On September 23, 2024, the U.S. Department of Justice updated its guidance to federal prosecutors related to the “Evaluation of Corporate Compliance Programs” (the “ECCP”).[1] This revision, the first since March 2023, addresses how companies manage risks associated with new and emerging technology, including artificial intelligence, and expands on preexisting guidance regarding employee reporting channels, whistleblower protection, post-acquisition compliance integration, and use of data for compliance purposes.

Noteworthy Changes to DOJ’s Guidance. Federal prosecutors use the ECCP in evaluating companies’ compliance programs in connection with charging decisions and penalty determinations, including whether to impose a monitor. First issued in February 2017 and revised in 2019, 2020, and 2023, the ECCP centers on three fundamental questions. In particular, the ECCP considers whether a compliance program is: (1) well designed; (2) applied earnestly and in good faith, with adequate resourcing and empowerment; and (3) working in practice.

The following are the key additions and other modifications in the latest ECCP:

  • Most significantly, the updated ECCP squarely addresses the impact of new technologies, such as AI. DOJ now asks prosecutors to consider what technology a company uses to conduct business, whether the company has conducted a risk assessment regarding the use of such technology, and whether the company has taken appropriate measures to mitigate risks associated with the technology. DOJ then lists an array of follow-up considerations, including how the company assesses the potential impact of AI or other new technology on the company’s ability to comply with applicable laws, what governance structure and controls the company has implemented with respect to the use of technology, what other steps the company has taken to mitigate technology-related risks and avert potential misuse of technology, and how the company trains its employees on the use of AI and other new technology.
  • The prior ECCP already stressed the importance of an effective mechanism by which employees can anonymously or confidentially report compliance issues, as well as measures to ensure that employees who report will not be subject to retaliation. The new ECCP builds on that guidance, instructing prosecutors to consider whether and how a company incentivizes reporting (or, conversely, engages in “practices that tend to chill such reporting”), whether the company has an anti-retaliation policy, and whether the company trains employees on internal reporting channels, anti-retaliation policies and laws, external whistleblower programs, and whistleblower protection laws.
  • In the transactional context, DOJ places additional emphasis on post-acquisition integration. The 2023 version of the ECCP called for assessment of a company’s process for implementing compliance policies and procedures, and conducting post-acquisition audits, at an acquired entity. DOJ reinforced the importance of those considerations when it announced, later in 2023, that it will apply a presumptive six-month post-closing “safe harbor” during which an acquiring company may self-report at an acquired entity without fear of prosecution. In the new ECCP, DOJ also asks what role the compliance and risk management functions have in planning and carrying out the integration process, how the company ensures compliance oversight of the acquired business, and how the new business is integrated into the company’s risk assessment procedures.
  • Similarly, with regard to the use of data for compliance purposes, the new ECCP expands on DOJ’s existing guidance. Specifically, prosecutors should ask not only whether a company’s compliance function has sufficient access to relevant data sources but also whether the company is “appropriately leveraging data analytics tools” for compliance purposes, how the company is managing the quality of its data, and how the company is ensuring the reliability of any data analytics models it is using.

Key Takeaways for Companies. The updated ECCP’s greatest impact likely will be on how companies tailor their compliance programs to address new technologies, particularly the expectation that companies will have “conducted a risk assessment regarding the use of [AI] . . . and . . . taken appropriate steps to mitigate any risk associated with the use of that technology.” To meet those expectations, companies that have deployed AI for significant business or compliance operations may be asked to explain and demonstrate:

  • where they have deployed AI;
  • which AI use cases, if any, are high risk;
  • who determines what uses are high risk and on what basis;
  • the process for determining that the benefits of high-risk AI uses outweigh the risks;
  • that this process includes assessing risks associated with malicious or unintended uses of the AI (e.g., through stress testing);
  • for high-risk uses, the company knows the specific risks that are elevated for the particular use case (e.g., privacy, bias, transparency, quality control, vendor management, cybersecurity, loss of IP protections, regulatory compliance, contractual compliance, conflicts, etc.), and people knowledgeable about those risks have either accepted the risks or mitigated the risks (e.g., through alerts, data controls, technical guardrails, training, labeling, human review, compliance affirmations, model validation, etc.);
  • high-risk uses are monitored on an ongoing basis to ensure that the risk remains acceptable or mitigated, that the AI continues to function as intended, and that significant deviations in the AI’s performance are detected quickly; and
  • the above process is adequately documented.

In addition, the revised ECCP puts companies on notice that, if their use of AI leads to significant compliance problems or fails to adequately identify and address those problems, as part of a charging decision, DOJ may examine the resources devoted to AI risk management and compliance. If those resources seem small compared to the resources devoted to other areas of similar risk within the company, or as a proportion of the overall expenditures on the commercial side of the AI ledger, then DOJ may find the compliance program lacking in resource allocation.

Most of DOJ’s other changes to the ECCP expand on principles already articulated in the guidance and that should be integral to any well-developed compliance program. Nevertheless, by providing additional questions and specific factors for prosecutors to consider when evaluating compliance reporting channels or post-acquisition integration procedures, for example, DOJ seeks to help companies and their compliance functions more effectively design and enhance their policies, procedures, and other compliance-related tools. The ECCP remains a valuable resource not only for companies that fall under DOJ’s investigative spotlight, but for any company seeking to ensure that its compliance program remains aligned with increasing regulatory expectations.

[1] U.S. Department of Justice, Criminal Division, “Evaluation of Corporate Compliance Programs” (Sept. 2024), https://www.justice.gov/criminal/criminal-fraud/page/file/937501/dl.


Author

Helen V. Cantwell is Co-Chair of the White Collar & Regulatory Defense Group at Debevoise and a litigation partner with extensive trial experience. She can be reached at hcantwell@debevoise.com.

Author

Avi Gesser is Co-Chair of the Debevoise Data Strategy & Security Group. His practice focuses on advising major companies on a wide range of cybersecurity, privacy and artificial intelligence matters. He can be reached at agesser@debevoise.com.

Author

Andrew Levine is a litigation partner who focuses his practice on white collar and regulatory defense, internal investigations and a broad range of complex commercial litigation. He regularly defends companies in criminal, civil and regulatory enforcement matters and has conducted numerous investigations throughout the world. Mr. Levine frequently advises companies on compliance matters, including with respect to the U.S. Foreign Corrupt Practices Act, and the assessment and management of risks presented by potential mergers, acquisitions and other transactions. In 2014, Mr. Levine was named to Global Investigations Review’s inaugural “40 Under 40” list of the world’s leading investigations lawyers, and he was recognized in 2013 as a Rising Star by the New York Law Journal. Mr. Levine is recommended for international litigation in The Legal 500 US (2022), where clients have described him as “smart, responsive, collaborative and sharp in his advice.” He is ranked as a leading lawyer for FCPA by Chambers USA (2022), where clients say “he is focused on pragmatic solutions.” Sources have also said that “his breadth of knowledge is unparalleled,” he is “exceptionally able and capable,” and “very pragmatic and hands-on. He’s able to conceptualize and simplify quite quickly complex considerations and situations.” In Chambers Global (2023) and Chambers Latin America (2023), where Mr. Levine is recommended as a top-tier lawyer, clients note that “he stands out for his client service and attention to detail,” describing him as “a lawyer that turns complexity into simplicity.” They also note that he is “extremely professional and technical” and he has “a deep experience in Latin America.” In previous editions of the guides, he has been lauded as “an impressive and tireless thought leader,” “an extremely well-known figure globally,” “a very thoughtful and service-oriented lawyer,” “a reassuring presence in tumultuous times,” “a calm, competent and thorough practitioner” and “brilliant, hard-working and thoughtful.” Clients are said to value his “encyclopedic knowledge” and his “ability to condense a complex situation into something understandable and manageable.” Mr. Levine is also ranked as a leading lawyer by The Legal 500 Latin America (2023), where clients describe him as “an amazing lawyer” and “the US lawyer that knows the Latin America compliance and investigation market the best.” In previous editions of the guide, he is described as a “superstar,” with clients noting that “he has a wealth of experience,” is “extremely articulate” and “he has an amazing analytical ability.” Latin Lawyer notes Mr. Levine’s “substantial work in Latin America,” recognizing him as one of the top lawyers active on anti-corruption matters in the region.

Author

David A. O’Neil is a litigation partner and member of the firm’s White Collar & Regulatory Defense Group. Recommended by Chambers USA (2021) and The Legal 500 US (2021) as a leading lawyer in White Collar Crime & Government Investigations and International Litigation, his practice focuses on white collar criminal defense, internal investigations, anti-corruption and FCPA defense and congressional investigations. In both 2018 and 2020, Mr. O’Neil was recognized as a Litigation Trailblazer by the National Law Journal and he was named a White Collar MVP by Law 360 in 2018. In Chambers USA (2020), clients report that he is “driven, practical and offers a level of common sense and solutions focus that few bring.” He has also been described as “responsive and sharp, he spots the key issues straightaway and is able to quickly analyze and break them down in a manner to be tackled.” Mr. O’Neil is also recommended for compliance and investigations by The Legal 500 Latin America (2021).

Author

Winston M. Paes is a litigation partner and a member of the White Collar & Regulatory Defense Group at Debevoise. He can be reached at wmpaes@debevoise.com.

Author

Jane Shvets is a Debevoise partner in the firm’s White Collar & Regulatory Defense Group, focusing on white collar defense and internal investigations, in particular regarding compliance with corrupt practices legislation, as well as compliance assessments. Ms. Shvets also advises multinational clients on data protection and cybersecurity matters as well as a wide range of sanctions issues. She can be reached at jshvets@debevoise.com.

Author

Douglas S. Zolkind is a litigation partner based in the New York office and a member of the firm’s White Collar & Regulatory Defense Group. He has extensive trial experience and focuses his practice on white collar criminal defense, government investigations, and internal investigations. He defends corporate and individual clients in criminal and regulatory enforcement matters around the world.

Author

Erich Grosz is a member of the firm's Litigation Department who focuses his practice on white collar and regulatory defense, internal investigations, compliance advice and complex commercial litigation. He has represented companies and individuals in criminal, civil and SEC investigations and enforcement proceedings involving allegations, among others, of violations of the U.S. Foreign Corrupt Practices Act, securities and accounting fraud and employee misconduct. He also regularly advises companies on compliance matters as well as risk mitigation in connection with potential transactions. Mr. Grosz is also the co-executive editor of the FCPA Update, the firm's monthly newsletter addressing developments in anti-corruption law enforcement and related compliance topics. He can be reached at eogrosz@debevoise.com.