Earlier today, Monday, September 23, 2024, the U.S. Department of Justice (the “DOJ”) Criminal Division issued a revised Evaluation of Corporate Compliance Programs document (the "Updated ECCP"). The Updated ECCP is designed to assist prosecutors in evaluating the effectiveness of a corporation’s compliance program, and the role it should play in determining the appropriate form of any resolution or prosecution. As a result, the document also serves as a great resource for corporations looking to ensure that their corporate compliance programs are comprehensive, effective and would fare well if examined by DOJ. The Updated ECCP was announced today by Principal Deputy Assistant Attorney General Nicole M. Argentieri during her remarks at the Society of Corporate Compliance and Ethics 23rd Annual Compliance & Ethics Institute in Grapevine, Texas.
The DOJ does not utilize a rigid formula in its analysis of corporate compliance programs, but its Justice Manual (“JM”) outlines three “fundamental questions” a prosecutor should ask: (1) is the compliance program well designed, (2) is the program being applied earnestly and in good faith, and (3) does the corporation’s compliance program work in practice. See JM 9-28.800. While the Updated ECCP largely mirrors the March 2024 version, the Updated ECCP includes additional considerations that emphasize the role of emerging technologies and data analytics in the current corporate compliance landscape. The complete Updated ECCP is available here, but some key updates include the following:
Emerging technologies and risks. Understanding a company’s risk profile is a preliminary step a prosecutor must take in determining whether a company has a well-designed compliance program. The Updated ECCP specifically notes that the evaluation should account for emerging risks, which include the technology a company and its employees are using to conduct business.
Prosecutors may also “credit the quality and effectiveness of a risk-based compliance program that devotes appropriate attention and resources to high-risk transactions, even if it fails to prevent an infraction.” In part, the Updated ECCP now counsels that prosecutors should consider a company’s management of emerging risks, such as artificial intelligence (AI), to ensure compliance with applicable law.
When determining whether the corporation’s compliance program works in practice, prosecutors are also instructed to consider whether the company is monitoring and testing new technologies so that it can evaluate whether they are functioning as intended and consistent with the company’s code of conduct.
Artificial intelligence. Unsurprisingly, the Updated ECCP has a particular focus on a company’s use of AI. In determining whether the compliance program is well designed, prosecutors are instructed to consider how the company would assess the use of new technologies, such as AI, on its ability to comply with criminal laws. This includes an assessment of whether management of risks related to use of AI is integrated into broader enterprise risk management strategies and the company’s approach to governance regarding the use of new technologies such as AI in its commercial business.
Later, in considering whether the corporation’s compliance program works in practice, the Updated ECCP also instructs prosecutors to consider how quickly the company can detect and correct decisions made by AI that are inconsistent with the company’s values
Notably, the Updated ECCP’s additional guidance documents also includes the AI Risk Management Framework released by the National Institute of Standards and Technology (NIST) in January 2023.
Data analytics tools. Prosecutors are also instructed to consider whether a compliance program is a “paper program” or is implemented and revised, as appropriate, in an effective manner. JM 9-28.800. In part, the Updated ECCP instructs prosecutors to consider whether compliance personnel have knowledge of and means to access all relevant data sources in a reasonably timely manner, as well as whether the company is appropriately leveraging data analytics tools to create efficiencies in its compliance operation.
When determining whether the corporation’s compliance program works in practice, prosecutors are also instructed to consider the extent to which the company has access to data and information to identify potential misconduct or deficiencies in its compliance program and whether it is proactively identifying either misconduct or issues with its compliance program at the earliest stage possible.
This newfound focus on data and technology reflects the changing landscape of corporate compliance and confirms the influence of Matthew Galvin, an attorney with significant compliance experience and the Department’s first ever Counsel for Compliance and Data Analytics serving in the Fraud Section. We anticipate corporate compliance programs becoming the centerpiece of the DOJ’s corporate enforcement activity and that is why ensuring that your program is aligned with the Updated ECCP is critical. If your company is looking to create an effective corporate compliance program that is compliant with the Update ECCP and implements bespoke technology and data analytics, do not hesitate to reach out to Reed Smith’s Regulatory & Investigations team.