DOJ Updates Evaluation of Corporate Compliance Programs Guidance: What Companies Need to Know

On September 23, 2024, the U.S. Department of Justice (DOJ) released updates to its Evaluation of Corporate Compliance Programs (ECCP) guidance — the framework prosecutors use to evaluate corporate compliance programs during investigations. The ECCP provides a roadmap for companies to meet DOJ expectations and reduce the risk of enforcement actions.

The revisions focus on three areas: (i) addressing risks associated with emerging technologies, including artificial intelligence; (ii) strengthening protections for whistleblowers, emphasizing the importance of encouraging internal reporting without fear of retaliation; and (iii) stressing the need for compliance teams to have adequate resources and access to data to identify and mitigate risks effectively.

This article discusses the critical questions companies should answer to analyze whether their compliance programs are on track to meet DOJ standards.

Managing Risks Associated With New and Emerging Technologies

The DOJ’s updated ECCP places significant emphasis on the need for companies to implement structured processes to assess and manage risks tied to AI and other emerging technologies. As a result, companies should assess the following areas:

  • Identify and Assess Risks: Does the company have a process to identify and evaluate internal and external risks associated with emerging technologies, such as AI, including the impact on the company’s ability to comply with criminal laws?
  • Integrate Risks into Enterprise Risk Management (ERM): Is the management of technological risks, such as those related to AI, embedded within broader ERM strategies?
  • Establish Governance Frameworks: What governance frameworks guide the company’s use of AI and other technologies in both commercial operations and compliance programs?
  • Mitigate Negative Consequences: How does the company address unintended or adverse effects resulting from the use of technologies, both in its business and compliance program? How is the company mitigating the potential for deliberate or reckless misuse, including by insiders?
  • Monitor and Control: How does the company monitor and ensure the reliability and trustworthiness of AI systems in compliance with applicable laws and internal policies? Are there controls in place to ensure technologies are used only for their intended purposes?
  • Ensure Accountability: How is accountability for the use of AI monitored and enforced?
  • Provide Training: Does the company provide adequate training for employees on the use of emerging technologies such as AI?

Enhancing Whistleblower Protections and Addressing Retaliation

The updated ECCP also places greater emphasis on whistleblower protections, requiring prosecutors to evaluate whether companies have mechanisms that encourage employees to report misconduct while protecting them from retaliation. Companies should be able to answer the following questions:

  • Encouraging Reporting: Does the company encourage and incentivize employees to report misconduct? Conversely, are there practices in place that might discourage such reporting, such as a lack of confidentiality or fear of retaliation?
  • Anti-Retaliation Policies: Does the company have an anti-retaliation policy? How does the company ensure that whistleblowers are protected, and their anonymity maintained?
  • Employee Training: Are employees trained on internal reporting systems and anti-retaliation policies? Does this training extend to external whistleblower protection laws and regulatory regimes?
  • Assessing Employees’ Willingness to Report: How does the company assess employees’ willingness to report misconduct?
  • Treatment of Whistleblowers: When employees report misconduct, how are they treated compared to those involved in misconduct who did not report? Are whistleblowers subjected to harsher treatment or discipline?

These updates align with the DOJ’s broader initiatives, including the Corporate Whistleblower Awards Pilot Program launched in 2024, which incentivizes employees to report misconduct, underscoring the importance of building robust whistleblower programs with comprehensive training and strict anti-retaliation enforcement.

Access to Data and Resources for Compliance Functions

The updated ECCP also highlights the DOJ’s expectation that companies use analytics to identify risks and measure program effectiveness, as well as provide their compliance teams with sufficient resources and timely access to relevant data. Prosecutors will now evaluate the following:

  • Leverage Data Analytics: Are companies leveraging data analytics tools to create efficiencies in compliance operations and measure the effectiveness of components of compliance programs?
  • Ensure Data Quality: How does the company manage the quality of its data sources and measure the accuracy, precision, or recall of its analytics models?
  • Provide Timely Data Access: Do compliance personnel have access to relevant data sources in a timely manner?
  • Allocate Resources Equitably: How do the assets, resources, and technology dedicated to compliance and risk management compare to those allocated to other business functions? Is there a disproportionate investment in commercial technologies versus compliance technologies?
  • Identify Issues Proactively: Can the company demonstrate proactive efforts to identify misconduct or issues with its compliance program at the earliest stage possible?

Conclusion

An effective compliance program must continuously adapt to regulatory changes and emerging risks, particularly those identified in the DOJ’s updated ECCP. For companies using AI and other advanced technologies, the updated ECCP offers guidance on managing risks and integrating these tools into compliance processes. The updates also emphasize the importance of robust whistleblower protections, timely access to quality data, and equitable allocation of resources.

Given this ECCP update, and the DOJ’s focus on periodic updates to a company’s compliance function, companies are encouraged to add a review of their compliance programs in the first quarter of 2025. With substantial experience in regulatory compliance, risk management, and internal investigations, Carlton Fields can assist in reviewing your program’s alignment with DOJ standards. Failing to meet these standards may otherwise subject your organization to heightened scrutiny during investigations, making proactive compliance efforts even more critical.

©2025 Carlton Fields, P.A.