Stop obsessing over the ECCP.

by Hui CHEN

"While ECCP can be incredibly useful, using it as a best practice guide overrlooks and overstates its true purpose and intent." 

Whenever DOJ updates its Evaluation of Corporate Compliance Programs (“ECCP”), the compliance community becomes abuzz with much tea leaf reading.  Many blogs, articles and summaries present the ECCP as guidance to necessary compliance upgrades. This view, however, misses the mark. While ECCP can be incredibly useful, using it as a best practice guide overlooks and overstates its true purpose and intent.

As the author of the original ECCP, I offer a very different perspective. Understanding the purpose behind the questions in ECCP, rather than simply using them as a checklist, is the key to using the guidance in the design, implementation and assessment of a compliance program.

The ECCP has never been intended to establish a compliance program best practice guide: it exists to help prosecutors assess compliance programs in the specific context of a criminal investigation. That purpose remains true today. The ECCP itself clearly states its purpose: “This document is meant to assist prosecutors in making informed decisions” as they conduct investigations, calculate criminal fines, and consider monitor imposition. It is intended for the defendant in the dock, not the citizens on the street. For the same reason most parents would not model their child-rearing practices based on guidance from the Office of Juvenile Delinquency, treating the ECCP as your compliance program “bible” would be misguided. Prosecutors understand that most of the companies answering the questions before them are far from the standards of best practices. To be fair to these corporate defendants, the standard has to be set at just above the lowest common denominators.

How, then, should in-house compliance officers view and use the ECCP? Below we offer three myth busters and three recommendations.

Myth #1: The ECCP updates are significant shifts in how DOJ evaluates compliance programs.

The ECCP updates are frequent and incremental. Mostly, the updates add new nuances to questions and topics that DOJ has been asking for years, if not decades. Much, for example, has been made of the “new” emphasis on data access and whistleblower protection. Let’s look at the newly added sentence of “Do compliance personnel have knowledge of and means to access all relevant data sources in a reasonably timely manner?” Compare that with the pre-existing opening sentence of that section: “Do compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions?” Is the new sentence such a dramatic new development from the old? As to whistleblower, when was DOJ ever not interested in how a company treats whistleblowers?

Myth #2: I have to have the right answers to the ECCP questions.

First, remember DOJ will not be in a position to ask you any questions unless your company is under investigation and discussing a resolution in a federal criminal case. Second, if you find yourself in that position, DOJ’s questions to you will be focused on the specific facts of the case that brought you there: nobody will have the time to go through all the questions in ECCP. If your case had nothing to do with whistleblowers, no one would be asking you about your whistleblower protection and training programs. Third, each company will have its unique answers. What you would need to do is to be able to defend your answers given the facts of your case.

Myth #3: ECCP is my leading (predictive) indicator of the risk landscape.

ECCP offers lagging (reactive)—not leading (predictive)—indicators of the risk landscape. They reflect what the prosecutors have seen in their investigations: in othr words, they represent observations from criminal actions that have not only occurred, but made their way through the lengthy process of both internal and government investigations. They point you to the risks of yesterday and today, but not all the risks of tomorrow. In addition to being reactions to what prosecutors see in their cases, ECCP reflects primarily the risk view of the Fraud Section. There is little mention, for example, of risks such as data theft and cyber-attacks. Most of those cases are prosecuted by the United States Attorneys’ Offices or by the Computer Crime and Intellectual Property Section of the Criminal Division, which is not involved in the ECCP. If you take ECCP as your guide, you would limit your risk view to the universe defined by the Fraud Section, and miss critical risk areas including cybercrimes, antitrust, money laundering, environmental crimes, and trade sanctions.

So, how should you use the ECCP? Here are my recommendations:

Recommendation #1: DO use ECCP as a high-level conceptual framework in thinking about the structure of your compliance program.

Rather than getting lost in the tealeaf reading and word counting, step back and look at the key concepts that run throughout the document. ECCP offers good conceptual framework for different phases of your compliance program: for example, as you design your program or its components, focus on how you assess your risks, draft and roll-out your policies and procedures, and how you convey expectations and guidance through training and communications. In everything you do, think about the goals you are trying to achieve and how you would evidence and measure the achievement. Have clear rational for your decisions and document them.

Recommendation #2: DO upskill your data capabilities.

Compliance functions not only need to understand and use data, but to have documented and well-thought-out strategies on how data is collected, governed, and used. This is not because the DOJ shows interest in its recent ECCP updates: it is because everybody—certainly all your internal stakeholders—are interested. Data is the language of business and decision-making today. Our colleagues in marketing, sales, supply chain, finance, and operations have been using data to demonstrate their value in companies for years, if not decades. Instead of lamenting about not having a seat at the table, earn a seat at the table by showing your value just like any of your peer functions.

Recommendation #3: Stop obsessing about the ECCP. Instead, do what is right by your organization and your immediate stakeholders.

Your goal is never to have to sit in front of DOJ to answer any of the ECCP questions. Your organization is unique: it has its own risks, culture, and stakeholder interests that are not contemplated by prosecutors who are questioning criminal defendants in front of them. If you always strive to do what is right by your organization and its immediate stakeholders—employees, supplier, investors, surrounding communities—you will not have to worry about DOJ or ECCP.