On 23 September 2024, the DOJ announced another significant round of updates to its Evaluation of Corporate Compliance Programs (ECCP) – the guidance document Department of Justice (DOJ) prosecutors use to evaluate the effectiveness of a company’s compliance program when determining punishments for criminal wrongdoing.1 The three key updates involved Artificial Intelligence (AI), internal whistleblowers, and the use of data analytics.
The most noteworthy update relates to how DOJ prosecutors will evaluate how companies are assessing and managing the technology risks of AI and other disruptive technologies. In addition to AI, the updated ECCP also instructs prosecutors to look at how well companies encourage employees to report potential misconduct and how committed companies are to protecting whistleblowers. Lastly, the new ECCP also instructs prosecutors to assess whether a compliance program has appropriate access to relevant data sources, and whether companies are putting the same resources and technology into leveraging data for compliance purposes that they are using for their business.
Artificial Intelligence
In the updated ECCP, DOJ categorizes AI, along with other new technologies, as an emerging risk that may impact a company’s ability to comply with the law. Pursuant to the updated ECCP guidance, prosecutors will evaluate whether a company has processes in place to evaluate and assess the impact and risks of the technologies its employees use to conduct business. Prosecutors are instructed to evaluate the steps the company has taken to mitigate any risks associated with the use of the technologies.2
The DOJ has amended the ECCP to include the following questions that prosecutors will ask when evaluating how a company manages emerging risks, including new technology, that may impact both the company’s compliance with laws and the company’s compliance program:
- Does the company have a process for identifying and managing emerging internal and external risks that could potentially impact the company?
- How does the company assess the potential impact of new technologies, such as AI, on its ability to comply with criminal laws?
- Is management of risks related to use of AI and other new technologies integrated into broader enterprise risk management (ERM) strategies?
- What is the company’s approach to governance regarding the use of new technologies such as AI in its commercial business and in its compliance program?
- How is the company curbing any potential negative or unintended consequences resulting from the use of technologies, both in its commercial business and in its compliance program?
- How is the company mitigating the potential for deliberate or reckless misuse of technologies, including by company insiders?
- To the extent that the company uses AI and similar technologies in its business or as part of its compliance program, are controls in place to monitor and ensure its trustworthiness, reliability, and use in compliance with applicable law and the company’s code of conduct?
- Do controls exist to ensure that the technology is used only for its intended purposes?
- What baseline of human decision-making is used to assess AI?
- How is accountability over use of AI monitored and enforced?
- How does the company train its employees on the use of emerging technologies such as AI?
Given that earlier this year, Deputy Attorney General Monaco announced that DOJ prosecutors were instructed to seek harsher penalties when prosecuting cases where AI was intentionally used to commit crimes, it is critical to ensure that companies that utilize AI or other emerging technologies to further their business also ensure that risks associated with those technologies are evaluated and mitigated through an effective and tailored compliance program.3
Whistleblowers
Very much in the footsteps of the recently enacted Corporate Whistleblower Awards Pilot Program, the updated ECCP now instructs prosecutors, when evaluating the strength and efficacy of a company’s compliance program, to look at how the organization encourages and/or incentivizes employees to report potential misconduct through a company’s confidential reporting structure.4 Furthermore, DOJ will look at whether a company has and abides by an anti-retaliation policy and is committed to protecting the anonymity of whistleblowers.
Specifically, the updated ECCP instructs prosecutors to ask the following questions when looking at how a company encourages and protects internal whistleblower:
- Does the company encourage and incentivize reporting of potential misconduct or violation of company policy? Conversely, does the company use practices that tend to chill such reporting?
- How does the company assess employees’ willingness to report misconduct?
- Does the company have an anti-retaliation policy?
- Does the company train employees on both internal anti-retaliation policies and external anti-retaliation and whistleblower protection laws?
- To the extent that the company disciplines employees involved in misconduct, are employees who reported internally treated differently than others involved in misconduct who did not?
- Does the company train employees on internal reporting systems as well as external whistleblower programs and regulatory regimes?
Data and Resources
As it relates to data, the ECCP previously instructed DOJ prosecutors to assess whether the company’s compliance and control functions have access to relevant sources of data in order to timely monitor and assess risks to the business. The updated ECCP emphasizes access to and leveraging of data sources. The DOJ will analyze how the company uses data analytics tools to both create efficiencies in the compliance operations and to strengthen the overall compliance program.
For the data access analysis, DOJ prosecutors are directed to ask the following:
- Is the company appropriately leveraging data analytics tools to create efficiencies in compliance operations and measure the effectiveness of components of compliance programs?
- How is the company managing the quality of its data sources?
- How is the company measuring the accuracy, precision, or recall of any data analytics models it is using?
- To what extent does the company have access to data and information to identify potential misconduct or deficiencies in its compliance program?
- Can the company demonstrate that it is proactively identifying either misconduct or issues with its compliance program at the earliest stage possible?
The updated ECCP also now includes a section of questions designed to evaluate whether or not a company has proportionally allocated resources to its compliance function, considering the size, scope, and risk profile of the business. DOJ prosecutors are to assess the following:
- How do the assets, resources, and technology available to compliance and risk management compare to those available elsewhere in the company?
- Is there an imbalance between the technology and resources used by the company to identify and capture market opportunities and the technology and resources used to detect and mitigate risks?
IS YOUR COMPLIANCE PROGRAM UP-TO-DATE?
One of the guiding principles for how DOJ looks at the effectiveness of a company’s compliance program is whether or not the program is periodically updated. In fact, both the DOJ’s Justice Manual and the United State Sentencing Guidelines instruct that, “the organization shall periodically assess the risk of criminal conduct and shall take appropriate steps to design, implement, or modify each requirement [of the compliance program] to reduce the risk of criminal conduct.”5
Given the new parameters released by DOJ in the updates to the ECCP, there is no better time than now to ensure your compliance program is right-sized for your organization, tailored to the company’s size and risk-profile, given the appropriate resources and access to the relevant data, and effectively implemented throughout the organization.
Companies that have adopted AI technologies, or those that plan on adopting AI-based technology in the future, should be on notice that a compliance program should be tailored to the risks posed by these changing technologies. The DOJ has now addressed, through the ECCP, how it expects companies will incorporate the use of AI and other new technologies into their compliance programs, and companies can now use those details to ensure the technologies have a proper framework. At the same time, companies should assess whether their compliance program encourages employees to self-report, and ensure their programs are up-to-date with respect to data access and analytics.
We will continue to closely monitor the application of the updated ECCP and its impact on global business and compliance. Our White Collar Defense and Investigations practice group includes former federal prosecutors and senior officials from the DOJ’s Criminal Division, Foreign Corrupt Practices Unit, the Securities and Exchange Commission’s Division of Enforcement, and US Attorney’s Offices throughout the country who have deep experience in all aspects of the DOJ and SEC investigations and enforcement actions. For more information regarding this client alert, do not hesitate to contact the authors or other members of our White Collar Defense and Investigations practice group.
1 Office of Public Affairs | Principal Deputy Assistant Attorney General Nicole M. Argentieri Delivers Remarks at the Society of Corporate Compliance and Ethics 23rd Annual Compliance & Ethics Institute (September 23, 2024), https://www.justice.gov/opa/speech/principal-deputy-assistant-attorney-general-nicole-m-argentieri-delivers-remarks-society.
2 U.S. Department of Justice Criminal Division Evaluation of Corporate Compliance Programs, available here https://www.justice.gov/criminal/criminal-fraud/page/file/937501/dl.
3 Deputy Attorney General Lisa Monaco Delivers Keynote Remarks at the American Bar Association’s 39th National Institute on White Collar Crime (March 7, 2024), https://www.justice.gov/opa/speech/deputy-attorney-general-lisa-monaco-delivers-keynote-remarks-american-bar-associations. Office of Public Affairs | Deputy Attorney General Lisa Monaco Delivers Keynote Remarks at the American Bar Association’s 39th National Institute on White Collar Crime | United States Department of Justice
4 For discussion of the Corporate Whistleblower Awards Pilot Program, see our previous alert: https://www.klgates.com/Department-of-Justice-Launches-First-Of-Its-Kind-Corporate-Whistleblower-Awards-Program-8-5-2024.
5 U.S. Dep’t of Just., Just. Manual, § 9-47.120(2)© (2024), https://www .justice.gov/criminal-fraud/file/1562831/download; U.S. Sent’g Guidelines Manual § 8B2.1(c) (U.S. Sent’g Comm’n 2023).