On March 16, Assistant Attorney General for the Criminal Division Leslie R. Caldwell delivered remarks at the ACAMS Anti-Money Laundering & Financial Crime Conference in Hollywood, Florida. Caldwell addressed DOJ’s expectations of businesses operating internationally and DOJ’s investigations of international conduct. As to the former, Caldwell stressed that companies must prioritize cybersecurity and cybersecurity compliance. She also spoke about the importance of a robust compliance program more generally. Noting that there is not a “one size fits all” compliance program, she discussed what DOJ considers to be some hallmarks of effective compliance programs, including: (1) directors and senior management providing strong, explicit, and visible support for compliance policies, (2) compliance teams with stature, adequate funding and access to resources, (3) clear, written and understandable policies (translated into all necessary languages), (4) effective communication and accessibility of compliance policies, (5) periodic review of policies and practices, (6) mechanisms to enforce compliance policies, including incentives for compliance and even-handed discipline for violations, and (7) attitude toward partner compliance with vendors, agents or consultants. In the anti-money laundering and sanctions context, Caldwell noted that compliance programs must also have additional components. She said that a company must be aware of the risks posed by its portfolio of customers, must comply with U.S. laws if it operates in the United States, and must be candid with regulators, often going further than filing a Suspicious Activity Report.

Next, Caldwell turned to a discussion of how DOJ investigates and prosecutes cases involving international financial institutions. She discussed the many tools available through a deferred prosecution agreement (“DPA”) or non-prosecution agreement (“NPA”) and indicated that the Criminal Division would be willing to take action if a company breached such an agreement, stating, “Make no mistake: the Criminal Division will not hesitate to tear up a DPA or NPA and file criminal charges, where such action is appropriate and proportional to the breach.”