The Next Step in DOJ’s Strategy to Enlist Companies to Fight Corporate Crime: Updates to the Evaluation of Corporate Compliance Programs
This September, the Department of Justice’s (DOJ) Criminal Division released an update of its Evaluation of Corporate Compliance Programs (ECCP) for the second time in the past 18 months, following its March 2023 update. On the heels of DOJ’s pilot programs on Corporate Whistleblower Awards, Voluntary Self-Disclosures for Individuals, and Compensation Incentives and Clawbacks, this ECCP update is another step in DOJ’s efforts to prevent and deter corporate crime by incentivizing corporations to invest in robust compliance programs and to self-report misconduct when it occurs.
Refresher on the ECCP
The ECCP is the framework that federal prosecutors use to evaluate a company’s compliance program in the context of a criminal investigation. The ECCP is organized around three “fundamental questions”:
- Is the corporation’s compliance program well-designed?
- Is the program being applied earnestly and in good faith? In other words, is the program adequately resourced and empowered to function effectively?
- Does the corporation’s compliance program work in practice?
For each fundamental question, the ECCP provides a series of additional questions designed to drill down into the design, application, and efficacy of a corporation’s compliance program. As a practical matter, these questions provide DOJ’s take on “best practices” for compliance programs. A company’s answers can impact what kind of resolution DOJ may insist upon, how much of a penalty the company will have to pay, and what kind of ongoing obligations DOJ may impose (such as a monitorship or other reporting requirements).
ECCP Updates: Artificial Intelligence, Whistleblowers, Data, and Lessons Learned
Last week, Principal Deputy Assistant Attorney General (PDAAG) Nicole Argentieri, the head of DOJ’s Criminal Division, delivered a speech announcing the changes to the ECCP. Calling the ECCP an “invaluable resource for companies” and “the roadmap Criminal Division prosecutors use to evaluate a company’s compliance program,” she noted that the primary new additions include:
- Managing risks associated with new and emerging technologies, such as artificial intelligence (AI)
- Encouraging employees to speak up and report misconduct through whistleblower protections
- Empowering compliance programs with appropriate access to data
- Incorporating lessons learned into compliance programs and training
These changes reflect DOJ’s strategy of incentivizing companies and their employees to serve as partners in preventing and deterring corporate crime. Readers of Enforcement Edge are well versed on other measures that DOJ has implemented in the past 18 months to do just that, including launching the Compensation Incentives and Clawbacks Pilot Program in March 2023, the Pilot Program on Voluntary Self-Disclosures for Individuals in April 2024, and the Corporate Whistleblower Awards Pilot Program in August 2024.
The updates to the ECCP are keenly focused on the threats associated with emerging technologies and reflect DOJ’s expectation that companies should be on the front line of mitigating associated risks. Earlier this year, Deputy Attorney General (DAG) Lisa Monaco announced that federal prosecutors may seek tougher sentences for crimes related to the use of AI, and in March she directed the Criminal Division to incorporate a company’s use of AI and disruptive technologies into the ECCP.
Below is our analysis of each of the focus areas highlighted by PDAAG Argentieri.
Managing Risks of AI and Emerging Technologies
In line with DAG Monaco’s March directive, some of the newly added questions provide guidance on developing or maintaining corporate compliance programs that manage risks associated with new technologies:
- Does the company have a process for identifying and managing emerging internal and external risks that could potentially impact the company’s ability to comply with the law, including risks related to new technologies?
- How does the company assess the potential impact of new technologies, such as AI, on its ability to comply with criminal laws?
- Is management of risks related to use of AI and other new technologies integrated into broader enterprise risk management (ERM) strategies?
- What is the company’s approach to governance regarding the use of new technologies, such as AI in its commercial business and in its compliance program?
- How is the company curbing any potential negative or unintended consequences resulting from the use of technologies, both in its commercial business and in its compliance program?
- How is the company mitigating the potential for deliberate or reckless misuse of technologies, including by company insiders?
- To the extent that the company uses AI and similar technologies in its business or as part of its compliance program, are controls in place to monitor and ensure its trustworthiness, reliability, and use in compliance with applicable law and the company’s code of conduct?
- Do controls exist to ensure that the technology is used only for its intended purposes?
- What baseline of human decision-making is used to assess AI?
- How is accountability over use of AI monitored and enforced?
- How does the company train its employees on the use of emerging technologies such as AI?
Companies that use AI and emerging technologies will want to carefully assess each of these questions, and work to ensure that they implement appropriate policies and processes to prevent misuse by, for example, adequately training their employees and monitoring the ongoing use of these new technological tools.
Encouraging Employees to Speak up and Report Misconduct Through Whistleblower Protections
DOJ recently announced its Corporate Whistleblower Awards Pilot Program, which is designed to incentivize individuals to report allegations of corporate misconduct to DOJ’s Criminal Division. As with other whistleblower programs, including the program run by the Securities and Exchange Commission, DOJ’s program cautions companies against retaliating against employees who report misconduct. This update to the ECCP reinforces the government’s prioritization of anti-retaliation measures in a company’s compliance program. Some of the new questions added to the ECCP regarding anti-retaliation and whistleblowing protections include:
- Does the company encourage and incentivize reporting of potential misconduct or violation of company policy?
- Does the company use practices that tend to chill such reporting?
- How does the company assess employees’ willingness to report misconduct?
- Does the company have an anti-retaliation policy?
- Does the company train employees on both internal anti-retaliation policies and external anti-retaliation and whistleblower protection laws?
- To the extent that the company disciplines employees involved in misconduct, are employees who reported internally treated differently than others involved in misconduct who did not?
- Does the company train employees on internal reporting systems as well as external whistleblower programs and regulatory regimes?
These questions come under the subject heading “Commitment to Whistleblower Protection and Anti-Retaliation,” demonstrating DOJ’s emphasis on protecting employees who report misconduct. Companies should design and implement substantive and comprehensive policies, procedures, and training to ensure that they have created a secure environment where employees are comfortable raising potential concerns.
Empowering Compliance Programs With Appropriate Access to Data
The ECCP updates also focus on ensuring that compliance personnel can access the data needed for their work, from relevant sources and in sufficient quantities. Now prosecutors should ask:
- Do compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions?
- Do any impediments exist that limit or delay access to relevant sources of data and, if so, what is the company doing to address the impediments?
- Do compliance personnel have knowledge of and means to access all relevant data sources in a reasonably timely manner?
- Is the company appropriately leveraging data analytics tools to create efficiencies in compliance operations and measure the effectiveness of components of compliance programs?
- How is the company managing the quality of its data sources?
- How is the company measuring the accuracy, precision, or recall of any data analytics models it is using?
- How do the assets, resources, and technology available to compliance and risk management compare to those available elsewhere in the company?
- Is there an imbalance between the technology and resources used by the company to identify and capture market opportunities and the technology and resources used to detect and mitigate risks?
Incorporating Lessons Learned
While the prior version of the ECCP included questions related to incorporating lessons learned from “both the company’s own prior misconduct and from issues at other companies,” in the words of PDAAG Argentieri, the new updates “expand upon” this important concept. Questions added on this topic include:
- Is there a process for updating policies and procedures to reflect lessons learned either from the company’s own prior issues or from those of other companies operating in the same industry and/or geographical region?
- Is there a process for updating policies and procedures to address emerging risks, including those associated with the use of new technologies?
- Has the training addressed lessons learned from compliance issues faced by other companies operating in the same industry and/or geographical region?
Updates on DOJ’s Clawback Program and Whistleblower Program
In last week’s announcement, PDAAG Argentieri also provided updates on both the Compensation Incentives and Clawbacks Pilot Program (Clawback Program) and the Corporate Whistleblower Awards Pilot Program (Whistleblower Program), referenced above.
First, corporate resolutions involving the Criminal Division now require the corporation to develop a compensation and bonus system tied to criteria that promote compliance. PDAAG Argentieri shared that since the Clawback Program launched, nine companies have agreed to implement criteria related to compliance in their compensation and bonus systems as part of their resolutions with the Criminal Division.
The second component of the Clawback Program is that the Criminal Division will consider a reduction of fines when companies seek to recoup compensation from corporate wrongdoers. The PDAAG shared that two companies have received fine reductions to date under the program, both in Foreign Corrupt Practices Act cases. In both instances, the companies were rewarded a reduction of 40% or more for withholding compensation from culpable employees, sending a “clear message that there will be consequences for those who do not stand against misconduct.”
PDAAG Argentieri also shared that while the Whistleblower Program has only been up and running for a few weeks, the Criminal Division has already been receiving “good tips.”
The Future of Corporate Compliance
The changes to the ECCP highlight that companies need to continually work to bolster their corporate compliance programs. DOJ continues to emphasize voluntary reporting and strengthening corporate compliance culture, as exhibited by its continued emphasis on the Clawback Program and the Whistleblower Program. DOJ also has moved quickly to address challenges with AI and emerging technologies. DOJ has made clear that it views companies as the first line of defense against corporate crime and, to that end, has encouraged companies to be responsible corporate citizens by maintaining robust and up-to-date corporate compliance programs and protecting employees that report misconduct.
A strong corporate compliance program can be a key factor in reducing or avoiding corporate criminal penalties. Companies that demonstrate forward-looking, risk-based compliance efforts are more likely to receive favorable treatment, including deferred prosecution agreements or reduced fines.
For questions on this or any other subject, please reach out to the authors or any of their colleagues in Arnold & Porter’s White Collar Defense & Investigations practice group.
© Arnold & Porter Kaye Scholer LLP 2024 All Rights Reserved. This Blog post is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.