On September 23, 2024, the Department of Justice (DOJ) updated its Corporate Compliance Program Evaluation (ECCP) Policy, which outlines the key factors prosecutors consider when evaluating the effectiveness of a company’s compliance program in charging decisions and resolutions.
In this alert, we’ll highlight five key changes to PCEC and what businesses and leaders need to know. The main changes concern: (1) technology; (2) integrate lessons learned from company data and compliance issues within the same industry or geographic region; (3) anti-retaliation policies; (4) training; and (5) compliance regarding mergers and acquisitions.
1. Technology
The most important update concerns a company’s risk management and compliance associated with emerging technologies. The DOJ now expects companies to identify and manage risks related to new technologies and to assess the impact of the use of new technologies on their ability to comply with the law.
Senior DOJ officials have specifically highlighted the risks posed by AI, including the extent to which fraudulent approvals and documents can be used to circumvent compliance programs. If a company uses AI in its business or as part of its compliance program, prosecutors will assess whether the company has adequate governance and controls in place to ensure that the AI is trustworthy, reliable and used in accordance with applicable law. Additionally, the DOJ expects companies to use data-driven methods to identify issues with their compliance programs and adapt accordingly. The first step for corporate lawyers in managing these risks is to identify the programs and technologies used by their company.
2. Proactively improve compliance programs
The DOJ is pushing companies to more proactively improve their compliance programs in two new ways. First, a company should pay attention to any compliance issues occurring at other companies operating in the same industry or geographic region, and it should incorporate those learnings into its own compliance program. Second, a company should leverage data analytics tools to make its compliance operations more efficient and measure the effectiveness of its compliance program. Along the same lines, the DOJ will now evaluate whether the resources and technology a company devotes to its compliance function are commensurate with the resources and technology available to other functions within the company, such as sales.
3. Anti-retaliation
Prosecutors are increasingly focusing on the adequacy of companies’ internal anti-retaliation policies, in addition to compliance with external anti-retaliation and whistleblower protection laws. If employees involved in misconduct are disciplined by the company, the DOJ will now ask whether the treatment of any employee who reports misconduct differs from the treatment of employees who did not report misconduct. Companies should ensure that employees are encouraged to report misconduct, even when they are involved in it, and that they are not punished for raising concerns internally. Echoing previous themes of fostering a strong corporate culture of compliance, companies will be evaluated on whether they generally encourage employees to report misconduct or, alternatively, whether they curb reporting through retaliatory practices.
4. Training
A company’s compliance program is only effective if it is known and understood by employees, and the DOJ has provided new details on how it will evaluate a company’s compliance training. For example, the DOJ will examine whether employees are trained on internal and external anti-retaliation policies and lessons learned from compliance issues encountered by other companies operating in the same industry or geographic region. Additionally, the DOJ will evaluate how the company tracks employee engagement in trainings and how the company measures what employees learned from the trainings. Businesses can improve engagement by hosting live training sessions. Additionally, they can measure what employees have learned in several ways, such as testing employees before and after training sessions and comparing the results. Companies can also analyze reporting trends after training sessions.
5. Mergers and acquisitions
In the context of mergers and acquisitions, DOJ will now consider whether a company plans to migrate or combine critical enterprise resource planning systems during the integration process. It will also ask the extent to which compliance and risk management functions play a role in the design and execution of a company’s integration strategy. The ECCP revisions emphasize the importance of implementing or integrating post-acquisition compliance programs. For example, prosecutors will evaluate whether the company provides appropriate oversight of the new business and whether the new business adopts the company’s risk assessment protocols.
Conclusion
These changes highlight the increasing importance, from the DOJ’s perspective, of implementing a proactive, data-driven compliance program that uses cutting-edge technology. By thinking about how to apply these concepts to their own compliance programs, companies can benefit from leniency or avoid government action altogether.
For more information on DOJ policies, how to establish or strengthen your compliance program and internal controls, how to respond to a government investigation, or any related questions, please contact a DOJ member . white collar crime, government investigationsOr national security firms at Wilson Sonsini Goodrich & Rosati.
