DOJ Updates Its Evaluation of Corporate Compliance Programs to Address New Technologies, Reinforce Promoting a “Speak Up” Culture, and Ensure Data Transparency
Monday, September 30, 2024

On September 23, 2024, Principal Deputy Assistant Attorney General Nicole M. Argentieri announced updates to the U.S. Department of Justice’s (“DOJ”) guidance relative to its Principles of Federal Prosecution of Business Organizations through the Evaluation of Corporate Compliance Programs (“ECCP”).

The ECCP is “meant to assist prosecutors in making informed decisions as to whether, and to what extent, the corporation’s compliance program was effective at the time of [an offense under investigation], and is effective at the time of a charging decision or resolution, for purposes of determining the appropriate (1) form of any resolution or prosecution; (2) monetary penalty, if any; and (3) compliance obligations contained in any corporate criminal resolution (e.g., monitorship or reporting obligations)” with DOJ.

The ECCP was updated last year with new policies relating to a corporation’s access to and retention of employee electronic communications as well as a company’s compensation structure for executives and employees. This year’s updates focus on three new policies regarding evaluations of:

  1. How companies are assessing and managing risk related to the use of new technology such as artificial intelligence (“AI”);
  2. Companies’ “speak up” cultures; and
  3. Compliance programs’ appropriate access to data, including to assess their own effectiveness.

Assessing and Managing Risk Associated with New Technologies, Like AI

The new additions to the ECCP focus on how companies assess and manage risks associated with new technologies, such as AI. Argentieri explained that “[u]nder the ECCP, prosecutors will consider the technology that a company and its employees use to conduct business, whether the company has conducted a risk assessment of the use of that technology, and whether the company has taken appropriate steps to mitigate any risk associated with the use of that technology.” Best practices call for companies to regularly perform risk assessments and to take steps toward mitigating identified risks. Now, DOJ is explicitly focusing on risks presented by emerging technologies and evaluating how companies address those risks, both in their businesses and in their compliance programs.

Additionally, Argentieri noted that DOJ wants to know “whether the company is monitoring and testing its technology to evaluate if it is functioning as intended and consistent with the company’s code of conduct.” Accordingly, companies should be aware that when determining an appropriate resolution of an investigation, DOJ will ask the following questions:

  • Does the company have a process for identifying and managing emerging internal and external risks that could potentially impact the company’s ability to comply with the law, including risks related to the use of new technologies?
  • How does the company assess the potential impact of new technologies, such as AI, on its ability to comply with criminal laws?
  • Is management of risks related to use of AI and other new technologies integrated into broader enterprise risk management strategies?
  • What is the company’s approach to governance regarding the use of new technologies such as AI in its commercial business and in its compliance program?
  • How is the company curbing any potential negative or unintended consequences resulting from the use of technologies, both in its commercial business and in its compliance program?
  • How is the company mitigating the potential for deliberate or reckless misuse of technologies, including by company insiders?
  • To the extent that the company uses AI and similar technologies in its business or as part of its compliance program, are controls in place to monitor and ensure its trustworthiness, reliability, and use in compliance with applicable law and the company’s code of conduct?
  • Do controls exist to ensure that the technology is used only for its intended purposes?
  • What baseline of human decision-making is used to assess AI?
  • How is accountability over use of AI monitored and enforced?
  • How does the company train its employees on the use of emerging technologies such as AI?

In short, the questions posed in the ECCP underscore the importance of companies developing a data and technology governance structure within the organization, as well as policies, procedures, and trainings to help ensure employees’ compliant use of new technology well before an issue with DOJ ever arises.

Evaluating Companies’ “Speak Up” Cultures

Under the revised ECCP, when determining an appropriate resolution of an investigation, prosecutors will evaluate a company’s policies, training, and treatment of employees who report misconduct to assess a company’s commitment to whistleblower protection and anti-retaliation. Argentieri stated that prosecutors “will evaluate whether companies ensure that individuals who suspect misconduct know how to report it and feel comfortable doing so including by showing that there is no tolerance for retaliation.” This focus on whistleblower protection and anti-retaliation is not new to prosecutors, as DOJ’s recently launched Corporate Whistleblower Awards Pilot Program made clear that any retaliation from an employer against a whistleblower will be taken into account when assessing whether a company cooperated with or obstructed DOJ’s investigation. Specifically, the ECCP asks the following of a company’s commitment to whistleblower protection and anti-retaliation:

  • Does the company have an anti-retaliation policy?
  • Does the company train employees on both internal anti-retaliation policies and external anti-retaliation and whistleblower protection laws?
  • To the extent that the company disciplines employees involved in misconduct, are employees who reported internally treated differently than others involved in misconduct who did not?
  • Does the company train employees on internal reporting systems as well as external whistleblower programs and regulatory regimes?

Ensuring Compliance Programs’ Access to Data

In determining an appropriate resolution of an investigation, the updated ECCP also asks DOJ prosecutors to assess whether the company’s compliance program has appropriate access to data, including to assess its own effectiveness. This is the latest move by DOJ to incentivize companies to make the necessary investments into their compliance programs to ensure their effectiveness, and builds on a DOJ policy implemented in 2022, which asks prosecutors to consider whether a Chief Executive Officer and/or a Chief Compliance Officer of a company should be required to certify that a company’s compliance program is “reasonably designed and implemented” as part of a resolution with DOJ. Now, Argentieri explained, DOJ will evaluate “whether companies are putting the same resources and technology into gathering and leveraging data for compliance purposes that they are using in their business.” Therefore, companies should be prepared to address the following questions posed in the ECCP regarding access to data:

  • Do compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions?
  • Do any impediments exist that limit or delay access to relevant sources of data and, if so, what is the company doing to address the impediments?
  • Do compliance personnel have knowledge of and means to access all relevant data sources in a reasonably timely manner?
  • Is the company appropriately leveraging data analytics tools to create efficiencies in compliance operations and measure the effectiveness of components of compliance programs?
  • How is the company managing the quality of its data sources?
  • How is the company measuring the accuracy, precision, or recall of any data analytics models it is using?

***

While the ECCP is a guidance document for DOJ’s Criminal Division, companies would do well to proactively utilize the ECCP as a resource for developing and maintaining their compliance programs as it will also be likely to influence the resolution of civil and administrative enforcement matters. Between the qui tam provisions of the False Claims Act, DOJ’s new Corporate Whistleblower Rewards Pilot Program, and various federal and state whistleblower programs, potential whistleblowers are highly incentivized to report alleged misconduct or noncompliance. For example, in one of its highest whistleblower awards ever, the Internal Revenue Service recently collected a settlement of $263 million and awarded an anonymous whistleblower $74 million. Similarly, on September 23, the Commodity Futures Trading Commission issued four separate whistleblower awards (the most ever in a single day) which totaled $4.5 million to seven whistleblowers. And in late August, the Securities and Exchange Commission (“SEC”) issued four separate awards totaling $122 million ($98 million relating to one enforcement action and $24 million related to a separate enforcement action) to whistleblowers whose information and assistance led to enforcement actions by the SEC and other agencies. The updated ECCP makes it even clearer how crucial it is for companies to manage risk by continually monitoring, evaluating, and updating their compliance programs to ensure they can efficiently and satisfactorily address any potential issues well before problems arise.
