DOJ Updates Guidance for Evaluation of Corporate Compliance Programs, Focusing on Artificial Intelligence, Data, and Whistleblower Protections
October 2, 2024, Covington Alert
On September 23, 2024, DOJ’s Criminal Division released an updated version of its Evaluation of Corporate Compliance Programs document (the “Guidance”), which serves as a reference for prosecutors in assessing corporate compliance programs in the context of investigations.
The September 2024 revisions to the Guidance set forth the Criminal Division’s expectations on how compliance programs should assess and manage risk associated with AI and other emerging technologies, and set new expectations regarding the use of data, resourcing of compliance programs, and whistleblower protections. To a lesser extent, the updates also refine the Criminal Division’s views on compliance policies, training, third-party management, and post-acquisition integration. A redline illustrating DOJ’s specific revisions can be found here, and the key takeaways are summarized below.
1. The Guidance Seeks to Align Compliance Efforts with Technological Advances, Including AI
Most prominently, the revised Guidance demonstrates DOJ’s continued effort to encourage compliance programs to keep pace with technological advances by pushing companies to continually assess and uplevel their compliance programs in response to new technologies. The Guidance focuses in particular on management of risks associated with AI, using an especially broad definition of AI and adding an entirely new subsection under the Risk Assessment heading, entitled “Management of Emerging Risks to Ensure Compliance with Applicable Law.” The Criminal Division added a number of questions under this new subsection, including:
- “Does the company have a process for identifying and managing emerging internal and external risks that could potentially impact the company’s ability to comply with the law, including risks related to the use of new technologies?”
- “How does the company assess the potential impact of new technologies, such as artificial intelligence (AI), on its ability to comply with criminal laws?”
- “Is management of risks related to use of AI and other new technologies integrated into broader enterprise risk management (ERM) strategies?”
- “To the extent that the company uses AI and similar technologies in its business or as part of its compliance program, are controls in place to monitor and ensure its trustworthiness, reliability, and use in compliance with applicable law and the company’s code of conduct?”
The updated Guidance also adds questions about AI and new technologies in other sections. In several instances, the Guidance looks beyond corporate compliance departments to consider more broadly how companies use, and assess risks associated with, these new technologies. For example, the Guidance asks about a “company’s approach to governance regarding the use of new technologies such as AI in its commercial business and in its compliance program.” Elsewhere, the Guidance asks how companies “curb[] any potential negative or unintended consequences from the use of technologies, both in [their] commercial business and in [their] compliance program,” how companies ensure technology is used for its intended purposes, and how accountability over the use of AI is enforced. This framing reflects an expansion from assessing how technology can be leveraged to mitigate compliance risk, to more broadly asking how companies use and control technologies that themselves may create or contribute to compliance risk. While many companies are already well advanced in developing and implementing risk-based AI governance frameworks, DOJ’s focus on AI in the updated Guidance is all the more reason for companies to put AI risks front and center in compliance risk and program assessments.
2. Resourcing and Data Remain at the Forefront of DOJ’s Compliance Expectations
The Guidance reinforces the Criminal Division’s expectations that compliance personnel access and leverage compliance-relevant data for monitoring and assessment, and it clarifies the Criminal Division’s expectations regarding resourcing.
In recent years, the Criminal Division has placed heightened emphasis on a company’s ability to collect and use data for compliance monitoring and testing. The revised Guidance reflects increased expectations and sophistication around the use of data. For example, the Guidance asks if companies are “appropriately leveraging data analytics tools to create efficiencies in compliance operations and measure the effectiveness of components of compliance programs.” The Criminal Division also added questions focusing on the quality of a company’s compliance-relevant data. For example, citing concepts that are familiar in the context of Technology Assisted Review, the Guidance asks how a company manages the quality of its data sources, and how a company measures “the accuracy, precision, or recall of any data analytics models it is using.” The Guidance’s updated expectations on leveraging data reflect lofty applications of data analytics in compliance settings, potentially most relevant to companies on the leading edge of compliance program sophistication and maturity. Corporate compliance departments should evaluate their data capabilities, guided by risk-based judgments regarding whether and to what extent they should prioritize data analytics enhancement projects.
As to resourcing, the Guidance now asks if “compliance personnel have knowledge of and means to access all relevant data sources in a reasonably timely manner.” Significantly, under a new subsection entitled “Proportionate Resource Allocation,” the Guidance expressly directs prosecutors to compare “the assets, resources and technology available to compliance and risk management . . . to those available elsewhere in the company.” While this has long been an area of interest for enforcement authorities, the explicit articulation of this question should focus companies on this issue, and remind them that they may be criticized if they devote significant effort upleveling the systems and resources available to commercial functions but ignore opportunities to do the same for compliance. Together, these additions demonstrate that compliance programs’ access to and sophisticated use of data will receive even greater pressure testing in the context of resolution discussions than was previously the case.
3. Following Announcement of the Criminal Division’s Corporate Whistleblower Awards Pilot Program, the Guidance Emphasizes Whistleblower Protection and Employee Training on External Reporting Avenues
The Guidance includes a new series of questions underscoring DOJ’s additional expectations around confidential reporting and whistleblower protection. Prosecutors are now directed to consider whether a company incentivizes reporting or instead “use[s] practices that tend to chill such reporting.” Such practices may include disciplining whistleblowers more severely than “others involved in misconduct who did not” report it. And in alignment with the Criminal Division’s focus on data, testing, and continuous improvement, the Guidance invites prosecutors to question how “the company assess[es] employees’ willingness to report.” Perhaps most noteworthy is the Guidance’s suggestion that companies should train their employees not only on internal anti-retaliation policies and reporting systems, but also on “external anti-retaliation and whistleblower protection laws,” “programs[,] and regulatory regimes.”
DOJ has long endeavored to incentivize voluntary reporting of corporate misconduct. As we have discussed in prior alerts (here, here, and here), this effort has taken the form of rewarding companies’ voluntary disclosures and, by extension, effectively penalizing companies when misconduct is discovered by DOJ in the absence of a voluntary disclosure. Recently, the Criminal Division has also undertaken significant efforts to encourage individual whistleblowing by individuals not meaningfully involved in corporate misconduct, launching its Corporate Whistleblower Awards Pilot Program (the “Pilot Program”) in August 2024, which we discussed in a prior alert. Similarly, the Criminal Division and various U.S. Attorneys’ Offices have issued their own individual voluntary disclosure programs in recent months, which we covered in a prior alert, encouraging individuals involved in corporate and other misconduct to come forward in exchange for leniency. Against this backdrop, the Guidance’s focus on external whistleblower mechanisms and protection for whistleblowers could be viewed as an effort to reinforce the Pilot Program, foster awareness of it among a company’s employees, and generate potential additional corporate enforcement matters. Companies may view incorporating information about external reporting mechanisms into their compliance training as a loaded and nuanced topic, potentially viewing such efforts as having the capacity to interfere with the effectiveness of internal reporting, investigation, and remediation mechanisms. Overall, this focus on external reporting adds another layer of complexity for companies that are wrestling with the patchwork of international whistleblowing regulations.
4. Continued Evolution from Anti-Corruption-Specific Guidance to Generally Applicable Compliance Guidance
Finally, the revisions to the Guidance reinforce the evolution in the Guidance from a document that originated with a focus on anti-corruption compliance to one that is applicable to corporate compliance programs more broadly—a trend we discussed in a prior alert. For example, the prior guidance asked questions about risk-tailored resource allocation that had an anti-corruption bent, such as whether the company gave greater scrutiny to high-risk transactions like large-dollar contracts with a government agency in a high-risk country. Those questions have been replaced with a broader question focused on whether the company deploys compliance resources in a risk-based manner, with greater scrutiny applied to areas of greater risk. The vast majority of the questions in the current version of the Guidance are subject-matter agnostic and can apply equally to sanctions and export controls, anti-money-laundering / countering the financing of terrorism, privacy, and other risk areas that may fall within the scope of a corporate compliance program. Compliance professionals, even those not responsible for anti-corruption, should thus be familiar with the Guidance and how it may apply to the areas within their scope.
If you have any questions concerning the material discussed in this client alert, please contact the members of our White Collar Defense and Investigations practice.