The U.S. Department of Justice has revised its Evaluation of Corporate Compliance Programs to enhance scrutiny on AI technologies and ensure companies effectively manage associated risks.
The U.S. Department of Justice (DOJ) has released an updated version of its Evaluation of Corporate Compliance Programs (ECCP), a vital framework used to guide federal prosecutors in assessing how companies integrate new technologies into their operational and compliance strategies. Announced by Principal Deputy Assistant Attorney General Nicole M. Argentieri on 23 September 2024, these revisions reflect an acute focus on artificial intelligence (AI) and similar emerging technologies, signalling the DOJ’s commitment to evolving corporate compliance standards amid rapid technological advancements.
The ECCP Update, aimed at including the assessment of AI-related risks, aligns with initiatives previously introduced by Deputy Attorney General Lisa O. Monaco. The update aims to accommodate new risks posed by technological innovations while maintaining stringent compliance with legal standards. While it does not overhaul previous guidelines substantially, the update clarifies the expectations for integrating AI and similar technologies without compromising legal obligations.
Central to the ECCP Update is its emphasis on AI. Federal prosecutors are now instructed to scrutinise a company’s AI utilisation, including whether a suitable risk assessment has been conducted and what measures are in place to mitigate potential associated risks. These evaluations include determining a company’s vulnerability to misconduct facilitated by AI, such as generating false approvals or falsified documentation. The DOJ intends to examine closely the governance and control structures that manage AI technologies, including the adequacy of training programs and processes set to prevent unintended or malicious AI activity.
Companies are expected to uphold certain standards as outlined in the ECCP Update. These include the stress-testing of AI applications to identify weaknesses, continuous monitoring of high-risk AI cases, and documentation of risk mitigation strategies. This requirement for documentation aligns with the DOJ’s broader philosophy of proactive risk management.
Expanding on compliance monitoring and data analytics, the update urges prosecutors to evaluate if companies utilise relevant data sources effectively and whether compliance functions have adequate access to necessary data. It highlights that resources should be proportionately allocated for compliance monitoring, factoring in technology’s role within business operations. Any disparity between cutting-edge business technology and outdated compliance systems might attract increased scrutiny from the DOJ.
The ECCP Update also reaffirms the importance of whistleblower protections. Companies must encourage employees to report misconduct and ensure that these individuals are not penalised. The update ties into the DOJ’s Corporate Whistleblower Awards Pilot Program, which incentivises the proactive reporting of compliance violations.
Another focus area of the update is the approach to post-acquisition compliance integration. The DOJ now places greater emphasis on how companies implement compliance policies following acquisitions, including post-acquisition audits and the integration of newly acquired businesses into the existing compliance framework. This focus aligns with the DOJ’s Safe Harbor Policy, which allows companies a presumptive six-month period post-acquisition to report any compliance issues without the threat of prosecution.
Overall, the ECCP Update emphasises the importance of adapting compliance programs to reflect the challenges and opportunities presented by emerging technologies. Companies are advised to conduct thorough risk assessments concerning AI use, establish robust AI controls and monitoring processes, bolster whistleblower protections, and ensure effective integration of acquisitions into their compliance strategies to meet DOJ expectations.
In summary, the ECCP Update from the DOJ reinforces the necessity for companies to navigate the complexities of AI and other emerging technologies prudently within their compliance frameworks. Such guidance aims to address legal and regulatory compliance issues effectively, ensuring corporate operations evolve in tandem with technological innovations.
Source: Noah Wire Services
