DOJ Updates Its Guidance on Corporate Compliance Programs, with an Emphasis on AI and Whistleblowers

Key Takeaways

• On September 23, 2024, the Criminal Division of the U.S. Department of Justice (DOJ) revised its Evaluation of Corporate Compliance Programs or ECCP (the “September 2024 ECCP”).
• The September 2024 ECCP includes significant revisions in three areas since the last update in March 2023: (1) mitigating the risks of artificial intelligence (AI) and other emerging technologies; (2) encouraging whistleblowing; and (3) ensuring compliance personnel and tools have adequate access to data to carry out their functions.
• Principal Deputy Assistant Attorney General (PDAAG) for the Criminal Division Nicole Argentieri highlighted these revisions in remarks the same day the September 2024 ECCP was released.
• The September 2024 ECCP’s guidance on the importance of encouraging employees to report misconduct comes a month after DOJ announced a new Corporate Whistleblower Awards Pilot Program.

Background

The ECCP is intended to assist federal prosecutors in determining whether a corporation’s compliance program was effective at the time of the alleged offense(s) and, if not, what type of enforcement, monetary penalty, and mandatory compliance obligations are appropriate. The ECCP incorporates a topic-and-question format to guide prosecutors’ decision-making. In practice, the ECCP is as much a guide for prosecutors as it is for corporations intent on ensuring robust compliance and avoiding prosecution.

DOJ’s Criminal Division Fraud Section published the original ECCP in February 2017. Since then, the ECCP has undergone periodic revisions, in April 2019 (when it was expanded to apply to the entire Criminal Division), June 2020 (expanding guidance on acquisitions, utilizing data, and ensuring adequate resourcing), and March 2023 (adding guidance on the use of personal devices, communications platforms, and messaging applications, including ephemeral messaging applications). With each update, DOJ has expanded the number of issues companies are advised to address in their compliance programs to keep up with legal developments and new and emerging technologies. The September 2024 ECCP is a continuation of this trend.

Key Updates

Artificial Intelligence and Other Emerging Technologies

Addressing the advent of AI has been a focus for DOJ and, in particular, Deputy Attorney General (DAG) Lisa Monaco over the last year. In February 2024, DAG Monaco described AI as “a double-edged sword” and announced that federal prosecutors will seek harsher sentences for crimes “made significantly more dangerous” by the use of AI. In March 2024, she directed the Criminal Division to incorporate the risks of AI and other “disruptive technologies” into the ECCP.

The September 2024 ECCP answers this call by including a number of guiding questions related to AI and emerging technologies, including the following:

• Is management of risks related to use of AI and other new technologies integrated into broader enterprise risk management (ERM) strategies?
• How is the company curbing any potential negative or unintended consequences resulting from the use of technologies, both in its commercial business and in its compliance program?
• How is the company mitigating the potential for deliberate or reckless misuse of technologies, including by company insiders?
• To the extent that the company uses AI and similar technologies in its business or as part of its compliance program, are controls in place to monitor and ensure its trustworthiness, reliability, and use in compliance with applicable law and the company’s code of conduct?
• Do controls exist to ensure that the technology is used only for its intended purposes?
• What baseline of human decision-making is used to assess AI?
• How is accountability over use of AI monitored and enforced?
• How does the company train its employees on the use of emerging technologies such as AI?

In her recent remarks, PDAAG Argentieri gave the specific example of whether companies have in place compliance controls and tools to combat “criminal schemes enabled by new technology, such as false approvals and documentation generated by AI.”

Relying on Office of Management and Budget (OMB) Memo M-24-10, the September 2024 ECCP defines AI to include, inter alia, any system that “can learn from experience and improve performance when exposed to data sets” or is “designed to approximate a cognitive task.” DOJ adds that “no system should be considered too simple to qualify as a covered AI system due to a lack of technical complexity,” but clarifies that, for the purposes of the ECCP, AI does not include “robotic process automation or other systems whose behavior is defined only by human-defined rules or that learn solely by repeating an observed practice exactly as it was conducted.”

The September 2024 ECCP advises companies to conduct risk assessments of their use of new and emerging technologies and cites the January 2023 National Institute of Standards and Technology (NIST) AI Risk Management Framework as a resource.

Whistleblowers

In August 2024, DAG Monaco announced DOJ’s Corporate Whistleblower Awards Pilot Program, which seeks to incentivize individuals to report allegations of misconduct to DOJ’s Criminal Division. The September 2024 ECCP builds on this initiative by emphasizing companies’ commitment to whistleblower protection and anti-retaliation policies as a factor prosecutors should consider. New guiding questions include the following:

• Does the company encourage and incentivize reporting of potential misconduct or violation of company policy?
• Does the company use practices that tend to chill such reporting?
• Does the company train employees on internal reporting systems as well as external whistleblower programs and regulatory regimes?

PDAAG Argentieri said prosecutors will assess companies’ “treatment of employees who report misconduct” and whether companies have demonstrated that there is “no tolerance for retaliation.”

Access to Data

The September 2024 ECCP also emphasizes the importance of ensuring compliance personnel have timely access to “all relevant data sources” to carry out compliance functions. The updated ECCP focuses on companies’ use of data analytics in compliance, asking questions such as:

• Is the company appropriately leveraging data analytics tools to create efficiencies in compliance operations and measure the effectiveness of components of compliance programs?
• How is the company managing the quality of its data sources?
• How is the company measuring the accuracy, precision, or recall of any data analytics models it is using?

These questions relate to the September 2024 ECCP’s AI-related revisions. To the extent companies are using AI in compliance, they should ensure such AI tools are trained and acting on sound and comprehensive data inputs and continually tested for accuracy.

Additional Updates

Lessons Learned

As PDAAG Argentieri highlighted in her recent remarks, the September 2024 ECCP also expands on prior guidance that companies should incorporate into their compliance programs not only the lessons learned from their own prior misconduct, but also the compliance issues faced by other companies “operating in the same industry and/or geographical region.” This guidance underscores the need for companies to continually monitor enforcement actions and trends in order to enhance and improve their risk assessments, policies, and trainings.

Mergers and Acquisitions (M&A)

The September 2024 ECCP also includes limited updates to its M&A section. Of note, it asks whether companies have a plan for “implementing and/or integrating a compliance program post-transaction” and advises that companies should conduct post-acquisition audits of newly acquired entities.

Proportional Resources

As companies invest in new technologies like AI to grow their businesses, DOJ also wants to ensure they continue to invest in compliance. The September 2024 ECCP cautions against “an imbalance between the technology and resources used by the company to identify and capture market opportunities and the technology and resources used to detect and mitigate risks.”

Third-Party Risks

DOJ also expanded its guidance on third-party risk management, emphasizing that companies should review vendors in a timely manner and leverage available data to continuously evaluate vendor risk.

Conclusion

The September 2024 ECCP makes clear that now is the time for companies to invest in addressing the compliance risks of emerging technologies like AI and ensuring that compliance programs receive the same technology investments as business initiatives. It also underscores DOJ’s continued commitment to facilitating corporate environments conducive to whistleblowing and its expectation that companies actively monitor relevant developments and proactively update and expand their compliance programs. Companies should take note of these updates and review and revise their compliance policies and procedures accordingly.