The Criminal Division of the US Department of Justice released a revised version of its Evaluation of Corporate Compliance Programs on September 23, 2024. The guidance is intended to help prosecutors assess the effectiveness of corporate compliance programs during a criminal investigation.
Principal Deputy Assistant Attorney General Nicole M. Argentieri announced the release of the Evaluation of Corporate Compliance Programs (Updated ECCP) during her remarks at the Society of Corporate Compliance and Ethics’ 23rd Annual Compliance and Ethics Institute. Argentieri shared that “[j]ust as we expect corporations to continuously review and update their compliance programs to account for emerging risk factors, we regularly evaluate our policies and enforcement tools, including the ECCP, to account for changing circumstances and new risks.”
Like previous updates, the US Department of Justice (DOJ) used this as an opportunity to finetune some language throughout the ECCP. The biggest shift in the updated guidance includes the following:
Under the Updated ECCP, prosecutors will consider (1) the emerging technology (specifically referring to and then later defining artificial intelligence (AI)) that a company and its employees use to conduct business, (2) whether the company has conducted a risk assessment of that technology to confirm that use not only complies with new and emerging AI legislation but also that it complies with the company’s code of conduct, and (3) whether the company has taken appropriate steps to mitigate associated risks, including updating policies, processes, and monitoring.
DOJ will also investigate whether a company is appropriately leveraging data analytics tools to both run efficient compliance programs and measure program effectiveness. Given the emergence of data analytics models in compliance, there is also an expectation that programs are using quality data sources, and that that such models are accurate and precise. Prosecutors will look at the availability of technology to a company’s compliance and risk management personnel compared to other areas of the business to ensure that there is not an imbalance in resources.
As discussed in a prior LawFlash, DOJ announced its whistleblower pilot program in August 2024. The program covers four areas of white-collar enforcement: (1) abuse of the financial system, (2) foreign corruption and bribery schemes, (3) domestic corruption, and (4) healthcare schemes targeting private insurers.
Nicole Argentieri stated that since August 2024, DOJ has received tips from more than 100 individuals. The Updated ECCP now includes questions to assess whether corporate practices encourage or discourage employee reporting of misconduct, including understanding whether the company employs practices that chill such reports. Prosecutors will evaluate a company’s policies, training, and treatment of employees who report misconduct, with a specific expectation that a company trains its employees on its anti-retaliation policies, which should discuss both internal and external whistleblower protection programs and laws.
In furtherance of the objectives stated in the DOJ Safe Harbor Policy for M&A and as discussed in a previous As Prescribed blog post, the ECCP was updated to clarify that prosecutors should be asking whether compliance and risk management are embedded in the company’s merger and acquisition (M&A) processes, and whether they are taken into account when designing and executing the integration strategy, which could impact the company’s ability to integrate internal controls timely.
In the Updated ECCP, DOJ reminds compliance of the importance of conducting appropriate risk-based due diligence pre-signing, and of ensuring that appropriate post-closing risk assessments and audits are completed. The Updated ECCP also requires that there be someone designated within the company who would be accountable for compliance oversight of the new business.
The above reinforces the need for strong, proactive compliance risk assessments that are closely connected to or embedded in the company’s larger enterprise risk management process to ensure appropriate level oversight and monitoring by senior management and the board.
The March 2023 ECCP updates were clear that each risk owner should specifically understand the risks that third parties, merger and acquisition activities, and new market entry or new product or service introductions create for their risk-specific compliance program and should be able to document how such were identified, mitigated, monitored, and/or audited. Risk owners should now update that list to include the specific risks new and emerging areas (i.e., technology such as AI) create. Compliance and risk management resources should then be deployed in a risk-based manner with a focus on the company’s highest risk areas.
In addition, the Updated ECCP reinforces that the DOJ continues to be focused on a culture of compliance, which is evidenced by creating a strong culture of reporting through internal or external whistleblower channels.
Finally, consistent with the DOJ Safe Harbor Policy for M&A, the DOJ seemingly appreciates the risks that M&A activity creates and the challenges that are created when compliance and also risk management does not have a seat at the table early on when discussing potential acquisition targets, integration strategy, identified risks, and the ability to timely integrate critical internal controls post-closing.
This DOJ update marks the second modification to the ECCP within two years and reflects DOJ’s prioritization of corporate compliance programs in criminal investigations. The lawyers at Morgan Lewis are prepared to advise on new and existing corporate compliance programs to incorporate the Updated ECCP provisions.
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following: