By Alon Kohalny, 2 March 2026
The appointment of an external Chief Compliance Officer (CCO) at TD Bank in April 2025,[1] following unprecedented anti-money laundering (AML) penalties of roughly $3 billion, illustrates the growing willingness of the US Department of Justice (DOJ) to intervene directly in corporate governance.
The appointment, imposed as part of the settlement package, reignited debate in the United States regarding the legitimacy of such intrusive oversight and the division of responsibility between internal and external compliance officers.
Although similar steps had been taken in previous cases, such as Wells Fargo and Danske Bank, the TD Bank monitorship represented a turning point: governmental involvement became a mechanism for correcting systemic compliance failure, rather than a sanction.
In this context, the DOJ’s Criminal Division released an update last year to its policy on the appointment, selection, and supervision of independent compliance monitors.[2]
Evolution and rationale
The 2025 Galeotti Memorandum (named after US Assistant Attorney General Matthew R. Galeotti) consolidates and supersedes two earlier policy documents: the Morford Memorandum (2008)[3] and the Benczkowski Memorandum (2018).[4]
Each iteration has sought to find a balance between deterrence and rehabilitation, ensuring compliance programme reform without being unnecessarily intrusive or costly. The DOJ has recognised that a monitor can impose “substantial expense and interfere with lawful business operations”[5] and therefore this latest memorandum aims to promote a more selective and transparent approach.
From a governmental standpoint, the update enhances predictability and uniformity across divisions. From a corporate perspective, it offers procedural safeguards: greater input in selection, defined cost limits, and clearer exit criteria.
What are the key features of the 2025 policy?
The memorandum clarifies four main dimensions of the DOJ’s approach.
(a) Criteria for appointment.
A monitor will be considered only where:
- A company’s misconduct was systemic or pervasive;
- There is a high risk of recurrence;
- The company has failed to demonstrate effective remediation; or
- The existing compliance function lacks independence or credibility.
In short, appointment must be justified by identifiable risk, not as an automatic response to wrongdoing.
(b) Selection procedure.
The selection of an external monitor will be conducted by a standing committee of senior prosecutors, including an ethics adviser, the head of the relevant section, and one additional experienced attorney. The corporation may propose three qualified candidates, from which the DOJ will select one, assessing integrity, expertise, and absence of conflicts.
(c) Scope and proportionality.
The monitor’s mandate must be narrowly defined and proportionate to the identified deficiencies. Duration is limited, typically between 18 and 36 months, and costs must be “reasonably tailored to the corporation’s size, resources, and risk exposure.”
(d) Oversight and evaluation.
The memorandum introduces structured oversight: periodic reporting to the DOJ, a defined budget, and mid-term assessments. Monitors must engage with both senior management and the board to ensure implementation of recommendations while avoiding duplication of the internal compliance function.
What are the governance implications?
The revised policy carries broad implications for corporate governance and the compliance profession.
- From exception to structured instrument.
While the DOJ insists that monitorships remain exceptional, the clearer framework and enhanced legitimacy may paradoxically make them more frequent. Once formalised within DOJ policy, the external monitor becomes an accepted compliance instrument rather than a last-resort measure.
- Redefinition of internal compliance authority.
Appointment of an external monitor can temporarily dilute the authority of the internal compliance officer. Part of the compliance budget and decision-making shifts outward. Internal CCOs must therefore strengthen their documentation, ensure traceability of decisions, and maintain robust relationships with both the board and regulators to prevent marginalisation.
- Integration with enterprise risk management.
Because monitor appointment decisions hinge on the maturity of compliance systems, companies should embed compliance monitoring within broader risk frameworks. Demonstrating self-testing, audit integration, and board-level oversight significantly reduces the likelihood of external imposition.
- Transparency and accountability expectations.
Under the Galeotti Memorandum, companies are expected to certify remediation efforts at the conclusion of a monitorship. This requirement aligns with the DOJ’s broader trend towards CEO and CCO certifications in settlement agreements, reinforcing personal accountability.
Lessons for compliance officers
The updated memorandum conveys several practical lessons.
(a) Readiness matters.
The DOJ explicitly examines whether a company’s internal compliance function could have prevented or detected the misconduct. Demonstrable maturity (i.e. policies, training, audits, risk mapping, escalation procedures, etc.) reduces the need for external supervision.
(b) Documentation and evidence of effectiveness.
Compliance officers must maintain comprehensive records of programme design, testing, and corrective actions. Evidence establishes credibility.
(c) Coordination with external monitors.
Where a monitor is appointed, the internal CCO should define boundaries early: information flows, confidentiality protocols, approval processes, and budget implications. Cooperation should not impact independence.
(d) Professionalisation and certification.
The trend towards formal standards makes international certification (such as CCO or CAMLO credentials) increasingly relevant. These attest to competence, independence and adherence to recognised ethics codes.[6]
(e) Anticipate global reach.
For multinational corporations, the DOJ’s policy has extraterritorial significance. The Department can require monitors even where most misconduct occurred abroad, provided there is a US nexus. Global compliance heads should therefore ensure alignment with US expectations in AML, sanctions and anti-bribery programmes.
What are the strategic implications for boards?
Boards should treat the updated DOJ policy as part of their risk management oversight. Key questions include:
- Has the board independently reviewed the effectiveness of the compliance programme?
- Are remediation efforts after investigations adequately documented?
- Does management receive regular compliance performance metrics?
- Are resource allocations sufficient for independent testing and assurance?
Addressing these questions can both strengthen governance and reduce the likelihood of monitorship.
Ensuring a credible compliance function
This policy update is a valuable reminder that the presence or absence of a monitor often depends on the credibility and demonstrable effectiveness of the internal compliance function.
For banks and financial institutions, effective transaction monitoring, customer due diligence systems, and governance of suspicious activity reporting are not merely prudential expectations, but safeguards against external intrusion.
A well-structured, well-documented programme, regularly tested and transparently reported to the board, remains the most effective defence against external oversight.
As corporate enforcement becomes increasingly global, the distinction between internal and external compliance roles will continue to blur. Professional competence, independence, and readiness are the only sustainable guarantees of trust, in the eyes of both management and regulators.
About the author
Alon Kohalny Adv. CCO is a lawyer and compliance expert, member of the editorial board of inCOMPLIANCE and a member of the ICA’s Global Practitioner Advisory Board.