Article
Emerging Technologies, Investigations and Acquisitions are the Focus for Department of Justice Update to Compliance Guidance
In keeping with its mandate that companies continuously review and update their compliance programs in light of emerging risk factors, the Department of Justice (DOJ) updated its formative ECCP – Evaluation of Corporate Compliance Programs – to “account for changing circumstances and new risks” (the Update).
New and Emerging Technologies
In addition to all of the considerations already described in the ECCP (originally drafted in 2017, updated several times since then), the Update suggests that prosecutors should also now consider if/how companies are limiting the risk of artificial intelligence (AI) by examining the impact of “disruptive technology risks,” including AI, when assessing culpability, making charging decisions, and negotiating plea agreements. While all of the existing principles of the ECCP still apply, the Update specifically addresses how DOJ expects companies to address the use of new and emerging technologies, such as, but not limited to, AI, in their Corporate Compliance Program(s). Notably, DOJ took a broad approach to what it considers “AI,” providing a definition in the Update, but also stating that AI includes full, partial and non-autonomous systems as well as systems that operate both “with and without human oversight.”
When evaluating a Corporate Compliance Program, the three fundamental questions prosecutors should ask, according to the ECCP, are:
- Is the corporation’s compliance program well-designed?
- Is the program being applied earnestly and in good faith, i.e., is the program adequately resourced and empowered to function effectively?
- Does the corporation’s compliance program work in practice?
While those questions have not changed, the Update suggests including additional considerations that address emerging risk factors, such as the advent of new technologies. To the extent that your company uses AI or any new or emerging technology, policies (and accompanying training) should reflect DOJ’s latest proscriptions, summarized in part below.
The DOJ has long maintained that the size and design of a corporate compliance program is not a one-size-fits-all inquiry, and prosecutors should endeavor to understand the company’s business, in particular, how it has “identified, assessed, and defined its risk profile.” That is – why it has chosen to set up its compliance program the way it has and how the company’s compliance program has evolved over time. The Update includes a new section, “Management of Emerging Risks to Ensure Compliance with Applicable Law,” which suggests that prosecutors consider the company’s technology, especially new and emerging technologies, and whether it has (i) conducted a risk assessment regarding the use of such technology, and (ii) taken appropriate steps to mitigate any risks associated with it when formalizing its corporate compliance program. (emphasis added)
In particular, the Update emphasizes the need for companies to evaluate their process(es) for both identifying and managing risks that could potentially affect the company’s ability to comply with the law relating to the use of new technologies. Other considerations include:
- How the company assesses the potential impact of new technologies, such as AI, on their ability to comply with criminal laws.
- What the company’s governance approach is regarding the use of new technologies, such as AI, in its commercial business and in its compliance program. Specifically, how the company is curbing any potential negative or unintended consequences in its commercial business and compliance program as a result of new technologies.
- How the company is mitigating the potential for deliberate or reckless misuse of technologies, including by company personnel.
- Are there controls in place to ensure that technology is only used for its intended purposes, and how company employees are trained on the use of emerging technologies, including AI. (emphasis added)
Finally, the Update reiterates the need to continuously monitor and implement policies and procedures that accurately reflect compliance risks, including the use of new technologies.
The Investigations Process
The Update also addresses the investigations process, including the existence of a confidential and anonymous reporting mechanism. In assessing the suitability of its compliance program, DOJ will evaluate whether (i) the company’s reporting mechanism is effective and how such information is utilized, (ii) the scope of the investigation is appropriate and staffed by the proper personnel, and (iii) the company’s response to complaints is timely. The Update contains a new section entitled “Commitment to Whistleblower Protection and Anti-Retaliation” that suggests prosecutors should also determine whether the company has an anti-retaliation policy and whether employees are trained on the policy and applicable state and federal law, including relevant whistleblower protection laws.
Acquisitions
The DOJ has long held that a well-designed compliance program must include due diligence of any acquisition targets and the timely integration of the acquired entity’s existing compliance program structures and internal controls. To that end, the Update includes a new inquiry, “Post-Transaction Compliance Program,” intended to assess the company’s process for integrating (or implementing) a compliance program post-acquisition. Prosecutors should determine if the company has a process in place to ensure (compliance) oversight of the new/acquired business and whether the new business was incorporated into the company’s risk assessment activities.
Finally, for purposes of assessing whether a company’s compliance program works in practice, the Update includes an examination of whether the compliance program has a track record of preventing or detecting additional misconduct and, specifically, if it “exercised due diligence” to prevent and detect criminal conduct. In addition, the Update now suggests prosecutors evaluate how the company has used its data to evaluate the effectiveness of its compliance program and whether it has sought to promote a culture of compliance that encourages ethical conduct and a commitment to compliance with the law.
While the Update only built upon the ECCP, adding details to the suggested roadmap that prosecutors should follow as they begin their investigative or charging process, it is a good reminder for companies to not only make sure that they have an active compliance program in place, but are undertaking periodic risk assessments to ensure they are accurately weighing the company’s business needs against the current enforcement landscape.
If you have any questions about whether your company has met the standards set forth in the ECCP and/or the Update, Porzio’s team of Life Sciences attorneys can help you navigate the DOJ’s as well as industry-specific requirements.