On September 23, 2024, the Department of Justice (DOJ) updated its Evaluation of Corporate Compliance Programs policy (ECCP), which outlines the key factors prosecutors consider when evaluating the effectiveness of a corporation’s compliance program in connection with charging decisions and resolutions.
In this alert, we will highlight five key changes to the ECCP and what companies and executives need to know. The key changes involve: (1) technology; (2) incorporating lessons learned from the company’s data and from compliance issues in the same industry or geographical region; (3) anti-retaliation policies; (4) training; and (5) compliance surrounding mergers and acquisitions.
1. Technology
The most significant update concerns a company’s risk management and compliance associated with emerging technology. The DOJ now expects companies to identify and manage risks related to new technologies and to evaluate how the use of new technologies may impact their ability to comply with the law.
Top DOJ officials have expressly emphasized the risks posed by AI, including the extent to which fraudulent approvals and documentation can be used to circumvent compliance programs. If a company uses AI in its business or as part of its compliance program, prosecutors will evaluate whether the company has implemented adequate governance and controls to ensure that the AI is trustworthy, reliable, and used in compliance with applicable law. Additionally, the DOJ expects companies to use data-driven methods to identify issues with their compliance programs and to adjust accordingly. In-house attorneys’ first step in managing these risks is identifying which programs and technologies their companies use.
2. Proactively Improving Compliance Programs
The DOJ is pushing companies to more proactively improve their compliance programs in two new ways. First, a company should pay attention to any compliance problems arising at other companies operating in the same industry or geographic region, and it should incorporate those lessons into its own compliance program. Second, a company should leverage data analytics tools to make its compliance operations more efficient and to measure the effectiveness of its compliance program. Relatedly, the DOJ will now evaluate whether the resources and technology that a company devotes to its compliance function are proportionate to the resources and technology available to other functions within the company, such as sales.
3. Anti-Retaliation
Prosecutors are increasingly focused on the adequacy of companies’ internal anti-retaliation policies, in addition to compliance with external anti-retaliation and whistleblower protection laws. If employees involved in misconduct are disciplined by the company, the DOJ will now ask whether the treatment of any employee who reports misconduct differs from the treatment of employees who did not report misconduct. Companies should ensure that employees are encouraged to report misconduct—even when they are involved in it—and are not punished for raising their concerns internally. In an echo of previous themes of fostering a strong corporate culture of compliance, companies will be evaluated based on whether they generally encourage employees to report misconduct or, alternatively, whether they chill reporting with retaliatory practices.
4. Training
A company’s compliance program is only effective if it is known to and understood by employees, and the DOJ provided new details about how it will evaluate a company’s compliance training. For example, the DOJ will consider whether employees are trained on internal and external anti-retaliation policies and on lessons learned from compliance issues faced by other companies operating in the same industry or geographic region. Additionally, the DOJ will assess how the company tracks employee engagement with trainings and how the company measures what employees learned from the trainings. Companies can improve engagement by conducting live training sessions. Further, they can measure how much employees learned in multiple ways—for example, by testing employees before and after training sessions and comparing the results. Companies can also analyze reporting trends after training sessions.
5. Mergers & Acquisitions
In the M&A context, the DOJ will now consider whether a company plans to migrate or combine critical enterprise resource planning systems during the integration process. It will also ask to what extent the compliance and risk management functions play a role in designing and executing a company’s integration strategy. The ECCP revisions highlight the importance of implementing or integrating compliance programs post-acquisition. For example, prosecutors will evaluate whether the company ensures appropriate oversight of the new business and whether the new business adopts the company’s risk assessment protocols.
Conclusion
These changes highlight the burgeoning importance, in the DOJ’s view, of implementing a compliance program that is proactive and data-driven, and that uses cutting-edge technology. By considering how to apply these concepts to their own compliance programs, companies can qualify for leniency—or avoid government action altogether.
