
Evaluation of Corporate Compliance Programs (ECCP)
A compliance framework designed by the U.S. Department of Justice Criminal Division for assessing whether a company’s compliance program is effective, with direct consequences for charging decisions and penalty calculations in criminal investigations.
What Is the Evaluation of Corporate Compliance Programs?
The Evaluation of Corporate Compliance Programs (ECCP) is a guidance document issued by the U.S. Department of Justice (DOJ) Criminal Division. It sets out a framework for prosecutors to assess the design, implementation, and operational effectiveness of a company’s compliance program when making charging decisions and calculating penalties in criminal investigations.
Following its 2024 regulatory update, the ECCP was expanded to include three additional factors for consideration. These include the management of emerging technologies, such as AI; improved whistleblower protections and anti-retaliation mechanisms; and requirements for compliance teams to have adequate data access and resources to identify and mitigate risks.
The ECCP is not a regulation and creates no direct legal obligation. However, it carries substantial practical weight. For a company, a well-designed and operationally effective compliance program can be the difference between a criminal prosecution and a declination of charges, between a deferred prosecution and a guilty plea, or between maximum and reduced financial penalties.
Under the Criminal Division’s Corporate Enforcement and Voluntary Self-Disclosure Policy, companies with effective compliance programs that voluntarily disclose misconduct, fully cooperate with the investigation, and remediate in a timely and appropriate way may receive a presumption of declination of prosecution.
| Core ECCP Considerations | |
| --- | --- |
| Is the program well-designed? | Risk assessment quality, written policies and procedures, training effectiveness, confidential reporting structure and investigation process, third-party management, and mergers and acquisitions integration. |
| Is the program effectively implemented? | Commitment by senior and middle management, the compliance function's autonomy and resources, and the adequacy of incentives and disciplinary measures. |
| Does the program work in practice? | Whether the program has detected and addressed misconduct, how the company uses data to monitor effectiveness, and whether continuous improvement is embedded in the program's operations. |
Who Is Responsible for the ECCP?
The Criminal Division of the DOJ issues and updates the ECCP. The Corporate Enforcement, Compliance and Policy Unit of the Criminal Division applies the ECCP framework in practice. Federal prosecutors across the U.S. Attorney’s Offices also reference the ECCP alongside the Antitrust Division’s parallel guidance for antitrust-specific compliance evaluations.
The DOJ’s Corporate Whistleblower Awards Pilot Program operates alongside the ECCP as a complementary enforcement mechanism, although it primarily focuses on institutional financial fraud, healthcare fraud, and domestic or foreign bribery cases under the Foreign Corrupt Practices Act (FCPA).
What Are the Possible Penalties Under the ECCP?
As a guidance framework, the ECCP itself carries no direct penalty. Instead, it controls the size and form of criminal sanctions in DOJ resolutions. Organizations with demonstrably effective compliance programs can significantly reduce fines by lowering their culpability score under the U.S. Sentencing Guidelines.
On top of reduced sanctions, compliant companies can also benefit from the aforementioned declinations of prosecution and from avoiding independent compliance monitors, which often cost tens of millions of dollars over their two-to-three-year terms. Meanwhile, organizations with insufficient programs may face maximum fines, extended monitoring, and debarment from federal contracting.
What Does the Evaluation of Corporate Compliance Programs Require?
To receive meaningful credit under the ECCP, companies must demonstrate operational depth across several key areas of their compliance programs. These include:
| Core ECCP Requirements | |
| --- | --- |
| Risk Assessments | Maintain a current, regularly updated, methodology-based risk assessment that identifies and prioritizes the specific corruption and misconduct risks the business faces. |
| Policies & Procedures | Written standards for policies and procedures that are specific, accessible, and enforceable; generic codes of conduct that are not operationalized offer little value. |
| Training & Communications | Training tailored to employees’ roles and risk profiles, demonstrating a genuine commitment to risk mitigation, with completion and effectiveness tracked and tested. |
| Confidential Reporting & Investigations | A functioning, genuinely confidential reporting channel with anti-retaliation protections and independent investigative processes that employees trust. |
| Third-Party Management | Risk-based due diligence on third parties, application of compliance contractual requirements, and monitoring of third-party behavior. |
| Data & Technology Oversight | Assessment and management of risks posed by AI and other emerging technologies used in the business, ensuring compliance teams have access to the data needed to monitor effectiveness. |
Why Is the ECCP Important?
The ECCP reinforces a growing trend in U.S. regulation: encouraging organizations to self-police misconduct. Laws like the Dodd-Frank Act and the False Claims Act incentivize whistleblowing with financial rewards, increasing the likelihood that misconduct is reported directly to authorities and that it results in significant penalties.
The ECCP works in the opposite direction, enabling organizations to reduce the risk of external whistleblowing through robust internal reporting channels. It also reduces legal liability by demonstrating a genuine commitment to lawful conduct through a well-designed and operationally effective compliance program.
How FaceUp Helps Comply with the ECCP
The ECCP's confidential reporting requirement is closely aligned with the whistleblowing standards in the Sarbanes-Oxley Act and the Dodd-Frank Act. FaceUp helps businesses address these legal obligations quickly and easily with its out-of-the-box solution.
Multi-channel intake across web forms, iOS/Android mobile apps, and Live, Automated, and AI-powered Hotlines allows employees to anonymously report at any time in 113+ languages. This feeds into centralized case management with role-based permissions and audit-ready data logging, providing a clear and structured view of compliance activity.
Quick Facts
Applies to
Any organization subject to DOJ Criminal Division investigation; most directly relevant to companies with U.S. operations or potential federal criminal exposure.
Penalties
No direct fines; compliance program quality determines whether organizations face prosecution, the level of fines under the Sentencing Guidelines, and whether an independent monitor is required.
The FaceUp Solution
FaceUp is an anonymous reporting and compliance platform designed to help businesses meet whistleblowing regulations worldwide, including those in the US, EU, UK, and UAE.

Fully Anonymous Reporting
Give staff multiple secure channels to report their concerns, complete with an anonymous two-way chat.
Mobile-First Accessibility
No IP storage, no device IDs, encrypted submissions
Customizable forms, categories, routing rules, and more

Customizable Case Management
Create an easily verifiable audit trail through a customizable case management system with automatic routing.
Supports multiple locations, subsidiaries, or units
Entity-specific routing and access permissions
Optional notifications via email, Teams, or Slack

Real-Time Data Analytics
Identify trends, repeated issues, and escalation risks early with customizable visual real-time dashboards.
Filter by category, region, channel, and more
Share without revealing sensitive information
ISO 27001 and SOC 2-certified local servers
