Just as compliance professionals across the U.S. were re-evaluating their programs to ensure they align with the DOJ’s latest updates to its compliance program guidance, the presidential election completely changed their calculus. Regardless of who eventually gets the job leading the DOJ under Donald Trump, one thing seems clear: Corporate enforcement will look a lot different in 2025 than it did in 2024. Andrew Dawson, a former federal prosecutor and current partner at Keker, Van Nest & Peters, and Natalia Gindler Corsini, founder and managing director of corporate compliance consulting firm Prae Venire, make predictions about the Trump effect at the DOJ, as well as how guidance like the “Evaluation of Corporate Compliance Programs” more broadly affects compliance teams.
The DOJ’s September ECCP update focused largely on how companies use technology, including artificial intelligence (AI), and on ensuring the compliance function is as capable as business units of leveraging advanced technologies. Those updates were of a piece with the department’s growing focus on the risks posed by AI, including the establishment of “Justice AI” and the appointment of a chief AI officer within the DOJ.
But with Attorney General Merrick Garland and Deputy Attorney General Lisa Monaco both on their way out in a new presidential administration, those initiatives may be dead in the water. Or perhaps not; after all, corporate criminal enforcement did take place during the previous four years Trump was president.
Andrew Dawson, a partner at Keker, Van Nest & Peters and former federal prosecutor, and Natalia Gindler Corsini, founder and managing director of the corporate compliance consulting firm Prae Venire, explore the Trump effect on the DOJ’s priorities and — assuming it will still matter in 2025 — what the DOJ’s focus on AI could mean.
CCI: Do you anticipate that the DOJ under the incoming Trump Administration will continue the focus established by the latest updates to the ECCP guidance?
Andrew Dawson: I think it is very unlikely that the incoming administration will continue to focus on the most recent updates to ECCP guidance. This emphasis seems to have been the result of commitment from a core group of individuals within the department, with Monaco leading the charge. Her history as a white-collar prosecutor dating back to Enron and other high-profile matters reflects a long-standing commitment to combatting white-collar crime. While we can’t be sure which specific people will staff the relevant DOJ components in the next administration, none of the presumptive nominees thus far share DAG Monaco’s history in this area.
Natalia Gindler Corsini: Under the new administration, it’s true that priorities are expected to shift, placing less emphasis on the FCPA and promoting the misconception that FCPA enforcement restricts economic growth, thereby easing international regulatory constraints. This shift may include replacing the team currently responsible for program updates, which has prioritized reinforcing existing compliance requirements. Nevertheless, the incoming leadership is likely to leave the program largely unchanged, introducing only minor adjustments, if any. This might impact corporate compliance regarding bribery and corruption on a global scale as the misconception that strict regulations hinder business growth could encourage bad actors or regions with weaker adherence to rules to be less diligent. However, the FCPA generates substantial revenue for the federal government and the DOJ, so I personally don’t foresee a significant reduction in the rigor of penalty enforcement, though there might be a decreased reliance on innovative legal approaches.
CCI: What other changes, aside from DOJ leadership announcements, some of which have yet to be made formally, should compliance professionals expect in the coming four years?
AD: There is no doubt that the new administration will have vastly different priorities than the current one. If the past is any guide, we can expect far less scrutiny of corporate misconduct, and I imagine the DOJ’s resources and personnel will be re-directed elsewhere, though there are some areas where the populist coalition surrounding Trump could upset traditional expectations of conservative priorities — J.D. Vance, for example, has spoken approvingly of the FTC chair, Lina Khan, and her aggressive posture toward technology companies. But even if there is something to those statements, the smart money in a Republican administration is usually on deregulation and pro-business instincts.
NGC: Export controls remain high priorities, intensifying over four years with foreign policy shifts requiring program adjustments. Focus may move from Russia-Ukraine to China and Iran, requiring adapted risk management. Operations using Chinese goods and subsidiaries in China/Iran-linked countries face stricter U.S. controls, including secondary sanctions. Key compliance areas will include enhanced standards for U.S. subsidiaries, ongoing restricted-party screenings, supply chain reevaluations, increased secondary sanctions oversight and managing local/U.S. regulation conflicts. Teams must update assessments, policies, training and monitoring.
CCI: Each time the DOJ or other agency drops a new release like this, there seems to be a panic moment for compliance professionals. Do you think that happened in this case — and why (or why not)?
AD: It certainly makes sense that the compliance community pays close attention to the department’s expectations regarding compliance programs, but in this instance it’s more of an incremental announcement than a bold new vision. For years now, Monaco and the department have been laser-focused on corporate self-disclosure and corporate cooperation, and we’ve seen rolling announcements about details and implementation of related policies. This recent raft of updates is largely in line with that prior momentum.
NGC: The best answer to this question is: it depends. The DOJ’s ECCP and each of its updates are valuable for companies under DOJ investigation, as well as any company aiming to align its compliance programs with regulatory standards. The DOJ’s goal, as usual, is to guide companies and compliance teams in effectively designing and improving policies, procedures, and other compliance tools. Everyone in the compliance field knows (or should know) that updating compliance programs is essential to keeping them effective and relevant. The latest [global] advancements are now part of this guidance, helping companies implement modern compliance strategies. Rather than causing panic, this should provide reassurance. The updated guidance also emphasizes access to relevant data sources for compliance staff and the need for companies to invest in compliance resources, including data analytics tools. While this might seem obvious, without these guidelines, companies often fail to prioritize this access. This update encourages organizations to “walk the talk” by taking tangible compliance steps and providing the necessary support to their compliance teams. Companies genuinely committed to a culture of compliance have no reason to worry, while those less engaged may face challenges in adapting their programs and fostering the essential cultural shift.
CCI: How do the changes made in September add complexity to (or simplify) the application of the ECCP in the average compliance program?
AD: In some ways these changes should help simplify compliance programs. When DAG Monaco and her team first began emphasizing some of these ideas years ago, such as their emphasis on voluntary self-disclosure, it was impossible to know exactly how the ideas would be implemented and what the real-world impacts might be. Now that we’re a bit deeper into the development, we’re beginning to see the details fleshed out, which should remove some of the guesswork. The department has emphasized particular examples and discussed how it has weighed the various factors, so compliance professionals now have concrete examples to look to both when designing their programs and when selling them within the company.
NGC: The DOJ has always been clear: An effective compliance program must be well-designed, properly resourced and able to operate successfully in practice. For companies already committed to these guidelines, the updates from September provide helpful cues on where to focus when updating their program. They offer more guidance on how to proceed and clarify what authorities expect on topics that should already be covered, helping companies strengthen what’s already in place. However, for companies without a solid, well-designed program, it’s a different story. These organizations now need to rethink their framework and carefully review each element to ensure the new updates are effectively integrated. They’ll also need to rework any parts of their program that may have been implemented too superficially in the past.
CCI: The updated guidance stresses the need for compliance programs to learn from internal and external issues. What are the practical challenges in gathering and applying lessons from external failures? How does this guidance redefine the boundaries of a company’s compliance responsibilities? Does this broaden the scope of compliance to an unsustainable degree?
AD: I doubt this new language represents a shift in a company’s compliance responsibilities. The department has always expected companies to learn from their own mistakes and adapt compliance programs to ensure prior mistakes don’t recur. And it has also expected that companies don’t stick their heads in the sand and ignore what other, similar companies have gone through. The challenge, of course, is that “external failures” are not always publicized, and when they are, certain critical details might be invisible. So long as the department doesn’t expect perfect insight into non-public events elsewhere, this likely just represents a common-sense recognition that companies should learn from external failures of which they were, or should have been, aware.
NGC: This requirement encourages organizations to stay updated on trends and incidents in their industries and regions, recognizing that similar issues could impact them. To support this, the legal or compliance departments should regularly prepare reports on recent incidents, including details of what happened, when and with whom. This guidance emphasizes the need to fully support compliance teams, ensuring they have the right tools and opportunities to attend events in their field. Staying connected to the broader compliance landscape is essential for bringing fresh insights and innovations into the organization. Like any other profession, compliance teams benefit from an awareness of external developments, which allows them to introduce valuable intelligence and improvements to the company.
CCI: How do companies strike a balance between giving compliance teams the necessary independence and resources while avoiding the perception of compliance being a “cost center” that drains business functions?
AD: This is an age-old question that no new policy will be able to solve. But one virtue of the department’s ongoing focus on compliance and its broadcasting of the risks of non-compliance is that companies are on notice of the downsides of poorly designed or implemented compliance programs. This should help persuade companies that compliance teams serve vital, mission-critical interests, which in turn should give leverage to compliance teams to get adequate resources.
NGC: Achieving the right balance between giving compliance teams the independence and resources they need and avoiding the perception of compliance as a “cost center” includes how compliance leaders position themselves with other leaders. Once this partnership is established, leadership can see the compliance function as being as valuable as HR, for example. Is HR considered a “cost center”? Not typically, even though it doesn’t generate revenue. Yet, HR receives the resources it needs to operate effectively, and its team is frequently trained to serve the organization better. The same should apply to compliance departments.
CCI: The update points to the need for managing risks related to emerging technologies like AI. What does this imply for the responsibility of compliance teams to understand and govern the use of technologies within their company? Should compliance practitioners be worried about being held accountable for technological risks they don’t fully control? And should chief compliance officers prioritize new hires with technological capabilities (even those who lack legal training)?
NGC: Topics like data protection, harassment and export controls all fall under the compliance program umbrella. While these issues are closely related to compliance and are part of the compliance framework, compliance teams rely on experts who handle the technical aspects of these topics. They need to understand the new technology and the risks it poses, collaborating with experts to develop a sub-program that ensures compliance with the law and protects the organization. Compliance teams should not adopt the mindset that all members must have legal training. Depending on the organization’s size and the complexity of its operations, the team should include someone with a technological background. This expertise will assist with various tasks in the compliance department, including data analytics, managing ERPs to detect fraud or weaknesses in internal controls and collaborating with artificial intelligence experts to implement and maintain AI-related programs. If the team consists solely of individuals with legal training, at least one member should learn the basics of technology; otherwise, they may struggle to navigate the company’s ERP system, for example, which is essential for effective compliance.
CCI: How frequently should companies be expected to reassess their programs, and does this raise concerns about the practicality of ongoing compliance evaluations?
AD: Unfortunately, there is no way around keeping a watchful eye on a compliance program as the guidance from regulators shifts under our feet.
NGC: An effective compliance program requires organizations to conduct a thorough assessment of their programs at least every two years. Each year, the compliance team should evaluate the past year’s issues, raised concerns, audit findings, available tools, areas for improvement and other critical factors that enhance the program’s effectiveness. This annual review sets the foundation for updating and strengthening the program for the upcoming year. Additionally, whenever a new law or regulation is enacted, immediate steps must be taken to ensure the compliance program aligns with these requirements. Regularly scheduled assessments and responsive updates ensure that the compliance program remains active, dynamic and responsive to change.