DOJ Updates Criteria for Review of Corporate Compliance Programs, Emphasizing AI Issues
Sep 30, 2024

On September 23, the Department of Justice updated the document it uses to evaluate a corporation’s compliance program in the context of wrongdoing by the corporation – the Evaluation of Corporate Compliance Programs, or ECCP. The ECCP is an invaluable tool that allows a company to see how a prosecutor will view a specific compliance program: it lays out the specific questions that a prosecutor will ask when evaluating whether the program will qualify to give the corporation real benefits in the context of resolving a criminal investigation. In announcing these most recent updates, Principal Deputy AAG Nicole Argentieri emphasized four changes – AI, whistleblowers, adequate access to data, and incorporating lessons learned.
Recognizing the burgeoning use of artificial intelligence (AI) by companies, both in their business and in their compliance programs, the ECCP now specifically calls for a compliance program to manage risks, both internal and external, from the use of new technologies. It defines AI rather broadly, stating that it “includes systems that are fully autonomous, partially autonomous, and not autonomous, and it includes systems that operate both with and without human oversight.” It does not, however, include “robotic process automation.”
The revised ECCP asks whether the compliance program is assessing and managing risks associated with the use of AI, both in the company’s business and in the compliance program itself. For example:
- How is the company curbing any potential negative or unintended consequences resulting from the use of technologies, both in its commercial business and in its compliance program?
- To the extent that the company uses AI and similar technologies in its business or as part of its compliance program, are controls in place to monitor and ensure its trustworthiness, reliability, and use in compliance with applicable law and the company’s code of conduct?
- How quickly can the company detect and correct decisions made by AI or other new technologies that are inconsistent with the company’s values?
In other words, prosecutors will focus on this issue and will want to see that any use of AI by a company has appropriate guardrails and that the compliance program is monitoring the company’s use of AI. A compliance program should mitigate the new risks that are created by the use of AI and any other emerging technology.
Consistent with the new pilot program for awarding whistleblowers, the revisions also emphasize whistleblower protections. The ECCP has always provided a review of protections for whistleblowers, but the new questions go further into whether a company is encouraging employees to speak up and report misconduct. On the flip side, the questions are also directed at whether a company has practices that chill reporting. As AAG Argentieri stated: “Our prosecutors will closely consider the company’s commitment to whistleblower protection and anti-retaliation by assessing policies and training, as well as treatment of employees who report misconduct.”
The revisions also further emphasize whether the compliance program is adequately resourced by asking questions about its access to data and whether it has the same resources and technology that the business in general is using. In other words, the compliance program should not be shut out of the data generated by a company and it should be using tools as sophisticated as the rest of the business. And the compliance program should be using these tools to assess its own effectiveness.
Finally, the revisions further emphasize that companies should be learning not only from their own experience with prior misconduct but also from the compliance issues faced by other companies “operating in the same industry and/or geographical region.” Therefore, in conducting risk assessments and establishing best-practices standards, companies should cast a wide net to see what issues are arising in their industry and in the places where they operate.
Companies should refer to the ECCP when evaluating the effectiveness of their own compliance programs. In essence, the DOJ is letting you know the questions in advance of the test. Not all companies have to have the same bells and whistles, however. The ECCP recognizes that prosecutors must make a “reasonable, individualized determination in each case that considers various factors including . . . the company’s size . . . [and] geographic footprint . . .” Nonetheless, asking the questions posed in the ECCP will help any company improve its compliance program.
BCLP’s White Collar practice group has a great deal of experience in assisting companies to institute, review, and strengthen compliance programs.