The DOJ revises Evaluation of Corporate Compliance Programs to spotlight new tech

Changes to the document mainly emphasize emerging technologies and data analytics.

This week, the Department of Justice (DOJ) Criminal Division issued a revised Evaluation of Corporate Compliance Programs (ECCP) document, which was announced by Principal Deputy Assistant Attorney General Nicole Argentieri during her remarks at the Society of Corporate Compliance and Ethics (SCCE) Annual Compliance & Ethics event.

The ECCP was created to assist prosecutors in evaluating the effectiveness of a corporation’s compliance program, and the role it should play in determining the appropriate form of any resolution or prosecution.

As a result, the document also serves as a great resource for corporations looking to ensure that their corporate compliance programs are comprehensive, applied earnestly and effective in practice – or at least implemented in a manner that would satisfy DOJ examiners.

The updated ECCP largely mirrors the last-updated March 2024 version, but it includes additional considerations that emphasize the role of emerging technologies and data analytics in the current corporate compliance landscape. It also puts added emphasis on ensuring companies encourage and incentivize the reporting of potential misconduct.

Emerging technology and its risks

The ECCP reminds businesses that an assessment of their risk profile is a preliminary step a prosecutor must take in determining whether a company has a well-designed compliance program.

The updated ECCP explicitly notes that the evaluation should account for the technology the company and its employees are using to conduct business and count it as a potential emerging risk.

Prosecutors may also “credit the quality and effectiveness of a risk-based compliance program that devotes appropriate attention and resources to high-risk transactions, even if it fails to prevent an infraction.” The updated ECCP now states that prosecutors should consider a company’s management of emerging risks, such as artificial intelligence (AI), to ensure compliance with applicable law.

When determining whether the corporation’s compliance program works in practice, prosecutors are also instructed to consider whether the company is monitoring and testing new technologies so they can evaluate whether they are functioning as intended and are consistent with the company’s code of conduct.

Company use of AI

It was only a matter of time before the ECCP focused on a company’s use of AI. In determining whether the compliance program is well designed, prosecutors are now instructed to consider how the company would assess the impact of new technologies, such as AI, on its ability to comply with criminal laws.

This includes an assessment of whether the management of risks related to the use of AI is integrated into the firm’s broader enterprise risk management strategies, as well as an evaluation of whether it has a risk-based approach to governance regarding the use of new technologies in any part of its commercial business.

In the section considering whether the corporation’s compliance program works in practice, the revised ECCP also instructs prosecutors to consider how quickly the company can detect and correct decisions made by AI “that are inconsistent with the company’s values.”

The updated document reminds prosecutors that the company should be mitigating the potential for deliberate or reckless misuse of technologies, including by company insiders. And it asks them to evaluate the extent to which the company uses AI and similar technologies in its business or as part of its compliance program “with the right controls in place to monitor and ensure its trustworthiness, reliability, and use in compliance with applicable law and the company’s code of conduct.”

Notably, the ECCP’s additional guidance documents also include the AI Risk Management Framework released by the National Institute of Standards and Technology in January 2023. And it adopts the definition of AI put forward by the White House in March that includes systems that are fully autonomous, partially autonomous, and not autonomous, and systems that operate both with and without human oversight, including (but not limited to) machine learning, reinforcement learning, transfer learning, and generative AI.

Data analytics tools

The updated ECCP instructs prosecutors to consider whether compliance personnel have knowledge of and means to access all relevant data sources in a reasonably timely manner, as well as whether the company is appropriately leveraging data analytics tools to create efficiencies in its compliance operation.

When determining whether the corporation’s compliance program works in practice, prosecutors are also instructed to consider the extent to which the company has access to data and information to identify potential misconduct or deficiencies in its compliance program and whether it is proactively identifying either misconduct or issues with its compliance program at the earliest stage possible.

“Now is the time to make the necessary compliance investments to help prevent, detect, and remediate misconduct. And when you uncover misconduct: call us before we call you.”

Principal Deputy Assistant Attorney General Nicole Argentieri

It asks prosecutors to ascertain how the company is managing the quality of its data sources and the accuracy, precision, or recall of any data analytics models it is using.

An interesting comparison it asks prosecutors to make when determining whether the corporation’s compliance program works in practice appears in the updated ECCP: “Prosecutors are instructed to consider the extent to which the company has access to data and information to identify potential misconduct or deficiencies in its compliance program and whether it is proactively identifying either misconduct or issues with its compliance program at the earliest stage possible.”

Whistleblower incentives

The ECCP now includes questions designed to evaluate whether companies are encouraging employees to speak up and report misconduct or whether companies employ practices that chill reporting. Prosecutors will closely consider the company’s commitment to whistleblower protection and anti-retaliation by assessing policies and training, as well as treatment of employees who report misconduct.

And they will evaluate whether companies ensure that individuals who suspect misconduct know how to report it and feel comfortable doing so, including by showing that there is no tolerance for retaliation.

Argentieri – clawbacks are working

Speaking at the SCCE annual conference this week in Grapevine, Texas, Argentieri mentioned the updates to the ECCP, highlighting the data analytics, AI and whistleblower components noted above and pointing out that the updated version expands upon an important concept: “companies should be learning lessons from both the company’s own prior misconduct and from issues at other companies to update their compliance programs and train employees.”

What befalls one’s competitors makes for instructive and easily accessible training material. And training must be a large component of any effective compliance program.

Argentieri also mentioned how the DOJ’s three-year compensation clawback pilot program is doing at its midway point.

The program has two parts, she explained. First, each of the corporate resolutions now requires that the company include criteria related to compliance in its compensation and bonus system, with the DOJ asking companies to provide clear metrics both to reward compliance-promoting behavior and to deter misconduct. That language is required in every Criminal Division resolution now, and since the program’s launch, DOJ has included the requirement in nine corporate resolutions.

Argentieri asked the audience to consider the significance of her words: “Nine companies across five industries are upping their game in using their compensation systems to promote compliance.” These companies in the tech, finance, crypto, manufacturing, and energy sectors are considering how to align compensation not just with the company’s financial performance – but with conducting business in an ethical manner. “And they are setting the tone for others in the marketplace,” she said.

She noted how one company under an agreement with the DOJ required consideration of adherence to compliance standards and reporting of misconduct in its annual reviews. She indicated that as a result of these efforts, and a company-wide messaging campaign, the company is seeing more reports of potential compliance issues.

Argentieri highlighted another company that had incorporated a performance review metric that measured employees across categories including individual and team performance, goal accomplishment, and demonstration of core values, and that was factored into both compensation and promotion decisions.

In concluding her remarks, Argentieri said: “I hope today you’ll take this message back to your companies: ‘now is the time to make the necessary compliance investments to help prevent, detect, and remediate misconduct. And when you uncover misconduct: call us before we call you.’”