DOJ guidelines on corporate compliance programs (ECCP)

What the DOJ's Evaluation of Corporate Compliance Programs (ECCP) requires, what changed in the September 2024 update, and what it means for your compliance program.

Travis Hatridge
April 3, 2026

Most compliance programs look fine from the outside. Policies documented, training logged, a reporting channel in place. The problem is that the U.S. Department of Justice doesn't look at programs from the outside.

The Evaluation of Corporate Compliance Programs (ECCP) is the framework DOJ prosecutors use to assess whether your compliance program actually works. It sits behind every criminal enforcement decision involving a corporate defendant. A program that performs well against it can mean reduced penalties, fewer ongoing obligations, and a meaningful distinction between an organization that had a bad actor and one that had a bad culture.

The latest version was updated in September 2024. It raises the bar in ways that matter.

Where the ECCP comes from

The DOJ's Criminal Division published the first ECCP in February 2017. It has been revised four times since: in 2019, 2020, 2023, and most recently September 2024. Each update has expanded what prosecutors are expected to examine and what companies are expected to demonstrate.

The September 2024 version is the most substantive update in recent years. It adds clear new expectations around artificial intelligence, whistleblower culture, and how well-resourced compliance teams are compared to the rest of the business.

The ECCP was written for prosecutors, but it has become something more: a practical benchmark for any organization serious about compliance. If you want to know what good looks like in the eyes of the DOJ, this is where you start. Companies that use the ECCP proactively, to stress-test their programs rather than respond to enforcement pressure, tend to build more credible, more durable compliance cultures as a result.

The three questions every compliance program must answer

The ECCP's core framework has not changed across revisions. Three fundamental questions anchor every evaluation:

Is the program well-designed? Does it reflect the company's actual risk profile, with policies and procedures built to address those specific risks, rather than risks borrowed from a generic template?

Is it adequately resourced and empowered? Does the compliance function have the independence, budget, and data access it needs? Or is it structurally set up to fail?

Does it work in practice? Can the company demonstrate that it monitors, investigates, and improves over time? Or does the program exist only on paper?

That third question is where many programs fall apart. The DOJ is not looking for documentation. It is looking for evidence that compliance is real, lived, and embedded in how the organization actually operates.

What prosecutors actually examine

The ECCP guides prosecutors through several dimensions of a compliance program. Here is what they look at, and what your program needs to show.

Risk assessment

Prosecutors want to see that a company knows its own risks: not generic risks, but the specific ones that come with its industry, geography, and business model. They also want to see that risk assessments happen regularly and incorporate lessons from incidents elsewhere in the sector, not just internal experience.

A risk assessment done once at program launch and never revisited will not hold up. The standard is ongoing, evolving awareness of what the business faces and how the compliance program responds to it.

Policies, procedures, and training

Policies need to be accessible and understood, not buried in a portal nobody visits. The 2024 update tightened the language here: compliance programs must actively mitigate risk, not just aim to reduce it. That is a meaningful shift in expectation.

Training should reflect the policies employees actually need to follow, and it should be updated when circumstances change. Prosecutors also expect training to cover anti-retaliation and external whistleblower protection laws, not just internal reporting procedures. Employees need to understand their rights, not just the rules.

Confidential reporting and anti-retaliation

This is where the 2024 update is most pointed, and where expectations have moved furthest.

Having a reporting channel is now a baseline expectation. What prosecutors examine is whether employees actually use it, whether the company actively encourages reporting, and whether anything in the culture chills it. The DOJ uses that word specifically: chilling. A formal policy that discourages reporting in practice is worse, in some ways, than having no policy at all.

The updated ECCP asks prosecutors to look at how companies treat employees who report misconduct compared to those who knew and said nothing. It asks whether anti-retaliation policies exist, whether employees are trained on them, and whether organizations assess their employees' willingness to report.

That last point deserves attention. The DOJ now expects companies to measure speak-up culture, not just declare it. The question has moved from "do you have a hotline?" to "do your people actually trust it?"

For organizations using an anonymous reporting solution, the infrastructure is a starting point. The culture that surrounds it is what the ECCP is really probing. Read our guide to what whistleblowing is for a fuller picture of how effective reporting programs work in practice.

Third-party risk management

Vendor risk does not get a pass. The 2024 update puts more weight on ongoing due diligence: not just at onboarding, but as part of a continuous process that uses available data to monitor and re-evaluate third-party relationships as they evolve. A clean initial screen means little if nothing happens in the years that follow.

Mergers and acquisitions

Compliance needs to be involved in acquisitions, particularly in post-transaction integration. If an acquired company carries compliance risk, prosecutors will ask what role the compliance function played in identifying it and how the organization addressed it after the deal closed. The ECCP now explicitly asks whether compliance was involved in designing and executing the integration strategy.

Senior management commitment

A compliance program is only as credible as the leadership behind it. Prosecutors look for genuine commitment from both senior and middle management, not ceremonial endorsement at the annual all-hands. That commitment shows up in budgets, in what happens when compliance raises a concern, and in whether leadership visibly models the behavior it asks of everyone else.

Resourcing and autonomy

The 2024 ECCP makes a pointed observation: if a company invests heavily in technology to grow revenue and minimally in technology to detect and manage risk, that asymmetry is now something prosecutors are explicitly told to look for. Compliance teams need the independence to do their jobs without interference and the tools to do them properly.

What the September 2024 update actually changes

Three areas received the most substantive new language in the latest revision.

Artificial intelligence

The DOJ directed the Criminal Division to incorporate AI risks into the ECCP after Deputy Attorney General Lisa Monaco described AI as a double-edged sword in early 2024. The September update follows through.

Prosecutors now evaluate whether companies have governance frameworks for AI, whether those frameworks are integrated into broader enterprise risk management, and whether controls exist to prevent deliberate or reckless misuse. This applies to AI used in commercial operations and AI deployed inside the compliance function itself. Companies that use AI to identify opportunities but have not thought about what happens when it is misused internally will find that gap hard to explain.

Speak-up culture

The ECCP has always required reporting mechanisms. The 2024 update goes further: companies must actively encourage and incentivize reporting, assess employees' willingness to use reporting channels, train employees on anti-retaliation, and demonstrate that people who speak up are treated consistently and fairly compared to those who do not.

This aligns with broader DOJ activity on whistleblowing. In August 2024, the Criminal Division launched the Corporate Whistleblower Awards Pilot Program, which incentivizes individuals to report corporate misconduct directly to the government. The intent is clear: organizations that make internal reporting unappealing will see more external reports to regulators instead. The DOJ is actively creating that alternative.

The practical takeaway: your whistleblowing program needs to be something employees genuinely trust. The DOJ now expects you to show the difference between a channel that exists and one that works. That means anonymous access, protection from retaliation, visible follow-through on reports, and a culture where speaking up is treated as a contribution rather than a risk. For organizations operating in the EU, these requirements sit alongside the obligations of the EU Whistleblowing Directive, which sets its own binding standards for reporting channels, confidentiality, and anti-retaliation.

Data access and analytics

Compliance teams need real data access. The updated ECCP asks whether compliance personnel can reach the data systems required to monitor program effectiveness, whether the company uses analytics to detect misconduct patterns, and how data quality and model accuracy are managed.

The standard is explicit: compliance should have the same access to relevant data that other business functions take for granted. If your sales team has real-time dashboards and your compliance team is working from quarterly spreadsheets, the ECCP now asks prosecutors to treat that as a gap worth examining.

What this means for your compliance program

The ECCP describes a compliance program as something living. It changes based on what the organization learns. It involves genuine commitment from leadership. It surfaces problems early, because people inside the organization trust that speaking up matters and see evidence that it does.

Many programs do not look like that. They look like binders.

The 2024 update closes gaps that were previously soft expectations. AI governance, speak-up culture measurement, and data access for compliance are now hard requirements that prosecutors are guided to probe. Organizations that have not revisited their programs since the last update are likely behind the current standard.

The ECCP is also forward-looking in one important sense. A company that can demonstrate its program works, and can show how it improved after something went wrong, is in a fundamentally different position from one that can only point to a policy document. Prosecutors are looking for continuous improvement, not perfection. That distinction matters when it counts most.

Read our full guide to building an effective whistleblowing program to understand the foundations that sit beneath a program the DOJ would consider genuine.

How SpeakUp supports ECCP compliance

The ECCP's expectations around confidential reporting, anti-retaliation, and measurable speak-up culture are areas where the right infrastructure makes a real difference.

SpeakUp gives your employees a secure, anonymous channel to report concerns, and gives your compliance team the case management tools to act on what comes in, track outcomes, and demonstrate that reports are handled properly. When the DOJ asks whether your organization actively encourages reporting, protects those who speak up, and measures willingness to report, SpeakUp gives you a substantive, documentable answer rather than a policy document and a hope.

Frequently asked questions

What is the DOJ ECCP?

The Evaluation of Corporate Compliance Programs is guidance published by the DOJ's Criminal Division. It tells prosecutors what to look for when evaluating whether a company's compliance program is effective during an enforcement action. You can read the current version on the DOJ's official compliance page.

When was the ECCP last updated?

September 23, 2024. Previous updates were issued in February 2017, April 2019, June 2020, and March 2023.

What are the three core questions in the ECCP?

Whether the compliance program is well-designed. Whether it is adequately resourced and empowered to function. Whether it works in practice.

Does the ECCP apply to all companies?

The ECCP was written for DOJ prosecutors evaluating companies in criminal matters. In practice it is widely used across industries as a benchmark for building and assessing compliance programs, regardless of whether a company is under investigation.

What did the September 2024 update change?

The main additions cover AI and emerging technology risks, strengthened whistleblower and anti-retaliation expectations, and data access requirements for compliance teams. The update also expanded guidance on third-party risk management and post-acquisition compliance integration.

What does the ECCP say about whistleblower protections?

Companies need to go beyond providing a reporting channel. The 2024 update expects active encouragement of reporting, anti-retaliation training that covers external laws, a process for assessing whether employees are willing to report, and consistent fair treatment of those who do.

What happens if a company's compliance program does not meet ECCP standards?

A weak or ineffective program does not automatically trigger prosecution, but it removes one of the most important mitigating factors in an enforcement decision. Companies with credible, functioning programs are more likely to receive favorable resolutions, including reduced penalties and less burdensome ongoing obligations.
