DOJ Updates Corporate Compliance Program Guidance With a Focus on AI and Emerging Technologies

Background

At the Society of Corporate Compliance and Ethics ("SCCE") Compliance & Ethics Institute in September 2024, Principal Deputy Assistant Attorney General ("PDAAG") Nicole Argentieri announced an updated version of the U.S. Department of Justice Criminal Division's compliance program guidance, which was last updated in March 2023. The 2024 updates instruct DOJ prosecutors to assess how companies manage risk related to AI and other emerging technologies, use data for compliance program purposes, and protect whistleblowers. 

DOJ prosecutors refer to the guidance when evaluating the adequacy of a company's compliance program in the context of a corporate criminal matter (at both the time of the offense and the time of a charging decision). These considerations help prosecutors ultimately determine the terms of a corporate resolution and whether to impose a corporate monitor. 

Focus on AI and Data Compliance Risks

The updated guidance now asks prosecutors to evaluate how companies are assessing and managing risks related to AI and other emerging technologies. AI abuse is a particular area of focus for DOJ. Earlier this year, DOJ launched the "Justice AI Initiative" to help the Department better understand the "promise of AI and the perils of its misuse," and, in February, Deputy Attorney General Lisa Monaco directed the Criminal Division to pursue heftier penalties when AI is deliberately misused. 

According to the updated guidance, going forward, prosecutors will assess whether the company has: 

• Assessed the impact of compliance risks created by AI and other emerging technologies on its ability to comply with federal criminal laws;
• Implemented policies, procedures, and adequate controls to monitor these technologies' trustworthiness, reliability, and use in compliance with applicable law and the company's code of conduct;
• Trained employees on the use of these technologies; and
• Monitored and tested compliance with these procedures.

In her speech, the PDAAG noted that DOJ is interested in whether the company has assessed its exposure to the potential misuse of these technologies, such as AI-generated false approvals or false documentation, and whether compliance controls are in place to identify and mitigate those risks, such as tools to confirm the accuracy or reliability of data used by the business.

Companies that have adopted AI-based technologies or plan to do so in the future should assess whether their compliance program is tailored to any risks posed by these technologies. 

Emphasis on the Compliance Function's Resources

Whether companies have dedicated adequate resources to their compliance functions has long been an area of DOJ interest, and the updated guidance sharpens this inquiry, particularly with respect to the availability of data and data analytics to identify and manage compliance risks. As updated, the guidance now directs prosecutors to assess whether the company is "appropriately leveraging data analytics tools to create efficiencies in compliance operations and measure the effectiveness of components of compliance programs." 

Specifically, prosecutors will assess whether the company's compliance function: 

• Has access to data analytics tools to measure the effectiveness of the compliance program, such as third-party vendor risk, and identify potential misconduct; 
• Has leveraged data to gain insights into the effectiveness of its compliance program; and 
• Has access to the same resources and technology for gathering and leveraging data for compliance purposes that they are using in their business.

Focus on Whistleblower Protections

The updates also reinforce preexisting guidance on internal reporting and add specific questions about corporate whistleblower protections. Prosecutors will now question whether the company:

• Has an anti-retaliation policy;
• Uses any practices that chill such reporting;
• Trains employees on anti-retaliation and whistleblower protection laws; and
• Disciplines employees who reported internally differently than others involved in misconduct.

These updates follow DOJ's launch of the Corporate Whistleblower Awards Pilot Program in August, a three-year pilot program designed to reward whistleblowers who report information about corporate misconduct, and recent amendments to DOJ's Corporate Enforcement and Voluntary Self-Disclosure Policy, which extend the presumption of a declination to companies that report internal whistleblower complaints of potential criminal violations to DOJ within 120 days of receipt. 

In total, these policy pronouncements are a clear signal that DOJ is focused on the company's commitment to whistleblower protections and anti-retaliation and how it responds to those complaints. 

Other Updates

The updated guidance expands on various preexisting compliance principles related to continuous improvement, training, and mergers and acquisitions by adding questions for DOJ prosecutors to pose covering these areas. They include the following areas of inquiry:

• Proven Track Record: Does the company have a "track record of preventing or detecting other instances of misconduct?"
• Measurement: How and how often does the company measure the success and effectiveness of its compliance program?
• Tailored Training: Has the company tailored its training and communications to the "particular needs, interests, and values of relevant employees," and incorporated lessons learned from other companies in similar industries or operating in similar regions? 
• M&A Integration: Does the company have a process in place to ensure appropriate compliance oversight of a newly acquired business (this follows DOJ's announcement last year of the Safe Harbor Policy for voluntary self-disclosures to DOJ within six months after a merger or acquisition)?

Overall, DOJ's compliance program updates reflect the Department's continuing emphasis on compliance programs that are tailored to the company's risk profile and are proactive rather than purely reactive.