DOJ ECCP - Overview
The Evaluation of Corporate Compliance Programs (ECCP) is the U.S. Department of Justice Criminal Division's guidance document that federal prosecutors use to assess the effectiveness of a corporation's compliance program when making charging decisions, determining penalties, and deciding whether to impose a compliance monitor [cite:587][cite:614]. First published in February 2017 and substantively revised in 2019, 2020, March 2023, and most recently September 2024, the ECCP establishes the prosecutorial standard against which every corporate compliance program in the United States is measured [cite:608][cite:611]. It is not a regulation — it is a prosecutorial framework. But its practical effect is regulatory: companies that demonstrably satisfy the ECCP's criteria receive favourable charging decisions, reduced penalties, declinations, and avoidance of monitors; companies that fail the ECCP's tests face full criminal prosecution [cite:585][cite:607]. The ECCP centres on three fundamental questions [cite:590][cite:593]:
- Is the corporation's compliance program well designed?
- Is the program adequately resourced and empowered to function effectively?
- Does the corporation's compliance program work in practice?
The September 2024 update added significant new requirements around AI and emerging technology risk assessment, whistleblower protections, and compliance function access to data [cite:604][cite:608]. In May 2025, the DOJ Criminal Division further revised its Corporate Enforcement and Voluntary Self-Disclosure Policy (CEP) to provide a clear path to declination (replacing the previous "presumption of declination") for companies that self-disclose, cooperate, and remediate [cite:606][cite:607][cite:588].
DOJ ECCP - What It Is
Prosecutorial Guidance, Not Regulation
The ECCP is a guidance document that assists federal prosecutors in making informed decisions about [cite:587][cite:614]:
- The form of any resolution or prosecution
- The monetary penalty, if any
- Compliance obligations in any corporate criminal resolution (e.g., monitorship or reporting obligations)
It evaluates compliance programs at two points in time [cite:605][cite:595]:
- At the time of the offence — Was the compliance program effective when the misconduct occurred?
- At the time of the charging decision/resolution — Is the compliance program effective now?
Individualised, Not Formulaic
The DOJ explicitly states it does not use a rigid formula [cite:590][cite:605]. Each evaluation is a reasonable, individualised determination considering:
- Company size, industry, and geographic footprint
- Regulatory landscape
- Internal and external operational factors
- The company's specific risk profile
The Three Fundamental Questions
The entire ECCP is structured around three questions, each containing hallmarks with specific prosecutorial inquiries [cite:590][cite:593][cite:587]:
| Question | Focus | Hallmarks |
|---|---|---|
| I. Well Designed? | Programme architecture and risk coverage | Risk assessment; Policies & procedures; Training & communications; Confidential reporting & investigations; Third-party management; M&A due diligence [cite:593][cite:605] |
| II. Adequately Resourced? | Implementation quality and empowerment | Senior/middle management commitment; Autonomy & resources; Compensation structures & consequence management [cite:593][cite:592] |
| III. Works in Practice? | Operational effectiveness and outcomes | Continuous improvement, periodic testing & review; Investigation of misconduct; Analysis & remediation of underlying misconduct [cite:593][cite:609] |
DOJ ECCP - Who It Applies To
Direct Application
The ECCP applies to any corporation subject to U.S. federal criminal jurisdiction that is under investigation, facing charges, or negotiating a resolution with the DOJ Criminal Division [cite:590][cite:587]. This includes:
- U.S.-incorporated companies
- Foreign companies with U.S. operations or nexus
- Companies subject to the FCPA (Foreign Corrupt Practices Act) for bribery of foreign officials
- Companies in any industry — healthcare, financial services, defence, technology, energy, etc.
- Acquiring companies under the M&A Safe Harbor Policy [cite:591][cite:594]
Indirect Application — The De Facto Standard
The ECCP's influence extends far beyond DOJ prosecutions [cite:590][cite:612]:
- Board-level governance — Boards of directors use the ECCP as the benchmark for compliance programme effectiveness
- Internal audit — Internal audit functions test against ECCP hallmarks
- Regulatory agencies — SEC, OCC, OFAC, and other agencies reference ECCP-like standards in their enforcement
- State-level enforcement — State AGs increasingly reference federal compliance evaluation standards
- International enforcement — The UK Serious Fraud Office, French PNF, and other international authorities have adopted similar frameworks influenced by the ECCP
- Private litigation — Plaintiffs' attorneys use ECCP failure as evidence of corporate negligence or failure of duty of care
- Insurance underwriting — D&O and cyber insurers evaluate ECCP compliance in underwriting
Antitrust Division ECCP
In November 2024, the DOJ Antitrust Division released its own revised ECCP specifically for criminal antitrust investigations, retaining the core three-prong structure while adding emphasis on employee roles in compliance culture, AI and ephemeral messaging systems, and remediation methods [cite:586][cite:595].
DOJ ECCP - What It Requires - Well Designed (Section I)
Section I evaluates whether the compliance programme is adequately designed for maximum effectiveness in preventing and detecting wrongdoing [cite:590][cite:605].
A. Risk Assessment
Risk assessment is the starting point for every ECCP evaluation. Prosecutors assess whether the company has identified, assessed, and defined its risk profile, and whether the programme devotes appropriate resources to the full spectrum of risks it faces [cite:605][cite:583].
Prosecutorial inquiries [cite:590]:
- Risk management process — What methodology has the company used to identify, analyse, and address risks? What information or metrics has the company collected? How have they informed the compliance programme?
- Risk-tailored resource allocation — Does the company devote disproportionate time to low-risk areas instead of high-risk areas? Is greater scrutiny given to high-risk transactions?
- Updates and revisions — Is the risk assessment current and subject to periodic review? Is it based on continuous access to operational data, not just snapshots? Have updates led to changes in policies, procedures, and controls?
- Lessons learned — Does the company track and incorporate lessons from its own prior issues or those of peer companies?
September 2024 AI Addition — Prosecutors now assess whether the company has conducted a risk assessment regarding the use of AI and other emerging technologies, and whether it has taken appropriate steps to mitigate technology-related risks [cite:604][cite:608][cite:611]. Specific new inquiries include:
- How does the company assess the potential impact of AI on its ability to comply with criminal laws?
- Is management of AI-related risks integrated into broader enterprise risk management?
- What governance structures and controls exist for technology use?
- How does the company train employees on AI and emerging technology use?
- What steps has the company taken to mitigate technology-related risks and avert potential misuse?
- Does the company monitor developments in AI and adapt its risk management accordingly? [cite:604][cite:608]
B. Policies and Procedures
Policies must give content and effect to ethical norms and address risks identified in the risk assessment [cite:590][cite:593].
Prosecutorial inquiries [cite:590]:
- Design — What is the process for designing, implementing, and updating policies? Have business units been consulted?
- Comprehensiveness — Do policies reflect the full spectrum of risks, including legal and regulatory changes?
- Accessibility — Are policies communicated in searchable, accessible formats? Are there linguistic barriers for foreign subsidiaries? Does the company track access to policies?
- Operational integration — Who is responsible for integrating policies into operations? Are policies reinforced through internal control systems?
- Gatekeepers — Have key gatekeepers (approval authorities, certification holders) received guidance and training on what misconduct to look for and when/how to escalate?
C. Training and Communications
Training must be tailored, effective, and demonstrably understood [cite:590][cite:612].
Prosecutorial inquiries [cite:590]:
- Risk-based training — Has the company provided tailored training for high-risk and control employees? Have supervisory employees received supplementary training?
- Form/content/effectiveness — Is training in appropriate form and language? Has it addressed lessons from prior incidents? Are employees tested? How has the company measured training effectiveness and addressed failures?
- Communications about misconduct — What has senior management done to communicate the company's position on misconduct? Are disciplinary actions communicated (anonymised)?
- Availability of guidance — What resources exist for employees to get compliance guidance? Do employees know when to seek advice and are they willing to?
D. Confidential Reporting Structure and Investigation Process
An efficient, trusted mechanism for anonymous/confidential reporting is "highly probative" of effective corporate governance [cite:590][cite:612].
Prosecutorial inquiries [cite:590]:
- Effectiveness of reporting mechanism — Does the company have an anonymous reporting mechanism? Is it publicised? Has it been used? Are employees aware of and comfortable using it? Does compliance have full access to reporting and investigative information?
- Properly scoped investigations — How does the company determine which complaints merit investigation? How are investigations ensured to be independent, objective, and properly documented?
- Investigation response — Does the company apply timing metrics? Is there a process for monitoring outcomes and ensuring accountability?
- Resources and tracking — Are mechanisms sufficiently funded? Does the company analyse reports for patterns of misconduct? Does it periodically test the hotline end-to-end?
September 2024 Whistleblower Addition — The updated ECCP expands on whistleblower protections, asking prosecutors to evaluate whether companies have robust anti-retaliation policies, whether employees trust the reporting mechanisms, and whether the compliance function has sufficient access to data from reporting channels [cite:604][cite:608][cite:589].
E. Third-Party Management
Risk-based due diligence on third-party relationships is required [cite:590][cite:593].
Prosecutorial inquiries [cite:590]:
- Risk-based processes — How has third-party management corresponded to enterprise risk levels? How is it integrated into procurement and vendor management?
- Appropriate controls — Is there a business rationale for each third party? Do contracts describe services, payment terms, and deliverables?
- Relationship management — How does the company monitor third parties throughout the relationship (not just at onboarding)? Does it exercise audit rights?
- Real actions and consequences — Does the company track red flags from due diligence? Are non-compliant third parties terminated and tracked to prevent re-engagement?
F. Mergers and Acquisitions
The ECCP expects comprehensive pre-acquisition due diligence and timely compliance integration of acquired entities [cite:590][cite:591].
Prosecutorial inquiries [cite:590]:
- Due diligence process — Was pre-acquisition due diligence completed? Was misconduct risk identified?
- Integration — How has the compliance function been integrated into the M&A process?
- Due diligence to implementation — What is the process for tracking and remediating risks identified during due diligence?
- Post-acquisition audits — What is the process for implementing compliance policies and conducting audits at newly acquired entities?
M&A Safe Harbor Policy (October 2023) — The DOJ will presumptively decline to prosecute acquiring entities that voluntarily self-disclose criminal misconduct discovered at acquisition targets within six months of closing, fully cooperate, and remediate within one year [cite:591][cite:594].
DOJ ECCP - What It Requires - Adequately Resourced (Section II)
Section II evaluates whether the compliance programme is more than a "paper programme" — whether it is implemented, resourced, reviewed, and revised effectively [cite:590][cite:592].
A. Commitment by Senior and Middle Management
Culture of compliance starts at the top and is reinforced through the middle [cite:590][cite:592].
Prosecutorial inquiries [cite:590]:
- Conduct at the top — How have senior leaders encouraged or discouraged compliance through words and actions? Have managers tolerated compliance risks in pursuit of revenue? Have managers impeded compliance personnel?
- Shared commitment — What actions have business managers, finance, procurement, legal, and HR taken to demonstrate commitment to compliance?
- Oversight — What compliance expertise exists on the board? Have the board/external auditors held private sessions with compliance? What information has the board examined in the area where misconduct occurred?
B. Autonomy and Resources
Compliance personnel must be empowered with adequate authority, stature, resources, and data access [cite:590][cite:592].
Prosecutorial inquiries [cite:590]:
- Structure — Where is compliance housed? To whom does it report? Is there a designated CCO? Do compliance personnel have non-compliance responsibilities?
- Seniority and stature — How does compliance compare with other strategic functions in compensation, rank, resources, and access to decision-makers? Has compliance stopped or modified transactions?
- Experience and qualifications — Do compliance personnel have appropriate qualifications? Has the level changed over time?
- Funding and resources — Is there sufficient staffing for auditing, documentation, analysis, and action? Have resource requests been denied?
- Data resources and access — Do compliance personnel have sufficient access to relevant data sources for timely monitoring and testing? Do impediments exist, and what is being done about them?
- Autonomy — Do compliance functions have direct reporting lines to the board/audit committee? How is independence ensured?
- Outsourced functions — If compliance is outsourced, who oversees it? How is effectiveness assessed?
September 2024 Data Access Addition — The updated ECCP significantly expands on compliance function access to data, emphasising that compliance personnel must have timely access to operational data, analytics tools, and reporting systems to effectively monitor and test controls [cite:604][cite:608][cite:589].
C. Compensation Structures and Consequence Management
Incentives for compliance and disincentives for non-compliance must be established and enforced [cite:590][cite:592].
Prosecutorial inquiries [cite:590]:
- Human resources process — Who participates in disciplinary decisions? How transparent is the process? Are reasons for discipline communicated?
- Disciplinary measures — Are recoupment/clawback provisions in place and enforced? Are employees on notice they won't benefit from misconduct?
- Consistent application — Are disciplinary actions applied consistently across levels, geographies, and departments? Does compliance monitor for consistency?
- Financial incentive system — Has the company considered the impact of compensation on compliance? Are bonuses tied to compliance performance? Are clawback provisions maintained and enforced?
DOJ ECCP - What It Requires - Works in Practice (Section III)
Section III evaluates whether the compliance programme produces real results — detection, investigation, remediation, and continuous improvement [cite:590][cite:609].
A. Continuous Improvement, Periodic Testing, and Review
A compliance programme must evolve [cite:590][cite:609][cite:593].
Prosecutorial inquiries [cite:590][cite:609]:
- Internal audit — How strong is the internal audit function? Does it conduct risk-based auditing of compliance controls?
- Control testing — Has the company tested its compliance controls? What testing methodologies are used? Have tests been conducted by qualified, independent personnel?
- Evolving updates — How has the compliance programme been updated based on testing results, audit findings, and changing risks?
- Culture of compliance — How and how often is compliance culture measured? Does the company use surveys, interviews, or other mechanisms?
B. Investigation of Misconduct
The ECCP expects timely, thorough, independent investigations with proper documentation [cite:590][cite:593].
Prosecutorial inquiries [cite:590]:
- Properly scoped investigations — How does the company scope investigations? Are they conducted by qualified, independent personnel?
- Response to investigations — What happens after investigation findings? Are there accountability measures?
- Independence and empowerment — Can the investigation function operate independently of management influence?
September 2024 Communication Channels Addition — The updated ECCP carries forward the March 2023 expansion on ephemeral messaging and personal device policies. Prosecutors assess the company's policies on communication platforms and messaging applications, and how it preserves and monitors electronic communications on them [cite:604][cite:611].
C. Analysis and Remediation of Underlying Misconduct
Root cause analysis and remediation are hallmarks of a programme that works [cite:590][cite:593].
Prosecutorial inquiries [cite:590]:
- Root cause analysis — Has the company conducted a root cause analysis of the misconduct? What systemic issues were identified?
- Prior weaknesses — Were there prior indications or opportunities to detect the misconduct?
- Remediation — What specific changes were made to policies, procedures, controls, and personnel? Were changes timely and comprehensive?
- Accountability — Were individuals held accountable through appropriate disciplinary or remedial measures?
DOJ ECCP - What It Requires - Voluntary Self-Disclosure and Safe Harbor
The DOJ's Corporate Enforcement and Voluntary Self-Disclosure Policy (CEP), revised May 2025, works in tandem with the ECCP [cite:606][cite:607][cite:588].
Path to Declination (May 2025 CEP)
The revised CEP provides a clear path to declination — not merely a presumption — for companies that meet three core requirements [cite:588][cite:606]:
- Voluntary self-disclosure — The company discloses original information not already known to the government, voluntarily and in a timely manner
- Full cooperation — The company fully cooperates with the investigation, preserves and discloses all relevant documents, and makes individuals available
- Timely and appropriate remediation — The company remediates the misconduct, including implementing or improving its compliance programme
If declination is unwarranted, a non-prosecution agreement (NPA) is the default resolution [cite:606].
120-Day Whistleblower Response Window
As of August 1, 2024, companies must self-disclose within 120 days of receiving an internal whistleblower report to remain eligible for the declination presumption [cite:597]. This creates a race-to-the-door dynamic: if the whistleblower reports to DOJ first, the company loses the self-disclosure benefit [cite:585][cite:597].
M&A Safe Harbor (October 2023)
Acquiring companies that self-disclose misconduct discovered at targets within six months of closing and remediate within one year receive a presumption of declination [cite:591][cite:594].
Corporate Whistleblower Awards Pilot Program
Expanded in May 2025 to cover the Trump administration's enforcement priorities: national security, healthcare fraud, transnational criminal organisations, sanctions evasion, tariff evasion, and trade/customs fraud [cite:606][cite:615][cite:610]. Individuals receive monetary awards for tips leading to enforcement actions, creating additional pressure on companies to self-disclose before employees do [cite:585][cite:607].
Reduced Monitorships (May 2025)
DOJ will not impose compliance monitors except in exceptional circumstances, significantly reducing post-resolution burden on companies [cite:606][cite:613].
DOJ ECCP - Governance Implications
The ECCP is the U.S. government's most granular articulation of what "effective compliance" looks like in practice. It translates directly to governance architecture requirements [cite:590][cite:612].
Ontic BOM Mapping
- model — AI/ML models used in business operations or compliance functions are now explicitly within the ECCP's scope. The September 2024 update requires companies to demonstrate that they have conducted a risk assessment regarding AI use, implemented governance structures and controls, and trained employees on AI-related risks [cite:604][cite:608]. Models used for compliance monitoring (transaction screening, anomaly detection, automated due diligence) must be validated, tested, and documented as part of the "works in practice" evaluation (Section III.A)
- oracle — The ECCP creates extensive oracle requirements: risk assessment documentation, policy registers, training completion records, investigation files, remediation tracking, root cause analyses, disciplinary action logs, hotline/reporting data, third-party due diligence files, M&A compliance integration records, and board oversight documentation [cite:590]. These records constitute the evidentiary basis for demonstrating compliance programme effectiveness at both time-of-offence and time-of-resolution
- ontology — The ECCP's three-prong structure (well designed / adequately resourced / works in practice) with nine hallmarks provides the compliance ontology. Every hallmark contains specific prosecutorial inquiries that define the evaluation taxonomy. This ontology maps to ISO 37301 compliance management system requirements and GRC framework structures [cite:593]
- system_prompt — For AI systems performing compliance functions (automated monitoring, screening, risk scoring), the system prompt configuration determines detection sensitivity, risk thresholds, and escalation triggers. Under the September 2024 ECCP, prosecutors will examine whether AI-driven compliance tools are appropriately configured, monitored, and validated [cite:604][cite:608]
- gate — The ECCP creates implicit gates: risk assessment before programme design (I.A), due diligence before third-party engagement (I.E), due diligence before M&A (I.F), board oversight review (II.A), control testing before reliance (III.A), root cause analysis before remediation (III.C), and self-disclosure within 120 days of whistleblower report (CEP) [cite:590][cite:597]
- security — Data resources and access (II.B) requires compliance personnel to have secure, timely access to operational data. Investigation independence (III.B) requires secure, tamper-proof investigation records. Communication channel monitoring (III.B) requires policies on ephemeral messaging and personal devices [cite:604]
- signed_client — Self-disclosure submissions, cooperation records, remediation plans, and compliance programme documentation submitted to DOJ must be authenticated and authoritative. These records determine charging decisions and penalty amounts [cite:585][cite:588]
E/A/D Axis Integration
| E/A/D Axis | ECCP Section | Hallmarks | Evidence |
|---|---|---|---|
| Ethical (E) | I.C (Training & Communications), II.A (Senior Management Commitment), II.C (Incentives) | Culture of compliance, tone at the top, ethical norms, DEIA-inclusive training | Training records, culture surveys, leadership communications, disciplinary consistency data [cite:590] |
| Accountable (A) | I.A (Risk Assessment), I.B (Policies), I.D (Reporting), I.E (Third Party), II.B (Resources) | Documented risk methodology, accessible policies, functional reporting channels, resourced compliance function with data access | Risk assessment documentation, policy registers, hotline data, compliance function org charts, resource allocation records [cite:590] |
| Defensible (D) | III.A (Testing & Review), III.B (Investigation), III.C (Remediation), CEP (Self-Disclosure) | Tested controls, timely investigations, root cause analysis, documented remediation, self-disclosure within 120 days | Control testing results, investigation files, root cause analyses, remediation tracking, self-disclosure records, board minutes [cite:590][cite:597] |
DOJ ECCP - Enforcement Penalties
The ECCP itself does not impose fines — it determines how prosecutors exercise discretion in cases where penalties are at stake [cite:590][cite:605].
Spectrum of Outcomes
| Outcome | When Applied | ECCP Factor |
|---|---|---|
| Declination | Company self-discloses, fully cooperates, remediates, has effective compliance programme | All three prongs satisfied; self-disclosure meets CEP criteria [cite:588][cite:606] |
| Non-Prosecution Agreement (NPA) | Declination unwarranted but significant cooperation and remediation | Strong showing on prongs II and III; default post-May 2025 if declination not available [cite:606] |
| Deferred Prosecution Agreement (DPA) | Serious misconduct but significant mitigating factors including compliance programme improvements | Compliance programme improving but not yet fully effective [cite:585] |
| Guilty plea / conviction | Egregious misconduct, inadequate compliance, failure to cooperate | ECCP evaluation shows programme was not well designed, not resourced, or not working [cite:590] |
| Monitorship | Compliance programme requires external oversight (now only in "exceptional circumstances" per May 2025 revision) | ECCP evaluation shows significant gaps requiring independent verification [cite:606][cite:610] |
| Enhanced penalties | Aggravating factors present | Programme was a "paper programme," management was complicit, or company obstructed [cite:590] |
| Reduced penalties | Effective compliance programme was in place at time of offence | ECCP evaluation demonstrates programme was well designed, resourced, and working, but misconduct still occurred (no programme is perfect) [cite:590] |
Practical Penalty Impact
Under the U.S. Sentencing Guidelines, an effective compliance programme can reduce the culpability score by up to 3 points (U.S.S.G. § 8C2.5(f)), which translates to significantly reduced fine ranges [cite:590]. A declination under the revised CEP means no criminal resolution at all — the most favourable outcome possible [cite:588][cite:606].
AI-Specific Enforcement Risk
The September 2024 ECCP puts companies on notice that if their use of AI leads to compliance failures, prosecutors will examine whether resources devoted to AI risk management were proportionate to the risk [cite:604][cite:587]:
- Inadequate AI risk assessment → weakens "well designed" evaluation
- Insufficient AI governance structures → weakens "adequately resourced" evaluation
- Failure to monitor AI-driven compliance tools → weakens "works in practice" evaluation
- Use of AI that facilitates misconduct without adequate controls → aggravating factor
DOJ ECCP - Intersection With Other Frameworks
The ECCP does not exist in isolation — it interfaces with every major compliance and governance framework [cite:590][cite:612].
Direct Intersections
| Framework | Intersection With DOJ ECCP |
|---|---|
| ISO 37301 | Compliance management system standard maps directly to the ECCP three-prong structure: Clauses 4–6 (well designed), Clauses 7–8 (adequately resourced), Clauses 9–10 (works in practice). ISO 37301 certification provides documentary evidence of ECCP compliance |
| COSO Internal Control / ERM | COSO's five components (control environment, risk assessment, control activities, information/communication, monitoring) align with ECCP hallmarks. COSO provides the internal control methodology; ECCP provides the prosecutorial evaluation criteria |
| NIST AI RMF | The September 2024 ECCP's AI risk assessment requirements map to NIST AI RMF functions: GOVERN (governance structures and controls), MAP (risk identification), MEASURE (testing and evaluation), MANAGE (risk treatment and incident response) [cite:604][cite:608] |
| ISO 27001 | Information security controls protect compliance programme data, investigation records, and reporting channels. ECCP Section II.B (data resources and access) and III.B (communication channels) directly reference data security practices |
| GDPR | Companies subject to both DOJ jurisdiction and GDPR must manage compliance programmes that satisfy ECCP hallmarks while complying with GDPR data processing requirements. Investigation processes, employee monitoring, and whistleblower programmes must navigate both frameworks |
| SOC 2 | Trust services criteria (security, availability, processing integrity) provide the control evidence that supports ECCP Section III.A (control testing) and II.B (data access and resources) |
| HIPAA | Healthcare companies face ECCP evaluation alongside HIPAA compliance; the ECCP expects healthcare-specific risk assessments addressing fraud, anti-kickback, and data protection risks |
| PCI DSS | Financial services and payment processing companies must demonstrate PCI DSS controls as part of their risk-tailored compliance programme under ECCP Section I.A |
| FCPA | The ECCP was originally developed primarily for FCPA enforcement; the Corporate Enforcement Policy provides specific FCPA guidance on declination criteria, cooperation, and remediation |
| U.S. Sentencing Guidelines | The ECCP implements and operationalises U.S.S.G. § 8B2.1 (effective compliance and ethics programme) and § 8C2.5(f) (culpability score reduction for effective programme) [cite:590] |
| GRC Fundamentals | The ECCP is the prosecutorial expression of integrated GRC: governance (I.A risk assessment, I.B policies, II.A management commitment), risk (I.A risk methodology, I.E third-party risk, I.F M&A risk), compliance (I.C training, I.D reporting, III.A testing, III.C remediation) |
Cross-Oracle References
The following oracles in the library contain content that directly supports ECCP compliance evidence:
- Internal Controls — ECCP Sections I.B (policies as controls), II.B (control environment), III.A (control testing)
- Policy Management — ECCP Section I.B (design, comprehensiveness, accessibility, operational integration)
- Compliance Management Systems — ECCP entire three-prong structure maps to CMS frameworks (ISO 37301)
- GRC Fundamentals — ECCP is the prosecutorial implementation of integrated GRC
- NIST AI RMF — September 2024 AI risk assessment additions map to AI RMF functions
DOJ ECCP - Recent Updates
September 2024 Update — The AI and Technology Revision
The most significant substantive revision since the ECCP's creation [cite:604][cite:608][cite:589]:
AI and emerging technology risk management:
- Companies must conduct a risk assessment regarding the use of AI and other new technologies [cite:604]
- Prosecutors evaluate governance structures and controls for technology use [cite:608]
- Companies must assess how AI impacts their ability to comply with criminal laws [cite:604]
- Training employees on AI use and risks is expected [cite:608]
- Resources devoted to AI risk management must be proportionate to risk [cite:587]
- Ten specific prosecutorial questions on AI and technology risk assessment added to Section I.A [cite:611]
Whistleblower protections:
- Expanded inquiry into anti-retaliation policies and employee trust in reporting mechanisms [cite:604][cite:589]
- Links to the 120-day self-disclosure window following internal whistleblower reports [cite:597]
Compliance function access to data:
- Compliance personnel must have sufficient access to operational data, analytics tools, and reporting systems [cite:604][cite:608]
- Impediments to data access must be identified and addressed [cite:611]
May 2025 — Corporate Enforcement Policy Overhaul
The DOJ Criminal Division, under Matthew Galeotti, announced comprehensive revisions [cite:606][cite:607][cite:588]:
- Clear path to declination — Companies meeting self-disclosure, cooperation, and remediation criteria "will" receive a declination (replacing "presumption" language) [cite:588]
- NPA as default — If declination is unwarranted, non-prosecution agreement is the default resolution form [cite:606]
- Reduced monitorships — Monitors will not be imposed except in "exceptional circumstances" [cite:606][cite:613]
- Expanded whistleblower programme — Corporate Whistleblower Awards Pilot Program expanded to cover national security, healthcare fraud, transnational criminal organisations (TCOs), sanctions evasion, and tariff/trade fraud [cite:606][cite:615]
- Enforcement priorities — Drug cartels, fentanyl, human smuggling, child predation, fraud in U.S. markets, sanctions evasion, tariff evasion, and bribery impacting U.S. national interests [cite:613][cite:606]
- Individual accountability — Individual prosecutions remain DOJ's top priority; corporate resolution does not preclude individual charges [cite:613]
November 2024 — Antitrust Division ECCP Revision
The Antitrust Division revised its parallel ECCP for criminal antitrust investigations [cite:586][cite:595]:
- All employees have roles in antitrust compliance
- AI and ephemeral messaging addressed
- Board of directors compliance expertise evaluated
- Confidential reporting structures emphasised
- Remediation guidelines updated
Historical Timeline
| Date | Update |
|---|---|
| February 2017 | Initial ECCP published by Criminal Division Fraud Section [cite:605] |
| April 2019 | First substantive revision; risk assessment emphasis elevated [cite:605] |
| June 2020 | Lessons learned and root cause analysis additions [cite:584] |
| March 2023 | Personal devices, ephemeral messaging, data access additions [cite:608][cite:614] |
| October 2023 | M&A Safe Harbor Policy announced [cite:591] |
| August 2024 | 120-day whistleblower response window; Corporate Whistleblower Awards Pilot Program launched [cite:597][cite:585] |
| September 2024 | AI and emerging technology risk assessment; whistleblower protections; data access emphasis [cite:604][cite:608] |
| November 2024 | Antitrust Division ECCP revision [cite:586] |
| May 2025 | Corporate Enforcement Policy overhaul: clear declination path, reduced monitors, expanded whistleblower programme [cite:606][cite:607] |