10 Practical Takeaways for Compliance Officers from the Updated DOJ Guidance (Part 1)

You’ve probably seen some coverage about the March 2023 update to the DOJ’s Evaluation of Corporate Compliance Programs (ECCP) guidance. But most of the coverage we’ve seen is far too legal. It doesn’t tell us what we as compliance officers should do with the information about the updates.

Fear not – we’ve scoured the updates and come up with 10 practical takeaways leading to concrete actions that you can use to move your program to the next level. We’ve also embedded links to whitepapers, checklists, and tons of resources to help you do just that.

This is the first of two blogs tackling this topic, from which we’ll create a downloadable whitepaper so you can have them all in one place. Here are the first five actions, all of which you can take today.

A Quick History of the ECCP


The compliance world was shaken up in 2019 when the Department of Justice issued the first edition of the ECCP.

The guidance set forth a series of questions prosecutors were to ask to see whether a corporation should receive mitigating credit against punishments for violations because they have a good compliance program in place. Our initial guidance for the top ten things to do in response to this guidance can be found HERE (all still relevant!).

The ECCP was updated in June 2020 based on the responses the guidance had received from prosecutors in the field and people in the business environment. We wrote about ten actions that compliance officers should take from that edition HERE (also still relevant!).

After a nearly three-year hiatus, the DOJ is back with updates and changes signaling their enhanced expectations. Some of this is tough stuff (incentives anyone?). But it’s worth it to keep our programs up to prosecutorial expectations.

Why We Love the ECCP


The great news about the ECCP is that it is written in question format. The answers the DOJ wants to hear are evident in the questions themselves.

We can use this guidance to inform how our programs are to be run, and also to support requests for program improvements. We can also use the ECCP to put pressure on our leaders, including the senior executives and the Board.

These are not your questions – they are the DOJ’s, and they need to be answered properly.

Here’s what you need to know and what to do.

Five Takeaways and Practical Actions

No. 1: Create an “Ephemeral Messaging” Policy


Let’s start with one of the toughest actions.

When Covid sent us all into our home offices, BYOD became the norm, even if it wasn’t properly authorized by the IT department. People used their personal phones to contact business colleagues and customers. Communications via messenger services like WhatsApp became common. These messaging services, including Snapchat, Signal, and Telegram, became ubiquitous in many companies.

And this creates problems.

The DOJ wants to see what’s in the ephemeral messages of potential wrongdoers – so much so that they dedicated whole paragraphs to the issue. The ECCP states, “Policies governing such applications should be tailored to the corporation’s risk profile and specific business needs and ensure that, as appropriate and to the greatest extent possible, business-related electronic data and communications are accessible and amenable to preservation by the company.”

What to Do Now?


Work with IT to develop a strategy around capturing business-related ephemeral messaging. This is no easy task, but it needs to be done.

Once you’ve created a strategy, draft a policy stating when and how ephemeral messaging can be used in a business context, and how to preserve and transfer the data to the company (when required). After that, take the DOJ’s guidance and document how the policies and procedures have been designed and communicated to employees.

While you’re at it, track “whether the corporation has enforced the policies and procedures on a regular and consistent basis in practice.”

We’ll be publishing a blog with more detail on this topic soon. In the meantime, get your strategy together and start working on the policy and procedures.

No. 2: Add “Resourcing” to Your Risk Assessment and/or Program Review


One of the best parts of the ECCP is the section revolving around the proper resourcing of the compliance department.

The DOJ doubled down on this in the 2023 updates. They added the word “resourced” into the first part of section II, instructing prosecutors to “probe specifically whether a compliance program is a ‘paper program’ or one implemented, resourced, reviewed and revised, as appropriate, in an effective manner.”

The DOJ has also added a section on “independence and empowerment” relating to prosecutorial review of the compliance program resourcing and compensation structure.

There is a new sentence relating to resourcing. It tells prosecutors to evaluate the corporation’s method for assessing and addressing applicable risks in designing appropriate controls to manage these risks. This means it is imperative to consider the resourcing of the program in determining whether risk is being properly managed.

What to Do Now?


Include a review of the resources allocated to the compliance program in your next risk assessment or compliance program assessment. Use benchmarking to make your case. The Society of Corporate Compliance and Ethics puts out benchmarking data on salaries and program sizes. NAVEX and Ethico publish survey data as well.

It may be helpful to have an outside consulting firm reviewing program resources, as it can be difficult to make the case internally without sounding self-serving. Those with outside expertise (like Spark Compliance) can make the case for more resources effectively.

No. 3: Make the Case for Compliance-Related Incentives (Again)


Invariably when we at Spark Compliance do compliance program assessments, one of the worst-scored areas is incentives. Despite the fact that the Federal Sentencing Guidelines reference incentives as a part of the scoring to determine whether to grant mitigating credit for having a good compliance program, time and again compliance officers face pushback when implementing them.

That resistance should change with the updates to the ECCP. The new sections focus heavily on incentives and their importance in creating an ethical culture. One new sentence states that “Prosecutors may consider whether a company has incentivized compliance by designing compensation systems that defer or escrow certain compensation tied to conduct consistent with company values and policies.”

Another new sentence tells prosecutors to ask, “How does the company’s hiring and incentive structure reinforce its commitment to ethical culture?” Your company should have an answer to this.

What to Do Now?

Schedule the conversation to make the case for incentivizing compliance.

How do you incentivize compliance?

Take a look at these two resources: Joe Murphy’s eBook HERE and my blog with examples found HERE.

No. 4: Get in the Sales Incentive Game


The DOJ is pushing hard to help us get into the room when financial discussions about bonuses and sales incentives are made. They have good reason to do so, as they’ve just finished a plea deal, including jail time, for one of the executives at Wells Fargo. The executive implemented the bank’s scandalous use of unreasonable sales incentives that led to a complete breakdown in customers’ trust in the bank as well as a $3 billion fine.

The DOJ included a new question in its 2023 update asking, “What role does the compliance function have in designing and awarding financial incentives at senior levels of the organization?”

What to Do Now?


Take an article covering the jailing of the executive (see this one from the Wall Street Journal) along with a copy of the ECCP to make the case that prosecutors expect Compliance to be involved in designing and awarding financial incentives at the senior levels of the organization.

No. 5: Update Your Metrics


Compliance officers often struggle to come up with metrics to determine the effectiveness of their program. In the 2023 update, the DOJ has responded to that by giving several examples of metrics that they consider useful, including:

  • Average time for the completion of investigations into hotline reports
  • Percentage of compensation clawed back or denied to executives who have been found to have engaged in wrongdoing
  • Locations/geographies where hotline report metrics show over or under-reporting
  • Number/percentage of compliance-related allegations that are substantiated
  • Average (and outlier) times to complete a compliance investigation (whether hotline-initiated or not)
  • Consistency of disciplinary action across levels, geographies, units, or departments

What to Do Now?


If you aren’t yet tracking the metrics above, begin today. Make a plan for obtaining the data and keeping it up to date.

We’ve created a whitepaper with over 60 examples of metrics that matter, along with instructions for implementing them. You can download that resource HERE.

In Part II, we’ll go over new actions to take in response to the new DOJ guidance on claw backs, compliance champions programs, root cause analyses, the focus on prevention (not just detection), and more.

Kristy Grant-Hart

Kristy Grant-Hart is the founder and CEO of Spark Compliance.
She's a renowned expert at transforming compliance departments into in-demand business assets.