On September 23, 2024, Principal Deputy Assistant Attorney General Nicole M. Argentieri announced much-anticipated revisions to the US Department of Justice (DOJ)’s Evaluation of Corporate Compliance Programs (Revised ECCP) in remarks to the Society of Corporate Compliance and Ethics at the 23rd Annual Compliance & Ethics Institute in Grapevine, Texas. The revisions were first previewed by Deputy Attorney General Lisa Monaco in March (for a deeper analysis of those remarks, see our earlier client alert).
DOJ’s latest amendments focus on three main categories:
- Whether the company is assessing and managing risks associated with the use of disruptive technologies, including artificial intelligence (AI) and blockchain
- Ensuring that the compliance function has appropriate access to relevant source of data and data analytics tools to monitor for noncompliance and evaluate the compliance function’s effectiveness, and
- Whether the company has a robust “speak-up culture,” including strong whistleblower protection and anti-retaliation policies, in line with DOJ’s Corporate Whistleblower Awards Pilot Program (Whistleblower Program), as described in our prior client alert.
Argentieri’s remarks highlighted that DOJ is continuing to expand its toolkit to emphasize the importance of a robust compliance program and strong ethical culture.
In this alert, we discuss the most salient revisions to the ECCP and what companies are encouraged to do in response.
Prudent companies will identify and manage risks associated with AI and other emerging technologies
The Revised ECCP directs prosecutors to consider a company’s efforts to identify and manage “emerging risks” when evaluating the effectiveness of the company’s compliance program. A core component of emerging risks is new and emerging technologies, including AI. While the use of AI is one of DOJ’s primary focuses, new and emerging technologies extend beyond AI to all disruptive technologies.
Under the Revised ECCP, prosecutors will likely consider the technology that a company uses to conduct its business, whether the company has assessed the risks associated with using that technology, and whether it has appropriately taken steps to mitigate the risks associated with that technology. One example of a potential emerging risk that Argentieri highlighted was “criminal schemes enabled by new technology – such as false approvals and documentation generated by AI.” As part of their assessment of such risks, prosecutors will likely also evaluate whether the company has compliance controls and tools in place to assess the accuracy and reliability of the data used by the business operations, and whether the company is monitoring and testing whether the technology is functioning as intended and in line with the company’s code of conduct.
Consistent with the Revised ECCP, companies should now consider:
- Assessing the potential impact of new technologies, such as AI, on its ability to comply with criminal laws
- Mitigating the negative or unintended consequences from the use of emerging technologies in business and in compliance programs
- Mitigating deliberate or reckless misuse of technologies, including by company insiders
- Maintaining controls to ensure that technology is trustworthy, reliable, and used in compliance with applicable laws and the company’s code of conduct
- Monitoring and enforcing accountability over the use of emerging technologies to quickly identify any noncompliance and ensure it is only used for its intended purposes
- Training employees on the use of emerging technologies
Compliance teams should have access to and utilize appropriate data to assess and manage risks
The Revised ECCP reemphasizes DOJ’s expectations that companies maintain a data-driven compliance program. Notably, both Argentieri’s remarks and the Revised ECCP underscore that DOJ will consider whether the company is investing “the same resources and technology into gathering and leveraging data for compliance purposes that they are using in their business.”
Compliance functions are now expected to:
- Leverage data analytics to make their compliance operations more efficient and evaluate the overall performance of the compliance function
- Quickly access data and information to identify – as soon as possible – potential misconduct or shortcomings in their compliance program
- Take steps to ensure that the data used to power the analytics is accurate and that the analytical models function correctly
These considerations signal to companies that they should consider devoting sufficient resources toward compliance personnel and technology, and that neglecting to properly support this function in the organization can adversely impact the company should a DOJ investigation identify misconduct.
Companies presenting their compliance program or assessment of their monitorship can expect deep, drill-down questions from prosecutors about the types of data they hold; how the company monitors this data; and how the data sets might be aggregated, harmonized, and visualized to enable ongoing monitoring and risk scoring.
Compliance officers should also consider leveraging data analytics to incorporate new data points to measure executives’ compliance performance, particularly in light of DOJ’s ongoing Compensation Incentives and Clawbacks Pilot Program (described in our prior client alert).
As Argentieri highlighted in her remarks, prosecutors expect companies to provide clear metrics to reward compliance and deter misconduct. These provisions are intended to align compensation with both a company’s financial performance as well as its ethical behavior. Argentieri noted that there are early indications that these provisions are changing corporate behavior and provided the example that one company – that was not named – has seen increased reports of potential misconduct from incorporating adherence to compliance standards in annual reviews.
By leveraging data analytics, companies may measure compliance performance using hundreds of data points, such as account payable activities, third-party management, conflicts of interest, audit performance, and substantiated investigation results.
Commitment to whistleblowers and anti-retaliation policies
In connection with the Whistleblower Program, the ECCP was also updated to help prosecutors evaluate the following aspects of a company’s whistleblower program:
- Whether the company is encouraging and incentivizing reporting misconduct
- The company’s formal steps to ensure anti-relation and whistleblower protection, including the existing of an anti-retaliation policy and the training provided to employees about the policy and applicable laws
- Whether employees who do report misconduct are treated differently than the employees who were involved in the misconduct
Argentieri shared that since the Whistleblower Program launched on August 1, 2024, more than 100 individuals have made reports to DOJ. The changes to the ECCP and Argentieri’s discussion of the Corporate Whistleblower Awards Pilot Program reflect DOJ’s stated intention (from Argentieri’s August remarks cited our prior client alert) to incentivize companies to develop workplace whistleblower schemes.
The incentives placed by companies to report misconduct are expected to create better environments for employees to come forward internally rather than going to DOJ. If companies fail to put these incentives into place, DOJ has put its own scheme into place, raising the risk that the companies lose the benefits that come with voluntary self-disclosure.
Key takeaways
Argentieri’s recent remarks make clear that DOJ continues to scrutinize how companies develop and maintain their compliance programs and will consider the relative resourcing of compliance programs in contrast to the resources available to other business functions. This includes not only funding, but also items such as technical literacy.
The revisions to the ECCP make clear that DOJ is changing its expectations to respond to available data and technology and that, as their expectations change, companies are encouraged respond.
In the short term, companies should consider:
1. Reassessing their budgets for compliance to ensure they are proportionate to the resources of the business and that compliance teams have the necessary resources to identify and address misconduct
2. Leveraging cross-functional resources including business, data analysts, and algorithm programmers to help build a data-driven compliance program
3. Reviewing and revising their compliance policies and initiatives to reflect the ECCP’s prioritization of risks related to AI and disruptive technologies, whistleblower complaints, and data access and analytics
4. Ensuring that their compliance officers are properly conversant in the technologies that are incorporated into the business
5. Evaluating prior communications efforts and testing employee awareness of internal reporting mechanisms
6. Updating employee evaluation and compensation programs to ensure that compliance and reporting is a component of performance management
7. Reviewing existing policies and procedures to ensure they reflect lessons learned both from the company’s prior issues, as well as mistakes of others in the same market, region, or industry
[View source.]
