Evolving Corporate Compliance Programs: Keeping pace with regulator expectations

October 20, 2022

Recent compliance developments

There has been a flurry of activity by regulators that emphasizes the importance of an effective compliance program and the need to continually evolve a compliance program to foster an ethical culture. This includes remarks by Deputy Attorney General Lisa Monaco regarding shifting priorities of the Department of Justice (DOJ), revisions to the DOJ criminal enforcement policies, and recent enforcement activity.

The DOJ is taking more proactive steps to combat corporate crime, actively reviewing its own corporate enforcement efforts, building additional compliance and data analytics expertise within the department, and shifting priorities to further strengthen how it prioritizes and prosecutes corporate crime.

Organizations should take note, consider how the latest developments may impact their corporate compliance programs, and assess whether their programs work in practice to foster an ethical culture.

“Companies need to actively review their compliance programs to ensure they adequately monitor for and remediate misconduct – or else it’s going to cost them down the line.”
– Deputy Attorney General Lisa Monaco¹

Action items for companies based on recent developments

Key action items in light of recent developments include evaluating how organizations 1) address the use of personal devices and third-party messaging apps, 2) use compensation structures to promote compliance, and 3) ensure the timely completion of investigations.

Use of personal devices and third-party applications
The DOJ and Securities and Exchange Commission (SEC) are placing greater emphasis on corporate governance of personal devices and third-party messaging apps in their evaluations of corporate compliance programs. Corporate policies may limit a corporation’s ability to monitor the use of such devices and gather relevant data for investigations.

Organizations should assess the use of such devices within their business, their policies governing their use, the effectiveness of training and communications about such policies, how relevant data can be collected and analyzed as part of an investigation, and how to monitor and enforce the policies.

Compensation structures that promote compliance
The DOJ is scrutinizing how organizations use compensation systems to deter risky behavior, incentivize compliant conduct, and foster an ethical culture. This includes whether compensation agreements incorporate clawbacks for unethical behavior, whether company policies allow for penalties to be levied for misconduct, and more.

Organizations should assess whether their compensation systems are appropriately designed and implemented to incentivize compliant behavior, deter risky behavior, and promote an ethical culture and whether these practices are actually enforced.

Timeliness of investigations
The DOJ is focused on assessing the timeliness of organizations’ investigations and related disclosures. Failing to complete an investigation in a timely manner may result in the dissipation of evidence, the expiration of the statute of limitations, or the lack of timely remediation of pervasive or serious misconduct. The DOJ has indicated the need to expedite its own investigations, empower prosecutors, and clear impediments to completing investigations in a timely manner. This is a warning sign to corporations that their internal investigations need to be completed and disclosed in a timely manner.

Organizations should assess the effectiveness of their investigations policies and procedures and determine whether such policies and the organizations’ resources and funding facilitate the timely completion of investigations.

Recent case summary

The SEC charged 16 Wall Street firms for failing to maintain and preserve electronic communications. The SEC’s investigation uncovered pervasive off-channel communications.


From January 2018 through September 2021, the firms’ employees routinely communicated about business matters using text messaging applications on their personal devices, and the firms did not maintain or preserve the majority of these off-channel communications.



  • $1.1 billion in combined penalties
  • Acknowledgement by the banks that their conduct violated recordkeeping provisions of federal securities laws
  • Requirement by the SEC to engage compliance consultants to review the firms’ policies and procedures related to the retention of electronic communications found on personal devices and frameworks for addressing non-compliance

Strengthen your compliance program

Organizations must actively assess their compliance programs in light of the recent regulatory updates to foster an ethical culture, prevent and detect potential misconduct, and meet regulatory expectations. Organizations turn to CRA when they need to strengthen their compliance program. CRA has deep experience evaluating compliance program frameworks and delivery models, advising on the design and implementation of compliance program elements, and building and sustaining compliance programs.