DOJ Updates Its Guidance on Corporate Compliance Programs, with an Emphasis on AI and Whistleblowers

26 Sep 2024
Client Alert

Key Takeaways

  • On September 23, 2024, the Criminal Division of the U.S. Department of Justice (DOJ) revised its Evaluation of Corporate Compliance Programs or ECCP (the “September 2024 ECCP”).
  • The September 2024 ECCP includes significant revisions in three areas since the last update in March 2023: (1) mitigating the risks of artificial intelligence (AI) and other emerging technologies; (2) encouraging whistleblowing; and (3) ensuring compliance personnel and tools have adequate access to data to carry out their functions.
  • Principal Deputy Assistant Attorney General (PDAAG) for the Criminal Division Nicole Argentieri highlighted these revisions in remarks the same day the September 2024 ECCP was released.
  • The September 2024 ECCP’s guidance on the importance of encouraging employees to report misconduct comes a month after DOJ announced a new Corporate Whistleblower Awards Pilot Program.

Background

The ECCP is intended to assist federal prosecutors in determining whether a corporation’s compliance program was effective at the time of the alleged offense(s) and, if not, what type of enforcement, monetary penalty, and mandatory compliance obligations are appropriate. The ECCP incorporates a topic-and-question format to guide prosecutors’ decision-making. In practice, the ECCP is as much a guide for prosecutors as it is for corporations intent on ensuring robust compliance and avoiding prosecution.

DOJ’s Criminal Division Fraud Section published the original ECCP in February 2017. Since then, the ECCP has undergone periodic revisions, in April 2019 (when it was expanded to apply to the entire Criminal Division), June 2020 (expanding guidance on acquisitions, utilizing data, and ensuring adequate resourcing), and March 2023 (adding guidance on the use of personal devices, communications platforms, and messaging applications, including ephemeral messaging applications). With each update, DOJ has expanded the number of issues companies are advised to address in their compliance programs to keep up with legal developments and new and emerging technologies. The September 2024 ECCP is a continuation of this trend.

Key Updates

Artificial Intelligence and Other Emerging Technologies

Addressing the advent of AI has been a focus for DOJ and, in particular, Deputy Attorney General (DAG) Lisa Monaco over the last year. In February 2024, DAG Monaco described AI as “a double-edged sword” and announced that federal prosecutors will seek harsher sentences for crimes “made significantly more dangerous” by the use of AI. In March 2024, she directed the Criminal Division to incorporate the risks of AI and other “disruptive technologies” into the ECCP.

The September 2024 ECCP answers this call by including a number of guiding questions related to AI and emerging technologies, including the following:

  • Is management of risks related to use of AI and other new technologies integrated into broader enterprise risk management (ERM) strategies?
  • How is the company curbing any potential negative or unintended consequences resulting from the use of technologies, both in its commercial business and in its compliance program?
  • How is the company mitigating the potential for deliberate or reckless misuse of technologies, including by company insiders?
  • To the extent that the company uses AI and similar technologies in its business or as part of its compliance program, are controls in place to monitor and ensure its trustworthiness, reliability, and use in compliance with applicable law and the company’s code of conduct?
  • Do controls exist to ensure that the technology is used only for its intended purposes?
  • What baseline of human decision-making is used to assess AI?
  • How is accountability over use of AI monitored and enforced?
  • How does the company train its employees on the use of emerging technologies such as AI?

In her recent remarks, PDAAG Argentieri gave the specific example of whether companies have in place compliance controls and tools to combat “criminal schemes enabled by new technology, such as false approvals and documentation generated by AI.”

Relying on Office of Management and Budget (OMB) Memo M-24-10, the September 2024 ECCP defines AI to include, inter alia, any system that “can learn from experience and improve performance when exposed to data sets” or is “designed to approximate a cognitive task.” DOJ adds that “no system should be considered too simple to qualify as a covered AI system due to a lack of technical complexity,” but clarifies that, for the purposes of the ECCP, AI does not include “robotic process automation or other systems whose behavior is defined only by human-defined rules or that learn solely by repeating an observed practice exactly as it was conducted.”

The September 2024 ECCP advises companies to conduct risk assessments of their use of new and emerging technologies and cites the January 2023 National Institute of Standards and Technology (NIST) AI Risk Management Framework as a resource.

Whistleblowers

In August 2024, DAG Monaco announced DOJ’s Corporate Whistleblower Awards Pilot Program, which seeks to incentivize individuals to report allegations of misconduct to DOJ’s Criminal Division. The September 2024 ECCP builds on this initiative by emphasizing companies’ commitment to whistleblower protection and anti-retaliation policies as a factor prosecutors should consider. New guiding questions include the following:

  • Does the company encourage and incentivize reporting of potential misconduct or violation of company policy?
  • Does the company use practices that tend to chill such reporting?
  • Does the company train employees on internal reporting systems as well as external whistleblower programs and regulatory regimes?

PDAAG Argentieri said prosecutors will assess companies’ “treatment of employees who report misconduct” and whether companies have demonstrated that there is “no tolerance for retaliation.”

Access to Data

The September 2024 ECCP also emphasizes the importance of ensuring compliance personnel have timely access to “all relevant data sources” to carry out compliance functions. The updated ECCP focuses on companies’ use of data analytics in compliance, asking questions such as:

  • Is the company appropriately leveraging data analytics tools to create efficiencies in compliance operations and measure the effectiveness of components of compliance programs?
  • How is the company managing the quality of its data sources?
  • How is the company measuring the accuracy, precision, or recall of any data analytics models it is using?

These questions relate to the September 2024 ECCP’s AI-related revisions. To the extent companies are using AI in compliance, they should ensure such AI tools are trained and acting on sound and comprehensive data inputs and continually tested for accuracy.

Additional Updates

Lessons Learned

As PDAAG Argentieri highlighted in her recent remarks, the September 2024 ECCP also expands on prior guidance that companies should incorporate into their compliance programs not only the lessons learned from their own prior misconduct, but also the compliance issues faced by other companies “operating in the same industry and/or geographical region.” This guidance underscores the need for companies to continually monitor enforcement actions and trends in order to enhance and improve their risk assessments, policies, and trainings.

Mergers and Acquisitions (M&A)

The September 2024 ECCP also includes limited updates to its M&A section. Of note, it asks whether companies have a plan for “implementing and/or integrating a compliance program post-transaction” and advises that companies should conduct post-acquisition audits of newly acquired entities.

Proportional Resources

As companies invest in new technologies like AI to grow their businesses, DOJ also wants to ensure they continue to invest in compliance. The September 2024 ECCP cautions against “an imbalance between the technology and resources used by the company to identify and capture market opportunities and the technology and resources used to detect and mitigate risks.”

Third-Party Risks

DOJ also expanded its guidance on third-party risk management, emphasizing that companies should review vendors in a timely manner and leverage available data to continuously evaluate vendor risk.

Conclusion

The September 2024 ECCP makes clear that now is the time for companies to invest in addressing the compliance risks of emerging technologies like AI and ensuring that compliance programs receive the same technology investments as business initiatives. It also underscores DOJ’s continued commitment to facilitating corporate environments conducive to whistleblowing and its expectation that companies actively monitor relevant developments and proactively update and expand their compliance programs. Companies should take note of these updates and review and revise their compliance policies and procedures accordingly.

We are Morrison Foerster — a global firm of exceptional credentials. Our clients include some of the largest financial institutions, investment banks, and Fortune 100, technology, and life sciences companies. Our lawyers are committed to achieving innovative and business-minded results for our clients, while preserving the differences that make us stronger.
