Compliance Programs Expected to Evolve With Technology: DOJ Updates Corporate Compliance Guidance to Include Artificial Intelligence

On September 23, 2024, the U.S. Department of Justice (DOJ) updated its Evaluation of Corporate Compliance Programs (the ECCP) to reflect DOJ’s evolving expectations with respect to corporate compliance programs, including how those programs appropriately address the compliance risks of new technology such as artificial intelligence (AI). While the ECCP is drafted as a guidance document for prosecutors to assess the effectiveness and adequacy of a company’s compliance program, the ECCP also is a tool for companies to conduct a similar assessment. With DOJ’s most recent update to this document, this tool now reflects DOJ’s focus on disruptive technology risks. This Update provides some general background on the ECCP and analyzes DOJ’s latest revisions to the ECCP, including the introduction of questions and considerations for companies concerning their use of new and emerging technology such as AI.

Background on the ECCP

The ECCP, first published in February 2017, has evolved to incorporate feedback and lessons learned from DOJ’s prosecutors, compliance professionals, and defense counsel. Since its introduction, the ECCP has been updated to reflect DOJ’s emphasis on the individualized and risk-based nature of compliance programs and the importance of continuous improvement and adaptation in response to new risks. Following the 2020 revisions (previously analyzed here), DOJ now asks three fundamental questions when evaluating the compliance program:

  1. Is the corporation’s compliance program well designed?
  2. Is the program adequately resourced and empowered to function effectively?
  3. Does the corporation’s compliance program work in practice?

As new challenges emerge for prosecutors and compliance programs alike, DOJ has adapted the ECCP to meet these changing circumstances. In March 2023, the ECCP was again revised (previously analyzed here) to consider, among other things, how a corporation’s compliance program addresses the use of personal devices (e.g., cellphones) and communications platforms, including those that allow for ephemeral (i.e., disappearing) messages. Notably, the 2023 revisions explained that prosecutors will more actively seek data from third-party messaging applications, and a company’s failure to preserve and produce such data may negatively affect the resolution of any enforcement action.

With DOJ’s latest announcement late last month, DOJ is once again trying to conform its compliance expectations to the compliance risks presented by new technology.

The ECCP’s Recent Updates Regarding New Technology Risks

The key update to the ECCP recognizes that new technologies, such as AI, can pose both risks and opportunities for companies in their business and compliance operations. DOJ now expects companies to conduct risk assessments regarding the use of new and emerging technologies and to take appropriate steps to mitigate any risks associated with those technologies.

To evaluate these risks, prosecutors will ask whether a company is vulnerable to criminal schemes enabled by new technologies, such as false approvals and documentation generated by AI, and whether a company has compliance controls and tools to identify and mitigate those risks. The revisions to the ECCP also call on companies to monitor and test their technologies to evaluate whether they are functioning as intended and consistent with the company’s code of conduct and other policies and procedures.

Additional Updates to the ECCP

While DOJ’s compliance expectations on the use of new and emerging technologies are the most notable change to the ECCP in this recent update, other key updates include the following:

Greater incentives and protections for whistleblowers. The updated ECCP includes questions to evaluate whether companies are encouraging employees to speak up and report misconduct. DOJ will closely consider a company’s commitment to antiretaliation against whistleblowers by reviewing a company’s policies, communications, and training with respect to speaking up and antiretaliation. DOJ will also assess any actions that a company takes against whistleblowers and will take appropriate steps to penalize or prosecute companies that retaliate against these individuals.

Encouraged use of and access to data for compliance functions. The latest revisions encourage companies to leverage new technologies to enhance their compliance programs. By using resources such as data analytics or automation to detect and prevent misconduct, DOJ believes that companies can better measure and improve the effectiveness of their compliance efforts. DOJ will, therefore, assess whether compliance personnel have adequate access to data resources and whether companies are using the same resources and technology for compliance purposes that they are using in their business.

Expectations to evolve compliance programs. The updated ECCP also expands on the concept of learning from a company’s own misconduct as well as the misconduct of others and updating a company’s compliance program accordingly. DOJ expects that companies track and incorporate into their periodic risk assessment lessons learned from their own prior issues and from other companies operating in the same industry and/or geographical region.

Review of post-transaction integration. Finally, the updated ECCP calls on companies to examine their compliance integration procedures following mergers, acquisitions, and other transactions. DOJ expects that newly acquired businesses will be incorporated into a company’s overall compliance program, including a company’s risk assessment activities and postacquisition audit plans.

As technology continues to evolve, so will DOJ’s compliance expectations and, in turn, the ECCP. Companies should assess their compliance programs in light of the new questions in the ECCP and take appropriate steps to address any gaps or weaknesses. To assist with understanding the ECCP’s complex and ever-changing guidance, experienced legal counsel is a helpful resource to support and test a company’s compliance program. Companies that continue to update their compliance programs in light of DOJ’s ECCP updates will put themselves in the best position to prevent misconduct from occurring or, otherwise, to detect misconduct early on and be in a position to obtain the benefits of having an effective, risk-based compliance program to mitigate the damage should they ultimately be the subject of a DOJ investigation.

This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.