AI Risk and Whistleblower Protection Spotlighted in DOJ’s Revised Corporate Compliance Guidance

By V. Kathleen Dougherty, Brandon M. Santos, Garen S. Marshall, Elizabeth F. Tyler & Brenna M. Molinare on October 3, 2024

On September 23, 2024, the U.S. Department of Justice (DOJ) updated its Evaluation of Corporate Compliance Programs (ECCP) guidance.

The ECCP provides prosecutors with questions and factors to consider when assessing a company’s compliance program. Prosecutors use the guidance to assist in making decisions about whether to charge a company and how to resolve cases. The guidance is equally instrumental for companies as they build, strengthen, and internally assess their compliance structure and controls.

DOJ updated the ECCP last year to incorporate guidance relating to a company’s access to and retention of employee electronic communications on personal devices and third-party messaging platforms. That update also added DOJ’s expectation that companies use compensation structures to reward compliant behavior. This year’s revisions emphasize DOJ’s expectation that an effective compliance program must: (1) monitor and manage risks associated with the use of emerging technologies, such as artificial intelligence; (2) empower employees to speak up and report misconduct, including providing robust whistleblower and retaliation protections; and (3) be dynamic, well-resourced, and responsive to lessons learned and the company’s risk assessments.

The key revisions to the ECCP, and their implications, are explained below.

Emerging Technologies and Artificial Intelligence.

In recent months, DOJ has stepped up its efforts to address the mainstream adoption of emerging technologies, including artificial intelligence (AI), by companies and individuals across the globe. For example, in February, DOJ named its first chief science and technology advisor and chief AI officer. Several weeks later, DOJ leadership “directed the Criminal Division to incorporate assessment of disruptive technology risks — including risks associated with AI — into [the ECCP guidance].” The September 2024 update to the ECCP does just that. The most significant revisions focus on how companies must incorporate technology risk management into their overall compliance strategy.

In addition to defining “artificial intelligence,” the ECCP now outlines several factors that prosecutors should consider in evaluating a company’s compliance controls related to emerging technology.  Those factors include:

Risk Assessment:

  • As part of its overall risk management strategy, a company must have a governance framework in place to identify risks posed by the technologies it utilizes.  This includes risks posed by the unintended consequences of employees or vendors using AI or other technologies to conduct their business operations.  For example, the company should consider risks posed by using AI to conduct market analysis or provide financial advice to customers.  Similarly, the company should address risks associated with vendors using AI to manage client data, monitor inventories, and coordinate product sales or logistics.
  • In addition, the company should evaluate risks posed by the intentional misuse of technology by employees, vendors, or outsiders.  This could include, for example, harnessing AI to falsify records or to gain unauthorized access to proprietary or confidential information.
  • Among other factors, prosecutors must now consider whether the company has a process to identify and monitor risks posed by technology; whether that process is proactive; whether greater scrutiny is applied to higher risk areas; and, as referenced below, whether the resources allocated to this effort are proportionate to those committed to other aspects of the company’s business. 

Risk Mitigation: 

  • In addition to having a framework to identify risks associated with the use of technology, companies must appropriately mitigate, and commit sufficient resources to mitigating, those risks.  Such risk mitigation strategies must include sufficient controls and ongoing monitoring and training.
  • In assessing a company’s risk mitigation efforts, prosecutors will now consider numerous factors related to mitigating technology-related risks.  This includes how such risks are incorporated into the company’s overall risk management strategy.  Prosecutors must focus on the limitations or controls the company has in place to ensure that technology is only used as intended.  Further, prosecutors will look for procedures aimed at minimizing the likelihood and extent of any harms caused by the use, and deliberate misuse, of technologies, such as procedures to ensure that the company’s AI use complies with applicable laws and policies.  They will also consider the extent of human decision-making and accountability for assessing, monitoring, and enforcing company policies, as well as the extent and effectiveness of training employees receive on the use of emerging technology. Reinforcing the need for human oversight, a company’s risk mitigation cannot solely rely on the use of technology.

These updates provide a roadmap for any company that currently uses, or intends to use, any emerging technologies, especially AI. The revised ECCP makes clear that companies must not only assess and mitigate the risks of AI, but must also have an established governance framework in place to demonstrate transparency and accountability should they face regulatory scrutiny.  At a minimum, companies must:

  1. Establish and maintain an AI governance framework with clear policies for identifying, monitoring, and mitigating risks.  Companies should pay particular attention to maintaining human oversight of AI systems and requiring any AI decision-making to be reviewable by audit.
  2. Ensure collaboration across the company and with third-party vendors to maintain visibility into how technology is implemented in each area of the business. Consideration of the technology a vendor uses is especially important, as even companies with robust internal compliance programs are vulnerable to breaches by vendors with poor internal controls.
  3. Create and implement comprehensive training and education programs for all employees, covering the risks and proper usage of emerging technologies, including AI.  Training should be particularly robust in high-risk areas and for legal and compliance personnel.
  4. Thoroughly document governance policies, risk assessment, testing, and compliance efforts.  In the event of regulatory scrutiny, the existence of detailed records is critically important.
  5. Continuously assess and update technology governance policies and procedures.  Compliance efforts must advance with the emerging technologies companies seek to address.  Where appropriate, companies should turn to specialized outside counsel and other industry experts to keep pace with legal and technological developments.

The updated ECCP underscores DOJ’s increasing concerns over the potential compliance risks AI and other emerging technologies pose and signals that now is the time for companies to address these emerging technologies.

Creating a Speak Up Culture with Strong Whistleblower Protections.

DOJ has long urged companies to foster a culture that encourages employees to report potential misconduct or violation of company policy without fear of retaliation. DOJ often refers to this as a “Speak Up” culture. The revised ECCP refines and strengthens that expectation. The guidance specifically notes the importance of creating effective employee reporting mechanisms, encouraging or incentivizing reporting, and assessing employees’ willingness to report misconduct. Prosecutors are now directed to consider whether companies use practices that tend to, directly or indirectly, chill employee reporting.

Relatedly, prosecutors will evaluate whether a company’s policies ensure that employees are comfortable reporting potential misconduct. The revisions included a focus on assessing the strength of a company’s anti-retaliation policies. Further, and in response to DOJ’s new Corporate Whistleblower Awards Pilot Program, the revised ECCP reemphasizes the importance of maintaining a compliance program with an effective whistleblower protection policy.

At minimum, companies should have an anti-retaliation policy and train employees about both internal and external reporting mechanisms and whistleblower laws.  The revised ECCP also directs companies to consider disciplinary fairness in connection with internal reporting channels. Prosecutors will evaluate whether companies treat employees who internally reported misconduct differently than employees involved in similar misconduct who did not raise any concerns. 

While not new, the message is clear. DOJ expects companies to encourage reporting, and it will probe whether a compliance program’s whistleblower protections empower that.

Dynamic, Well-Resourced, and Responsive.

The recent updates underscore DOJ’s expectation that companies dedicate sufficient resources — personnel, technology systems, and funds — to their compliance program. And prosecutors now have something new to consider in that regard. The revised guidance directs them to assess how resources are allocated across the entire company and whether the compliance program receives a proportionate share. Imbalanced resources may indicate to DOJ that the company does not value an effective compliance program.

Though inherent in its previous guidance, DOJ has now explicitly stated that companies should also implement mechanisms to measure the success and effectiveness of each element of their compliance program. This ranges from considering information on employee engagement in training sessions, to assessing employee knowledge of how to access relevant policies, to evaluating the commercial value of investments in compliance and risk management.

While the ECCP directs prosecutors to review the quality of data and models available to the compliance program, it does not specify the mechanisms or data that a company should utilize. Further, the revised ECCP suggests that a company should adjust its compliance programs based on the data findings. This will require compliance personnel to have adequate access to data analytics tools.

Finally, compliance is not static.  It requires constant evolution and evaluation based on relevant data, emerging risks, and lessons learned.  The ECCP revisions stress the need for compliance programs to learn from past issues, whether those occurred within the company or from others operating in the same industry or geographic area.  The updated guidance directs prosecutors to assess whether a company’s compliance program incorporates lessons learned and appropriately trains employees to avoid recurrence of similar issues.

While the ECCP is intended to guide prosecutors, it also provides a useful roadmap for companies to assess the current state of their compliance program and focus their efforts to strengthen it. The effectiveness of a compliance program – at the time of a criminal offense and at the time of a charging decision or resolution – is weighed heavily by prosecutors in determining the form of a resolution, potential monetary penalty, and potential monitorships or reporting obligations in connection with a corporate criminal resolution. As such, it is guidance companies should closely monitor.


McGuireWoods understands that not one size fits all and companies must tailor their compliance programs appropriately to their individual risk profiles.  We regularly design, implement, audit, and monitor corporate compliance solutions for clients of all types and sizes.  And our clients trust us to balance properly-scoped compliance programs with real-world business demands. McGuireWoods will continue to monitor and report on DOJ’s enforcement trends and assist clients in aligning their compliance structures with available government guidance. 

Please contact any of the listed authors for additional assistance.

V. Kathleen Dougherty

Katie is a partner in the firm’s Government Investigations and White Collar Litigation group. Prior to joining McGuireWoods, Katie spent more than a decade at the U.S. Department of Justice, including nine years as a federal prosecutor with the United States Attorney’s Office for the Eastern District of Virginia. There, she focused on investigating and prosecuting white-collar crimes, including healthcare and securities fraud, federal tax violations, and various forms of fraud against government programs.

Brandon M. Santos

Brandon’s practice focuses on advising and defending corporate and individual clients facing regulatory, administrative and criminal investigations. He has advised clients in a wide variety of matters including allegations of healthcare fraud, bank fraud, financial fraud, accounting fraud, import and customs violations, false claims, and the Foreign Corrupt Practices Act (FCPA). Part of his practice focuses on conducting internal corporate investigations.

Garen S. Marshall

Garen Marshall is a partner in McGuireWoods’ Government Investigations and White Collar Litigation Department and leads the firm’s Artificial Intelligence Practice Area. A former Assistant United States Attorney in the Eastern District of New York and Navy special operations veteran, he represents corporations, executives, and boards in government and internal investigations, regulatory enforcement matters, and complex civil litigation, with a practice that extends to AI governance, AI-related enforcement and litigation risk, and corporate compliance issues involving artificial intelligence.

Elizabeth F. Tyler

Liz represents companies and individuals across industries in government and internal investigations, civil litigation and white collar defense. Her practice spans investigations and enforcement actions by government agencies, including the Department of Justice, Federal Bureau of Investigation, Securities and Exchange Commission, state attorneys general and state prosecutors.

Brenna M. Molinare

Brenna focuses her practice on the healthcare industry, advising clients on transactional, regulatory, and compliance matters.

  • Posted in:
    Corporate Governance and Compliance
  • Blog:
    Subject to Inquiry
  • Organization:
    McGuireWoods LLP