DOJ Updates Corporate Compliance Program Guidance With a Focus on AI and Emerging Technologies
In Short
The Situation: In September 2024, the U.S. Department of Justice ("DOJ" or "Department") announced updates to its Evaluation of Corporate Compliance Programs guidance covering three primary areas: (1) the risks of artificial intelligence ("AI") and emerging technologies; (2) data analytics for compliance program monitoring and continuous improvement; and (3) whistleblower protections.
The Result: Companies should carefully evaluate their compliance policies, procedures, and controls, particularly those related to these updates.
Looking Ahead: The updates to DOJ's compliance guidance are a further indication that DOJ continues to raise the bar on corporate compliance program standards and will closely evaluate the design and effectiveness of corporate compliance programs when resolving a corporate criminal investigation.
Background
At the Society of Corporate Compliance and Ethics ("SCCE") Compliance & Ethics Institute in September 2024, Principal Deputy Assistant Attorney General ("PDAAG") Nicole Argentieri announced an updated version of the U.S. Department of Justice Criminal Division's compliance program guidance, which was last updated in March 2023. The 2024 updates instruct DOJ prosecutors to assess how companies manage risk related to AI and other emerging technologies, use data for compliance program purposes, and protect whistleblowers.
DOJ prosecutors refer to the guidance when evaluating the adequacy of a company's compliance program in the context of a corporate criminal matter (at both the time of the offense and the time of a charging decision). These considerations help prosecutors ultimately determine the terms of a corporate resolution and whether to impose a corporate monitor.
Focus on AI and Data Compliance Risks
The updated guidance now asks prosecutors to evaluate how companies are assessing and managing risks related to AI and other emerging technologies. AI abuse is a particular area of focus for DOJ. Earlier this year, DOJ launched the "Justice AI Initiative" to help the Department better understand the "promise of AI and the perils of its misuse," and, in February, Deputy Attorney General Lisa Monaco directed the Criminal Division to pursue heftier penalties when AI is deliberately misused.
According to the updated guidance, going forward, prosecutors will assess whether the company has:
- Assessed the impact of compliance risks created by AI and other emerging technologies on its ability to comply with federal criminal laws;
- Implemented policies, procedures, and adequate controls to monitor these technologies' trustworthiness, reliability, and use in compliance with applicable law and the company's code of conduct;
- Trained employees on the use of these technologies; and
- Monitored and tested compliance with these procedures.
In her speech, the PDAAG noted that DOJ is interested in whether the company has assessed its exposure to the potential misuse of these technologies, such as AI-generated false approvals or false documentation, and whether compliance controls are in place to identify and mitigate those risks, such as tools to confirm the accuracy or reliability of data used by the business.
Companies that have adopted AI-based technologies or plan to do so in the future should assess whether their compliance program is tailored to any risks posed by these technologies.
Emphasis on the Compliance Function's Resources
Whether companies have dedicated adequate resources to their compliance functions has long been an area of DOJ interest, and the updated guidance sharpens this inquiry, particularly with respect to the availability of data and data analytics to identify and manage compliance risks. As updated, the guidance now directs prosecutors to assess whether the company is "appropriately leveraging data analytics tools to create efficiencies in compliance operations and measure the effectiveness of components of compliance programs."
Specifically, prosecutors will assess whether the company's compliance function:
- Has access to data analytics tools to measure the effectiveness of the compliance program, such as third-party vendor risk, and identify potential misconduct;
- Has leveraged data to gain insights into the effectiveness of its compliance program; and
- Has access to the same resources and technology for gathering and leveraging data for compliance purposes that the company uses in its business.
Focus on Whistleblower Protections
The updates also reinforce preexisting guidance on internal reporting and add specific questions about corporate whistleblower protections. Prosecutors will now question whether the company:
- Has an anti-retaliation policy;
- Uses any practices that chill such reporting;
- Trains employees on anti-retaliation and whistleblower protection laws; and
- Disciplines employees who made internal reports differently than others involved in misconduct.
These updates follow DOJ's launch of the Corporate Whistleblower Awards Pilot Program in August, a three-year pilot program designed to reward whistleblowers who report information about corporate misconduct, and recent amendments to DOJ's Corporate Enforcement and Voluntary Self-Disclosure Policy, which extend the presumption of a declination to companies that report internal whistleblower complaints of potential criminal violations to DOJ within 120 days of receipt.
In total, these policy pronouncements are a clear signal that DOJ is focused on the company's commitment to whistleblower protections and anti-retaliation and how it responds to those complaints.
Other Updates
The updated guidance expands on various preexisting compliance principles related to continuous improvement, training, and mergers and acquisitions by adding questions for DOJ prosecutors to pose covering these areas. They include the following areas of inquiry:
- Proven Track Record: Does the company have a "track record of preventing or detecting other instances of misconduct?"
- Measurement: How and how often does the company measure the success and effectiveness of its compliance program?
- Tailored Training: Has the company tailored its training and communications to the "particular needs, interests, and values of relevant employees," and incorporated lessons learned from other companies in similar industries or operating in similar regions?
- M&A Integration: Does the company have a process in place to ensure appropriate compliance oversight of a newly acquired business (this follows DOJ's announcement last year of the Safe Harbor Policy for voluntary self-disclosures to DOJ within six months after a merger or acquisition)?
Overall, DOJ's compliance program updates reflect the Department's continuing emphasis on compliance programs that are tailored to the company's risk profile and are proactive rather than purely reactive.
Three Key Takeaways
- The updates to the Criminal Division's Evaluation of Corporate Compliance Programs continue DOJ's trend of raising the bar on corporate compliance program standards. The guidance remains a useful tool to understand how DOJ would evaluate the compliance program of a company that is facing a corporate criminal investigation and particular ways companies can strengthen their programs.
- As DOJ works to implement the new guidance, companies should review their risk assessments and compliance programs with regard to the use of AI and other emerging technologies. Such a review should include assessments of corporate policies and controls governing these technologies.
- Companies should also assess whether their whistleblower protections are adequate and whether compliance functions have adequate access to relevant data and related tools.