tailored resource allocation as well as questions aimed at understanding the updates and revisions that have been made to ensure the program remains practical as-applied. As these additions highlight, the revised Guidance is focused on ensuring a nimble compliance environment—one that can successfully react and "deal with the spectrum of risks [the company] faces, including changes to the legal and regulatory landscape" in which the company operates.
  • Risk-Based Third Party Management and Ongoing Monitoring. Third parties are the number one risk area for FCPA violations—indeed, over 90% of FCPA cases in the last ten years involved third parties—and the revised Guidance understandably emphasizes that a well-designed program should apply risk-based due diligence to the company's third party relationships.  In terms of appropriate controls, the revised Guidance asks prosecutors to consider how a company ensures that there are appropriate business rationales for the use of a particular third party.  Prosecutors will also ask how a company tracks third parties that do not pass due diligence and/or are terminated and how the company ensures these entities are not hired in the future. For any third party implicated in potential misconduct, prosecutors will ask what the business rationale was for hiring the third party, whether there were red flags identified during the company's due diligence, and what the company did to gain comfort before engaging the third party.
  • Tailored Training and Communication. Further underscoring the focus on an appropriately tailored compliance program, the revised Guidance emphasizes that prosecutors should assess whether the company has relayed anti-corruption information, including the company's anti-corruption policies and procedures, in a manner "tailored to the audience's size, sophistication, or subject matter expertise." The revised Guidance offers examples of ways a company can accomplish this, for example, by providing case studies that address real-life scenarios. Moreover, the revised Guidance again underscores the need for a company to incorporate feedback and acquired knowledge from any prior misconduct by directing prosecutors to consider to what extent a company's training program incorporates lessons learned from prior compliance incidents. While DOJ has long emphasized the importance of compliance training, calling out the importance of incorporating lessons learned and other feedback from prior events is a useful suggestion to companies looking to enhance their training programs.
  • Strong Example from Leaders and No "Paper Programs." The revised Guidance emphasizes the importance of creating and fostering a culture of ethics and compliance, which comes from both senior and middle management. It is explicit on this point, stating that prosecutors should examine the extent to which senior management has clearly articulated the company's ethical standards, conveyed and disseminated them in clear and unambiguous terms, and demonstrated rigorous adherence by example and how middle management has reinforced those standards and encouraged employees to abide by them. "Tone at the top" and "mood at the middle" have long been part of the rubric for an effective compliance program, but the revised Guidance's emphasis on these rubrics—and the reformulated "conduct at the top" rather than simply "tone at the top"—further underscores their importance. A theme taken from the revised Guidance in general is that DOJ is looking to probe whether a compliance program is effective in practice or merely a "paper program." The tone from leadership (at all levels) is a central component to this assessment because the leaders are responsible not only for establishing a culture of zero tolerance for bribery or corruption, but also for leading by example.
  • Emphasis on the Proper Allocation of Resources. The revised Guidance asks prosecutors to consider whether the reporting and investigating mechanisms at a company receive sufficient funding. Although prior compliance program guidance discussed resource allocation for compliance as compared to other areas within a company, the revised Guidance pinpoints specific aspects within the compliance program that companies should ensure receive sufficient resources. Indeed, the revised Guidance notes that a hallmark of a program that is working effectively is one that has well-functioning and appropriately resourced reporting and investigation mechanisms. That said, resources alone do not create an effective program—the revised Guidance explicitly states that in order to be truly effective, compliance personnel must also be empowered by the company.

Key Takeaways

  • There is no "one-size-fits-all" approach to compliance. While the revised Guidance is more specific in targeting things a company should consider when creating (or enhancing) a compliance program, DOJ has also emphasized that the revised Guidance should not be used as a checklist or a formula. That said, a company looking to benchmark its program against DOJ's expectations should review the revised Guidance to stress test its program and gain insight into the types of questions and considerations that a prosecutor will have in mind when evaluating the efficacy of the program.
  • The revised Guidance comes in the wake of the Criminal Division's decision not to hire a dedicated compliance counsel and to instead train all of its prosecutors on compliance issues. In October 2018, AAG Benczkowski had previewed that the Criminal Division planned to roll out Division-wide training programs to enhance prosecutors' understanding of compliance; on the same day he announced the revised Guidance, he added that the first of these sessions was taking place in Washington, D.C. that day. While the business community has expressed mixed feelings about the elimination of the compliance counsel position, the Criminal Division maintains that building compliance knowledge across all of its prosecutors (as opposed to hiring a single compliance counsel) will help ensure a more rigorous and informed analysis for companies that are under scrutiny.
  • In general, the revised Guidance is a positive development because it is another example of DOJ's efforts to be more transparent, specifically in terms of what a company can do to better position itself if it is ever facing a DOJ investigation. The revised Guidance comes in the wake of DOJ's March revisions to its FCPA Corporate Enforcement Policy—changes that appear to have been made (at least in part) in response to concerns posed by the business community looking to comply with the policy. Updates like these demonstrate that DOJ is keen to provide companies with the tools they need to prevent and detect misconduct and ensure their compliance programs meet DOJ's expectations. AAG Benczkowski ended his remarks this month noting that "the interests of the Department and private industry to root out corporate crime are very much aligned"—in keeping with that premise, the revised Guidance is another source to help put the business community and prosecutors on the same page when it comes to corporate compliance programs.


1 U.S. Dep't of Justice & U.S. Sec. and Exch. Comm'n, A Resource Guide to the U.S. Foreign Corrupt Practices Act (Nov. 12, 2012) at 57, available here 

Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Morrison & Foerster LLP. All rights reserved

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Similar Articles
Relevancy Powered by MondaqAI
Akin Gump Strauss Hauer & Feld LLP
In association with
Related Topics
Similar Articles
Relevancy Powered by MondaqAI
Akin Gump Strauss Hauer & Feld LLP
Related Articles
Related Video
Up-coming Events Search
Font Size:
Mondaq on Twitter
Mondaq Free Registration
Gain access to Mondaq global archive of over 375,000 articles covering 200 countries with a personalised News Alert and automatic login on this device.
Mondaq News Alert (some suggested topics and region)
Select Topics
Registration (please scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions

Mondaq.com (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of www.mondaq.com

To Use Mondaq.com you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.


The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.


Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions