DOJ’s Updated Guidance for Evaluating Corporate Compliance Programs Emphasizes “Double-Edged Sword” of New Technologies
People
- Atkinson, Rush L.
- Carey, Jessica S.
- Carlin, John P.
- Dagnew, Lina
- Finzi, Roberto
- Fischman, Harris
- Forrest, Katherine B.
- Gonzalez, Roberto J.
- Hanft, Elizabeth
- Karp, Brad S.
- Lynch, Loretta E.
- Mendelsohn, Mark F.
- Rhee, Jeannie S.
- St. Matthew-Daniel, Eyitayo “Tee”
- Carey, Peter
- Gressel, Anna
- Kessler, David K.
- Klein, Benjamin
- Kleiner, Samuel
- Lerer, Justin
- McGregor, Michael
- Disler, Matthew J.
September 26, 2024
On September 23, 2024, the Criminal Division of the U.S. Department of Justice (“DOJ” or the “Department”) issued an update to its guidance titled Evaluation of Corporate Compliance Programs (the “ECCP”).[1] The ECCP has been revised periodically since its introduction in 2017, but this 2024 update notably shows the Department’s increasing emphasis on artificial intelligence (“AI”), data analysis, and whistleblower policies. As Principal Deputy Assistant Attorney General Nicole Argentieri explained when announcing the update, the revisions are intended “to account for changing circumstances and new risks.”[2] The updates also further align the ECCP with the Department’s additional initiatives, such as its efforts to assess the risks of disruptive technology and incentivize whistleblower reporting.
Together with DOJ’s other recent efforts, the updated ECCP illustrates DOJ’s recognition that companies’ increasing incorporation of AI and other emerging technologies into businesses results in new compliance risks. The new guidance aims more directly at bringing these technologies under corporate compliance frameworks. At the same time, by instructing prosecutors to consider how companies leverage AI and data analytics to monitor compliance activities and identify potential misconduct, the ECCP encourages companies to incorporate new tools into their compliance program.
Background
Initially released in 2017 as a series of 119 “common questions that the Fraud Section may ask in making an individualized determination” for corporate compliance programs,[3] the ECCP describes the factors that DOJ considers when conducting investigations of corporations, determining whether to bring charges, and negotiating pleas or other agreements. That guidance has been substantially revised and expanded since its release to reflect DOJ’s evolving enforcement priorities. In 2019, DOJ began to structure the guidance around three central questions,[4] which have continued in a similar form up to the present version: (1) Is a corporation’s compliance program well designed? (2) Is the program being applied earnestly and in good faith? In other words, is the program adequately resourced and empowered to function effectively? and (3) Does a corporation’s compliance program work in practice?[5]
Further revisions in 2020 and 2023 focused on features such as companies’ use of data and technology to improve and review employees’ access to compliance materials,[6] management of personal devices and third-party applications, and the preservation of communications.[7]
The Department also has sought to harmonize its compliance guidance with two additional areas of its own focus: addressing the role of AI in criminal activity and law enforcement, and incentivizing companies and individual whistleblowers to report suspected misconduct.
- Artificial Intelligence: In February 2024, Deputy Attorney General Lisa Monaco announced that DOJ would seek sentencing enhancements where offenses were made significantly more dangerous by the misuse of AI.[8] The following month, she reiterated this position and specifically stated that the same principles would apply to corporate criminal prosecutions and assessments of companies’ compliance programs, explaining: “When our prosecutors assess a company’s compliance program—as they do in all corporate resolutions—they consider how well the program mitigates the company’s most significant risks. And for a growing number of businesses, that now includes the risk of misusing AI.”[9] In the same announcement, the Deputy Attorney General also announced that she had directed the Criminal Division to incorporate the assessment of disruptive technology risks, including those associated with AI, into the ECCP guidance.[10]
- Incentivizing Reporting and Compliance: As Principal Deputy Assistant Attorney General Argentieri noted in this week’s announcement, recent DOJ initiatives have focused on encouraging whistleblower reports.[11] Most recently, in August 2024, DOJ announced a Whistleblower Pilot Program to provide financial incentives to certain individuals to report corporate misconduct to the Criminal Division in circumstances where another agency’s whistleblower program does not cover the misconduct at issue.[12] DOJ has reported that, to date, it has received tips from over 100 individuals as part of its whistleblower initiatives.[13] Furthermore, DOJ amended its Voluntary Self-Disclosure policy for corporations to make companies “eligible for the greatest benefit under [the] policy—a presumption of a declination,” if the company reports misconduct learned via an internal report from a whistleblower within 120 days, if the report is made before DOJ reaches out to the company, and if the company fully cooperates and remediates the issue.[14]
The 2024 Updates
The updated ECCP incorporates new discussions about the use of AI, data analysis, and whistleblower programs. The changes are largely additive: The revised guidance shares the structure of its predecessors and maintains the areas of inquiry that DOJ previously identified. Rather than marking a paradigm shift in how companies should approach their compliance programs, the updated ECCP suggests that DOJ will look for companies to incorporate these newer areas of DOJ focus into their existing programs.
Artificial Intelligence: Perhaps most notably, the updated ECCP explicitly provides that companies should address the compliance risks posed by AI and other emerging technologies. For example, prosecutors are expected to ask whether and how, in conducting risk assessments, a company “assess[es] the potential impact of new technologies, such as [AI], on its ability to comply with criminal laws.”[15] This inquiry includes asking whether a company has integrated AI into its enterprise risk management strategy and compliance program and whether a company is working to curb potential negative consequences resulting from the use of AI, including deliberate or reckless misuse of the technology. Similarly, DOJ indicated that it expects a company’s compliance policies and procedures to address “the use of new technologies,” including AI.[16] In addition, in determining whether a compliance program works in practice, the ECCP focuses on whether a company is “monitoring and testing” AI or other new technologies so that it can “evaluate whether they are functioning as intended and consistent with the company’s code of conduct” and detect or correct decisions made or informed by AI that are inconsistent with those values.[17]
In her remarks outlining the revisions to the ECCP, Principal Deputy Assistant Attorney General Argentieri explained that these questions could arise, in particular, in the context of “false approvals and documentation generated by AI” and that, as a result, DOJ “will consider whether compliance controls and tools are in place to identify and mitigate those risks, such as tools to confirm the accuracy or reliability of data used by the business” and efforts to “monitor[] and test[] its technology to evaluate if it is functioning as intended and consistent with the company’s code of conduct.”[18] More broadly, she explained that the intention of the 2024 additions to the ECCP was to evaluate companies’ assessment and management of AI-related risks “both in their business and in their compliance programs.”[19]
Leveraging Data: In line with its emphasis on emerging technologies, the updated ECCP identifies several areas in which a company will be expected to use appropriate tools to collect and analyze data about its compliance program. Principal Deputy Assistant Attorney General Argentieri noted that, as part of this evaluation, DOJ will also compare the resources and technology used for “gathering and leveraging data” for compliance purposes to those used for business activities.[20] Consequently, the updated ECCP notes that the resources and technology available to compliance and risk management functions will be compared against the tools available in other business areas to determine whether the compliance tools are “proportionate.”[21] Several discussions in the guidance anticipate that a company will collect additional data as a result of the revisions—from information about employees’ engagement with training materials to evaluations of vendor risks to the migration or combination of an acquired company’s enterprise resource planning system following an acquisition.[22] Furthermore, in assessing the effectiveness of the compliance function, DOJ will assess whether a company is “appropriately leveraging data analytics tools” to evaluate the effectiveness of the compliance program, measuring the accuracy of those tools, and managing the quality of the data inputs used.[23]
Strengthening Whistleblower Policies: The updated ECCP also emphasizes the evolution of expectations regarding companies’ whistleblower and anti‑retaliation efforts. In reviewing a company’s confidential reporting mechanisms for receiving and investigating allegations of potential misconduct, prosecutors will now ask whether a company has an anti-retaliation policy in place and trains employees on that policy, whistleblower protection laws, and internal and external avenues for reporting misconduct. They will also assess whether companies encourage or disincentivize the reporting of misconduct.[24]
Compliance Considerations
The updated ECCP underscores DOJ’s view of new technologies as, in Deputy Attorney General Monaco’s words, “a double-edged sword.”[25] On the one hand, companies are now expected to identify and manage risks stemming from new technologies—especially AI—in their corporate compliance programs and to implement controls to avoid misuse. On the other hand, DOJ’s guidance illustrates its view that new tools using those same technologies can be valuable assets in managing compliance risks going forward by monitoring for red flags, informing training initiatives, and improving detection of potential misconduct.
In evaluating their compliance programs, companies should consider both edges of this “sword” and identify ways in which they can manage compliance risks presented by emerging technologies and leverage new tools to improve compliance programs. Companies should also consider reviewing whether their existing whistleblower programs are aligned with the detailed guidance provided in the updated ECCP relating to whistleblower and anti-retaliation policies to ensure that those programs adequately incentivize the reporting of potential violations.
* * *
[1] U.S. Department of Justice, Criminal Division, Evaluation of Corporate Compliance Programs (updated Sept. 2024), available here (“2024 ECCP”).
[2] U.S. Department of Justice, Office of Public Affairs, Principal Deputy Assistant Attorney General Nicole M. Argentieri Delivers Remarks at the Society of Corporate Compliance and Ethics 23rd Annual Compliance & Ethics Institute (Sept. 23, 2024), available here.
[3] See Paul, Weiss, New DOJ Guidance For Evaluating Corporate Compliance Programs (Mar. 20, 2017), available here.
[4] Paul, Weiss, DOJ Updated Guidance for Evaluating Corporate Compliance Programs Focuses on Effectiveness (May 6, 2019), available here.
[5] 2024 ECCP, at 1–2; see also U.S. Department of Justice, Justice Manual § 9-28.800. DOJ has adopted a similar analytical structure in its guidance for corporate compliance programs in criminal antitrust investigations, and it has explained that the same three questions guide its evaluations in that context. See U.S. Department of Justice, Antitrust Division, Evaluation of Corporate Compliance Programs in Criminal Antitrust Investigations 2 (July 2019), available here.
[6] Paul, Weiss, DOJ 2020 Guidance for Evaluating Corporate Compliance Incorporates Feedback From Business and Compliance Communities (June 8, 2020), available here.
[7] Paul, Weiss, FCPA Enforcement and Anti-Corruption Developments: 2023 Year in Review (Jan. 17, 2024), available here.
[8] U.S. Department of Justice, Office of Public Affairs, Deputy Attorney General Lisa O. Monaco Delivers Remarks at the University of Oxford on the Promise and Peril of AI (Feb. 14, 2024), available here.
[9] U.S. Department of Justice, Office of Public Affairs, Deputy Attorney General Lisa Monaco Delivers Keynote Remarks at the American Bar Association’s 39th National Institute on White Collar Crime (Mar. 7, 2024), available here.
[10] Id.
[11] U.S. Department of Justice, Office of Public Affairs, Principal Deputy Assistant Attorney General Nicole M. Argentieri Delivers Remarks at the Society of Corporate Compliance and Ethics 23rd Annual Compliance & Ethics Institute (Sept. 23, 2024), available here.
[12] Paul, Weiss, DOJ Launches New Whistleblower Program Focused on Corporate Misconduct (Aug. 7, 2024), available here.
[13] U.S. Department of Justice, Office of Public Affairs, Principal Deputy Assistant Attorney General Nicole M. Argentieri Delivers Remarks at the Society of Corporate Compliance and Ethics 23rd Annual Compliance & Ethics Institute (Sept. 23, 2024), available here. DOJ also has reported that, under a related program to encourage companies to create compensation-based incentives for compliance, two companies—Albemarle and SAP—have received fine reductions when resolving Foreign Corrupt Practices Act (“FCPA”) investigations. See id.
[14] See id.; U.S. Department of Justice, Office of Public Affairs, Principal Deputy Assistant Attorney General Nicole M. Argentieri Delivers Remarks on New Corporate Whistleblower Awards Pilot Program (Aug. 1, 2024), available here.
[15] 2024 ECCP at 4.
[16] Id.
[17] Id. at 18.
[18] U.S. Department of Justice, Office of Public Affairs, Principal Deputy Assistant Attorney General Nicole M. Argentieri Delivers Remarks at the Society of Corporate Compliance and Ethics 23rd Annual Compliance & Ethics Institute (Sept. 23, 2024), available here.
[19] Id.
[20] Id.
[21] 2024 ECCP at 13.
[22] Id. at 6, 8–10.
[23] Id. at 13.
[24] Id. at 7.
[25] U.S. Department of Justice, Office of Public Affairs, Deputy Attorney General Lisa O. Monaco Delivers Remarks at the University of Oxford on the Promise and Peril of AI (Feb. 14, 2024), available here; U.S. Department of Justice, Office of Public Affairs, Deputy Attorney General Lisa Monaco Delivers Keynote Remarks at the American Bar Association’s 39th National Institute on White Collar Crime (Mar. 7, 2024), available here.