With Updated Corporate Compliance Guidance, DOJ Provides Companies with More Reasons to Focus on AI and Technology
On September 23, 2024, the U.S. Department of Justice (DOJ) released an updated version of its guidance to prosecutors on the Evaluation of Corporate Compliance Programs (“ECCP”). Tracking themes apparent in other recent guidance issued by DOJ, the update gives companies more reason to focus on AI and the effective use of emerging technologies and data analytics, even when engaging in M&A deals, to enhance corporate compliance programs.
Responsible Management of Artificial Intelligence
Perhaps most significantly, under the updated ECCP, DOJ now asks companies to demonstrate how they are utilizing newly available technology such as AI and whether the companies have adequately prepared for the risks associated with using such technologies. Building off of Deputy Attorney General (DAG) Lisa Monaco’s March 2024 speech, where she articulated a directive for the Criminal Division to incorporate the risk of disruptive technology into the ECCP, the new guidance directs prosecutors to consider whether companies have adequately examined the risks of technology such as algorithmic learning and artificial intelligence in the course of their business operations.
Specifically, in her speech unveiling the revitalized ECCP, Principal Deputy Assistant Attorney General Nicole Argentieri described a scenario in which a company is vulnerable to criminal schemes enabled by new technology, such as false approvals and documentation generated by AI, and stated that DOJ will “consider whether compliance controls and tools are in place to identify and mitigate those risks, such as tools to confirm the accuracy or reliability of data used by the business.”
The ECCP lists several considerations for companies examining the risks posed by AI and whether their compliance program is appropriately tailored:
- Whether the company’s risk assessment processes consider and appropriately document the use of AI and other new technologies and how the risk level for intended use cases has been determined (e.g., in circumstances where the particular use of AI creates particular risks, such as confidentiality, privacy, cybersecurity, quality control, bias, etc.);
- Whether there is sufficient human oversight of AI systems that are deployed, especially for high-risk uses, and whether the performance of those systems is being assessed by reference to an appropriate “baseline of human decision-making” (e.g., the expected standard to which human decision-makers would be held for a given use case);
- Whether appropriate steps have been taken to prioritize and minimize the identified risks — including the potential for misuse of those technologies by company insiders — by implementing compliance tools and controls (e.g., through monitoring, alerts, technical guardrails, continuous testing, human review, or confirming the accuracy or reliability of data); and
- Whether the company is continuously monitoring and testing its technology to evaluate if it is functioning “as intended,” both in the company’s commercial business and its compliance program, and consistent with the laws and the company’s code of conduct. If there are significant deviations in performance, for example where an AI tool makes an inappropriate decision, prosecutors will look at how quickly a company is able to detect and subsequently correct errors and any subsequent decisions.
Effective Utilization of New Technologies for Compliance
The updated ECCP also sets forth new expectations that a company’s policies and procedures be regularly tested and evaluated and that they effectively utilize technology to manage risk. Among other things, a company should assess whether the technology it is using creates new risks and whether it has embraced innovative new technology to limit its exposure to criminal and civil violations. Prosecutors will take an especially dim view of a company that has invested in revenue-generating technology without effective utilization and while neglecting to invest in corresponding compliance upgrades.
Similarly, the ECCP expects that companies look both internally and externally to find solutions to their compliance problems. This focus on continuous improvement reflects the DOJ’s expectations that companies will adapt to evolving risks and regulatory landscapes. Prosecutors will ask:
- Is there a process for updating policies and procedures to reflect lessons learned either from the company’s own prior issues or from those of other companies operating in the same industry and/or geographical region?
- Is there a process for updating policies and procedures to address emerging risks, including those associated with the use of new technologies?
A company forced to defend its compliance program to DOJ will need to be prepared to measure and report on the effectiveness and deficiencies within the compliance function and how the company incorporated its evaluations into improving its compliance program and risk mitigation for the future.
The revised ECCP also explicitly references the use of data in evaluating third-party management programs. Prosecutors will assess whether a company’s third-party risk management process allows for the review of vendors in a timely manner and whether the company leverages available data to evaluate vendor risk in the course of its relationship with the vendor. DOJ’s emphasis on technology underscores that it expects companies to utilize data to be able to manage all external relationships throughout the lifespan of a business relationship — from onboarding to completion of a project.
Emphasis on Whistleblowing and Anti-Retaliation
In accordance with the recently released DOJ Corporate Whistleblower Awards Pilot Program, the ECCP revisions also offer additional alignment with DOJ’s policy goals. For example, the ECCP instructs prosecutors to consider whether a company incentivizes reporting of misconduct and whether a company measures the likelihood that an employee will report suspected misconduct. Prosecutors also are directed to examine whether the company trains employees on both internal reporting systems and “external whistleblower programs and regulatory regimes.” Given DOJ’s implementation of a new whistleblower program, the reference within the ECCP to external whistleblower programs is especially notable. Companies now will need to develop a sophisticated training program that emphasizes the trustworthiness and reliability of their internal reporting mechanisms while also alerting employees to the existence of the government’s own reporting avenues. Companies are obviously highly motivated to contain and remediate problems in-house, so compliance with this new government expectation will present a particularly thorny problem to navigate.
The new ECCP also directs prosecutors to consider the design and effectiveness of a company’s anti-retaliation policy. Similar to the recommended self-evaluation of a company’s compliance program, DOJ will consider whether a company has examined how employees who report misconduct are disciplined in comparison to others involved in the misconduct and any process and procedure changes that result from such self-evaluation.
Compliance Measures Must Extend to All M&A Activity
Consistent with DOJ’s M&A Safe Harbor Policy, the ECCP emphasizes the need for conducting “comprehensive due diligence” and for integrating compliance into the M&A process. The updates make clear that companies’ responsibilities do not end with pre-acquisition diligence. Rather, post-acquisition diligence and integration are just as important: “Flawed or incomplete pre- or post-acquisition due diligence and integration can allow misconduct to continue at the target company, causing resulting harm to a business’s profitability and reputation and risking civil and criminal liability.”
Stressing the importance of post-acquisition compliance integration, the ECCP outlines a list of questions prosecutors (and companies) should ask when evaluating the effectiveness of a compliance program, including but not limited to:
- What is the company’s process for implementing and/or integrating a compliance program post-transaction?
- Does the company have a process in place to ensure appropriate compliance oversight of the new business?
- How is the new business incorporated into the company’s risk assessment activities?
- How are compliance policies and procedures organized?
- Are post-acquisition audits conducted at newly acquired entities?
While these updates are relatively modest, they reinforce that examining M&A activity remains a key priority at DOJ and compliance integration is not exempt from that scrutiny.
Conclusion
The updates to the ECCP provide important insights into DOJ’s new priorities when evaluating corporate compliance programs. When read in connection with other recent DOJ policy proclamations, it is clear that DOJ is highly focused on ensuring that companies responsibly invest in AI and emerging technologies. DOJ also wants to ensure that internal reporting mechanisms are well-known and utilized, without fear of retaliation, while also ensuring employees know about government whistleblower opportunities. And, when engaging in M&A activity, these compliance measures must be part of any post-acquisition integration.
Companies should heed the guidance in the newest version of the ECCP and undertake the work necessary to determine whether their current suite of compliance policies and procedures meets the standards of the ECCP. The spate of recent DOJ initiatives and these updates to the ECCP demonstrate a sustained focus on corporate misconduct. Now more than ever, it is critically important that companies are confident in their compliance programs and know how to defend their compliance functions before the agencies.
This information is provided by Vinson & Elkins LLP for educational and informational purposes only and is not intended, nor should it be construed, as legal advice.