09/26/2024 | News release | Distributed by Public on 09/26/2024 11:20
DOJ made changes to its Evaluation of Corporate Compliance Programs, the first since March 2023. The changes focus on the management of technology risk, including the use of artificial intelligence, as well as whistleblower retaliation, data analytics, M&A integration, and how companies handle instances of misconduct beyond those under investigation.
On September 23, 2024, the Department of Justice (DOJ) released a revised version of the Evaluation of Corporate Compliance Programs (ECCP), which is designed to guide prosecutors in evaluating the effectiveness of compliance programs, and is a resource for companies to understand DOJ's compliance expectations. The revisions reflect DOJ's continued efforts to heighten and refine its standards for an effective compliance program, a long-running evolution that now dates back more than a decade.
Technology risk/artificial intelligence. DOJ officials have made several recent announcements and speeches regarding the risks posed by artificial intelligence, and therefore it is not surprising that the ECCP revisions focus on technology risk. The ECCP questions and considerations now include:
Data access and data analytics. Although the ECCP has long asked whether compliance programs have appropriate access to data, it now asks whether the company is "appropriately leveraging data analytics tools to create efficiencies in compliance operations and measure the effectiveness of components of compliance programs," as well as how the "assets, resources, and technology available to compliance and risk management compare to those available elsewhere in the company." It specifically asks whether there is an "imbalance between the technology and resources used by the company to identify and capture market opportunities and the technology and resources used to detect and mitigate risks."
Lessons earned and training. Although the ECCP previously asked whether companies were incorporating "lessons learned" into their compliance programs in various ways, it now also asks whether companies are leveraging lessons learned from other companies in similar industries or operating in similar regions into their policy designs and trainings. It also asks whether the company's trainings are "tailored to the particular needs, interests, and values of relevant employees."
Anti-retaliation and reporting. The new ECCP added a section of questions on "Commitment to Whistleblower Protection and Anti-Retaliation," a heightened concern given DOJ's own new Whistleblower Pilot Program. This section includes whether the company has an anti-retaliation policy, trains employees on internal reporting systems as well as external whistleblower programs and regulatory regimes, and disciplines employees who reported internally differently than others involved in misconduct who did not.
M&A integration. As part of a company's M&A process, the ECCP now includes questions around the integration process, such as whether the company accounts for "migrating or combining critical enterprise resource planning systems," and the extent to which "compliance and risk management functions play a role in designing and executing the integration strategy." Along the same lines, the ECCP also now asks whether the company has a process in place "to ensure appropriate compliance oversight of the new Business," and whether and how the new business is incorporated into the company's risk assessment activities.
Proven track record. DOJ has also added language around the need for prosecutors to "consider whether the company's compliance program had a track record of preventing or detecting other instances of misconduct," which can include an analysis of how the company "responded to other instances of misconduct in addition to how the company addressed reports of potential misconduct and risks over time."