On September 23, 2024, the Criminal Division of the US Department of Justice (DOJ) issued an updated Evaluation of Corporate Compliance Programs (ECCP). The updated ECCP emphasizes that companies should address risks associated with new technologies, such as artificial intelligence (AI). The updated ECCP also highlights the importance of incentivizing and protecting whistleblowers, and reflects the DOJ’s continued focus on the assets, resources and technology available to compliance personnel.
In front of a live audience at the Society of Corporate Compliance and Ethics’ Annual Compliance & Ethics Institute, Principal Deputy Assistant Attorney General Nicole Argentieri delivered remarks regarding the latest changes to the ECCP – which is, in her words, “the roadmap Criminal Division prosecutors use to evaluate a company’s compliance program, including the questions prosecutors will ask as they assess a compliance program in determining how to resolve a criminal investigation.” Argentieri left no question about the message she hoped to convey to companies: “Now is the time to make the necessary compliance investments to help prevent, detect, and remediate misconduct.”
Background
The DOJ’s Criminal Division introduced the original ECCP in 2017 and has revised it four times, in April 2019, June 2020, March 2023 and September 2024. The ECCP helps prosecutors evaluate the effectiveness of corporate compliance programs – a factor prosecutors consider in making charging decisions and sentencing recommendations and in determining the appropriate resolution in corporate criminal enforcement actions.
Instead of a rigid formula, the ECCP provides sample questions on 12 topics relevant to the evaluation of a corporate compliance program. The 12 topics are organized under three fundamental questions a prosecutor should ask:
- Is the corporation’s compliance program well-designed?
- Is the program being applied earnestly and in good faith?
- Does the corporation’s compliance program work in practice?
In Argentieri’s remarks regarding the latest changes to the ECCP, she highlighted key additions in three areas:
- Emerging technologies (including AI)
- Whistleblower incentives and protection
- Whether a compliance program has appropriate access to data
AI and emerging technologies
While many companies view AI and related technologies as tools to help combat risk, the updated guidance explores technology as a source of risk. In particular, the updated ECCP instructs prosecutors to evaluate how companies manage the risks associated with the use of emerging technologies – both in their business and in their compliance programs. Prosecutors will consider:
- Whether and how the company assesses the potential impact of new technologies, including on the company’s ability to comply with criminal laws.
- Whether the company has controls to ensure that the technology is used only for its intended purposes and has taken steps to mitigate risks associated with the use of new technologies.
- Whether management of risks related to the use of AI and other new technologies is integrated into broader enterprise risk management (ERM) strategies.
- The company’s approach to governance regarding the use of new technologies.
- If the company uses AI for its compliance program, whether controls are in place to ensure the technology’s trustworthiness, reliability and compliance with law.
- The baseline of human decision-making used to assess AI.
- How accountability over use of AI is monitored and enforced.
- How the company trains its employees on the use of emerging technologies.
Whistleblower incentives and protection
The updated ECCP also highlights the DOJ’s continued commitment to whistleblower reward and protection, and includes additional questions to assess companies’ commitment to whistleblower protection and anti-retaliation, including:
- Whether the company incentivizes or disincentivizes its employees to speak up and report misconduct.
- Whether the company has an anti-retaliation policy.
- Whether the company trains its employees on its internal anti-retaliation policy as well as external whistleblower protection laws.
- To the extent the company disciplines employees involved in misconduct, whether the company treats those who reported internally differently from those who did not.
For more information on the DOJ’s incentive programs for corporate whistleblowers, check out our August 2024 and September 2024 blog posts.
Access to data
The updated ECCP also expands existing considerations regarding a compliance program’s access to data and resources. In addition to assessing whether compliance personnel have sufficient access to relevant sources of data, the ECCP now asks prosecutors to consider:
- Whether compliance personnel have access to relevant data sources in a timely manner.
- Whether the company leverages data analytics tools to increase the efficiency of compliance.
- How the company manages the quality of its data sources and measures the accuracy of any data analytics tools.
- How the assets and resources available to compliance compare to those available elsewhere in the company, including whether there is an imbalance between the two.
Key takeaways
- The updated ECCP illustrates the dual nature of emerging technologies for corporate compliance. On the one hand, companies are expected to identify and manage risks related to new technologies in their business and compliance programs. On the other hand, companies are encouraged to leverage data analytics tools to improve their compliance programs.
- Companies should consider whether there is an imbalance between the technologies they use for their business and the technologies they use for compliance.
- In light of the DOJ’s continued focus on whistleblower incentives, companies should have appropriate whistleblower policies in place and train their employees on those policies, as well as on whistleblower protection laws.