Justice Department Updates Its Guidance on Corporate Compliance Programs

Stephen Cutler and Nicholas Goldin are partners and David Caldwell is an associate at Simpson Thacher & Bartlett LLP. This post is based on their Simpson Thacher memorandum.

Earlier this month, the Criminal Division of the Department of Justice updated its guidance for prosecutors to use when evaluating a company’s compliance program in the context of corporate charging and settlement decisions. [1] While the revised guidance is very similar to DOJ’s April 2019 version, [2] it includes substantive updates in a number of areas—including how compliance programs are resourced, how they evolve and adapt, and how they address pre-acquisition due diligence and post-acquisition compliance integration in mergers and acquisitions.


As with prior versions, the updated guidance continues to emphasize at the outset that the Criminal Division does not use any “rigid formula” to evaluate compliance programs, and instead states that each company’s risk profile requires “particularized evaluation.” The revisions (italicized below), however, add notable language with respect to the factors DOJ will consider in its individualized determination:

Accordingly, we make a reasonable, individualized determination in each case that considers various factors including, but not limited to, the company’s size, industry, geographic footprint, regulatory landscape, and other factors, both internal and external to the company’s operations, that might impact its compliance program.

Adequate Resources and Empowerment

In the updated guidance, DOJ has refined one of the three “fundamental questions” prosecutors should use in evaluating a company’s compliance program. As background, the DOJ previously framed these three fundamental questions as follows:

  1. Is the corporation’s compliance program well designed?
  2. Is the corporation’s compliance program being implemented effectively?
  3. Does the corporation’s compliance program work in practice? [3]

The revised guidance modifies the second question to read: “Is the corporation’s compliance program adequately resourced and empowered to function effectively?”

While the notion that DOJ will evaluate the resources a company devotes to its compliance program is not a novel concept, the revised guidance provides three specific refinements under the umbrella of resourcing questions that companies should note.

  • Investment in and Development of Compliance Personnel: In addition to evaluating the experience and qualifications of compliance and control personnel, the revised guidance now asks: “How does the company invest in further training and development of the compliance and other control personnel?” This refinement mirrors other broader revisions to the updated guidance that emphasize the importance of a dynamic compliance program.
  • Data Resources and Access: The updated guidance explicitly asks whether compliance personnel “have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions,” whether any “impediments” exist that limit access to such data, and if so, what the company is doing to address those impediments.
  • Monitoring Investigations and Consistency: While the previous guidance asked whether disciplinary actions are consistently applied, the updated guidance now asks whether a company’s compliance function monitors its investigations and disciplinary actions to ensure consistency.

“Lessons Learned” and an Evolving Program

While the 2019 guidance considered whether a company updates both its compliance program and its risk assessments in light of lessons learned from prior issues, the 2020 update further emphasizes the government’s expectation that compliance programs should constantly evolve.

Design of the Compliance Program

In evaluating whether a company’s compliance program is well designed, the revised guidance includes several refinements to the section on risk assessments:

  • An Updated “Starting Point”: In its description of the “starting point” for evaluating the design of a compliance program, the update now instructs that “prosecutors should endeavor to understand why the company has chosen to set up the compliance program the way that it has, and why and how the company’s compliance program has evolved over time.”
  • Updates and Revisions: While last year’s version of the guidance asked whether risk assessments are subject to periodic review, it now goes further—asking whether such periodic review is “limited to a ‘snapshot’ in time or based upon continuous access to operational data and information across functions,” as well as whether the periodic review has “led to any updates in policies, procedures, and controls.”
  • Tracking and Incorporating Issues: The revised guidance now asks whether the company has a “process for tracking and incorporating into its periodic risk assessment lessons learned either from the company’s own prior issues or from those of other companies operating in the same industry and/or geographical region.”

In addition, the guidance explicitly notes that in considering the design of the program itself, prosecutors should consider the company’s process for designing and implementing new procedures as well as for “updating existing policies and procedures.”

Third-Party Relationships

Last year’s version of the guidance extensively covered third-party management practices, including evaluation of appropriate controls and managing third-party relationships. The updates reflect that the government will consider not just whether a company appropriately evaluates third-party risk at the onboarding stage, but also whether a company performs “risk management of third parties throughout the lifespan of the relationship.”

Lessons Learned from Other Companies

Last year’s guidance asked how often a company updates its risk assessments, whether a company performs a gap analysis, and whether a company has determined if its policies and procedures make sense for particular parts of the business. Under the revised guidance, prosecutors are also directed to evaluate whether “a company review[s] and adapt[s] its compliance program based upon lessons learned from its own misconduct and/or that of other companies facing similar risks.” This is a particularly notable change, as it suggests that the Criminal Division will evaluate not only the extensiveness of a company’s own inward-looking review, but also whether the compliance function is effectively observing the broader external risk environment.

M&A Due Diligence

The revised guidance makes a number of refinements with respect to how prosecutors should view a company’s approach to due diligence of acquisition targets and post-closing compliance implementation.

First, while last year’s guidance noted that a well-designed program “should include comprehensive due diligence of any acquisition targets,” the revisions add: “as well as a process for timely and orderly integration of the acquired entity into existing compliance program structures and internal controls.” The importance of post-acquisition compliance integration and its potential impact on how regulators will view an acquirer in the event misconduct is discovered after closing was highlighted in the 2012 DOJ and SEC FCPA Resource Guide [4]; but now, a company might want to consider not just whether it undertakes post-acquisition compliance integration, but whether post-acquisition compliance integration procedures are expressly set out in its compliance program.

Second, in evaluating the due diligence process, the revised guidance now asks: “Was the company able to complete pre-acquisition due diligence and, if not, why not?” While it does not elaborate on this point, it is now more clear than in the past that the extent of a company’s ability to conduct pre-acquisition due diligence will be considered by the Criminal Division where issues arise in the merger-and-acquisition context.

Third, in evaluating a company’s process for implementing compliance controls at newly acquired entities, the revised guidance now explicitly considers whether the company conducts post-acquisition audits.


The Criminal Division’s updated guidance includes limited but noteworthy changes from its 2019 version of the guidance. As before, the Criminal Division eschews any “rigid formula” to assess compliance programs, and instead focuses on an “individualized determination” based on a company’s “particularized” risk profile. While most of the revised guidance will be familiar to seasoned compliance professionals, it provides some additional insight with respect to how prosecutors will evaluate whether and how a company’s compliance program is sufficiently resourced and monitored, and whether and how it evolves and improves over time.


[1] U.S. Dep’t of Justice, Criminal Division, Evaluation of Corporate Compliance Programs (June 2020), https://www.justice.gov/criminal-fraud/page/file/937501/download.

[2] For more information about the changes DOJ implemented in its 2019 guidance, please review our prior alert, available at https://www.stblaw.com/docs/default-source/Publications/regulatoryenforcementalert_05_06_19.pdf.

[3] U.S. Dep’t of Justice, Criminal Division, Evaluation of Corporate Compliance Programs (Apr. 2019), https://assets.documentcloud.org/documents/5983840/DOJ-Evaluation-of-Corporate-Compliance-Programs.pdf.

[4] See U.S. Dep’t of Justice and U.S. Sec. and Exch. Comm’n, A Resource Guide to the U.S. Foreign Corrupt Practices Act 28 (2012), https://www.justice.gov/sites/default/files/criminal-fraud/legacy/2015/01/16/guide.pdf.
