DOJ Announces Changes to Corporate Compliance Guidance Focused on Artificial Intelligence, Access to Data, and Whistleblowing Practices

[co-author: Molly Collett]

The U.S. Department of Justice (DOJ) recently updated the Evaluation of Corporate Compliance Programs (ECCP), which prosecutors use to assess the effectiveness of a corporation’s compliance program, in large part to address emerging risks related to artificial intelligence (AI) and similar rapidly developing technologies.[1] The ECCP, which was updated in September 2024, now requires prosecutors to assess whether a company has adequately evaluated risks and developed controls associated with emerging technologies, such as AI. As described in Principal Deputy Assistant Attorney General Nicole M. Argentieri’s remarks at the Society of Corporate Compliance and Ethics (SCCE) Compliance & Ethics Institute in September 2024, the ECCP updates address two other critical areas in addition to emerging technology and AI: whistleblower protections and access to data.

The ECCP, which was last revised in March 2023, serves as a key reference for companies seeking to understand the DOJ’s expectations. The evaluation is flexible, taking into account a company’s unique circumstances, including its size, industry, and risk profile. This guidance informs key prosecutorial decisions, including whether to bring charges and impose penalties and/or compliance obligations, such as monitorships, in corporate criminal cases.

Emerging Technologies and AI

In line with Deputy Attorney General Lisa Monaco’s March 2024 directive that the DOJ Criminal Division include an assessment of disruptive technology risks in the ECCP, the ECCP now includes a comprehensive assessment of companies’ use of emerging technologies, including AI. As companies increasingly integrate new technologies like AI into their business and compliance operations, the September 2024 ECCP updates emphasize the importance of managing risks associated with these technologies.

Prosecutors evaluating companies’ compliance programs will now closely scrutinize whether companies have conducted thorough risk assessments of the technologies they use, incorporated these risks into their broader enterprise risk management (ERM) strategies, and implemented controls to mitigate risks associated with these innovations. Key questions prosecutors will ask when evaluating a company’s compliance program include:

  • How does the company assess the potential impact of new technologies, such as AI, on its ability to comply with criminal laws?
  • Is management of risks related to use of AI and other new technologies integrated into broader ERM strategies?
  • How is the company mitigating the potential for deliberate or reckless misuse of technologies, including by company insiders?
  • How is the company curbing any potential negative or unintended consequences resulting from the use of technologies, both in its commercial business and in its compliance program?
  • To the extent that the company uses AI and similar technologies in its business or as part of its compliance program, are controls in place to monitor and ensure its trustworthiness, reliability, and use in compliance with applicable law and the company’s code of conduct?
  • Do controls exist to ensure that the technology is used only for its intended purposes?
  • How is accountability over use of AI monitored and enforced?
  • How does the company train its employees on the use of emerging technologies such as AI?

In addition, prosecutors will consider a company’s process for updating policies and procedures to address emerging risks, including those associated with the use of new technologies. Furthermore, the updated ECCP emphasizes the need for ongoing monitoring and testing of AI systems to ensure they are functioning as intended. This includes promptly detecting and correcting any decisions made by AI that conflict with a company’s values.

Whistleblower Protections

In alignment with the DOJ’s recent announcement of its whistleblower awards program, the ECCP now incorporates additional considerations around companies’ efforts to encourage internal reporting of misconduct. Prosecutors will assess whether companies have created an environment where employees feel comfortable reporting concerns without fear of retaliation, and whether companies have strong whistleblower protection policies in place.

The updated ECCP now includes questions to assess companies’ commitment to whistleblower protection and anti-retaliation practices, ensuring that employees who report misconduct are protected from adverse actions. The updates to the ECCP aim to assess whether companies actively incentivize and encourage reporting or engage in practices that could discourage or “chill” employees from coming forward. Key questions include whether:

  • companies have an anti-retaliation policy;
  • companies provide training to employees on both internal anti-retaliation policies and relevant external whistleblower protection laws as well as the company’s reporting systems; and
  • employees who report internally are treated differently with regard to potential discipline from those involved in misconduct who did not report.

Access to Data

In her remarks at the SCCE, Deputy Assistant Attorney General Argentieri emphasized that prosecutors will assess whether compliance personnel have appropriate access to relevant data sources to assess the effectiveness of their companies’ compliance programs. This evaluation focuses on whether companies are providing their compliance teams with the assets, resources and technology necessary to monitor, analyze and assess compliance risks effectively. As Argentieri noted, a guiding consideration will be whether a company is allocating the same resources and technology to gathering and leveraging data for compliance purposes as it is using in other areas of its business.

Key questions in the updated ECCP include:

  • whether compliance personnel are equipped to access all relevant data sources in a reasonably timely manner;
  • whether companies are leveraging data analytics tools to create efficiencies in compliance operations and measure the effectiveness of their compliance programs;
  • how companies are managing the quality of their data sources, including how they are measuring the accuracy and precision of any data analytics models in use; and
  • how the assets, resources and technology available to compliance and risk management compare to those elsewhere in the company.

Additionally, prosecutors will assess whether companies use their data to gain insights into the effectiveness of their compliance programs and to promote a culture of ethical conduct and adherence to legal standards. This extends to the review of third parties, including the use of data to evaluate risks regarding a company’s relationships with vendors.

Other Areas of Focus

The updates to the ECCP also emphasize several additional areas of focus, including continuous improvement and measurement of compliance programs, the accessibility of policies and procedures, the effectiveness of compliance training and communications, the role of compliance in mergers and acquisitions (M&A), and the overall resources and empowerment of a compliance program.

  • Continuous Improvement and Measurement: As Argentieri emphasized at the SCCE, the ECCP encourages companies to learn from their own past misconduct, as well as from the behaviors of other companies, to improve and update their compliance programs. This focus on continuous improvement reflects the DOJ’s expectations that companies will adapt to evolving risks and regulatory landscapes. Prosecutors will assess whether a company’s compliance program includes mechanisms for continuous improvement, including how and how often the company measures the success and effectiveness of its compliance program; whether a company’s compliance program has a track record of preventing or detecting misconduct; and whether the company has exercised due diligence to prevent and detect criminal conduct.
  • Policies and Procedures: Prosecutors will consider whether there is a process for updating policies and procedures to reflect lessons learned either from the company’s own prior issues or from those of other companies operating in the same industry and/or geographical region. Prosecutors will also consider how the company obtains confirmation that employees know how to access relevant policies.
  • Training and Communications: The updated ECCP asks whether a company’s training is tailored to the specific needs, values, and risks faced by relevant employees. Prosecutors will evaluate how a company measures employee engagement with compliance training and whether the employees have absorbed the content covered.
  • Mergers and Acquisitions: The ECCP highlights the importance of incorporating compliance into the M&A process, both during and after the transaction. Prosecutors will evaluate whether compliance and risk management functions play an active role in designing and executing the integration strategy, including the migration or combination of critical systems. After a transaction, prosecutors will look at whether companies have processes in place for integrating acquired businesses into their compliance program, including ongoing risk assessments and compliance oversight of new entities.
  • Autonomy and Resources: The adequacy of resources allocated to compliance is a significant focus of the September 2024 ECCP updates. Prosecutors will examine whether companies are dedicating proportionate resources to compliance relative to other areas of the business, such as market opportunities. The ECCP also questions whether companies measure the commercial value of their investments in compliance and risk management.

Key Considerations for Companies

  • The DOJ has signaled that it is focused on risks associated with AI and emerging technologies. The ECCP updates make it clear that the DOJ will be scrutinizing company compliance programs in this area, and the DOJ has signaled an expectation that companies proactively assess how these technologies impact their ability to comply with laws and integrate these assessments into their ongoing risk management efforts.
  • Companies should aim to foster a culture of trust and accountability by encouraging employees to report potential misconduct without fear of retaliation. The ECCP updates signal the DOJ’s expectation that this framework should include adoption and implementation of anti-retaliation policies as well as employee training. Companies should closely consider the content of their training regarding anti-retaliation and reporting mechanisms and policies. Significantly, and perhaps somewhat surprisingly, the DOJ, through the ECCP updates, has signaled an expectation that in addition to internal policies and procedures, employees should also be trained on “external whistleblower programs and regulatory regimes.”
  • The ECCP updates make it clear that prosecutors will consider whether there is a process for updating policies and procedures to reflect lessons learned either from the company’s own prior issues or from those of other companies operating in the same industry and/or geographical region. Companies should consider whether they have implemented such a process and have updated their policies accordingly.
  • Prosecutors will assess whether compliance personnel have access to relevant data sources and whether a company allocates sufficient resources and technology to compliance efforts. This includes using data analytics tools for evaluating compliance effectiveness, managing data quality, and identifying potential misconduct early. Companies should continue to assess their approach to providing relevant data and data analytic tools to their compliance program.
  • The ECCP updates are further evidence of the DOJ’s seemingly ever-expanding expectations regarding corporate compliance programs. These expectations should be considered in connection with any government-facing investigation as well as in connection with any voluntary disclosure analysis. They also provide a reminder of the importance for companies to continuously evaluate, test and update their compliance programs in order to ensure that they are properly designed, resourced, implemented, and functioning to address the risks inherent in the company’s business and industry, including any potential risks associated with emerging technologies.

Footnotes

  1. The ECCP adopts the definition of “artificial intelligence” set out in the White House March 28, 2024 Memorandum for the Heads of Executive Departments and Agencies, M-24-10. AI systems are broadly defined to include:

    • Artificial systems capable of performing tasks in unpredictable circumstances with minimal human oversight, improving through data exposure.
    • Systems designed to solve human-like cognitive tasks, whether developed in software or in hardware.
    • Techniques like machine learning and deep learning aimed at approximating human cognition or rational decision-making.
    • Systems that act autonomously or with human guidance, encompassing a range of AI subfields including reinforcement learning, transfer learning, and generative AI.

    Under this definition, the ECCP applies to all AI systems, regardless of their complexity, whether fully or partially autonomous, and whether they operate with or without human oversight. However, the ECCP definition excludes simpler systems like robotic process automation, which rely solely on preprogrammed rules.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© WilmerHale

Written by:

WilmerHale