On September 23, 2024, Principal Deputy Assistant Attorney General Nicole Argentieri announced that the US Department of Justice (DOJ) had issued updated guidance to federal prosecutors in its “Evaluation of Corporate Compliance Programs” (ECCP). The 2024 ECCP both affirms themes DOJ has emphasized in recent years and brings a new focus to companies’ management of risks associated with emerging technologies, including artificial intelligence.
At a high level, the guidance instructs that an effective compliance program must:
- Consider risks associated with emerging technologies like artificial intelligence (AI), both in commercial operations and the compliance program itself;
- Conduct appropriate risk assessments and implement compliance programs after a merger or acquisition;
- Include robust whistleblower protections; and
- Be accessible and adequately resourced.
Below, we discuss the background of the ECCP, the updates, and their implications.
The ECCP is meant to inform prosecutors’ evaluation of companies’ compliance programs in connection with charging decisions and penalty determinations, and focuses on three key issues: whether the program is (1) well designed; (2) applied earnestly and in good faith, with adequate resourcing and empowerment; and (3) actually working in practice. Though directed at prosecutors, the ECCP is a valuable resource for companies in developing, implementing, and reviewing their own compliance programs to ensure they are adequate and aligned with regulatory expectations. Significantly, this assessment is of the compliance program at both the time of the misconduct and the time of resolution.
Accounting for AI
In March of this year, Deputy Attorney General Lisa Monaco foreshadowed DOJ’s increasing efforts to combat AI abuse, warning of the Department’s intent to seek stiffer sentences for criminals who rely on generative technology to advance their misconduct. The 2024 ECCP marks another element of this effort, instructing prosecutors to consider how companies are engaging with and accounting for emerging technology, especially AI.
Argentieri explained that “[p]rosecutors will consider the technology that a company and its employees use to conduct business, whether the company has conducted a risk assessment of the use of that technology, and whether the company has taken appropriate steps to mitigate any risk.” For example, prosecutors are instructed to consider whether the company is vulnerable to criminal schemes enabled by new technology, such as false approvals and documentation generated by AI.
The DOJ will also look at how a company is monitoring its use of AI and what internal controls a company has implemented to ensure that employees are using AI solely for its intended purpose. The ECCP instructs prosecutors to consider how the company uses AI as part of its compliance system that detects internal fraud and other wrongdoing, including asking, “what baseline of human decision-making is used to assess AI,” how such accountability is monitored and enforced and how the company trains employees on AI and other emerging technologies. Relatedly, compliance programs should be integrated into the business in such a way that the programs can seamlessly adapt to new technologies or commercial transactions.
It is worth noting that this increased federal scrutiny of AI comes at a time when California’s Governor Gavin Newsom on September 29 vetoed a first-of-its-kind AI safety bill, which would have required safety testing of large AI systems, or models, before their release to the public. The bill would also have given the state’s attorney general the right to sue companies over serious harm caused by their technologies, like death or property damage, and mandated a kill switch to turn off AI systems in case of potential biowarfare, mass casualties or property damage.
Monitoring Mergers
Diligence in mergers and acquisitions is another throughline in the Department’s priorities. The 2023 ECCP called for evaluation of a company’s process for implementing compliance policies and procedures, and conducting post-acquisition diligence, at an acquired entity. In November 2023, we discussed the Department’s new M&A Safe Harbor Policy under which an acquiring company has six months to self-report misconduct at an acquired entity without fear of prosecution, reinforcing the importance of these elements. The 2024 ECCP advances the ball by asking what role the compliance and risk management functions have in planning and carrying out the integration process, how the company ensures compliance oversight of the acquired business and how the new business is integrated into the company’s risk assessment procedures.
Transparency Through Technology
While adequate resourcing of compliance programs has long been an issue in DOJ’s review of corporate compliance programs, the 2024 ECCP focuses on access to company data, asking whether compliance personnel have access to all relevant data sources to empower their function. The update also touches on the use of “data analytics tools” both in operation of the compliance program and to assess its efficacy, indicating for the first time an expectation that companies should be using data analytics to proactively identify misconduct or compliance program failures.
While the current trend in compliance data analytics is geared towards more complex AI or machine learning tools, there remain simple analytical systems that can prove to be just as effective for certain risks. As companies advance in this area, compliance professionals will need to be increasingly competent in assessing the right technological tool and avoid being overly enamored with nascent technology.
Watching Out for Whistleblowers
The 2024 ECCP also doubles down on DOJ’s attention to confidential reporting systems. This update expects, for the first time, an anti-retaliation policy and consideration of the likely impact of business actions on whistleblowing within the organization. Larger organizations are likely to already have appropriate policies and metrics in place, but smaller organizations will need to consider what additional measures to assess the efficacy of internal reporting are proportionate to the risks that the organization faces.
The focus on whistleblowing is a clear reminder that the DOJ wants to leverage whistleblowing to uncover corporate misconduct. And, indeed, this focus is evident in various DOJ pilot programs.
Pilot Program Progress
Argentieri also provided an update on two Criminal Division pilot programs: the Compensation Incentives and Clawbacks pilot program and the Corporate Whistleblower Awards pilot program. These programs follow the recent rollout of voluntary self-disclosure and whistleblower programs at Main Justice and in United States Attorneys’ Offices around the country.
- Announced as a three-year pilot in March 2023, the Compensation Clawback pilot program has two parts. First, each corporate resolution now requires that the company include criteria related to compliance — both rewarding good conduct and deterring bad — in its compensation and bonus system. While the Department historically included similar language in some corporate resolutions, it is now mandatory in every Criminal Division resolution, including the nine since the program launched. Second, the Department will provide a fine reduction to companies that recoup or withhold compensation from culpable employees and others who had supervisory authority over the employees engaged in the misconduct and knew of, or were willfully blind to, the misconduct. Under this aspect of the program, companies will receive a fine reduction equal to the amount of the withheld compensation, and the Department will also factor it in when considering a company’s remediation. To date, two companies have received fine reductions under the pilot program, both in Foreign Corrupt Practices Act cases.
- The Corporate Whistleblower Awards pilot program (CWA) is a newer pilot, having only been up and running for a few weeks, but Argentieri reported that it is already generating quality tips. This program covers four priority areas of white collar enforcement that are not covered by an existing whistleblower program: (i) abuses of the financial system by financial institutions and insiders; (ii) foreign corruption and bribery schemes; (iii) domestic corruption; and (iv) health care schemes targeting private insurers. Under this program, a whistleblower who makes an internal report at their company will be eligible for an award if they report to the Department within 120 days of their internal report. Critically, making an internal report before reporting to the Department will increase the amount of a potential whistleblower award. In turn, companies that receive internal reports also have a powerful incentive to come forward.
- Recognizing that the CWA will change the calculus for companies considering whether to make a voluntary self-disclosure, the Department also announced an amendment to the Corporate Enforcement and Voluntary Self-Disclosure Policy (CEP). Now, where a company receives an internal whistleblower report and reports the misconduct to the Department within 120 days, and before the Department reaches out to the company, it will be eligible for the greatest benefit under the CEP — a presumption of a declination — so long as it fully cooperates and remediates. This is both a significant departure from Department practice and a significant benefit to companies because a company can qualify for a presumption of a declination even if the whistleblower comes to the Department first.