How to Use the DOJ’s ECCP to Build (or Fix) Your Compliance Program [2026 Updates]

When it comes to ethics and compliance programs, “good enough” is anything but. From record-breaking FCPA settlements to sweeping investigations across industries, the U.S. Department of Justice (DOJ) has made it clear: if your compliance program can’t withstand scrutiny, your company is vulnerable — legally, financially, and reputationally.

The Evaluation of Corporate Compliance Programs (ECCP) is the DOJ’s playbook for evaluating corporate ethics and compliance (E&C) programs. But it’s not just a tool for prosecutors. For E&C leaders, it’s a roadmap for building a modern, risk-aligned, and effective program — and a defense against enforcement actions when things go wrong. 

Whether you're updating an existing compliance program or building one from scratch, the ECCP can be your best tool for avoiding fines, earning leniency in enforcement actions, and, most importantly, protecting your organization from real harm. 

2026 Perspective: As of late 2024 and 2025, the DOJ has clarified that an effective program is no longer just a "factor" in leniency—it is the primary gateway to a full declination of prosecution under the Voluntary Self-Disclosure Policy.

Let’s explore how you can use it as a proactive tool to enhance your ethics and compliance program.

Why the ECCP Matters

The DOJ’s Evaluation of Corporate Compliance Programs is a guidance document that outlines how prosecutors assess whether a company’s compliance program is effective. It plays a key role in determining whether a company is prosecuted — or granted leniency — in the event of corporate misconduct. Although DOJ has never directly defined what makes a company’s program “effective,” the ECCP has been amended and expanded since its publication in 2017 by successive administrations.

You don’t have to be a giant or U.S.-based organization to land in the DOJ’s crosshairs, either. In recent years, companies of all sizes — including Brazilian airline GOL and California beauty brand e.l.f. Cosmetics — have found themselves fined as a result of regulatory scrutiny. And the majority of fines for FCPA violations in the past 10 years have been paid by non-U.S. companies. These cases underscore a clear message: every company, regardless of size, needs a strong compliance program.

Using the ECCP as a Self-Assessment Tool

At its core, the ECCP is structured around three deceptively-simple questions:

1. Is your compliance program well-designed?
2. Is it being applied earnestly and in good faith?
3. Does it actually work in practice?

Let’s walk through each one and how to tackle them.

1. Is your program well-designed?

This is the foundation of any effective ethics and compliance program. A well-designed program isn’t a generic, off-the-shelf solution — it’s carefully crafted to reflect the specific risks, structure, and operations of your organization. The DOJ has made clear that it expects companies to tailor their programs to their unique risk profile, industry, and workforce — not simply replicate what another company is doing.

So what does good design actually look like?

• Risk assessments that are specific, ongoing, and dynamic. Your compliance efforts should be grounded in a deep understanding of where the greatest risks lie. This includes evaluating your industry, geographic footprint, supply chain, third-party relationships, and any prior misconduct on an ongoing basis. 
• AI Guardrails: In 2024, the ECCP was amended to include a dedicated assessment of how your organization uses emerging technologies, specifically Artificial Intelligence (AI), to ensure these tools do not inadvertently bypass internal controls or other compliance obligations.
• Clear, updated policies that are easy to find and understand. Every employee should be able to easily access and navigate your code of conduct and other issue-specific company policies like sexual harassment and anti-retaliation. Use plain language, real-world examples, and remember culturally relevant adaptations when operating globally. 
• Compliance training that’s tailored to employees' roles, interactive, and regularly updated. Ethena’s in-house production studio builds custom courses with this exact purpose in mind and makes it easy for E&C teams to edit or update them.
• Confidential reporting channels with clear investigation protocols. Ethics hotlines, web portals, mobile apps — the more accessible, the better. But just as important as the channel is what happens next: are investigation protocols standardized and well-documented? Regulators look for a track record of prompt, impartial investigations and responsive remediation when warranted.

Use your compliance training data to flag trends and tailor improvements. For example, if learners are consistently missing questions in a certain area, it can point to a policy gap or risk hotspot.

2. Is your program being applied in good faith?

It’s not enough to have a great E&C program on paper. Regulators want to see that it’s actually being used, championed, and integrated into the daily operations of the organization. This is where many companies stumble: a beautifully crafted code of conduct or a state-of-the-art training platform won’t matter if the program isn’t embedded in business decisions and enforced. 

Applying your program in good faith means going beyond checking boxes. It involves making a genuine effort to embed ethics and compliance into how business gets done. That includes:

• Tone at the top: Leadership must visibly and vocally champion the E&C program. When executives reference ethical behavior in all-hands meetings, tie it to performance metrics, and model it through ethical decision-making, it signals to employees that compliance isn’t optional — or superficial. As of 2026, the ECCP also includes "Tone from the Middle," ensuring that mid-level managers are empowered and held accountable for the ethical climate of their specific teams.
• Independence and resources: The E&C function should have the autonomy to carry out its mission and the budget and tools it needs to be effective. This includes access to data, decision-makers, and the ability to raise concerns directly to the board or audit committee when necessary. A key indicator of "good faith" is proportionality; the DOJ evaluates whether the compliance team has access to the same quality of data and analytical tools as the commercial/sales side of the business.
• Consistent enforcement: Ethical standards must apply to everyone. If a high-performing executive escapes accountability for a policy violation, it undermines the program’s credibility. The DOJ explicitly looks for documentation of disciplinary actions taken across roles and ranks to ensure fairness and follow-through.

Too often, ethics and compliance programs falter in this implementation stage. Programs that lack visible leadership support, proper funding, or real consequences for bad behavior quickly become what the DOJ calls “paper programs” — frameworks that exist in theory but are ignored in practice. 

A well-written policy might check a box, but a well-executed program is what earns respect if regulators ask questions.

3. Does your program actually work?

This is where theory meets practice. It’s one thing to design a comprehensive E&C program and say all the right things; it’s another to prove that your efforts are producing real, measurable outcomes. This third pillar of the ECCP is arguably the most critical, because it tests whether your E&C program is functioning effectively in the real world.

It doesn’t mean that an effective program prevents all misconduct all the time as the ECCP notes. An effective program should educate and motivate employees to do the right thing, detect misconduct, respond to it, and evolve in response to changing risks.

• Monitor effectiveness through data. Are employees completing training quickly or need repeated follow up? Are they retaining the material? Are any knowledge gaps identified and followed up on promptly? Culture surveys, training analytics, case management trends, and even test-out rates can all provide valuable insight into what’s working and where improvement is needed. Prosecutors expect compliance officers to have "timely and direct access" to all relevant business data. You must demonstrate that you are using this data to proactively identify risk hotspots. 
• Audit and test regularly. Conducting periodic audits, especially in high-risk areas, helps ensure policies and procedures are being followed. The DOJ also encourages companies to test internal systems proactively. For example, you might simulate a reporting scenario to test how your hotline, triage protocols, and investigation processes function in real time.
• Investigate incidents promptly and learn from them. Ensure every concern raised is evaluated, investigated thoroughly, include a root cause analysis and remediated promptly and fully. These investigations should feed back into your risk assessments, training updates, and policy revisions. If one team or category of employees has repeated violations, it may signal a leadership gap or unclear expectations — both of which should be addressed at the root.
• Adapt and evolve over time. Ethical and compliant culture doesn’t work on autopilot. New regulations, shifting enforcement priorities, internal growth, and emerging risks (like AI, data privacy, or hybrid work policies) require ongoing adaptation. Pressure for profits, unrealistic expectations or toxic leaders can cause damage. Your program should include a built-in process for culture surveys, regular policy reviews, training updates, and process improvements. This includes regularly auditing the algorithms and automated systems (AI) that drive business decisions to ensure they remain compliant with changing regulations.

In the end, the program that “works” is one that builds trust, both internally and externally. Employees feel confident raising concerns. Managers know how to respond. And when things go wrong (as they inevitably will), your organization has the processes and cultural foundation to respond with integrity. 

That’s what regulators want to see — and it’s what a truly effective ethics and compliance program delivers.

The Bottom Line

When you use the ECCP as more than just a regulatory reference, you can build something more durable: a workplace grounded in trust, transparency, and ethical decision-making.

An effective E&C program isn’t just a defense against prosecution. It’s a strategic asset that fosters a speak-up culture, earns stakeholder confidence, and enables sustainable growth. It shows stakeholders that you’re serious about accountability. It demonstrates to employees that their concerns matter. And it proves to investors and customers that ethics aren’t just part of your brand but part of your business

For more best practices, including a simple checklist for staying aligned with the ECCP, download our playbook on Aligning Your E&C Program with DOJ Guidelines.

Build a Better E&C Program with Ethena

Ethena’s ethics and compliance training platform is designed to keep you aligned with the ECCP and compliant with SOX, SOC II, and more. From a modular training library of 150+ customizable courses to our built-in ethics hotline, case manager, and phishing simulator, we help you meet — and exceed — compliance expectations. And our cutting edge AI tools make it easy to evolve and update your program as risks and requirements change.

Ready to see how your program stacks up? Book a demo with our team and explore how Ethena can help bring the ECCP to life at your organization.