Disclaimer: This content is not a substitute for legal advice. It’s provided solely to inform and not intended as a standalone resource. If you have questions about these updates or their implications for your organization, please consult your legal counsel.

Since 2017, the U.S. Department of Justice (DOJ) has been evaluating corporate compliance programs using the Evaluation of Corporate Compliance Programs (ECCP), a structured framework to assess their effectiveness in preventing and addressing misconduct. The ECCP often comes into play when a prosecutor is determining whether to prosecute an organization or offer leniency via a deferred prosecution agreement. 

Several revisions to the ECCP since its inception highlight the DOJ’s focus on understanding the rationale behind the program’s design, evolution over time and functionality in addressing the relevant company’s risk profile.

On September 23, 2024, the latest round of updates were introduced. While primarily intended for prosecutors, the ECCP also serves as a valuable resource for companies to assess how their programs might be judged by the DOJ. A company with an effective compliance program is more likely to receive a favorable resolution in an enforcement action, including reduced monetary penalties and less burdensome ongoing compliance obligations, as part of the resolution terms.

Here are the newest additions introduced in the September 2024 ECCP update:

  • Risks associated with new and emerging technology: The updated ECCP includes new criteria to evaluate how companies are assessing and managing risks related to the use of new technology such as artificial intelligence (AI) in their commercial operations and compliance programs.
  • Incentivizing and protecting whistleblowers: The updated ECCP bolsters the DOJ’s expectations that corporations should actively promote internal whistleblowing and safeguard individuals who report misconduct. Going forward, the DOJ will evaluate whether companies have adequate policies and training to encourage whistleblowing and prevent retaliation, as well as how companies treat employees who report misconduct.
  • Access to data and resources for compliance functions: The revisions emphasize the DOJ’s stance that the effective operation of a compliance program requires a compliance function that is sufficiently resourced and funded and has access to the data and technology necessary to detect and mitigate risks. DOJ prosecutors will evaluate whether compliance functions (i) have timely access to data and (ii) appropriately leverage data analytics tools to create efficiencies in the compliance program and track its effectiveness.
  • Incorporating lessons learned: The updated ECCP also emphasizes that compliance programs and employee training should evolve based on lessons learned from both the company’s own prior issues and from issues at other companies in related industries and geographies.
  • Post-transaction compliance integration: The latest revisions underscore the importance of compliance function involvement in M&A activity, in particular post-transaction integration.

Together, these updates provide a clearer framework for companies to ensure their compliance programs are robust and aligned with DOJ expectations.

The bottom line

These updates underscore the DOJ’s focus on proactive, resource-rich, and data-driven compliance strategies. By addressing these updated guidelines, companies can enhance their compliance programs, reduce risk, and build trust with stakeholders.

About Ethena

Ethena takes you beyond checking the box with a modern library of 150+ customizable course modules and tech that lets you set it and forget it. An employee hotline, case manager, and phishing simulator are all built-in, so you can identify risks and tailor your training to them. We’re trusted by the People and Compliance teams at Pinterest, Notion, Asana, The Salvation Army, and more.


Blog Sample Training - Harassment Prevention (2)