On April 30, 2019, the Criminal Division of the U.S. Department of Justice released updated guidance on how prosecutors evaluate the effectiveness of corporate compliance programs.[1] The updated guidance, entitled Evaluation of Corporate Compliance Programs, expands on the guidance released by the Fraud Section in February 2017.[2] When announcing the updated guidance last week, Assistant Attorney General Benczkowski noted that it is intended to “harmonize the prior Fraud Section publication with other DOJ guidance and legal standards,” and “provide additional transparency on how [the DOJ] will analyze a company’s compliance program.”[3] The updated guidance provides a framework for how prosecutors will assess compliance programs as they consider potential enforcement actions, and it complements the DOJ training programs, announced last October, designed to enhance prosecutors’ understanding of compliance.[4] Despite the new detail provided by the updated guidance, the DOJ continues to make individualized determinations in each case and does not use any rigid formula to assess the effectiveness of corporate compliance programs.

The updated guidance focuses on the same areas as the 2017 guidance, but gives considerably more context and is structured around three key questions concerning a compliance program’s design, implementation, and function: (1) Is the corporation’s compliance program well designed? (2) Is the program being applied earnestly and in good faith? (In other words, is the program being implemented effectively?) and (3) Does the corporation’s compliance program work in practice?


The DOJ’s Justice Manual describes specific factors prosecutors should consider when contemplating prosecution of a corporation, including the adequacy and effectiveness of a company’s compliance program at the time of the offense and the company’s remedial efforts to implement such a program.[5] In 2017, the Fraud Section issued a list of 119 questions it might ask when assessing the quality of a company’s compliance program.[6] The 2017 guidance did not provide benchmarks, specific factors, or requirements for corporate compliance programs to meet, nor did it prioritize, synthesize, or otherwise indicate the relative importance of the long list of questions posed.[7] Many of the questions in the 2017 guidance built on factors identified in prior DOJ and other guidance, as well as the U.S. Sentencing Guidelines and the OECD’s Good Practice Guidance on Internal Controls, Ethics, and Compliance.[8]

In the 2017 guidance, the questions were grouped under eleven topics, including the company’s analysis and remediation of the underlying misconduct; the conduct of its senior and middle management; the autonomy and resources of its compliance function; its policies and procedures; risk assessment; training and communication; confidential reporting; incentives for compliance and non-compliance; periodic testing and review; and monitoring of third-party relationships and potential mergers and acquisitions.[9]

The Updated Guidance

The updated guidance contains twelve topics and nearly 150 sample questions that may be relevant to evaluating a corporate compliance program. The updated guidance organizes these topics and questions into three central categories based on three “fundamental” questions drawn from the DOJ’s Justice Manual.[10] The “three ‘fundamental questions’ a prosecutor should ask” when making an individualized determination as to whether, and to what extent, a corporation’s compliance program was effective are:

  • Is the corporation’s compliance program well designed? This question focuses on a number of factors, including whether a company’s compliance program is appropriately designed to detect the compliance risks associated with a company’s business; whether its policies and procedures give content and effect to ethical norms that address and reduce risks identified by the company as part of its risk assessment process; the steps taken by the company to ensure its policies and procedures have been integrated through training and communication; the existence of an efficient and trusted confidential reporting structure and investigation process; the application of risk-based due diligence to third-party relationships; and comprehensive due diligence of any acquisition targets.
  • Is the program being applied earnestly and in good faith? In other words, is the program being implemented effectively? When considering these questions, prosecutors will look at the commitment of senior and middle management to fostering a culture of compliance; the autonomy and resources at the disposal of the company’s compliance function; and the incentives for compliance and disincentives for non-compliance.
  • Does the corporation’s compliance program work in practice? Prosecutors will assess whether a corporation’s compliance program works in practice by considering its capacity to improve and evolve; whether there is a well-functioning and appropriately funded mechanism for conducting timely and thorough investigations of any allegations or suspicions of misconduct by the company, its employees, or agents; and the ability of the company to conduct a thoughtful root-cause analysis of the misconduct and remediate the root causes.[11]

Practical Takeaways

As Assistant Attorney General Brian Benczkowski recently explained, the updated guidance continues to eschew “any rigid formula to assess the effectiveness of corporate compliance programs,” but it does aim to “provide additional transparency.”[12] Organizing the evaluation of corporate compliance programs around three central questions provides a useful framework for implementing an effective compliance program and for thinking about the previously disparate topics, or factors, listed in the 2017 guidance. In addition to this framework, the updated guidance provides background for the factors that grounds each in the wider context of compliance. By asking the three fundamental questions, and ensuring they are able to answer them affirmatively, companies will be better able to identify business risks, mitigate them, and remediate shortcomings.