The U.S. Department of Justice ("DOJ") has, once again, updated its guidance on corporate compliance. This document, known as the Evaluation of Corporate Compliance Programs or "ECCP," serves to put corporate America on notice of what DOJ expects to see when it has reason to examine a company's compliance program, usually in the context of an investigation of criminal employee misconduct. Indeed, the ECCP itself states that it is intended to "assist prosecutors in making informed decisions as to whether, and to what extent, the corporation's compliance program was effective at the time of the offense and is effective at the time of a charging decision or resolution ... ." DOJ's periodic updates to this guidance draw considerable attention and discussion and these latest changes should be no exception. This client alert briefly summarizes this recent update and offers some practical tips for corporate counsel and compliance professionals.
The first change worth noting makes clear that prosecutors will consider a company's use of technology to conduct its business, including whether a company has conducted a risk assessment related to the use of that technology, and whether the company has taken appropriate steps to mitigate any risk associated with that technology. One such risk may be a company's vulnerability to criminal schemes enabled by a specific technology. For example, the new ECCP requires prosecutors to evaluate whether the company has taken sufficient steps to identify and mitigate the risk of false approvals and documentation generated by artificial intelligence and intended to defeat internal controls. The use of technology, including both the opportunities it presents for enhancing compliance, and the vulnerabilities it creates for companies to be victims, has long since been a focus for DOJ. The new ECCP makes it clear that Department prosecutors will expect to see a thoughtful consideration of both sides of this coin in relation to how a company uses technology.
Another significant change to the ECCP relates to DOJ's recently announced new whistleblower program within the Criminal Division. The ECCP now clearly provides that prosecutors will give careful consideration to whether a company is doing enough to encourage its employees and others to report misconduct or, conversely, whether the company is intentionally or unintentionally chilling whistleblower activity. With the support of key members of Congress, some of whom have formed "Whistleblower Protection Caucuses" in both the Senate and the House, DOJ is increasingly focused on the importance of a robust "speak up" culture within companies and a company's efforts in this regard can be an important factor in how prosecutors evaluate a company's overall compliance program. Accordingly, a company should expect that how it encourages, facilitates and investigates reports of misconduct will be scrutinized by DOJ if and when misconduct becomes the focus of a criminal investigation of a company and the company claims to have been ignorant of the misconduct.
Finally, the updated ECCP directs prosecutors to assess whether a company's compliance program has appropriate access to data such that it is able to assess its own effectiveness. Specifically on this point, Principal Deputy Assistant Attorney General Nicole Argentieri has described this newly required assessment as including a consideration of "whether companies are putting the same resources and technology into gathering and leveraging data for compliance purposes that they are using in their business." DOJ's recent creation of a new position within the Criminal Division—Counsel, Compliance and Data Analytics—is consistent with this new focus. Going forward, prosecutors will be looking for, and will expect to see, evidence that a company is investing in data analysis for the specific purpose of enhancing compliance. Companies seeking to avoid prosecution for employee misconduct will have to demonstrate that the misconduct occurred despite their best efforts to maintain a data-driven compliance program.
What are the practical takeaways for companies that hope to meet DOJ's elevated expectations? Here are the three "R's" of effective compliance that the latest version of the ECCP reinforces are important to DOJ:
1. Reporting. Companies should review their compliance reporting regime to ensure that it is user-friendly, that employees understand how it works and that it actually works in practice. This starts with designing an easy-to-understand and easy-to-use reporting system that includes multiple ways for whistleblowers to make reports. Training is also critical, beginning with new employee orientation, but also as part of annual ethics training for all employees. And effective auditing of the program is also critical. A well-designed program that is the subject of adequate training but is rarely actually used suggests a problem. Only through effective auditing will such problems be revealed.
2. Risk Assessments. DOJ continues to acknowledge that the deployment of compliance resources should be based on risk. The updated ECCP emphasizes that only by conducting adequate risk assessments can a company be confident that its deployment of resources is logically connected to its specific risks. Risk assessments should be aimed at identifying, ranking and mitigating all of the risks the enterprise faces; should be conducted on a regular basis; and should be reviewed and understood outside of the compliance department. In other words, senior-level (including the board of directors) review and approval is critical.
3. Resources. DOJ has long emphasized the importance of ensuring that a company's compliance program is adequately resourced. With this updated ECCP, DOJ is focusing specifically on technology resources and, specifically, whether the company's investment in technology for the compliance function, whether related to AI or other types of technology, is commensurate with the investment being made in the profit-generating parts of the business. Simply put, under-resourcing compliance is a surefire way to frustrate DOJ's expectations.
In summary, DOJ's focus on corporate compliance continues and its expectations continue to evolve. In light of this reality, companies of all types are well-advised to engage in a little self-critical analysis and make improvements where necessary. The updated ECCP provides a good rubric for companies to follow.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.