TheCorporateCounsel.net

Last week, the Criminal Division of the DOJ announced a number of updates to its Evaluation of Corporate Compliance Programs guidance, including updates addressing risks related to emerging technology such as artificial intelligence, whistleblowers and the DOJ’s use of data analytics. As this Alston & Bird alert notes, the most significant changes to the guidance relate to the following three areas:

Emerging technology

Recognizing the rapid development and deployment of new technologies such as artificial intelligence (AI) by companies in a wide variety of industries, the updated ECCP instructs prosecutors to consider what “new and emerging technology” companies are using in conducting their business, whether (and how) companies have assessed the risk of such technology (e.g., how it could impact a company’s ability to comply with the law), and what companies have done “to mitigate any risk associated with” such technology.

The ECCP then includes a litany of potential follow-up questions for prosecutors to ask, such as: What governance structures has the company put in place for the use of new technologies such as AI in its commercial business, and what controls exist to ensure the technologies are only used for their intended purpose? What other steps has the company taken to curb any unintended negative consequences from the use of AI? If a company’s compliance program uses AI, what controls are in place “to monitor and ensure its trustworthiness, reliability, and use in compliance with applicable law”? How is the company training its employees on the use of AI and other emerging technologies?

In her speech, Argentieri cited as an example of the risk posed by emerging technology “whether the company is vulnerable to criminal schemes enabled by new technology, such as false approvals and documentation generated by AI.” In these AI-related updates to the ECCP, as elsewhere, the DOJ signals that it will inquire about these topics but does not prescribe specific one-size-fits-all measures companies must take. Rather, companies are generally expected to monitor and test their technology “to evaluate if it is functioning as intended and consistent with the company’s code of conduct.”

Whistleblower incentives and protection

The updated ECCP instructs prosecutors to consider the extent to which companies “encourage and incentivize” reporting of misconduct (or conversely, the extent to which companies “use practices that tend to chill such reporting”) as well as companies’ “commitment to whistleblower protection and anti-retaliation,” as demonstrated by how they actually treat employees who report misconduct. These additions are unsurprising, given the raft of policies issued by various components of the DOJ in recent months that are designed to incentivize – through monetary rewards or immunity – reporting of corporate wrongdoing by individuals (analyzed in prior Alston & Bird advisories, including here and here).

Use of data

Senior DOJ personnel have for several years emphasized the importance of companies deploying data analytics as part of effective compliance programs, and this emphasis is echoed in the updated ECCP, which instructs prosecutors to consider whether compliance personnel have access to relevant sources of data and how effectively companies are using data analytics in assessing the effectiveness of their compliance programs, as well as in their management of third-party relationships.

This Debevoise alert also observes: “The updated ECCP’s greatest impact likely will be on how companies tailor their compliance programs to address new technologies, particularly the expectation that companies will have “conducted a risk assessment regarding the use of [AI] . . . and . . . taken appropriate steps to mitigate any risk associated with the use of that technology.”

– Dave Lynn