Putting the “AI” in Compliance—DOJ Updates its Corporate Compliance Program Guidance to Address Emerging AI Risks and Leveraging Data

On Monday, September 23, 2024, the Department of Justice (DOJ), released an update to its Evaluation of Corporate Compliance Programs (ECCP) guidance.  The ECCP guidance was last revised in March 2023, which brought a number of significant changes, including a focus on compensation and incentive structures (e.g., clawbacks), and third party messaging applications.  This 2024 update, while not as significant in scope as its predecessor, nonetheless highlights the DOJ’s focus on new and emerging technologies, such as artificial intelligence (AI), as part of its evolving assessment of what makes a corporate compliance program truly effective, and how prosecutors should evaluate risk assessments and other management tools at the time of a corporate resolution.

In the updated guidance, the DOJ identified key areas for companies to consider when bolstering compliance structures, policies, and training:

• • • Managing emerging risks and technologies: The updated ECCP directs prosecutors to consider whether companies are assessing and mitigating against the risk of using new and emerging technologies such as AI in their businesses and compliance programs. For example, prosecutors will consider whether a company’s Enterprise Risk Management (ERM) system effectively manages risks related to AI and other emerging technologies, whether a company has sufficient governance to curb any potential negative consequences from the use of those technologies, and whether the use of AI or similar technologies in a company’s compliance program is trustworthy, reliable, and in compliance with applicable law.  These revisions formalize prior guidance given by Deputy Attorney General Lisa Monaco, who in March 2024 directed prosecutors to evaluate how companies mitigate the risk of AI misuse.
    • Accessing and leveraging data: As part of the DOJ’s growing focus on data analysis and metrics, prosecutors are to consider whether corporate compliance and risk management personnel have appropriate access to data and resources. Prosecutors will also consider whether companies are disproportionately investing resources and technology into business development rather than to detect and mitigate risk.
    • Incorporating lessons learned: The DOJ further emphasized the importance of companies incorporating lessons learned—from their own prior misconduct and from issues at other similarly situated companies (e.g., in the same industry or geographical areas)—into their compliance programs. For example, prosecutors will consider whether companies have processes to assess risk and update policies and training with lessons learned.
    • Protecting Whistleblowers: Prosecutors will also assess commitments to whistleblower protection and anti-retaliation, including whether companies encourage employees to speak up and report misconduct or whether they use practices to chill reporting. These changes align with the DOJ’s aim to encourage whistleblower reporting through its new Corporate Whistleblower Awards Pilot Program.