Elevating compliance standards: what companies must know to meet DOJ and SEC expectations

Category: Federal & State Compliance

Written by Global Investigations Review on Oct 1, 2025

Alejandra Montenegro Almonte, Ann K Sultan, Facundo Galeano, Miller & Chevalier

This is an extract from the fourth edition of GIR’s The Guide to Compliance.

This is an Insight article, written by a selected contributor as part of GIR’s co-published content.

Introduction

US compliance expectations for corporations have significantly increased over the past two decades. These expectations have been driven most prominently by the US Department of Justice (DOJ) and the Securities and Exchange Commission (SEC) – the principal enforcement agencies with jurisdiction over financial and other white-collar crimes.

Guidance on US compliance expectations comes primarily from:

  • the US Sentencing Guidelines;
  • guidance to US prosecutors;
  • guidance provided to the public through various resources;
  • enforcement actions; and
  • public statements by officials.

Together, these pieces of guidance set an expectation that companies develop a risk-based multi-faceted approach to compliance.

As of the time of writing this chapter, the Trump administration has issued several policy documents and directives relevant to its enforcement priorities, including an Executive Order directing a temporary pause of enforcement of the US Foreign Corrupt Practices Act (FCPA) for 180 days while the DOJ re-examined open cases and enforcement priorities.[1] Since then, the Head of the DOJ Criminal Division has issued a memorandum titled ‘Focus, Fairness, and Efficiency in the Fight Against White-Collar Crime’, which outlines the Division’s enforcement priorities and policies for prosecuting corporate and white-collar crimes.[2] Additionally, the DOJ has released updated guidance on the selection of monitors in Criminal Division matters, along with revisions to the Corporate Enforcement and Voluntary Self-Disclosure Policy and the Corporate Whistleblower Awards Pilot Program. Finally, in response to the Executive Order, on 9 June 2025, Deputy Attorney General Todd Blanche issued revised guidance[3] on investigations and enforcement of the FCPA ‘targeting enforcement actions against conduct that directly undermines US national interests’. Notably, while enforcement priorities may have shifted, the aforementioned policy changes do not significantly alter the importance of robust compliance programmes for companies subject to US jurisdiction.

A brief background on US compliance guidance

Historically, principal compliance guidance came from the United States Sentencing Commission Guidelines Manual (the Sentencing Guidelines).[4] Developed by the Commission to promote effectiveness and fairness in the criminal justice system, as authorised by the Sentencing Reform Act of 1984, the Sentencing Guidelines were amended in 1991 to include Chapter 8, laying out sentencing considerations for organisations that have committed crimes. Subsequently amended in 2004, Chapter 8B, ‘Remedying Harm from Criminal Conduct, and Effective Compliance and Ethics Program’, outlines the very basic principles deemed most critical by the Commission for evaluating corporate compliance programmes.

Further compliance guidance for corporations gradually emerged through enforcement actions brought under the US law prohibiting bribery of foreign public officials: the FCPA. Because the FCPA, unlike more recent anti-bribery laws in other jurisdictions, does not prescribe compliance requirements, the DOJ and the SEC communicate compliance expectations through enforcement actions, such as deferred prosecution agreements and other civil and criminal resolutions with corporations and individuals, and public policy or guidance releases. Together, these sources provide the foundation for many of the elements of corporate compliance that we know today.

Building on years of ‘unofficial’ compliance guidance through resolution documents, in November 2012, the DOJ and the SEC jointly issued ‘A Resource Guide to the US Foreign Corrupt Practices Act’ (the Resource Guide), which introduced for the first time the now well-established principles underlying effective compliance programmes. The Resource Guide was last updated on 3 July 2020.[5]

Since that time, the DOJ has issued other guidelines of its own, such as the guidelines on ‘Evaluation of Corporate Compliance Programs’ (updated most recently in September 2024) (the Evaluation Guidance)[6] and the ‘Criminal Division Corporate Enforcement and Voluntary Self-Disclosure Policy’ (updated most recently in May 2025) (the Enforcement Policy).[7] Although most of the key elements of corporate compliance originated from the Sentencing Guidelines and compliance with anti-corruption laws, these guidelines apply broadly to other financial crimes as well, such as money laundering, fraud, tax evasion and violations of economic sanctions. In particular, the Evaluation Guidance provides general principles for evaluating the effectiveness of corporate compliance programmes and is not specific to any type of corporate crime.

In this chapter, we discuss the four main sources of guidance on compliance requirements issued by the DOJ. Although the guidance provided does not constitute requirements or obligations mandated by US laws, together these documents define US government expectations and set the standards to which the DOJ and the SEC hold companies when evaluating their compliance programmes in criminal, civil and regulatory enforcement actions. As shown by a 2024 Miller & Chevalier survey that measured compliance maturity in various markets,[8] the United States is one of the ‘most developed’ markets, which reflects a continued trend of companies improving and expanding their compliance programmes beyond basic policies and making meaningful investments to erect robust, sustainable programmes based on the guidance discussed in this chapter.

United States Sentencing Commission Guidelines Manual

The Sentencing Guidelines provide the basis for corporate compliance. Focusing on the need for adequate due diligence and a culture of compliance, the Guidelines state the following:

To have an effective compliance and ethics program . . . an organization shall—

  1. exercise due diligence to prevent and detect criminal conduct; and
  2. otherwise promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.

Such compliance and ethics program shall be reasonably designed, implemented, and enforced so that the program is generally effective in preventing and detecting criminal conduct. The failure to prevent or detect the instant offense does not necessarily mean that the program is not generally effective in preventing and detecting criminal conduct.[9]

In a few short sentences, the Sentencing Guidelines provide the framework for more detailed guidance developed later that dives deeper into compliance programme design, application and testing.

In August 2022, the US Sentencing Commission issued ‘The Organizational Sentencing Guidelines’, which provide comprehensive organisational sentencing data and summarise the influence of the Sentencing Guidelines over compliance in both the public and private sectors in the past 30 years. Despite the ‘widespread acceptance’ of the above criteria for ‘developing and maintaining effective compliance and ethics programs to prevent, detect, and report criminal conduct’, the Organizational Guidelines found that ‘the lack of an effective compliance and ethics program may be a contributing factor to criminal prosecutions against organizations’, noting that 89.6 per cent of the organisational offenders since fiscal year 1992 did not have a compliance and ethics programme.[10]

A Resource Guide to the US Foreign Corrupt Practices Act

The FCPA Resource Guide emphasises the importance of implementing an effective compliance programme that is ‘tailored to the company’s specific business and to the risks associated with that business’ in order to ‘prevent, detect, remediate, and report misconduct’.[11] The programme should be ‘well-constructed, effectively implemented, appropriately resourced, and consistently enforced’.[12] Having an adequate and effective compliance programme may help companies under investigation by the DOJ or the SEC obtain more favourable outcomes in terms of the form of resolution, monetary penalty and compliance obligations that could be imposed.

As a threshold matter, when assessing the effectiveness of a company’s compliance programme, the DOJ and the SEC will consider three main factors: whether the programme (1) is well designed, (2) is being applied in good faith, and (3) works in practice.

To guide companies in designing and implementing effective compliance programmes, the DOJ and the SEC introduced 11 ‘hallmarks’ that they consider necessary for a well-functioning compliance programme; however, the DOJ and the SEC acknowledge that one size cannot fit all and, therefore, caution that each company’s compliance programme should be designed to address its own ‘specific needs, risks, and challenges’.[13] Additionally, in 2023, the DOJ revised its detailed requirements for effective corporate compliance programs, found in Attachment C to corporate resolutions, to better reflect its policy guidance and incorporate lessons based on recent FCPA enforcement, but these requirements are not limited to companies subject to FCPA resolutions. We discuss each of the hallmarks and edits to the Attachment C requirements below.

Commitment from management and a clearly articulated policy against corruption

A proper tone from the top is a key component of a strong compliance culture, which is fundamental to a strong compliance programme. The DOJ and the SEC encourage corporate leaders, such as board members and senior executives, to commit to ethical and compliant business practices and to demonstrate that commitment not just through words but by their own conduct. Corporate leaders must ensure that their companies have clearly articulated standards against corruption, which the corporate leaders should unambiguously communicate and disseminate throughout the organisation. In the new Attachment C, the DOJ expands management’s commitment to compliance to specifically include mid-level management and clarifies that support for compliance needs to ‘create and foster a culture of ethics and compliance’ in the ‘day-to-day operations at all levels of the Company’.[14]

Code of conduct and compliance policies and procedures

A company should have a code of conduct that is ‘clear, concise, and accessible’ to all employees and its third parties, and that should be reviewed and updated periodically to stay current.[15] To be ‘clear, concise, and accessible’, a code of conduct should be easy to understand and be relevant to every member of the organisation. It is recommended that companies make their codes of conduct available in the local languages of the countries in which they operate.

Building on the code of conduct, a company should develop and put in place written policies and procedures that ‘outline responsibilities for compliance within the company, detail proper internal controls, auditing practices, and documentation policies, and set forth disciplinary procedures’ to ensure that the principles set out in the code of conduct are followed and that the company can properly manage its specific risks.[16]

The FCPA Resource Guide lists a few areas that commonly present compliance risks that a company may need to address through specific policies and procedures, including interactions and transactions with foreign officials; engagement of third parties; gifts, travel and entertainment expenses; charitable and political donations; and facilitating and expediting payments.

Oversight, autonomy and resources

To monitor the implementation of a compliance programme, the FCPA Resource Guide calls for a company to assign oversight responsibility to its senior executives, who ‘must have appropriate authority within the organization, adequate autonomy from management, and sufficient resources’ to ensure the effectiveness of the compliance programme.[17] Whether the resources that a company dedicates to compliance are sufficient will be highly dependent on the company’s size and industry, the countries in which it operates, the complexity of its business and risks associated with its business.

Risk assessment

The FCPA Resource Guide recommends a risk-based approach to compliance, meaning that a company should analyse the specific compliance risks that it faces and design its compliance programme to address those specific risks, including by dedicating more resources to markets, transactions and third parties that pose higher risks. When the risks for corruption or other financial crimes increase, a company should increase its due diligence efforts, which again are company-specific.

The FCPA Resource Guide identifies common factors that often affect those risks, including the countries and industry in which the company operates, the nature of the business opportunity or transaction, the involvement of business partners and other third parties, the level of interactions with governments and the amount of government regulation and oversight.[18]

Training and continuing advice

For a compliance programme to be effective, all levels of officers and employees within a company must understand the company’s compliance requirements and how those requirements apply to them. To achieve this goal, a company should conduct periodic training sessions on company policies and procedures and applicable laws. Training should include practical tips and case studies relevant to the specific audience. Similar training may also need to be provided for third parties with which the company does business, particularly in high-risk countries.

In addition to formal training, a company should encourage employees to seek guidance and ongoing compliance advice from company compliance personnel. To facilitate that guidance, a company should ensure that employees know to whom they should reach out for advice and how to do that.[19]

Further, according to the revised Attachment C, companies need to implement mechanisms to ensure that policies are effectively communicated to ‘all directors, officers, employees, and, where necessary and appropriate, agents and business partners’. These mechanisms shall include, among others, ‘metrics for measuring knowledge retention and effectiveness’ of training, which must be ‘tailored to the audience’s size, sophistication, or subject matter expertise’.[20] Where appropriate, companies should also ‘discuss prior compliance incidents’ in training.[21]

Incentives and disciplinary measures

A company should clearly articulate that compliance obligations apply to all members of the organisation without exception and should implement appropriate procedures to discipline those who fail to follow applicable laws or company policies and procedures. Not only can effective disciplinary measures punish the wrongdoers and remediate their wrongdoing to some degree, from which a company under investigation by the DOJ or the SEC may earn credit, they can also deter others from engaging in misconduct. Appropriate disciplinary measures may range from coaching, written warnings, withholding of discretionary bonuses and exclusion from promotion opportunities to dismissal.

On the other hand, rewarding compliant behaviour can further drive and promote corporate compliance, and also shows the value that an organisation places on ethics and compliance. Companies, therefore, should also design incentives to reward those who demonstrate commitment to compliance. Incentives can be monetary, such as making compliance a metric for salary or bonus determination, or non-monetary, such as personnel evaluations and promotions or rewards and recognition within the organisation.[22]

The updated Attachment C also makes it clear that a company should ‘implement clear mechanisms to incentivise behavior . . . that comply with its corporate policy against violations of the anti-corruption laws, its compliance policies, and its Code of Conduct’, including by incorporating compliance-related factors in the ‘compensation and bonus system’ and instituting ‘appropriate disciplinary procedures’ to address violations of those laws and policies.[23]

Third-party due diligence and payments

Third parties remain the highest compliance risk for companies – agents, consultants and sales partners, among others, are frequently involved in cross-border financial crimes. Due diligence provides an effective way to mitigate those risks.

The FCPA Resource Guide provides the following three guiding principles on conducting due diligence on third parties,[24] noting that ‘the degree of appropriate due diligence may vary based on industry, country, size and nature of the transaction, and historical relationship with the third party’:

First, a company should understand the qualifications and associations of its third parties, including whether they have any relationship with foreign officials.

Second, a company should have a business rationale for involving a specific third party in a transaction and specify its role and responsibilities in the engagement within the contract terms.

Third, a company should undertake continuing monitoring after a third party is engaged, including conducting due diligence refreshers periodically based on its risk level, providing compliance training, requesting compliance certifications and exercising audit rights.[25]

Moreover, the updated Attachment C is significantly revised as regards third-party management. Specifically, it now imposes explicit obligations that companies understand and document the reasons for using a third party in a transaction and ensure that contract terms with those third parties ‘specifically describe the services to be performed’.[26] As part of the continuing monitoring, a company should also have an effective way to confirm that the third party is actually performing the work described in the contract and is receiving compensation commensurate with the goods or services it provides, including based on its ‘industry and geographical region’.[27] The DOJ also expects companies to monitor continuously their third-party relationships through ‘updated due diligence, training, audits, and/or annual compliance certifications’.[28]

Confidential reporting and internal investigation

Companies must investigate allegations of wrongdoing and should design an adequate allegation management system that has (1) a process that allows company personnel and third parties to report suspected or actual misconduct anonymously, and (2) a process for the company to thoroughly investigate the allegations in a timely manner, and document its findings and responses, including any disciplinary measures or remedial actions taken.[29]

Continuous improvement: periodic testing and review

The DOJ and the SEC encourage companies to conduct regular testing and reviews of their compliance programmes and make improvements that may be necessary because of changes in their business operations, applicable laws and regulations, and industry standards.[30] The DOJ also emphasises, in the updated Attachment C, that companies should ‘ensure that compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of transactions’.[31]

Pre-acquisition due diligence and post-acquisition integration

In mergers and acquisitions, it is crucial that a company conduct appropriate pre-closing and post-closing due diligence and risk assessment and integrate the new entity into the company’s compliance programme in a timely manner. These measures will mitigate the risk of potential liability for the company that could result from any misconduct in which the target company might have engaged prior to the transaction.[32]

Investigation, analysis and remediation of misconduct

The FCPA Resource Guide refers to responding to misconduct as the ‘truest measure of an effective compliance program’.[33] Companies should implement and maintain ‘a well-functioning and appropriately funded mechanism for the timely and thorough investigations of any allegations or suspicions of misconduct by the company, its employees, or agents’ and then properly document their responses, including any disciplinary or remedial measures taken.[34] Companies should also analyse the root causes of the misconduct and integrate the lessons learned into their policies, training and internal controls.[35]

In an entirely new provision added to Attachment C, companies subject to FCPA resolutions are now required to ‘conduct a root cause analysis of misconduct, including prior misconduct, to identify any systemic issues and/or any control failures’, which must be accompanied by ‘timely and appropriate’ remediation.[36]

Evaluation of corporate compliance programmes

The DOJ Criminal Division issued in 2017 (and subsequently amended in 2019, 2020, 2023 and 2024) its Evaluation Guidance to assist federal prosecutors in evaluating the effectiveness of a company’s compliance programme as part of their enforcement determinations in line with the requirements of Section 9-28.300 of the Justice Manual and of the Sentencing Guidelines. The Justice Manual requires prosecutors to consider certain factors in determining ‘the adequacy and effectiveness of the corporation’s compliance programme at the time of the offense, as well as at the time of a charging decision’ and the corporation’s efforts ‘to implement an adequate and effective corporate compliance program or to improve an existing one’.[37]

The Evaluation Guidance retains the hallmark principles introduced in the FCPA Resource Guide but crafts questions that federal prosecutors should consider, both at the time of the offence and at the charging or resolution stage, to evaluate whether a company’s programme meets the DOJ’s expectations for each hallmark. These questions also serve as an important tool for companies seeking to design and maintain an effective compliance programme that meets the expectations of the US authorities.

The Evaluation Guidance is organised around three core questions and the compliance hallmarks under each question to help federal prosecutors and (by extension) companies understand how the various hallmarks interact:

Is the programme well designed?

  • Risk assessment
  • Policies and procedures
  • Training and communications
  • Confidential reporting structure and investigation process
  • Third-party management
  • Mergers and acquisitions

Is the programme being applied in good faith?

  • Commitment by senior and middle management
  • Autonomy and resources
  • Compensation structures and consequence management

Does the programme work in practice?

  • Continuous improvement, periodic testing and review
  • Investigation of misconduct
  • Analysis and remediation of any underlying misconduct

Building on the FCPA Resource Guide, the Evaluation Guidance applies a broader lens to compliance: it seeks first to capture a company’s general approach to its compliance programme, then to focus on a company’s application of its programme and finally to how the programme did or did not work in connection with the alleged misconduct under investigation. A few aspects of the Evaluation Guidance are of particular note.

Emphasis on decision-making rationale

The Evaluation Guidance reflects increased sensitivity to the circumstances and business realities of companies. For example, in its introductory paragraphs, the DOJ notes that certain portions of the Evaluation Guidance may be more or less relevant to companies depending on their specific circumstances: ‘In any particular case, the topics and questions set forth below may not all be relevant, and others may be more salient given the particular facts at issue and the circumstances of the company.’[38]

The Evaluation Guidance drives this point by including questions intended to prompt prosecutors to enquire about a company’s rationale for decision-making regarding the design and implementation of its compliance programme – both broadly and at a more detailed level. For example, the section covering continuous improvement, periodic testing and review prompts prosecutors to enquire not only whether internal audits occurred but also about the company’s rationale supporting its process for determining where and how frequently audits occurred.

Language included in the section on autonomy and resources regarding whether compliance personnel have non-compliance responsibilities drives at the same point. In its discussion of mergers and acquisitions, rather than assuming that a company will conduct all due diligence prior to an acquisition, the DOJ explicitly acknowledges that this may not be the case, adding the following question: ‘Was the company able to complete pre-acquisition due diligence and, if not, why not?’[39] These enquiries do not preclude a company from choosing a particular course but, rather, suggest that a company should be prepared to defend the rationales that informed programme design and resource allocations.

Focus on programme integration

The Evaluation Guidance prompts prosecutors not only to determine whether certain elements of the programme exist but also how they work in concert with other components of the programme and are integrated into the day-to-day rhythms of the company. For example, the Evaluation Guidance not only references the importance of having comprehensive policies and procedures but also prompts prosecutors to ask how the policies and procedures are reinforced through a company’s internal control systems.

Increasing emphasis on the use of data to track and test

In a few areas of the Evaluation Guidance, the DOJ emphasises its expectations regarding data collection and use. The autonomy and resources section introduces new questions for prosecutors to assess whether compliance personnel have timely access to the data they need, and whether the company is effectively using data analytics tools to enhance efficiency in compliance operations and to evaluate the effectiveness of various elements of its compliance programmes.[40] This may signal both the value the DOJ sees in data as a necessary tool for monitoring and testing compliance programmes, and an awareness of the European Union’s General Data Protection Regulation and other restrictions that have come into force in more recent years, which can limit access to data for international companies. The Evaluation Guidance also makes clear the DOJ’s expectation that companies gather operational data across the company and data on employee access to policies. These data points feed, respectively, into updates to risk assessments and into the evaluation of access to governing documents.

In March 2023, the DOJ revised the Evaluation Guidance to update its expectations regarding the management of corporate data on employees’ personal devices and when using third-party applications, especially those with end-to-end encryption or auto-delete features. Overall, the Evaluation Guidance states that company policies on these issues ‘should be tailored to the corporation’s risk profile and specific business needs and ensure that, as appropriate and to the greatest extent possible, business-related electronic data and communications are accessible and amenable to preservation by the company’.[41] Prosecutors will consider factors such as the types of electronic communication channels used by company employees in different countries and any company policies that ensure preservation of data and communications in various situations, such as ephemeral message deletion settings, replacement of company devices and use of personal devices under, for example, bring-your-own-device policies.

Focus on corporate use of data and technology

The most significant revision of the Evaluation Guidance (in 2024) focuses on corporate use of data and technology. In the risk assessment section, the DOJ now includes questions to evaluate how companies are leveraging technology, especially emerging technologies such as AI, and whether they have assessed the associated risks. In essence, companies should integrate emerging technology into both enterprise risk management and compliance risk assessment processes.

Additionally, the DOJ introduced a new section focused on managing emerging risks in compliance with applicable laws. This section includes 10 key questions designed to guide compliance risk management related to emerging technologies. These questions position AI both as an employee, subject to oversight to align with company values and policies, and as an internal control or business process that should be monitored and tested to confirm it meets its intended purpose. Lastly, the DOJ emphasises the need to update policies and procedures to reflect the use of new technologies.

Focus on the evolution of compliance programmes

Throughout the Evaluation Guidance, the DOJ emphasises both a company’s own efforts to evolve its compliance programme and the DOJ’s understanding of that evolution. With respect to the company’s own efforts, the Guidance includes language in the section on risk assessment under ‘Lessons Learned’, asking: ‘Does the company have a process for tracking and incorporating into its periodic risk assessment lessons learned either from the company’s own prior issues or from those of other companies operating in the same industry and/or geographical region?’[42] Further, in its discussion of continuous improvement, periodic testing and review, under ‘Evolving Updates’, the DOJ guides prosecutors to ask: ‘Does the company review and adapt its compliance program based upon lessons learned from its own misconduct and/or that of other companies facing similar risks?’[43] Both questions highlight the importance of learning from internal and external issues and of incorporating that learning into the programmatic changes.

The Evaluation Guidance also makes clear the DOJ’s interest in understanding the reasoning behind the evolution of a company’s compliance programme. In the introduction to the document, the DOJ states that it will be specifically evaluating compliance programmes at multiple points in time: ‘both at the time of the offense and at the time of the charging decision and resolution’.[44] The Guidance emphasises this point by the following addition under ‘Risk Assessments’: ‘In short, prosecutors should endeavor to understand why the company has chosen to set up the compliance program the way that it has, and why and how the company’s compliance program has evolved over time.’[45] For companies on the receiving end of questions from the DOJ, documentation on changes to their compliance programme – including the ‘why’ behind changes – will be critical.

Additionally, the 2024 revision highlights the expectation that companies will not only learn from their own experiences but also from market and industry peers. The section regarding the design of policies and procedures guides prosecutors to ask: ‘Is there a process for updating policies and procedures to reflect lessons learned either from the company’s own prior issues or from those of other companies operating in the same industry and/or geographical region? Is there a process for updating policies and procedures to address emerging risks, including those associated with the use of new technologies?’[46] Also, the training and communications section introduces questions regarding whether the training includes ‘lessons learned’ from compliance challenges experienced by other companies in the same industry or geographical area.

Operationalising continuous improvement

Across various sections, the Evaluation Guidance prompts prosecutors to evaluate how a company measures programme effectiveness. For example, the document emphasises in several places the importance of capturing and tracking data to analyse trends and missed opportunities.

Additional explanatory text encourages prosecutors to go beyond simply asking if a programme and its elements are effective, and instead prompts them to ask how that effectiveness is measured in practice. For example, the section on training and communications prompts prosecutors to ask how training effectiveness is measured and improved. In the context of ‘continuous improvement, periodic testing and review’, the Evaluation Guidance prompts prosecutors to enquire how and how often the company’s compliance culture is measured and how that analysis is used to inform the continuous improvement of the company’s programme.

Risk assessment as the starting point

The Evaluation Guidance emphasises that:

The starting point for a prosecutor’s evaluation of whether a company has a well-designed compliance program is to understand the company’s business from a commercial perspective, how the company has identified, assessed, and defined its risk profile, including specific factors that mitigate the company’s risk, and the degree to which the program devotes appropriate scrutiny and resources to the remaining spectrum of risks.[47]

Notably, the Evaluation Guidance does not mention ‘manifested risks’ (a focus in an earlier guidance document) but instead highlights the importance of ‘risk-tailored resource allocation’ (i.e., ‘Does the company devote a disproportionate amount of time to policing low-risk areas instead of high-risk areas?’),[48] as well as the importance of updates and revisions to a company’s risk assessment and policies and procedures ‘in light of lessons learned’.[49] Companies can expect prosecutors to spend more time: (1) understanding how risk assessments inform resource allocations, and scrutinising those decisions; and (2) evaluating whether a company’s risk management strategy is reactive or proactive. Of course, a company can rightly hope that this line of questioning, in some cases, may lead the DOJ to determine that a specific incident of misconduct in one area does not render the compliance programme ineffective or poorly designed.

Guidance on reporting mechanisms and investigation response

The Evaluation Guidance includes questions about whether a company has established and publicised an anonymous reporting mechanism, underscoring the DOJ’s concerns regarding retaliation against reporting of compliance issues. In addition, it includes enquiries about the timing and quality of the company’s responsiveness to the results of investigations and the remediation of identified issues. It also underscores the importance of tracking and learning from investigation results (consistent with the Guidance’s more general theme of capturing and tracking data to inform continuous improvement). Lastly, the 2024 update supported the DOJ’s policy to encourage and reward whistleblowers by including some edits directing prosecutors to inquire whether companies encourage the reporting of misconduct or engage in practices that discourage such reporting.[50]

Proactive justification of business rationales for third parties

The Evaluation Guidance’s section on third-party management assesses, more generally, how the company ensures that there are appropriate business rationales for the use of third parties. These questions evidence the view that the first, and arguably most important, step in managing compliance risk posed by third parties is to evaluate whether there is a clear business need to engage them and, if so, to articulate the qualifications required to meet that need. Companies will be well served to consider whether their compliance programmes require this step and, if so, whether it is documented and maintained as part of due diligence.

Addressing the potential advantages of data use, the DOJ’s latest Evaluation of Corporate Compliance Programs (ECCP) revisions highlight the role of data in third-party management by posing key questions that aim to understand whether the company’s third-party management process enables timely vendor review, and whether the company is using available data to assess vendor risk throughout the relationship. These updates build on the 2023 updates aimed at ensuring that third-party onboarding keeps pace with business needs and that ongoing management persists throughout the entire vendor relationship life cycle.

Importance of compensation incentives and clawbacks

In the revisions to the Evaluation Guidance in March 2023, the DOJ emphasises compensation to drive compliance. In a retitled section on ‘Compensation Structures and Consequence Management’ (previously ‘Incentives and Disciplinary Measures’), the Guidance defines ‘consequence management’ processes as ‘procedures to identify, investigate, discipline and remediate violations of law, regulation, or policy’.[51] Specifically, it directs prosecutors to consider whether a company has incentivised compliance by designing compensation systems and non-financial incentives (e.g., promotions and rewards) that are tied to conduct consistent with the company’s values and policies, including by asking questions about, for example, the percentage of executive compensation that is ‘structured to encourage enduring ethical business objectives’ and the role the company’s compliance team has in ‘designing and awarding financial incentives at senior levels of the organization’.[52]

In addition to compensation incentives, the Evaluation Guidance also instructs prosecutors to consider whether a company has ‘policies or procedures in place to recoup compensation that would not have been achieved but for misconduct attributable directly or indirectly to the executive or employee’.[53] This consideration is further reinforced by the three-year ‘Compensation Incentives and Clawbacks Pilot Program’ that the DOJ launched in March 2023. Under this Program, the DOJ can provide fine reductions to companies that have sought ‘to recoup compensation from culpable employees and others’ within the parameters set by the DOJ.[54]

Criminal Division Corporate Enforcement and Voluntary Self-Disclosure Policy

In May 2025, the DOJ updated the Enforcement Policy, formerly known as the FCPA Corporate Enforcement Policy, which applies to all corporate criminal matters handled by the Criminal Division.[55] The revised Enforcement Policy continues to offer companies the presumption that the DOJ will decline prosecution if (1) they voluntarily self-disclose misconduct, fully cooperate with the government’s investigation and remediate the compliance failures in a timely and appropriate manner, and (2) there are no ‘aggravating circumstances involving the seriousness of the offense or the nature of the offender’.[56]

The Enforcement Policy establishes that even where aggravating circumstances are present, prosecutors have the discretion to recommend declination depending on the ‘severity’ of the circumstances and the ‘company’s cooperation and remediation’.[57]

The Enforcement Policy imposes an obligation to self-disclose and requires companies to disclose ‘all relevant, non-privileged facts known to [them], including all relevant facts and evidence about all individuals involved in or responsible for the misconduct at issue, including individuals inside and outside of the company regardless of their position, status, or seniority’.[58]

In addition, the DOJ also ‘encourages self-disclosure of potential wrongdoing at the earliest possible time, even when a company has not yet completed an internal investigation, if it chooses to conduct one’.[59] For example, when the DOJ declined to prosecute Lifecore Biomedical, Inc for violations of the FCPA in November 2023, the DOJ highlighted that the company made its initial disclosure to the DOJ within three months of when it first discovered the potential misconduct and hours after its internal investigation confirmed the misconduct.[60]

The Enforcement Policy also continues to emphasise proactive, rather than reactive, cooperation, requiring companies to inform the DOJ ‘where the company is aware of opportunities for the Criminal Division to obtain relevant evidence not in the company’s possession and not otherwise known to the Criminal Division’.[61] The Enforcement Policy makes it clear that if a company claims that disclosure of data is prohibited or restricted by foreign law, it must establish the existence of those prohibitions or restrictions and identify ‘reasonable and legal alternatives to help the Criminal Division preserve and obtain the necessary facts, documents, and evidence for its investigations and prosecutions’.[62]

The Enforcement Policy outlines two exceptions to automatic declinations: ‘near-miss’ disclosures and cases with aggravating factors. If companies fully cooperate and remediate, the DOJ must offer more lenient outcomes. These include non-prosecution agreements (absent egregious factors), shorter term lengths, and no compliance monitor. The changes significantly limit prosecutorial discretion and are more favourable than prior policies.

Whistleblower Awards Pilot Program

In August 2024, the DOJ launched a new initiative called the Corporate Whistleblower Awards Pilot Program (the Whistleblower Program). The Whistleblower Program offers potential monetary rewards to individuals who submit original written information that leads to over US$1 million in net criminal or civil forfeitures. To qualify, the information must contribute to successful enforcement actions involving corporate misconduct in key DOJ priority areas, such as foreign corruption, domestic bribery, financial institution crimes and healthcare fraud involving private insurers.[63]

The Whistleblower Program increases pressure on companies to report corporate misconduct, particularly in key enforcement areas. As mentioned above, these areas include foreign corruption, domestic bribery, financial institution crimes and healthcare fraud related to private insurance. The Program clarifies what the DOJ considers a ‘timely self-disclosure’, motivating companies to report violations promptly within a 120-day window, which mirrors the SEC’s whistleblower model.[64]

Whistleblowers who cooperate with internal reporting systems and contribute to internal investigations in these priority areas may qualify for larger awards. The DOJ may reduce the reward if whistleblowers disrupt internal processes or provide false information. Companies that retaliate against whistleblowers or try to block direct communication with the DOJ – particularly in relation to the Program’s focus areas – could lose cooperation credit or face obstruction charges. The 120-day window serves as a clear incentive for companies to quickly report violations to gain potential benefits.[65]

In May 2025, the DOJ updated the Whistleblower Program to expand the range of qualifying violations. New areas now include corporate misconduct involving cartels and transnational criminal organisations (TCOs), federal immigration violations, material support of terrorism, and trade-related offences such as sanctions evasion, customs fraud and procurement fraud. Despite these additions, the Program’s eligibility criteria and core requirements remain unchanged.[66]

Monitorships

In March 2025, the DOJ moved to terminate the monitorship imposed on Glencore plc following the company’s 2022 resolution of charges related to foreign bribery and market manipulation.[67] DOJ prosecutors, exercising their discretion under the terms of the plea agreement, decided to end the monitorship approximately 15 months earlier than originally planned. The DOJ indicated that this decision was based on a review of the relevant facts and circumstances, though it did not elaborate on the specific factors that influenced the early termination. Notably, the DOJ’s revised monitorship policy, implemented during the Biden Administration, was subsequently removed from the DOJ’s website.[68]

Thereafter, in the white-collar enforcement plan, the DOJ highlighted its efforts to limit the use of independent compliance monitors in corporate settlements, aiming to achieve necessary compliance improvements while minimising costs, burdens and business disruptions.[69]

Additionally, on 12 May 2025, Matthew R. Galeotti (Head of the US Department of Justice’s Criminal Division) issued the ‘Memorandum on Selection of Monitors in Criminal Division Matters’. On the one hand, the Memorandum clarifies the ‘factors that prosecutors must consider when determining whether a monitor is appropriate and how those factors should be applied’; on the other, it outlines steps to ensure monitorships are proportionate, cost-effective and targeted at the misconduct being addressed.

Overall, the purpose of the Memorandum is to establish a more targeted and efficient approach to using independent compliance monitors in corporate resolutions. The Memorandum stresses that monitors should only be imposed after careful evaluation of factors such as the likelihood of repeat criminal conduct, the effectiveness of other forms of oversight and the maturity of the company’s compliance programme.[70]

Additionally, the Memorandum removes diversity, equity and inclusion provisions from the previous policy and highlights that the Criminal Division will closely manage the scope and costs of monitorships by implementing measures like fee caps, approving workplan budgets and holding biannual meetings between the DOJ, the monitor and the company.[71]

Mergers and Acquisitions Safe Harbor Policy

On 4 October 2024, former Deputy Attorney General Lisa O Monaco gave a speech in which she introduced the DOJ’s Mergers and Acquisitions (M&A) Safe Harbor Policy.[72] The M&A Safe Harbor Policy allows companies to ‘expect a presumption of a declination for criminal conduct uncovered during M&A due diligence’[73] if they meet the DOJ’s requirements to self-disclose the misconduct in a timely manner, to fully remediate the misconduct within certain set timelines and to agree to pay all disgorgement, forfeiture, restitution and victim compensation payments. The policy is not intended to prevent companies with robust compliance programmes from acquiring those with weaker programmes or a history of misconduct. Instead, the DOJ aims to encourage acquiring companies to disclose any misconduct they uncover in the course of M&A transactions.

Conclusion

The expansion of compliance guidance issued by the DOJ and the SEC, and the increasing depth of that guidance, signal to US and foreign corporations a heightened expectation of proactive and considered compliance programme development. Collectively, the guidance documents discussed provide a blueprint for companies seeking to develop and enhance their compliance programmes and for those having to defend their existing programmes.

However, as the various guidelines and statements by enforcement officials have made clear, compliance programme design and effectiveness are a particularised and individualised art, where one size does not fit all and continued customisation, evaluation and improvement are the expectation. Companies would do well, therefore, to incorporate the guidance provided into their own internal monitoring and testing efforts to ensure their compliance programme stays relevant to their operations.

* The authors thank Manuela Jaramillo, who served as a visiting law clerk at Miller & Chevalier during 2024–2025, for her contributions.