The DOJ Now Wants Evidence Your Compliance Program Works, Not Proof It Exists

The DOJ does not just want assurance that your compliance program exists. It wants evidence that it is working with the actual current data available to it within the organization.

The Evaluation of Corporate Compliance Programs (ECCP), the document prosecutors use to assess program effectiveness during an investigation, now asks whether compliance has timely access to all relevant data sources and how the company manages the quality of those sources, including the quality of the analytics models it relies on. DOJ underscored the point by creating a new role inside the Criminal Division, Counsel for Compliance and Data Analytics. The message is clear. Prosecutors expect the same investment in data capability for compliance as for the business.

Four practical takeaways for CCOs preparing for this change:

First, data access matters more than capability. A compliance function with sophisticated analytics tools but slow or weak data request protocols is not adequate. Prosecutors are asking whether compliance has direct, ongoing access to the data it needs, not whether the company owns good software.

Second, data quality is now an explicit line of inquiry, not an assumption. Incomplete or inconsistent source data undermines every downstream control. If your monitoring program has never been tested against known data quality gaps, that gap will be a major liability.

Third, AI governance has entered the compliance conversation regardless of whether compliance owns the AI. If the business uses AI in decision making, lending, screening, or operations, compliance needs visibility into how that system is stress tested, monitored, and documented.

Fourth, benchmarking now extends beyond the company’s own history and its immediate industry peers. Prosecutors expect lessons learned from issues facing companies in the same industry and geography as well as best practice examples from outside. The companies most likely to share your next compliance failure are not always your direct peers or competitors.

The pattern across all four takeaways is that DOJ’s expectations for corporate compliance are converging with DOJ’s own investigative capabilities. A program built to satisfy a checklist from five years ago is not meeting today’s standard.