Putting the “AI” in Compliance—DOJ Updates its Corporate Compliance Program Guidance to Address Emerging AI Risks and Leveraging Data
What You Need to Know
Key takeaway #1
In announcing the Department’s updated ECCP, Principal Deputy Assistant Attorney General Nicole Argentieri took the opportunity to emphasize that DOJ considers incentivizing corporations to invest in robust compliance programs to be a “key aspect” of its mission to deter corporate crime, and that the Department believes it is crucial for compliance officers and their staff to be empowered. She closed her remarks with a clear message for companies: “now is the time to make the necessary compliance investments to help prevent, detect, and remediate misconduct. And when you uncover misconduct: call us before we call you.”
Key takeaway #2
The updated ECCP highlights the DOJ’s growing expectations for corporate compliance programs and personnel in an environment with changing technology and business pressures, and it directs prosecutors to consider whether corporate compliance programs are reactive or proactive. This recent update is an evergreen reminder that companies should continually reassess their compliance programs to ensure they are keeping pace with the organization’s risk profile—including risks presented by technological advances.
Client Alert | 2 min read | 09.25.24
On Monday, September 23, 2024, the Department of Justice (DOJ) released an update to its Evaluation of Corporate Compliance Programs (ECCP) guidance. The ECCP guidance was last revised in March 2023; that revision brought a number of significant changes, including a focus on compensation and incentive structures (e.g., clawbacks) and third-party messaging applications. This 2024 update, while not as significant in scope as its predecessor, nonetheless highlights the DOJ’s focus on new and emerging technologies, such as artificial intelligence (AI), as part of its evolving assessment of what makes a corporate compliance program truly effective, and how prosecutors should evaluate risk assessments and other management tools at the time of a corporate resolution.
In the updated guidance, the DOJ identified key areas for companies to consider when bolstering compliance structures, policies, and training:
- Managing emerging risks and technologies: The updated ECCP directs prosecutors to consider whether companies are assessing and mitigating the risk of using new and emerging technologies such as AI in their businesses and compliance programs. For example, prosecutors will consider whether a company’s Enterprise Risk Management (ERM) system effectively manages risks related to AI and other emerging technologies, whether a company has sufficient governance to curb any potential negative consequences from the use of those technologies, and whether the use of AI or similar technologies in a company’s compliance program is trustworthy, reliable, and in compliance with applicable law. These revisions formalize prior guidance given by Deputy Attorney General Lisa Monaco, who in March 2024 directed prosecutors to evaluate how companies mitigate the risk of AI misuse.
- Accessing and leveraging data: As part of the DOJ’s growing focus on data analysis and metrics, prosecutors are to consider whether corporate compliance and risk management personnel have appropriate access to data and resources. Prosecutors will also consider whether companies are disproportionately investing resources and technology into business development rather than into detecting and mitigating risk.
- Incorporating lessons learned: The DOJ further emphasized the importance of companies incorporating lessons learned—from their own prior misconduct and from issues at other similarly situated companies (e.g., in the same industry or geographical areas)—into their compliance programs. For example, prosecutors will consider whether companies have processes to assess risk and update policies and training with lessons learned.
- Protecting Whistleblowers: Prosecutors will also assess commitments to whistleblower protection and anti-retaliation, including whether companies encourage employees to speak up and report misconduct or whether they use practices to chill reporting. These changes align with the DOJ’s aim to encourage whistleblower reporting through its new Corporate Whistleblower Awards Pilot Program.