On September 23, 2024, the Criminal Division of the U.S. Department of Justice (“DOJ”) released a revised version of its Evaluation of Corporate Compliance Programs guidance (“September 2024 Guidance”),1 which was last updated in March 2023.
The latest guidance covers three primary areas of ongoing interest for the DOJ: (1) how companies are identifying and mitigating emerging risks related to new technologies, including artificial intelligence (AI); (2) how companies are encouraging employees to report misconduct; and (3) whether there are appropriate resources and access to data allowing companies to measure the effectiveness of their compliance programs.
The Evaluation of Corporate Compliance Programs guidance serves as a roadmap for prosecutors and corporations, setting forth factors and questions for evaluating the effectiveness of a company’s compliance program. These considerations aid prosecutors in determining whether and to what extent a company should be penalized in connection with a resolution or criminal investigation. While the guidance is aimed at assisting DOJ prosecutors, the head of DOJ’s Criminal Division recently described the guidance as an “invaluable resource for companies,” providing companies a useful tool for developing, implementing, and reviewing their own compliance programs.
DOJ has identified the fundamental elements that it looks for when assessing whether a company’s compliance program is well designed, adequately resourced, and effective. These elements cover:
- Risk Assessments
- Policies and Procedures
- Training and Communication
- Confidential Reporting and Investigation Process
- Third Party Management
- Mergers & Acquisitions
- Commitment by Senior and Middle Management
- Autonomy and Resources
- Compensation Structures and Consequence Management
- Continuous Improvement, Periodic Testing and Review
- Investigations of Misconduct
- Analysis and Remediation of Underlying Misconduct
The most recent revisions to the guidance echo the DOJ’s continued focus on regular testing, review, and updating of a company’s compliance program to account for evolving and emerging risks that the company may face. The DOJ now also looks at how companies are incorporating lessons learned, from their own prior issues or from those of other companies, into the design of their compliance programs, including policies and procedures as well as training and communication.
Emerging Risks and New Technologies
The DOJ’s emphasis on emerging risks in the September 2024 Guidance focuses on new technologies, notably the use of AI. The DOJ now asks whether a company has conducted a risk assessment as well as deployed risk mitigating measures to address the company’s use of new technologies. Going forward, prosecutors will consider how companies address the potential impact of the use of new technologies on a company’s ability to comply with applicable criminal laws as well as how companies are managing the risks posed by new technologies, such as AI, and the potential negative or unintended consequences. The DOJ will also look to how a company is monitoring its use of AI and what internal controls a company has implemented, such as training mechanisms, to ensure that AI is being used by employees solely for its intended purpose.
These measures come on the heels of Deputy Attorney General Lisa Monaco’s remarks in March 2024 at the American Bar Association’s 39th National Institute on White Collar Crime, where Deputy Attorney General Monaco announced that the DOJ will pursue heftier penalties when AI is deliberately misused to perpetuate white collar crime, and also directed the Criminal Division to incorporate an assessment of the risks posed by new and emerging technologies in the Evaluation of Corporate Compliance Programs guidance.2
Reporting
In August 2024, the Criminal Division of the DOJ launched the Corporate Whistleblower Awards Pilot Program (“Whistleblower Pilot Program”), an initiative designed to detect and prosecute corporate crime.3 The Pilot Program incentivizes the reporting of misconduct by making whistleblowers who come forward with truthful information potentially eligible for an award. To fall under the Pilot Program, the information reported must relate to certain defined areas of misconduct, including: (1) crimes involving financial institutions; (2) foreign corruption involving companies; (3) domestic corruption involving companies; or (4) health care fraud schemes involving private insurance plans.
The September 2024 Guidance now incorporates specific questions around whistleblower protections, including whether a company maintains an anti-retaliation policy, how a company is incentivizing its employees to report potential misconduct, and whether employees involved in the misconduct who report are treated differently compared to those employees who were also involved and did not report. Conversely, the DOJ now asks companies to consider whether they have any practices that may have the effect of chilling an employee’s decision or willingness to report. Further, under the September 2024 Guidance, the DOJ will assess a company’s internal controls and training around anti-retaliation and reporting mechanisms to evaluate how a company ensures that its employees feel comfortable in raising concerns and know how to do so.
Resources and Access to Data
The September 2024 Guidance also includes considerations around resources and access to data. Specifically, the DOJ now asks not just whether compliance personnel have access to the relevant data, but whether they also have knowledge of and the means to timely access those relevant data sources. In addition, the September 2024 Guidance asks how companies are measuring the accuracy and efficacy of the data analytics models they may be using.
Regarding resources, the DOJ has raised new questions around how assets, resources, and technology made available for compliance and risk mitigation purposes compare to what is utilized across other core company functions, including whether there is a disparate allocation or imbalance.
Takeaways
Companies should assess the risks posed by the use of new and emerging technologies, including AI, and determine whether existing compliance policies sufficiently address that risk. Compliance policies should also address whistleblower protections and detail treatment for those who report misconduct. DOJ’s expectation is that compliance personnel have access to equivalent or reasonably similar resources as other key company functions and teams.
The September 2024 Guidance provides valuable insight for companies into the DOJ’s evolving and expanding expectations regarding corporate compliance programs as well as what companies should consider when assessing and evaluating whether their corporate compliance programs align with those expectations.
1 https://www.justice.gov/criminal/criminal-fraud/page/file/937501/dl?inline.
2 https://www.justice.gov/opa/speech/deputy-attorney-general-lisa-monaco-delivers-keynote-remarks-american-bar-associations.
3 https://www.justice.gov/criminal/media/1362321/dl?inline.