On September 23, 2024, the Department of Justice (DOJ) announced another set of significant updates to its Evaluation of Corporate Compliance Programs (ECCP), the guidance document that DOJ prosecutors use to evaluate the effectiveness of a company’s compliance program when determining penalties for criminal acts.1 The three key updates concerned artificial intelligence (AI), internal whistleblowers and the use of data analytics.
The most notable update concerns how DOJ prosecutors will evaluate the way companies assess and manage technology risks related to AI and other disruptive technologies. In addition to AI, the updated ECCP also requires prosecutors to examine the extent to which companies encourage employees to report potential misconduct and the extent to which companies commit to protecting whistleblowers. Finally, the new ECCP also requires prosecutors to evaluate whether a compliance program has appropriate access to relevant data sources and whether companies are putting the same resources and technologies into leveraging data for compliance purposes as those they use in their business.
Artificial intelligence
In the updated ECCP, the DOJ classifies AI, along with other new technologies, as an emerging risk that could impact a company’s ability to comply with the law. Under the updated ECCP guidance, prosecutors will evaluate whether a company has processes in place to assess and evaluate the impact and risks of the technologies its employees use to conduct their business. Prosecutors are responsible for evaluating the steps the company has taken to mitigate the risks associated with the use of these technologies.2
The DOJ has amended the ECCP to include the following questions that prosecutors will ask when evaluating how a company manages emerging risks, including new technologies, which may affect both the company’s ability to comply with the law and its compliance program:
- Does the company have a process for identifying and managing emerging internal and external risks that could potentially impact the business?
- How does the company assess the potential impact of new technologies, such as AI, on its ability to comply with criminal laws?
- Is risk management related to the use of AI and other new technologies integrated into broader enterprise risk management (ERM) strategies?
- What is the company’s approach to governance regarding the use of new technologies such as AI in its business operations and compliance program?
- How does the company limit potential negative or unintended consequences resulting from the use of technologies, both in its business operations and in its compliance program?
- How does the company mitigate the potential for deliberate or reckless misuse of technologies, including by company insiders?
- To the extent the company uses AI and similar technologies as part of its business or as part of its compliance program, are controls in place to monitor and ensure its reliability and use in accordance with applicable law and the company’s code of conduct?
- Are there controls to ensure that the technology is used only for its intended purposes?
- What baseline of human decision-making is used to assess AI?
- How is accountability for AI use monitored and enforced?
- How does the company train its employees to use emerging technologies like AI?
Earlier this year, Deputy Attorney General Monaco announced that DOJ prosecutors had been instructed to seek harsher sanctions when prosecuting cases in which AI has been intentionally used to commit crimes. It is therefore essential that companies using AI or other emerging technologies to grow their businesses also ensure that the risks associated with these technologies are assessed and mitigated through an effective and appropriate compliance program.3
Whistleblowers
Following in the footsteps of the recently passed corporate whistleblower rewards pilot program, the updated ECCP now requires prosecutors, when evaluating the strength and effectiveness of a company’s compliance program, to examine how the organization encourages and/or incentivizes employees to report potential misconduct through a company’s confidential reporting structure.4 Additionally, the DOJ will review whether a company has and follows an anti-retaliation policy and is committed to protecting the anonymity of whistleblowers.
Specifically, the updated ECCP directs prosecutors to ask the following questions when considering how a company encourages and protects internal whistleblowers:
- Does the company encourage and incentivize the reporting of potential misconduct or violation of company policy? Conversely, does the company use practices that tend to discourage this type of reporting?
- How does the company assess employees’ willingness to report misconduct?
- Does the company have an anti-retaliation policy?
- Does the company train its employees on both internal anti-retaliation policies and external anti-retaliation laws and whistleblower protections?
- To the extent that the company sanctions employees involved in misconduct, are employees who have reported misconduct internally treated differently than other employees involved in misconduct who have not?
- Does the company train its employees on internal reporting systems as well as external whistleblowing programs and regulatory regimes?
Data and resources
Regarding data, the ECCP previously asked DOJ prosecutors to assess whether the company’s compliance and control functions have access to relevant data sources in order to monitor and evaluate data risks for the company in a timely manner. The updated ECCP emphasizes both access to and use of data sources. The DOJ will analyze how the company uses data analytics tools to both create efficiencies in compliance operations and strengthen the overall compliance program.
When analyzing data access, DOJ prosecutors should ask the following questions:
- Is the company appropriately leveraging data analytics tools to drive efficiencies in compliance operations and measure the effectiveness of compliance program components?
- How does the company manage the quality of its data sources?
- How does the company measure the accuracy, precision, or recall of the data analysis models it uses?
- To what extent does the company have access to data and information to identify potential misconduct or gaps in its compliance program?
- Can the company demonstrate that it is proactively identifying misconduct or issues with its compliance program as early as possible?
The updated ECCP also now includes a section of questions designed to assess whether a company has allocated resources to its compliance function in proportion to the size, scope and risk profile of the company’s business. DOJ prosecutors must evaluate the following:
- How do the assets, resources and technology available for compliance and risk management compare to those available elsewhere in the enterprise?
- Is there an imbalance between the technology and resources used by the company to identify and seize market opportunities and the technology and resources used to detect and mitigate risks?
IS YOUR COMPLIANCE PROGRAM UP TO DATE?
One of the guiding principles of how the DOJ examines the effectiveness of a company’s compliance program is whether the program is periodically updated. In fact, the Justice Department’s Justice Manual and the United States Sentencing Guidelines state that “the organization shall periodically assess the risk of criminal conduct and shall take appropriate steps to design, implement or modify each requirement [of the compliance program] to reduce the risk of criminal behavior.”5
Given the new metrics released by the DOJ in the ECCP updates, there is no better time than now to ensure your compliance program is right for your organization’s size and risk profile, is given appropriate resources and access to relevant data, and is implemented effectively across the organization.
Companies that have adopted AI technologies, or those considering adopting AI-based technologies in the future, should be aware that a compliance program must be tailored to the risks posed by these changing technologies. The DOJ has now explained, through the ECCP, how it expects companies to integrate the use of AI and other new technologies into their compliance programs, and companies can now use these details to ensure that the technologies have an appropriate framework. At the same time, companies should evaluate whether their compliance program encourages employees to self-report and ensure their programs are up to date with respect to data access and analytics.
We will continue to closely monitor the implementation of the updated ECCP and its impact on global operations and compliance. Our White Collar Defense and Investigations practice group includes former federal prosecutors and senior officials from the Department of Justice’s Criminal Division, the Foreign Corrupt Practices Unit, the Enforcement Division of the Securities and Exchange Commission and U.S. Attorneys’ Offices across the country, who have extensive experience in all aspects of DOJ and SEC investigations and enforcement actions. For additional information regarding this client alert, please do not hesitate to contact the authors or other members of our White Collar Defense and Investigations practice group.