Effective compliance programs – Updated DOJ guidance

Updated DOJ guidance

Amy S. Matsuo

Amy S. Matsuo

Regulatory and ESG Insights Leader, KPMG US

+1 919-664-7100

KPMG Perspective: The updated DOJ compliance guidance increases attention to the sufficient and continuous investment in compliance programs, even as organizations are challenged by workforce, operations, and economic disruptions. Organizations must focus on compliance data analysis, market trends, training, and staffing, and demonstrate ongoing tracking, monitoring, testing, evaluating, and updating of their compliance program.

Key points

  • The U.S. Department of Justice Criminal Division has issued an updated version of its guidelines for evaluating the effectiveness of corporate compliance programs, with additions and clarifications to the April 2019 guidance.
  • Updates include an expectation that compliance programs should be evaluated on an ongoing basis and revised, as appropriate, based on relevant operational data and information as well as lessons learned.
  • Organizations are expected to invest adequate resources into the compliance function, including staffing, training, structure, and stature. 


The updated version of the U.S. Department of Justice Criminal Division’s guidelines continues to be organized around three overarching questions. However, DOJ has modified the second question, which had been focused on effective implementation, to ask whether the program is “adequately resourced and empowered to function effectively.” Key updates and additions within each of the sections follow. This summary is intended to supplement KPMG’s Regulatory Alert on the DOJ’s April 2019 guidelines, which is available here.

  1. Is the program well-designed?
    Organizations should be prepared to explain why they have chosen to set up their compliance program the way that they have, and why and how their compliance program has evolved over time. To the extent a compliance program is structured to meet the requirements of a foreign law, organizations should be prepared to explain the basis for their conclusions about the foreign law and how they have addressed the issue to “maintain the integrity and effectiveness” of their compliance program.
    • Risk assessments. Risk assessments should be used to tailor the compliance program, and the criteria periodically updated and continuously refined “in light of lessons learned.” Updates and revisions should be based on continuous access to operational data and information across functions rather than limited to a “snapshot” in time, and should also lead to updates/revisions in new and/or existing policies, procedures, and controls. A process should be in place to track and incorporate “lessons learned” into the risk assessments, including those from direct experience and from other organizations operating in the same industry or geographic region.
    • Policies and procedures. Policies and procedures should be published in a searchable format, and access should be tracked to identify those policies that are attracting the most attention of employees.
    • Training and communication. Organizations should consider offering shorter, targeted trainings that would enable employees to timely identify and raise issues to compliance, internal audit, and other risk management functions. The impact of trainings on employee behavior or operations should be evaluated.
    • Confidential reporting and investigations. Organizations should test their hotlines for i) employee and third party awareness and use, as well as ii) effectiveness, by tracking a report from start to finish.
    • Third-party management. Due diligence practices should go beyond initial onboarding and reflect ongoing third-party risk management throughout the lifespan of the relationship.
    • Mergers and acquisitions. The compliance program should include comprehensive due diligence of acquisition targets conducted pre- and post-acquisition, and include a documented process for timely and orderly integration of the acquisition into the organization’s compliance program and internal controls.
  2. Is the program adequately resourced and empowered to function effectively?
    The resources available to the compliance program are called out as contributing to its success; well-designed programs “may be unsuccessful in practice if implementation is lax, under-resourced, or otherwise ineffective."
    • Management commitment. Expectations for a culture of ethics and compliance are expanded to include the commitment of middle and top management and to exist at all levels of the organization. 
    • Autonomy and resources. Organizations should be able to explain decisions regarding the structure of the compliance function (e.g., where it is housed, what are its reporting lines, are personnel dedicated to the function) and efforts to maintain and develop skills of compliance staff over time. DOJ adds that compliance staff should have sufficient access (direct or indirect) to relevant sources of data to allow for timely and effective monitoring and testing of policies, controls, and transactions.
    • Incentives and disciplinary measures. The compliance function should monitor investigations and disciplinary measures to ensure consistent enforcement across the organization and commensurate with the violations.
  3. Does the program actually work?
    • Continuous improvement, periodic testing, and review. The organization must engage in meaningful efforts to review the compliance program and ensure it is not stale, as well as to promote improvement and sustainability, incorporating “lessons learned from its own misconduct and/or that of other companies facing similar risks.”

Related guidance

The updated guidance also references two documents that were issued after the April 2019 version. These include the:

  • Evaluation of Corporate Compliance Programs in Criminal Antitrust Investigations, published by the DOJ’s Antitrust Division in July 2019
  • Framework for OFAC Compliance Commitments, published by the Department of the Treasury’s Office of Foreign Assets Control in May 2019.

KPMG’s Regulatory Alerts for these publications are available here and here, respectively. 

Get the latest thinking from KPMG’s Regulatory Insights