On September 23, 2024, the Criminal Division of the U.S. Department of Justice (DOJ) announced a number of updates to its Evaluation of Corporate Compliance Programs guidance (ECCP), designed to account for changing circumstances and new risks. Particularly notable aspects of the updates are (1) a focus on risks related to “emerging technology” such as artificial intelligence; (2) the DOJ’s continued emphasis on whistleblowers; and (3) the DOJ’s incorporation of concepts related to data and the use of data analytics.
The ECCP
Rightly described by DOJ Criminal Division head Nicole Argentieri in a speech announcing the updated ECCP as “an invaluable resource for companies,” the ECCP guides DOJ Criminal Division prosecutors’ assessments of the effectiveness of corporate compliance programs in the context of case charging and resolution decisions. The DOJ long has emphasized that it “does not use any rigid formula to assess the effectiveness of corporate compliance programs,” but the ECCP includes “common questions” that the DOJ “may ask in the course of making an individualized determination.” Those questions are grouped into three categories of “fundamental questions”:
- Is the corporation’s compliance program well designed?
- Is the program being applied earnestly and in good faith? In other words, is the program adequately resourced and empowered to function effectively?
- Does the corporation’s compliance program work in practice?
The ECCP has been subject to a number of updates and revisions since it was originally issued in 2017, typically to incorporate new areas of focus for the Criminal Division, which has for many years led the DOJ’s corporate criminal enforcement efforts.
September 2024 ECCP Updates
The latest edition of the ECCP includes several tweaks to preexisting language, including the addition of language that encourages:
- A proactive (rather than a reactive) approach to risk management.
- Updating policies and procedures to incorporate lessons learned from prior company or comparable third-party experience.
- Incorporating lessons learned from similarly situated companies into training.
- Involvement of compliance and risk management functions in post-M&A integration.
- Evaluation of compliance and risk management resourcing relative to resourcing elsewhere in the company.
However, the most significant additions to the ECCP relate to three areas.
Emerging technology
Recognizing the rapid development and deployment of new technologies such as artificial intelligence (AI) by companies in a wide variety of industries, the updated ECCP instructs prosecutors to consider what “new and emerging technology” companies are using in conducting their business, whether (and how) companies have assessed the risk of such technology (e.g., how it could impact a company’s ability to comply with the law), and what companies have done “to mitigate any risk associated with” such technology.
The ECCP then includes a litany of potential follow-up questions for prosecutors to ask, such as: What governance structures has the company put in place for the use of new technologies such as AI in its commercial business, and what controls exist to ensure the technologies are only used for their intended purpose? What other steps has the company taken to curb any unintended negative consequences from the use of AI? If a company’s compliance program uses AI, what controls are in place “to monitor and ensure its trustworthiness, reliability, and use in compliance with applicable law”? How is the company training its employees on the use of AI and other emerging technologies?
In her speech, Argentieri cited as an example of the risk posed by emerging technology “whether the company is vulnerable to criminal schemes enabled by new technology, such as false approvals and documentation generated by AI.” In these AI-related updates to the ECCP, as elsewhere, the DOJ signals that it will inquire about these topics but does not prescribe specific one-size-fits-all measures companies must take. Rather, companies are generally expected to monitor and test their technology “to evaluate if it is functioning as intended and consistent with the company’s code of conduct.”
Whistleblower incentives and protection
The updated ECCP instructs prosecutors to consider the extent to which companies “encourage and incentivize” reporting of misconduct (or conversely, the extent to which companies “use practices that tend to chill such reporting”) as well as companies’ “commitment to whistleblower protection and anti-retaliation,” as demonstrated by how they actually treat employees who report misconduct. These additions are unsurprising, given the raft of policies issued by various components of the DOJ in recent months that are designed to incentivize – through monetary rewards or immunity – reporting of corporate wrongdoing by individuals (analyzed in prior Alston & Bird advisories, including here and here).
Use of data
Senior DOJ personnel have for several years emphasized the importance of companies deploying data analytics as part of effective compliance programs, and this emphasis is echoed in the updated ECCP, which instructs prosecutors to consider whether compliance personnel have access to relevant sources of data and how effectively companies are using data analytics in assessing the effectiveness of their compliance programs, as well as in their management of third-party relationships.
Attention to and Investments in Compliance Programs Remain Critical
Argentieri warned in her speech that companies should “[r]est assured, we take notice of companies that make the right choices and invest in and support effective compliance programs.” These updates to the ECCP reflect continued DOJ attention to and sophistication with compliance issues and are a powerful reminder of the importance of regular review, evaluation, and investment in companies’ compliance programs. Perhaps most notably, the updates reflect the DOJ’s expectation that compliance programs evolve in response to new risks, such as those presented by emerging technology like AI.
Prosecutors will expect companies to have “conducted a risk assessment regarding the use of [AI] … and … taken appropriate steps to mitigate any risk associated with the use of that technology.” Argentieri noted that “now is the time to make the necessary compliance investments to help prevent, detect, and remediate misconduct,” and the DOJ’s targeted and detailed updates to the ECCP leave no doubt that such attention to and investment in compliance will significantly increase companies’ ability to successfully navigate DOJ scrutiny, or better yet avoid it altogether.
You can subscribe to future advisories and other Alston & Bird publications by completing our publications subscription form.
If you have any questions, or would like additional information, please contact one of the attorneys with our White Collar, Government & Internal Investigations Team.