The Impact of DOJ’s Evaluation of Corporate Compliance Programs on FDA-Regulated Products

By Madeleine Giaquinto and Cynthia Schnedar


In April 2019, the U.S. Department of Justice (DOJ) Criminal Division updated guidance entitled “Evaluation of Corporate Compliance Programs” (the “2019 DOJ Guidance”).[1] Generally, this guidance identifies specific factors prosecutors should consider when conducting an investigation of a corporation, determining whether to bring charges, and negotiating pleas or other agreements.[2] Of particular interest, the guidance spells out how prosecutors should evaluate the effectiveness of a corporate compliance program and what weight ought to be given to the evaluation in making prosecutorial decisions.[3] Typically, the guidance has been front and center in DOJ discussion of criminal fraud cases, such as those brought under the Foreign Corrupt Practices Act or the Anti-Kickback Statute, although it is not as consistently featured in DOJ discussion of cases prosecuted under the Federal Food, Drug, and Cosmetic Act (FDCA).

However, at the Food and Drug Law Institute (FDLI) Enforcement, Litigation, and Compliance Conference in December 2019, DOJ signaled that the 2019 DOJ Guidance should be of interest to companies who are regulated by the Food and Drug Administration (FDA).[4] In his keynote remarks, DOJ Deputy Assistant Attorney General David Morrel stated that actions taken by the DOJ Consumer Protection Branch (CPB) in conjunction with FDA are “all caused by failures of corporate compliance programs.”[5] He went on to state that the CPB “follows the same principles as the DOJ’s Criminal Division of assessing compliance programs for charging and resolution purposes”, announcing the emphasis DOJ will place on the 2019 DOJ Guidance when making decisions of whether to investigate, bring charges, or resolve cases brought under the FDCA.[6]

Given that DOJ has stated it will use the 2019 DOJ Guidance in evaluating and prosecuting cases brought under the FDCA, companies should be aware of what specifically DOJ will be evaluating. By proactively adopting some of the principles in the guidance, companies may be able to avoid an investigation or prosecution. However, companies should not be too daunted by this task because many of the key principles found in the 2019 DOJ Guidance are consistent with quality principles governing industries that produce FDA-regulated products.

Thus, this article will review DOJ’s current approach to enforcement, enumerate the key best practices that DOJ will expect to see when evaluating a corporate compliance program, and identify thematic overlap between the 2019 DOJ Guidance and quality management principles found in some of the major regulations and guidances that apply to FDA-regulated products.

DOJ Enforcement in Practice

During his keynote remarks, Deputy Assistant Attorney General Morrel spoke about the work of the CPB, which is responsible for enforcing statutes protecting public health and safety, and is central to DOJ’s enforcement activity within the food, drug, and medical device industries.[7] More specifically, the CPB investigates and litigates violations of the FDCA and the Controlled Substance Act (CSA), focusing on safety and compliance while imposing civil and criminal enforcement mechanisms when appropriate.

Deputy Assistant Attorney General Morrell explained that since 2017, the CPB has expanded its capacities to engage in enforcement activity against violators, having grown from “fewer than 40 attorneys . . . to nearly 70” and tripling its support staff, in addition to having newly developed analytical tools and increased resources.[8] Deputy Assistant Attorney General Morrell said that with these enhanced capabilities, the CPB would take broader enforcement actions that would include a focus on failures of corporate compliance programs. He stated that “[we aim] to progress more intelligently and more predictably . . . [through] application of a consistent policy on the assessment and crediting of corporate compliance programs.” These statements indicate DOJ intends to place a heightened focus on its evaluation of corporate compliance, requiring more than was previously required from such programs.

Deputy Assistant Attorney General Morrell then went on to explain that the CPB follows the same principles of DOJ’s Criminal Division “in assessing compliance programs for charging and resolution purposes.”[9] Specific to these principles is the idea that prosecution is minimal where companies “timely report wrongdoing, cooperate fully, and remediate adequately,” each of which require a competent compliance system “to identify and report a problem in the first place.” With this, Deputy Assistant Attorney General Morrell stressed the importance of “voluntary compliance up and down the product supply chain,” especially in the context of the FDCA.[10] Voluntary compliance indicates efforts made beyond what is minimally required under basic good practice standards (GXP). Thus, Deputy Assistant Attorney General Morrell’s statements suggest companies should implement compliance programs that are proactive rather than reactive, self-aware when errors occur, and corrective in nature.

DOJ Framework for Evaluating Corporate Compliance Programs

Prior to 2017, DOJ evaluated corporate compliance programs using the U.S. Attorneys’ Manual under the section entitled, “The Principles of Federal Prosecution of Business Organizations.”[11] In assessing whether to bring charges or negotiate a plea, DOJ used the “Filip Factors” outlined in this section, which were named after their 2008 revision and expansion under the leadership of then-Deputy Attorney General Mark Filip.[12] Only two of these factors specifically addressed evaluating corporate compliance programs (i.e., consideration of existence and effectiveness of a compliance program, and remedial actions taken by a corporation to implement or improve a compliance program).

In 2017, DOJ issued its initial guidance entitled, “Evaluation of Corporate Compliance Programs” (the “2017 DOJ Guidance”), which was meant to be used by prosecutors in conjunction with the Filip Factors when evaluating the effectiveness of corporate compliance programs.[13] The 2017 DOJ Guidance provided a checklist of 11 key principles which, when weighed together, were meant to signal the strength of a compliance program. This evaluation looked for competencies in the following elements of a compliance program: (1) an analysis and remediation of underlying misconduct; (2) senior and middle management involvement; (3) autonomy and resources; (4) policies and procedures; (5) risk assessments; (6) training and communications; (7) confidential reporting and investigations; (8) incentives and disciplinary measures; (9) continuous improvement, periodic testing, and review; (10) third-party management; and (11) mergers and acquisitions.[14]

In April 2019, the DOJ Criminal Division published the 2019 DOJ Guidance, expounding on the 11 key principles of the 2017 DOJ Guidance. This updated guidance was designed to be a comprehensive tool for prosecutors to use across all three stages of enforcement, including determining charges, calculating penalties, and deciding how and which entities should be scrutinized and evaluated (the previous guidance merely focused on the determination of charges).[15] The 2019 DOJ Guidance also provided additional insights into criteria involved in prosecutors’ assessment by providing more prescriptive statements about what is considered to be an “effective” compliance program. The 2019 DOJ Guidance framed the prosecutorial assessment into three fundamental questions, asking whether: (1) the program is well designed; (2) the program is being implemented effectively; and (3) the program works in practice.[16]

The first fundamental question, dealing with the design of the compliance program, asks whether the program aims to prevent and detect wrongdoing and whether the program is enforced by management.[17] This determination requires the existence and analysis of prescriptive elements such as risk assessments, policies and procedures aimed at reducing identified risk, necessary training and communications of relevant employees, confidential reporting of mechanisms and internal investigative processes, and third-party management of risk-based due diligence. Moreover, the determination of an adequate and effective risk assessment takes into account analyses of a risk management process and risk-tailored resource allocation, and it requires updates and revisions be made to the risk assessment itself. Under this fundamental question, essentially every component of a well-designed compliance program is aimed at identifying and dealing with risk.[18]

The second fundamental question, dealing with effective implementation of the compliance program, asks whether the company’s top leaders promulgate a culture of compliance, which is evident throughout production lines.[19] A culture of compliance is based on tangible evidence, including a commitment to such culture made by senior and middle management, demonstrated by concrete actions and conduct. A culture of compliance can also be supported by sufficient investigative resources, enforcement independence, established incentives, and written disciplinary procedures for program violations. The idea here is that a company’s compliance program is not merely a “paper program,” but one that is “implemented, reviewed, and revised . . . in an effective manner” and is ensured by high-level personnel.[20]

Lastly, the third fundamental question, dealing with whether the compliance program effectively works in practice, asks companies to assess a program’s ability to minimize risk of future misconduct.[21] This analysis distinguishes a single instance of misconduct from an ineffective program entirely, arguing that the identification of misconduct, followed by timely remediation and self-reporting, is an indication of an effective compliance program. It looks at the mechanisms of internal auditing, the identification of misconduct, and the remediation of underlying misconduct, all allowing for continuous improvement. Thus, this analysis requires a company to have made significant investments in “internal control systems” as part of its compliance program, beyond what is minimally required under appropriate GXP requirements.[22]

ICH Q10 Overlap

Despite the 2019 DOJ Guidance proposing a new framework for corporate compliance programs, companies of FDA-regulated products should not feel like they are being asked to reinvent the wheel in terms of implementing novel concepts of quality compliance systems. The 2019 DOJ Guidance, and stated enforcement trends of the CPB, overlap in part with concepts of quality system regulations for all product areas falling under FDA purview. For example, in October 2019, the International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use (ICH)[23] published guidance entitled “Q10 on Pharmaceutical Quality Systems” (“ICH Q10”), which is applied by FDA in its regulation of drugs and biologics, and describes a model for an effective quality management system resembling concepts of the 2019 DOJ Guidance.[24] Similar overlap also exists in guidances and regulations for medical devices (i.e., Quality System (QS) Regulation/Medical Device Good Manufacturing Practices)[25], as well as for food, tobacco, and veterinary drugs.

 For instance, one overlapping concept of ICH Q10 and the 2019 DOJ Guidance is the idea that quality risk management is a pathway to the successful implementation of an effective pharmaceutical quality system.[26] The quality risk management concept positions ICH Q10 as a proactive method for ensuring product quality, emphasizing the identification, scientific evaluation, and control of associated risk. It also creates a function of continuous process improvement, which furthers product quality, within pharmaceutical quality systems (discussed below).

This concept resembles the prioritization of risk assessment made in the first fundamental question of the 2019 DOJ Guidance, dealing with whether the program is well designed, which states that “[t]he starting point for a prosecutor’s evaluation of whether a company has a well-designed compliance program is to understand . . . how the company has identified, assessed, and defined its risk profile, and the degree to which the program devotes appropriate scrutiny and resources to the spectrum of risks.”[27] That is to say, a risk-based approach is integral to the adequacy of a corporate compliance program design, both under a DOJ evaluation and according to ICH Q10’s quality risk management principle.  

Another overlapping concept of ICH Q10 is the idea that senior management leadership is essential to achieving quality system commitment and success.[28] ICH Q10 states that “[s]enior management has the ultimate responsibility to ensure an effective pharmaceutical quality system is in place to achieve the quality objectives, and that roles, responsibilities, and authorities are defined, communicated, and implemented throughout the company.”[29] The basis of this idea is that senior management should be involved throughout the development, implementation, review, and maintenance of a company’s quality policies and system, which is, in essence, addressed in the second fundamental question in the 2019 DOJ Guidance dealing with effective implementation of the program.

Under this fundamental question, a compliance program is implemented effectively, in part, when there is an established commitment by senior and middle management. The guidance states, “the effectiveness of a compliance program requires a high-level commitment by company leadership to implement a culture of compliance from the top.”[30] This commitment requires that concrete actions be taken by senior leadership in promoting compliance efforts, including potentially involving compliance expertise on the board of directors.

Yet another overlapping concept of ICH Q10 is the emphasis on continual improvement of process performance through implementation of process monitoring systems, corrective and preventive action (CAPA) systems, change monitoring systems, and management review throughout a product’s lifecycle.[31] This concept relates to a DOJ prosecutor’s evaluation under the third fundamental question, i.e., whether the compliance program is effective in practice. Both evaluative approaches require investment in internal monitoring and control strategies that are expansive of GXP requirements and facilitate continual improvement of program effectiveness.


What does this mean for companies involved in producing FDA-regulated products and their corporate compliance programs? With DOJ’s added resources and CPB signaling it will comprehensively evaluate quality systems based on DOJ’s most recent guidance, companies should take note of repeating trends and overlapping concepts of quality system regulation of FDA-regulated products when implementing an effective corporate compliance program. By doing so, companies can ensure they are prioritizing risk assessments and risk-based decision-making in effectuating compliance programs, placing responsibility of quality culture on senior management, and implementing internal control strategies to perpetuate ever-improving processes.


[1] DOJ Criminal Division, “Evaluation of Corporate Compliance Programs,” (February 2017, updated April 2019), available at

[2] Id. at 1.

[3] Id. See also Karl Buch, Eric Christofferson, Grayson Stratton, & Elan Gershoni, “DOJ Revises its Guidance on Corporate Compliance Programs,” DLA Piper (May 2, 2019), available at

[4] Deputy Assistant Attorney General David Morrell Remarks at the FDLI Enforcement, Litigation, and Compliance Conference, (December 11, 2019), available at

[5] Id.

[6] Id.

[7] Id.

[8] Id.

[9] Id.

[10] Id.

[11] JM § 9-28.000, “Principles of Federal Prosecution of Business Organizations,” Justice Manual (JM), available at

[12] Id. See also Karl Buch, Eric Christofferson, Grayson Stratton, & Elan Gershoni, “DOJ Revises its Guidance on Corporate Compliance Programs,” DLA Piper, (May 2, 2019), available at

[13] DOJ Criminal Division, “Evaluation of Corporate Compliance Programs,” (February 2017, updated April 30, 2019), available at

[14] Id.

[15] Id. See also John Nassikas, John Tan, & Lindsey Carson, “New DOJ Compliance Program Guidance,” Harvard Law School Forum on Corporate Governance, (June 10, 2019), available at

[16] Id.

[17] Id. at 2–8.

[18] Id.

[19] Id. at 9–13.

[20] Id.

[21] Id. at 13–17.

[22] Id.

[23] ICH brings together regulatory authorities and the pharmaceutical industry in discussion of scientific and technical aspects of pharmaceuticals for the development of ICH guidelines, which are applied by a growing number of regulatory authorities around the world. ICH’s stated mission is “to achieve greater harmonisation worldwide to ensure that safe, effective, and high quality medicines are developed and registered in the most resource-efficient manner.” See ICH, “Mission: Harmonisation for Better Health,” available at

[24] FDA, “Q10 Pharmaceutical Quality System: Guidance for Industry,” (April 2019), available at

[25] 21 CFR § 820. See also FDA, “Quality System (QS) Regulation/Medical Device Good Manufacturing Practices,” available at

[26] Id. at 4.

[27] DOJ Criminal Division, “Evaluation of Corporate Compliance Programs,” (February 2017, updated April 30, 2019), p. 2, available at

[28] FDA, “Q10 Pharmaceutical Quality System: Guidance for Industry,” (April 2019), p. 5, available at

[29] Id.

[30] DOJ Criminal Division, “Evaluation of Corporate Compliance Programs,” (February 2017, updated April 30, 2019), p. 9, available at

[31] FDA, “Q10 Pharmaceutical Quality System: Guidance for Industry,” (April 2019), p. 8, available at