septiembre 25 2024

DOJ’s Criminal Division Updates Policy on 3 Key Topics: Artificial Intelligence, Whistleblower Programs, and Compliance Program Resources

Share

On September 23, 2024, Principal Deputy Assistant Attorney General Nicole M. Argentieri (PDAAG), speaking at the Society of Corporate Compliance and Ethics Annual Compliance & Ethics Institute, announced three key updates to US Department of Justice (DOJ) policy on Evaluation of Corporate Compliance Programs (ECCP): the use of new technologies such as artificial intelligence (AI), whistleblower programs in practice, and the adequacy of resources for compliance programs to allow continuous monitoring and improvement.

The ECCP is the roadmap used by Criminal Division prosecutors to evaluate a company’s compliance program during a criminal investigation. In deciding how to resolve a criminal investigation, prosecutors focus on two points in time when evaluating a company’s compliance program: the time of the alleged misconduct and the time of resolution.

The PDAAG and acting head of the Criminal Division emphasized that “[c]ompanies are the first line of defense against corporate crime” and the Criminal Division views companies with robust corporate enforcement policies favorably. Companies should monitor risks associated with adopting new technologies in their business and compliance programs, including AI. Because of the ECCP updates, companies should also ensure that whistleblowers feel comfortable reporting misconduct and that the companies’ compliance programs have the same resources as business units.

See the attached PDF for a mark-up of the latest September 2024 DOJ Guidance on the ECCP against the earlier version (March 2023), which focused on ephemeral messaging, compensation clawbacks, and selection of corporate monitors.  We summarized that earlier version in a 2023 Legal Update.

DOJ’s Take on New and Emerging Technologies, Like Artificial Intelligence

Following Deputy Attorney General (DAG) Lisa Monaco’s warning in March 2024 to compliance officers that prosecutors will consider how companies mitigate the risk of misusing AI, the ECCP now defines artificial intelligence and provides technical context for the definition. Notably, the definition broadly “includes systems that are fully autonomous, partially autonomous, and not autonomous, and it includes systems that operate both with and without human oversight.”

Companies should carefully consider the technologies they employ, conduct a risk assessment regarding their use, and employ measures to mitigate any risk associated with that use. The PDAAG said prosecutors will ask whether companies have adequate controls in place to identify risks such as “false approvals and documentation generated by AI.”

Moreover, the ECCP guides prosecutors to consider whether a company using new technologies in its commercial operations or compliance program has conducted a risk assessment regarding the use of those technologies, is monitoring and testing the technologies to evaluate whether they are functioning as intended and consistent with the company’s code of conduct, and how quickly the company can detect any conduct inconsistent with its values.

ECCP’s Updated Questions on Whistleblower Programs

The ECCP now includes specific questions to evaluate whether companies encourage employees to speak up about misconduct or whether conditions at the company chill reporting. Prosecutors will also assess a company’s commitment to whistleblower protection and anti-retaliation by looking at whether the company has an anti-retaliation policy, the company’s training on both internal anti-retaliation and external anti-retaliation and whistleblower protection laws and internal and external reporting systems and regulatory regimes, and whether the company’s treatment of employees involved in the misconduct differs between those who internally reported misconduct versus those who did not. So prosecutors will analyze policies and training to determine whether companies ensure that employees know how to report misconduct and feel comfortable doing so. Another significant data point prosecutors will consider is the treatment of whistleblowers who have reported misconduct and any obstacles they faced in reporting.

A Focus on Whether Compliance Programs Are Adequately Resourced and Monitored

Prosecutors will consider how assets, resources, and technology available to compliance and risk management departments compare to those available elsewhere in a company. So companies should ensure that the same resources used in the business lines are made available to the compliance program. It’s important that compliance personnel have knowledge of and the means to access all relevant data and resources in a timely manner.

Prosecutors are now directed to consider the compliance program’s track record of preventing or detecting misconduct and how the company leverages data to improve the effectiveness of its compliance program. DOJ’s emphasis on leveraging data for continuous monitoring and improvement signals that companies should not sideline compliance for the sake of the business.

Other Notable Edits

In addition to the focus areas noted above, the updated ECCP includes a number of notable edits as to:

  • Risk assessment taking into account both internal and external circumstances that may impact a company’s evolving risk profile.
  • New questions prosecutors should ask on third-party management, specifically on the timely review of vendors and how a company is “leveraging available data to evaluate vendor risk during the course of the relationship with the vendor[.]”
  • More detailed guidance regarding the  evaluation of compliance integration efforts during and after the merger and acquisitions process. This includes questions as to whether an acquiror has migrated enterprise resource planning (ERP) systems as part of the integration, whether the new business has been incorporated into an acquiror’s risk assessment activities, and any conduct of post-acquisition audits.

Next Steps

Responding to the increasing reliance on data and emerging technologies in both business operations and compliance program controls, these revisions to the ECCP signal DOJ’s continued focus on the monitoring of these new technologies and effective use of quality data in compliance programs.
Companies should continue to invest resources in their compliance programs, critically evaluating and adapting them as necessary to meet DOJ’s latest guidance to address areas such as AI risks.  

While these are difficult issues, by proactively engaging with them, companies will be at a considerable advantage in the event of a criminal investigation because the ECCP guides how prosecutors weigh the effectiveness of a company’s compliance program when determining criminal wrongdoing.

Stay Up To Date With Our Insights

See how we use a multidisciplinary, integrated approach to meet our clients' needs.
Subscribe