In a post published earlier this year, we highlighted the importance of proactively managing artificial intelligence (“AI”) risks as part of an effective compliance program. Specifically, we explored the key considerations for organizations to effectively navigate AI-related risks and enhance their compliance efforts. We also referenced Deputy Attorney General Lisa O. Monaco’s announcement incorporating an assessment of AI-related risks into its policy on Evaluation of Corporate Compliance Programs (“ECCP”).[1] On September 23, 2024, Principal Deputy Assistant Attorney General Nicole M. Argentieri announced that the U.S. Department of Justice (“DOJ”) updated the ECCP (“ECCP Update”) to guide federal prosecutors in analyzing how companies utilize new technologies, including AI, in their operations, and whether this use is accompanied by an appropriate assessment of the risks these technologies may present.[2] The revisions in the ECCP Update aim to “account for changing circumstances and new risks” posed by AI and other emerging technologies in compliance programs, reinforcing the DOJ’s commitment to corporate compliance in an evolving technological landscape.[3]
While the ECCP Update does not introduce significant changes, it clarifies the DOJ’s expectations for responsibly integrating AI, machine learning, and other innovations while maintaining legal compliance. The ECCP Update also provides insight into how prosecutors will evaluate a company’s efforts to prevent and address corporate misconduct as technology advances. The ECCP Update is an essential resource for companies looking to stay ahead of DOJ expectations as they incorporate AI and other emerging technologies into their operations.
In addition to managing risks related to emerging technology, the ECCP Update also includes notable revisions to the following areas: compliance monitoring and data analytics, whistleblower protections and reporting channels, and post-acquisition integration, which we discuss below.
Emerging Technology and Artificial Intelligence
The most noteworthy revision in the ECCP Update is its emphasis on AI and emerging technologies. Under the ECCP Update, prosecutors are now directed to evaluate a company’s use of AI, whether the company has conducted a risk assessment for the technology, and what measures have been put in place to mitigate any associated risks. The DOJ will scrutinize whether companies adequately assess the potential impact of AI on their ability to comply with legal and regulatory obligations. Additionally, the DOJ is particularly interested in whether the company is vulnerable to criminal schemes enabled by new technology. For example, the ECCP Update highlights concerns about AI potentially enabling misconduct, such as generating false approvals or documentation, and what safeguards companies have in place to prevent such risks.
Prosecutors will also examine the governance structures and controls a company has implemented regarding its use of AI. For example, prosecutors will consider how personnel decisions are integrated into AI, how accountability over AI is enforced, whether employee training on AI technologies is adequate, and whether the company has instituted processes to identify and mitigate risks of unintended or malicious AI activity.
Going forward, the DOJ will expect companies to include (i) stress-testing of AI applications to identify vulnerabilities; (ii) continuous monitoring of high-risk AI use cases; and (iii) documentation of risk mitigation efforts. This focus on documenting mitigation steps aligns with the DOJ’s broader compliance expectations, reinforcing the need for companies to assess and address AI-related risks proactively.
Compliance Monitoring, Data Analytics, and Operations
The ECCP Update also expands on the use of data analytics for compliance monitoring. Prosecutors are asked to evaluate whether companies are effectively utilizing relevant data sources for compliance and whether their compliance functions have sufficient access to necessary data. Prosecutors will assess whether companies allocate resources for compliance monitoring in proportion to their business operations and whether data analytics tools are being used effectively to identify compliance risks. Companies will need to show that their compliance functions are supported by tools that improve efficiency and effectiveness, with measurable metrics such as the commercial value of compliance investments, the quality of data sources, and the accuracy of data models.
Additionally, the DOJ will closely review resource allocation, particularly if there is a significant gap between the technology used for business operations and that for compliance. Any imbalance between high-tech business tools and outdated compliance systems could be seen unfavorably by the DOJ.
Strengthening Whistleblower Protections and Reporting Channels
Under the ECCP Update, prosecutors will consider whether companies are encouraging employees to speak up and report misconduct, reinforcing the importance of anti-retaliation, and ensuring employees are trained on both internal reporting mechanisms and external whistleblower protection laws and regulations.
Prosecutors should consider whether employees who report misconduct internally are treated differently from those who did not, especially when a company disciplines individuals involved in the wrongdoing.
The ECCP Update also asks whether companies incentivize employee reporting or, conversely, engage in practices that may deter reporting. Notably, these revisions in the ECCP Update follow the DOJ’s Corporate Whistleblower Awards Pilot Program[4] and amendments to its Corporate Enforcement and Voluntary Self-Disclosure Policy[5], both designed to incentivize the proactive reporting of misconduct. By enhancing scrutiny on whistleblower protections, the DOJ aims to ensure companies foster a culture of transparency and encourage employees to report potential compliance violations.
Post-Acquisition Compliance Integration
Another key area of focus in the ECCP Update relates to post-acquisition compliance. The DOJ has expanded its scrutiny of how acquiring companies implement compliance policies, conduct post-acquisition audits, and integrate acquired entities into existing risk assessment frameworks. These revisions align with the DOJ’s Safe Harbor Policy[6], which grants companies a presumptive six-month window post-acquisition to self-report potential compliance issues without fear of prosecution.
Under the ECCP Update, prosecutors will consider how the acquiring company’s compliance and risk management functions plan to carry out the integration, the extent of oversight provided to newly acquired businesses, and how effectively the compliance function incorporates the new business into its overall risk management framework.
Key Takeaways for Companies
The ECCP Update stresses the need for companies to invest in mitigating compliance risks associated with emerging technologies, ensuring that compliance programs receive equal attention and resources. It also highlights the DOJ’s ongoing commitment to fostering corporate environments that encourage whistleblowing, along with its expectation that companies stay informed about relevant developments and proactively enhance their compliance programs.
Companies should take these updates seriously and revise their compliance policies and procedures as needed. Failure to do so could result in increased scrutiny from federal prosecutors and potentially significant legal consequences. As such, companies should consider the following:
- Conduct AI Risk Assessments: ensure that the use of AI and other technologies is thoroughly assessed for risks, including those related to privacy, transparency, and compliance.
- Implement AI Controls: establish governance frameworks and controls to mitigate risks related to AI misuse, both intentional and inadvertent.
- Monitor AI Use: continuously monitor high-risk AI use cases to ensure ongoing compliance and address any performance deviations swiftly.
- Bolster Whistleblower Protections: reinforce internal reporting mechanisms, such as ensuring individuals can remain anonymous when reporting internally, as well as anti-retaliation policies and employee training on whistleblower protections.
- Integrate Acquisitions Effectively: develop robust post-acquisition compliance procedures to ensure that newly acquired entities are swiftly integrated into the broader compliance program.
[1] See our April 16, 2024 post “Navigating AI Risks: A Guide to Enhancing Corporate Compliance Programs”.
[2] U.S. Department of Justice, Office of Public Affairs, Principal Deputy Assistant Attorney General Nicole M. Argentieri Delivers Remarks at the Society of Corporate Compliance and Ethics 23rd Annual Compliance & Ethics Institute (September 23, 2024).
[3] U.S. Department of Justice, Evaluation of Corporate Compliance Programs (updated September 2024).
[4] U.S. Dep’t of Justice, Department of Justice Corporate Whistleblower Awards Pilot Program (2024), https://www.justice.gov/criminal/media/1362321/dl?inline.
[5] U.S. Att’y’s Off. E.D.N.Y., Press Release (July 26, 2022), https://www.justice.gov/usao-edny/press-release/file/1569406/dl.
[6] U.S. Dep’t of Justice, Deputy Attorney General Lisa O. Monaco Announces New Safe Harbor Policy for Voluntary Self-Disclosure (2023), https://www.justice.gov/opa/speech/deputy-attorney-general-lisa-o-monaco-announces-new-safe-harbor-policy-voluntary-self.