DOJ Has Issued New Compliance Guidance. Now What?

Guidepost Solutions LLC

What to Make of the US Justice Department’s Significant Compliance Guidance Updates

On September 23, 2024, the U.S. Department of Justice (“DOJ”) released updates to its Evaluation of Corporate Compliance Programs (“ECCP”) guidance. In a move that surprised no one (especially if companies have been reading DOJ’s tea leaves[1]), the updated guidance integrates and incorporates artificial intelligence (“AI”) and other emerging technologies. While the updated guidance maintains its core focus on designing and implementing a risk-based compliance program, these updates suggest in the strongest terms yet that managing the impact of technology on an organization’s compliance risks, and separately leveraging the data that an organization creates and collects, should be among the core pillars.

Compliance practitioners know that DOJ’s ECCP guidance sets expectations for the practices an organization should have in place for a successful defense to reduce or eliminate enforcement penalties or other actions should it find itself under investigation for illegal or improper conduct. Along these lines, the guidance serves as a helpful tool for compliance practitioners to drive change and compliance culture in their company to obtain support for the adoption and implementation of compliance best practices.

Many areas of the guidance received updates, reflecting DOJ’s continually evolving analysis of the practices that result in a successful compliance program. Below is an overview of the most significant updates in the guidance and how in-house counsel and compliance officers should manage and address those updated expectations within your organization.

Emphasis on AI and Emerging Technologies

The updated DOJ corporate compliance guidance strongly emphasizes the importance of using AI and advanced technology in compliance programs:

Updated Guidance: Companies need to evaluate emerging risks in their compliance programs.
What it Means: Emerging technologies, including AI, should be considered in an organization’s overall compliance risk assessment. Further, AI tools themselves should undergo risk assessments and companies should document steps taken to mitigate risks arising from those technologies.
Questions to Ask: Have you ever conducted an inventory of the technology your company uses and the associated compliance risks? DOJ will expect compliance to know the different technologies in use and the compliance risks they create.

Updated Guidance: Manage emerging risks to ensure compliance with applicable laws.
What it Means: Organizations utilizing AI and other emerging technologies should have a risk framework in place that assesses the impact of AI tools on the company’s ability to comply with relevant laws and regulations. The risk framework should be supported by a governance structure that ensures oversight, monitoring and accountability of AI usage and deployment.
Questions to Ask: Do you know how your company is using AI? DOJ will expect compliance to take a much greater role in technology and AI oversight than they likely previously have had.

Updated Guidance: Ensure policies and procedures are inclusive of emerging technologies.
What it Means: Companies need to have a process by which policies and procedures are routinely updated to address emerging risks associated with the use of AI technologies.
Questions to Ask: When was the last time you updated your core suite of compliance policies? What compliance policies need to be updated to address your company’s use of AI? All companies should have a policy and accompanying procedure governing the use of AI but, importantly, existing policies, procedures, and controls should also be updated to account for the impact of AI technology on all compliance risks a company faces.

Updated Guidance: Conduct appropriate training for relevant employees.
What it Means: Employees should be trained on the particular needs and risks related to them and their designated roles/responsibilities. For those employees who utilize or assess/evaluate AI tools for use, specialized training should be conducted and documented.
Questions to Ask: Who are your AI gatekeepers, i.e., the people who interface with and use AI most often? How should their AI training be customized to address the specific risks or compliance issues that may arise with their work?

Don’t Forget Data Compliance

While the AI-related updates are receiving most of the attention at the moment, organizations should equally prioritize understanding and addressing the data-related updates in the ECCP guidance:

Updated Guidance: Update third party management risk-based processes to utilize data.
What it Means: Review and due diligence of vendors and other third parties should incorporate and leverage data to evaluate vendor risk. Data should be integrated into the initial due diligence process as well as continuous review of the vendor relationship.
Questions to Ask: When did you last assess the data collected as part of third-party due diligence?

Updated Guidance: Enhance usage of data for compliance purposes.
What it Means: Compliance personnel should have timely access to all relevant data sources in order to create efficiencies in compliance operations and measure the effectiveness of compliance programs and processes. Data analytics sources should be managed to ensure quality, accuracy and reliability.
Questions to Ask: When was the last time you connected with your business and operations colleagues to discuss the type of business data they generate and how that can be helpful to compliance’s assessment of compliance risk?

Updated Guidance: Take advantage of available data in order to identify misconduct or compliance issues.
What it Means: Organizations should have processes by which compliance personnel have access to relevant data and information for the purpose of identifying potential misconduct or deficiencies in the compliance program. Processes should be designed to ensure that the misconduct can be identified at the earliest possible stage.
Questions to Ask: Do you know what kind of data your compliance program generates and what business data it collects?

There are several other areas of note that DOJ updated including additional guidance around the role of compliance in mergers and acquisitions and directives around how the company measures the effectiveness and success of its compliance program.

In a speech announcing the revised ECCP guidance, Deputy Assistant Attorney General Nicole M. Argentieri underscored the importance of robust compliance programs: “Companies are the first line of defense against corporate crime. And compliance professionals are charged with holding the line on compliance and good corporate culture.

We know how important it is for compliance programs to be robust and well-resourced and for compliance officers and their staff to be .”[2]

What Should You Do Next?

So, if you are a compliance, legal, or risk leader, where should you go from here?

  1. Perform a technology audit, with a focus on AI, to understand and mitigate the compliance risks those technologies create;
  2. Expand your data assessments to include the types of business data your company creates that compliance can use to improve its assessment of risk, as well as the types of data compliance itself collects and how that data can be leveraged to improve compliance risk assessment decisions;
  3. Ensure that your company has a mergers and acquisitions process where compliance issues and risks drive post-transaction resource allocation and integration oversight strategy (this, of course, is in addition to a comprehensive post-transaction enterprise risk assessment); and
  4. Create a strategy to regularly measure the effectiveness of your compliance program, including periodically engaging a third party to assess and verify its effectiveness and success.

Engaging with a compliance expert, like Guidepost, can be highly beneficial for your organization. Compliance experts bring a wealth of knowledge and experience in navigating complex regulatory landscapes, ensuring that your company adheres to all relevant laws and regulations. This not only helps in avoiding costly fines and legal issues but also enhances your company’s reputation and trustworthiness in the market.

Moreover, compliance experts can provide valuable insights and guidance on best practices, helping your organization to implement effective compliance programs and policies. This proactive approach can lead to improved operational efficiency, reduced risk, and a stronger overall governance framework.

[1] See Deputy Attorney General Lisa Monaco’s March 2024 remarks announcing that prosecutors would begin considering how companies mitigate the risk of misusing artificial intelligence. https://www.justice.gov/opa/speech/deputy-attorney-general-lisa-monaco-delivers-keynote-remarks-american-bar-associations

[2] https://www.justice.gov/opa/speech/principal-deputy-assistant-attorney-general-nicole-m-argentieri-delivers-remarks-society
