Updated Justice Department Guidance on Corporate Criminal Enforcement Reveals New Focus on Artificial Intelligence Roles, Whistleblowing Protection, and Use of Data

I. Introduction

On September 23, 2024, during virtual remarks to the Society of Corporate Compliance and Ethics’ 23rd Annual Compliance & Ethics Institute in Grapevine, Texas, the U.S. Department of Justice’s (“DOJ”) Principal Deputy Assistant Attorney General announced a series of updates to the DOJ’s Evaluation of Corporate Compliance Programs (“ECCP”). The ECCP is a collection of DOJ guidance that forms “the roadmap Criminal Division prosecutors use to evaluate a company’s compliance program, including the questions prosecutors will ask as they assess a compliance program in determining how to resolve a criminal investigation.”¹

The announcement marked the first changes to the ECCP since March 2023 (see our previous alert here; and a redline showing the revisions here), and offers valuable insight into the DOJ’s current thinking and approach to corporate enforcement work. While not as fundamental as last year’s change, the new updates reveal the DOJ’s expectations for how corporate actors should responsibly leverage artificial intelligence (“AI”), machine learning, and other new technologies while continuing to meet their obligations under criminal law.

II. Background on the ECCP

When the DOJ prosecutes corporate crime, it considers “not just what happened, but why it happened and what the company has done to prevent misconduct from recurring”; to that end, “a critical component of [DOJ’s] corporate resolutions involves an assessment of the corporation’s compliance program, at both the time of the misconduct and at the time of resolution.”

A key part of the DOJ’s evaluation of corporate compliance programs is its expectation that corporations “continuously review and update their compliance programs to account for emerging risk factors.”² In the same vein, the DOJ’s latest updates to the ECCP reflect its own attention to changing circumstances and key risks.

III. The September 2024 Updates to the ECCP

The latest revisions include notable additions in several key areas:

A. Artificial Intelligence

Most conspicuously, the updated ECCP now includes “an evaluation of how companies are assessing and managing risk related to the use of new technology such as artificial intelligence both in their business and in their compliance programs.” In line with this new section, “prosecutors will consider the technology that a company and its employees use to conduct business, whether the company has conducted a risk assessment of the use of that technology, and whether the company has taken appropriate steps to mitigate any risk associated with the use of that technology.”³

A key question for prosecutors will be how a company is assessing the potential impact of AI and machine learning on its ability to comply with criminal laws—the implication being that the DOJ expects that a company’s addition of new technological capabilities will not detract from its compliance program or ability to cooperate with enforcement agencies. The DOJ is particularly interested in whether the company is vulnerable to criminal schemes enabled by new technology (e.g., AI-generated false approvals or documentation) and the potential for other deliberate or reckless misuse of new technology, both by employees and third parties. The DOJ will consider what risk assessments the company has undertaken and compliance controls it has implemented to identify and mitigate any potential negative or unintended consequences of AI, such as tools to confirm the accuracy or reliability of data used by the business.⁴

Notwithstanding these concerns, the ECCP updates also indicate that the DOJ recognizes the new opportunities afforded by the use of new technologies. In particular, and as discussed further below, prosecutors will now also assess how a company has leveraged its data—potentially via the use of AI or other new technologies—to gain insights into the effectiveness of its compliance program.⁵

B. Whistleblower Protections & Anti-Retaliation Measures

Under the revised ECCP, prosecutors are instructed to consider a company’s commitment to whistleblower protection and anti-retaliation by evaluating its policies, training, and treatment of employees who report misconduct. Although largely reinforcing preexisting guidance, the updates include a number of questions “designed to evaluate whether companies are encouraging employees to speak up and report misconduct or whether companies employ practices that chill reporting.”⁶ These questions include not only whether a company has an anti-retaliation policy in the first instance, but also whether employees are trained both on this internal policy and on external anti-retaliation and whistleblower protection laws. To the extent a company disciplines employees involved in misconduct, prosecutors should now also scrutinize whether internal reporters are treated differently from employees who did not use the internal reporting mechanism.

Notably, these revisions come on the heels of the DOJ’s recent announcement of the Corporate Whistleblower Awards Pilot Program, a three-year pilot program designed to incentivize individuals to report criminal misconduct, and amendments to the DOJ’s Corporate Enforcement and Voluntary Self-Disclosure Policy, pursuant to which companies that report whistleblower complaints to the DOJ within 120 days of receipt will be eligible for a presumption of declination. Taken collectively, it is clear that the DOJ is acutely focused both on the protections that companies afford whistleblowers and how proactively companies respond to whistleblower complaints.

C. Compliance Program Resources and Operations

The ECCP updates also include a variety of considerations of the support and maintenance of the company’s compliance program—key among which is the data available to the company’s compliance program, including for use in self-assessments and monitoring. While this also reinforces earlier guidance, new questions for prosecutors focus on “whether compliance personnel have adequate access to relevant data sources and the assets, resources, and technology that are available to compliance and risk management personnel.” Data access is also a consideration in how companies evaluate vendor risk during the course of the relationship with the vendor.

The updates set a new standard with respect to the extent of the use of data for compliance monitoring purposes by comparing it to the use of data for commercial purposes. Prosecutors will also assess whether the company is proportionately allocating resources and “putting the same resources and technology into gathering and leveraging data for compliance purposes that they are using in their business.” Taken at face value, this is a standard most companies will likely fall short of.

The ECCP updates also reveal the DOJ’s expectation that “companies should be learning lessons from both the company’s own prior misconduct and from issues at other companies to update their compliance programs and train employees.”⁷ This underscores the need for companies to periodically review and refresh trainings to ensure they reflect developing trends and risk.

The Principal Deputy Assistant Attorney General’s comments reiterated that companies should be proactive in the post-transaction stage in assessing, expanding, and auditing the compliance programs at newly acquired assets (in line with last year’s announcement of the DOJ’s Safe Harbor Policy for voluntary self-disclosures made in the context of the mergers and acquisition process).⁸ Under the new ECCP, prosecutors are instructed to consider the extent to which “compliance and risk management functions play a role in designing and executing the integration strategy” at newly-acquired entities.⁹ 

IV. Key Takeaways

With this week’s announcement and ECCP revisions, the DOJ has made clear that one of its key strategies to prevent and deter corporate crime is to incentivize companies to invest in their compliance programs, protect whistleblowers, and proactively investigate and self-disclose misconduct. Given these and other new revisions, companies should:

• Proactively ensure that broader enterprise risk management strategies include management of risks of AI, machine learning, and related new technologies, including an evaluation of any negative or unintended consequences of the technologies and whether there are controls in place to prevent fraud, misconduct, and the circumvention of the compliance program through AI.
• Explore ways to leverage AI to improve the company’s compliance monitoring programs, including related to third party transactions.
• Integrate considerations of new technologies into existing compliance trainings, and implement a system for evaluating employees’ engagement with compliance trainings generally.
• Implement a process to periodically refresh trainings to incorporate compliance lessons learned, peer industry and geographical case studies, developing enforcement trends, and updated guidance from regulators. 
• Consider reviewing and revising compliance trainings to emphasize both internal reporting systems and external whistleblower programs, assessing the sufficiency of other socialization efforts of the whistleblower system, and analyzing data regarding the usage of the whistleblower system to identify business units that may lack sufficient awareness or in which employees may fear retaliation.
• Conduct a broad assessment of available data, risks to the company, and how data analytics can be used to identify potentially problematic activity, trends, or misconduct.
• Allocate comparable levels and quality of resources and technology into gathering and leveraging data for compliance purposes as is deployed in other business units.
• Ensure that there is a formal process in place to periodically assess compliance issues that have arisen, both at the company and at companies operating in the same industry and/or geographical region, and consider appropriate updates to all aspects of the compliance program.
• Work promptly to assess and integrate acquired companies into the global compliance program.