On September 23, 2024, the U.S. Department of Justice (DOJ) updated its Evaluation of Corporate Compliance Programs (ECCP) to reflect DOJ’s evolving expectations for corporate compliance programs, including how these programs appropriately address compliance risks related to new technologies such as artificial intelligence (AI). Although the ECCP is written as a guidance document for prosecutors to evaluate the effectiveness and adequacy of a company’s compliance program, the ECCP is also a tool for companies to conduct a similar evaluation. With DOJ’s most recent update of this document, this tool now reflects DOJ’s focus on disruptive technology risks. This update provides general context on the ECCP and analyzes the DOJ’s latest revisions to the ECCP, including the introduction of questions and considerations for businesses regarding their use of new and emerging technologies such as AI.
Background of the ECCP
The ECCP, first published in February 2017, has evolved to incorporate feedback and lessons learned from DOJ prosecutors, compliance professionals, and defense attorneys. Since its introduction, the ECCP has been updated to reflect DOJ’s emphasis on the individualized, risk-based nature of compliance programs and the importance of continuous improvement and adaptation in response to new risks. Following the 2020 revisions (previously analyzed here), the DOJ now asks three fundamental questions when evaluating the compliance program:
- Is the company’s compliance program well designed?
- Is the program adequately resourced and empowered to operate effectively?
- Does the company’s compliance program work in practice?
As new challenges emerge for both prosecutors and compliance programs, DOJ has adapted the ECCP to meet these changing circumstances. In March 2023, the ECCP was revised again (previously analyzed here) to examine, among other things, how a company’s compliance program addresses the use of personal devices (e.g., cell phones) and communications platforms, including those that enable the distribution of ephemeral (i.e., disappearing) messages. Notably, the 2023 revisions explained that prosecutors would more actively seek data from third-party messaging apps, and that a company’s inability to retain and produce such data could negatively impact the resolution of any enforcement action.
With the DOJ’s latest announcement late last month, the DOJ is once again attempting to align its compliance expectations with the compliance risks presented by new technologies.
Recent updates to the ECCP regarding risks related to new technologies
The ECCP’s key update recognizes that new technologies, such as AI, can present both risks and opportunities for businesses in their business and compliance operations. The DOJ now expects companies to conduct risk assessments regarding the use of new and emerging technologies and to take appropriate steps to mitigate the risks associated with those technologies.
To assess these risks, prosecutors will ask whether a company is vulnerable to criminal schemes enabled by new technologies, such as fake approvals and AI-generated documents, and whether the company has compliance controls and tools to identify and mitigate these risks. The ECCP revisions also call on companies to monitor and test their technologies to assess whether they are working as intended and whether they comply with the company’s code of conduct and other policies and procedures.
Additional ECCP Updates
Although the DOJ’s compliance expectations regarding the use of new and emerging technologies are the most notable change to the ECCP in this recent update, other key updates include:
Better incentives and protections for whistleblowers. The updated ECCP includes questions to assess whether companies encourage employees to speak up and report misconduct. The DOJ will carefully examine a company’s commitment to combating whistleblower retaliation by reviewing a company’s speaking out and anti-retaliation policies, communications, and training. The DOJ will also evaluate any actions taken by a company against whistleblowers and take appropriate action to penalize or prosecute companies that retaliate against these individuals.
Encouraged use and access of data for compliance functions. The latest revisions encourage companies to take advantage of new technologies to improve their compliance programs. By using resources such as data analytics or automation to detect and prevent misconduct, DOJ believes companies can better measure and improve the effectiveness of their compliance efforts. DOJ will therefore evaluate whether compliance personnel have adequate access to data resources and whether companies are using the same resources and technologies for compliance purposes that they use in their business.
Expectations to evolve compliance programs. The updated ECCP also expands on the concept of learning from a company’s own misconduct as well as the misconduct of others and updating a company’s compliance program accordingly. The DOJ expects companies to monitor and incorporate into their periodic risk assessment lessons learned from their own prior issues and from other companies operating in the same industry and/or geographic region.
Post-transaction integration review. Finally, the updated ECCP calls on companies to review their compliance integration procedures following mergers, acquisitions, and other transactions. The DOJ expects newly acquired companies to be integrated into a company’s overall compliance program, including risk assessment activities and post-acquisition audit plans.
As technology continues to evolve, the compliance expectations of the DOJ and, therefore, the ECCP will also evolve. Companies should evaluate their compliance programs in light of the new ECCP issues and take appropriate steps to address any gaps or weaknesses. Experienced legal counsel is a useful resource for understanding the complex and ever-changing ECCP guidelines and for supporting and testing a company’s compliance program. Companies that continue to update their compliance programs in light of the DOJ’s ECCP updates will put themselves in the best position to prevent malpractice or, alternatively, to detect malpractice at an early stage, be in compliance, and be able to draw on the benefits of an effective risk management system and a Department of Justice-based compliance program to mitigate damages should they ultimately become the subject of a DOJ investigation.