DOJ Highlights AI Risks and Whistleblower Protections in Revised Corporate Compliance Guidance | Foley & Lardner limited liability company

On Monday, September 23, the Department of Justice’s Criminal Division announced updates to its guidance on the Evaluation of Corporate Compliance Programs (“ECCP”). Principal Deputy Attorney General Nicole Argentieri also provided comments on the changes during a speech at the Society for Corporate Compliance and Ethics. The changes to the ECCP emphasize that an effective compliance program must:

  • Conduct appropriate risk assessments and implement compliance programs following a merger or acquisition;
  • Consider the risks associated with new technologies such as artificial intelligence (AI), both in commercial operations and in the compliance program itself;
  • Include robust whistleblower protection; and
  • Be available and adequately equipped with both financial and data resources.

We have provided a redline here comparing the previous version of ECCP (updated in March 2023) with the new version to reflect all changes. Below we provide background on the ECCP, summarize the changes and explain their implications.

ECCP guides the Department of Justice’s charging and adjudication decisions and encourages robust compliance programs

The Department of Justice is increasingly using ECCP as a key tool to encourage changes in corporate compliance programs. The ECCP instructs prosecutors on how they should evaluate corporate compliance programs when deciding whether to bring charges against a company and how to resolve cases, including the possibility of reducing penalties or even refusing to prosecute. As a result, ECCP helps companies understand the DOJ’s expectations for what the DOJ considers an “effective” compliance program.

The Department of Justice’s updated ECCP should be viewed in the context of the Department of Justice’s efforts to increase enforcement of “white-collar crime.” The Department of Justice continually reminds companies that it will use “every tool at its disposal” to pursue corporate crimes, both through broader incentives and higher expectations for companies. In March 2024, we discussed the potential impact on companies following comments by Deputy Attorney General Lisa Monaco regarding the Department of Justice’s inclusion of disruptive technologies such as artificial intelligence and ephemeral messaging in assessing corporate compliance activities. This emphasis is also reflected in the Department of Justice’s 2023 modifications to the Department of Corrections’ Corporate Enforcement and Voluntary Disclosure Policy, which addressed companies’ responsibilities for retaining materials through collaboration tools and ephemeral messaging platforms. Last month, we discussed the impact of the Department of Justice’s pilot whistleblower bounty program on internal corporate investigations and disclosure issues. At the same time, the Department of Justice launched an individual disclosure pilot program.

Changes to ECCP emphasize forward thinking and proactive compliance

This week’s ECCP updates demonstrate the Department of Justice’s desire to encourage progressive, dynamic compliance programs that deter unethical conduct. In the speech, Argentieri emphasized that well-resourced compliance departments mean companies “are better prepared to prevent, detect and get ahead of misconduct when it occurs.”(1) Here we highlight the key changes to the ECCP.

1. Risk assessment and compliance integration after mergers and acquisitions

The revised ECCP emphasizes the importance of effectively integrating a compliance program when companies engage in mergers, acquisitions or other transactions. Although the previous ECCP covered this issue briefly, the Department of Justice’s latest developments call for greater scrutiny of post-agreement compliance efforts. Companies should consider conducting a risk assessment of newly acquired branches and adapting policies and procedures to address the new risks.

2. The impact of new technologies on commercial activities and compliance

A key change in the revised ECCP is the direction to consider whether companies take into account the risks associated with new technologies, including artificial intelligence. This needs to be considered in two ways: Companies must adequately address the risks arising from the use of new technologies both in their commercial operations and in the compliance program itself. For example, companies should implement controls to prevent the misuse of commercial technologies by insiders, as well as controls to ensure the reliability and trustworthiness of the technology used in compliance monitoring. Companies should conduct risk assessments on the use of new technologies in their daily operations and compliance monitoring. Proper training in the use of artificial intelligence and other emerging technologies is an absolute minimum for an effective compliance program.

Companies should therefore have processes in place to update technology policies and procedures as new technologies emerge and evolve. Compliance programs should likewise be integrated with the business in such a way that they can seamlessly adapt to new technologies or commercial transactions. Such integration will require frequent assessments and risk monitoring to ensure that what sounds good on paper works in practice.

3. Whistleblower Policy

The revised ECCP strengthens guidance on whistleblower protection and anti-retaliation policies and practices. At a minimum, companies should have an anti-retaliation policy and train employees on internal and external reporting mechanisms and whistleblower protection laws. Whistleblowers must be protected and companies’ responses to reports of misconduct should demonstrate “no tolerance for retaliation”(2).

Companies must also investigate and respond to whistleblower reports in a timely manner, and reporting channels should be organized so that all potential compliance complaints reach the compliance department for appropriate investigation. As a result, companies should consider the Department of Justice’s whistleblower rewards pilot program and the incentives it offers for employees and companies to self-report wrongdoing.

4. Compliance Resources

Finally, the revised ECCP places greater emphasis on the allocation of resources to compliance programs. Prosecutors are advised to consider budgets for compliance programs, and businesses should consider adding commercial value to their compliance investments. The resources allocated to business capture should not be disproportionately greater than those allocated to compliance. Compliance programs should be adequately funded and staffed, and compliance officers should have access to the data and tools necessary to meaningfully assess a company’s compliance. Data analytics tools should also be used to assess the effectiveness of a company’s compliance program.

Taken together, the ECCP updates underscore the message the DOJ has been sending for many years: when it comes to regulatory compliance, companies should put their money where their mouth is. Declarations alone will not be seen as having an “effective” corporate compliance program.


(1) Nicole Argentieri, Remarks at Society of Corporate Compliance and Ethics 23rd Annual Compliance & Ethics Institute (September 23, 2024).

(2) Id.
