DOJ Updates Its Evaluation of Corporate Compliance Programs: Focus on AI and Emerging Technologies

The latest revisions to the DOJ's Evaluation of Corporate Compliance Programs (ECCP), announced on September 23, 2024, bring important updates that companies must consider to align their compliance programs with DOJ expectations. While not as extensive as the 2023 update, these changes carry significant implications.

Principal Deputy Assistant Attorney General Nicole M. Argentieri revealed the revisions during her speech at the Society of Corporate Compliance and Ethics Annual Compliance & Ethics Institute in Grapevine, Texas. The ECCP serves as a key framework for DOJ prosecutors assessing corporate compliance programs in enforcement decisions and is frequently referenced by companies aiming to strengthen their compliance measures.

Key Areas of Revision

The 2024 updates primarily focus on three critical areas:

1. AI and Emerging Technologies
The most notable change emphasizes the proactive identification and management of risks linked to emerging technologies, especially artificial intelligence (AI). The DOJ expects companies to adopt a forward-thinking approach to risk management rather than merely reacting to issues as they arise. Deputy Attorney General Lisa Monaco previously highlighted the potential for AI misuse and its implications for corporate criminal prosecutions, stating that compliance programs must address the risks associated with AI effectively.

Companies utilizing AI must ensure their compliance programs include:

• Comprehensive risk assessments documenting AI usage and associated risks, such as cybersecurity and bias.
• Sufficient human oversight for high-risk AI applications, compared against baseline human decision-making standards.
• Implementation of compliance tools to mitigate risks, including monitoring and testing technologies for accuracy.
• Ongoing evaluation of AI systems to ensure alignment with compliance standards and prompt correction of errors.

2. Emphasis on Data
The revisions underscore the significance of data in compliance efforts, promoting enhanced access for compliance personnel to company data for effective program assessment. DOJ's expectations now include the use of data analytics to measure compliance effectiveness and identify areas of non-compliance.

Key aspects include:

• Ensuring compliance teams have equal access to relevant data as business units.
• Timely review of vendor risks in third-party management, leveraging data to inform these evaluations.
• Incorporating data considerations during mergers and acquisitions, particularly in integrating enterprise resource planning systems.

3. Whistleblower Reporting
Recent updates align with the DOJ’s Corporate Whistleblower Awards Pilot Program, emphasizing the importance of whistleblower protections and anti-retaliation measures. Companies are encouraged to develop robust anti-retaliation policies and provide training on both internal and external reporting mechanisms.

Factors for prosecutors to consider include:

• Existence of anti-retaliation policies and training on these protections.
• Comparison of disciplinary actions for whistleblowers versus others involved in misconduct.
• Incentives for reporting misconduct and training on external whistleblower programs.

Additional Notable Revisions

Several other noteworthy updates include:

• A more general framework for risk-based resource allocation in compliance programs.
• Tailored compliance training that addresses the specific needs and values of employees.
• A focus on measuring the commercial value of compliance investments.

Six Key Takeaways

The updated ECCP significantly impacts how companies approach compliance in the context of AI and emerging technologies. Companies should develop effective governance frameworks and policies to address the new challenges presented by these technologies. Here are six essential takeaways:

1. Scope of AI : Companies must evaluate whether their technologies fall under the broadened definition of AI, which includes systems of varying complexity and human oversight. Understanding this scope is crucial for compliance.
2. Risk-Based Compliance: Compliance resources should be allocated based on the risk level, with a focus on proactive assessments of how new technologies are applied. The effectiveness of these technologies must align with legal requirements.
3. Accountability and Transparency: Companies need to ensure that AI systems operate transparently, with decisions subject to necessary human review. Effective diligence and procurement standards for third-party tools are essential.
4. Continuous Monitoring and Data Access: Regular risk assessments and real-time monitoring of AI technologies are vital. Companies should be prepared to address any non-compliance swiftly.
5. Resource Allocation: DOJ may scrutinize whether companies are allocating adequate resources for AI compliance and risk management. Companies must ensure that compliance is proportional to investments in new technologies.
6. Compliance Reporting Approach: Enhancements to whistleblower protections may encourage more reporting. Companies need to bolster their reporting systems and consider how to incentivize whistleblowing while training employees on both internal and external reporting mechanisms.

Conclusion

As the regulatory landscape for AI and emerging technologies continues to evolve, the updated ECCP highlights the DOJ's commitment to scrutinizing how these technologies impact corporate risk. Companies must proactively evaluate their compliance programs, update relevant policies, and leverage technology to enhance compliance controls. With extensive experience in these matters, our team is well-equipped to assist organizations in navigating these challenges as the DOJ intensifies its focus in this area.