Search for:
Corporate Compliance

United States: Department of Justice updates compliance program evaluation guidance with focus on artificial intelligence and evolving policy

By , , , , and 10 Mins Read

In brief

On September 23, 2024, the US Department of Justice Criminal Division (DOJ) issued an updated version of its Evaluation of Corporate Compliance Programs document. DOJ uses the Evaluation Guidance to assess the adequacy of compliance programs in place at companies subject to its criminal enforcement activities. DOJ has updated the Evaluation Guidance periodically since its release in 2017 to align with evolving DOJ policies, priorities, and compliance best practices. This latest iteration reflects current DOJ investigation and enforcement priorities and the increasing relevance of artificial intelligence and other emerging technologies to companies, their compliance programs, and DOJ’s enforcement efforts. DOJ also updated the Evaluation Guidance to encourage companies: 1) to incorporate a lessons learned approach; 2) focus on compliance due diligence and integration in acquisitions; and 3) properly incentivize internal reporting of wrongdoing.

Contents

  1. Background
  2. Key revisions to the Evaluation Guidance September 2024
    1. Use of artificial intelligence, data and emerging technologies
    2. Evolving DOJ policy in other areas
  3. Conclusion

Background

DOJ first released the Evaluation Guidance in February 2017 and has updated it periodically since (most recently in March 2023). The Evaluation Guidance is intended to assist Department prosecutors in their appraisal of corporate compliance programs at each stage of a corporate criminal prosecution (including charging, sentencing and considering whether to impose a compliance monitor). The Evaluation Guidance supplements compliance program requirements set forth in DOJ’s Justice Manual, the US Sentencing Guidelines, and in a number of subject-matter-specific documents such as the Resource Guide to the Foreign Corrupt Practices Act.

The Evaluation Guidance is organized around three “fundamental questions” and numerous sub-questions that prosecutors are expected to ask companies about their compliance programs:

  1. Is the corporation’s compliance program well designed?
  2. Is the program being applied earnestly and in good faith? In other words, is the program adequately resourced and empowered to function effectively?
  3. Does the corporation’s compliance program work in practice?

Companies subject to DOJ prosecution must be well-placed to answer these questions to maximize credit for their compliance program. At the same time, the Evaluation Guidance has become a valuable resource for all companies, even those not before DOJ, to measure their compliance program against the expectations of the U.S. Government, and resulting industry best practices.

Key revisions to the Evaluation Guidance September 2024

Use of artificial intelligence, data and emerging technologies

The use of data, analytics and emerging technologies have been a focus for DOJ for some time now and an expectation for compliance programs. The Department hired its own internal data analytics and compliance counsel in 2022 to advise the DOJ on these topics and it has also been a perennial topic addressed by DOJ leadership in recent compliance conferences and speeches. As a result, it is no surprise that the latest version of the Evaluation Guidance includes a significantly enhanced focus on these topics. It is clear that DOJ expects companies to address the risks and potential opportunities that emerging technologies present for companies and their compliance programs. DOJ focused on two primary additions to the Evaluation Guidance in this area:

  • Assessment of AI and emerging technology risks – The Evaluation Guidance prompts prosecutors to consider whether companies have processes in place to identify new technologies that could potentially impact the company’s ability to comply with the law. More specifically, in assessing compliance programs prosecutors will consider how companies manage and mitigate risks related to the use (and potential misuse) of AI and other emerging technologies, “what controls are in place to monitor and ensure trustworthiness, reliance, and its use in compliance with applicable laws and internal codes of conduct”, and “how accountability over use of AI is monitored and enforced.” Consistent with the focus on emerging technology, the revised Evaluation Guidance also considers how quickly companies can detect and correct decisions made by AI or new technology, if necessary.
  • Data analytics and evaluation – Additionally, several edits to the Evaluation Guidance stress the importance of collecting and evaluating data as part of an effective compliance program. The Guidance instructs prosecutors to ask whether “compliance personnel have knowledge of and means to access all relevant data sources in a reasonably timely manner?” and whether a company is “appropriately leveraging data analytics tools to create efficiencies in compliance operations and measur[ing] the effectiveness of components of compliance programs?” Importantly, DOJ seeks to evaluate whether companies are using data to proactively identify both areas of improvement for existing compliance programs and potential misconduct.

DOJ’s updated AI expectations codified in the Evaluation Guidance present various challenges for companies, particularly given the rapidly evolving nature of AI and its many potential applications, all of which are still emerging.  What is clear is that corporate compliance programs are expected to become more proactive and nimble than ever to assess and mitigate the risks posed by AI and other technologies. DOJ suggests that in considering resourcing, there must be a “[…]balance between the technology and resources used by the company to identify and capture market opportunities and the technology and resources used to detect and mitigate risks”.  Our recommendations in this regard include:

  • Staying ahead of emerging risks – With AI continuing to advance rapidly, compliance programs must proactively identify and manage emerging risks associated with its use and potential misuse.  The uncertainty surrounding future applications of AI and its rapid evolution – including its evolving potential for abuse – means that programs must continuously evolve as new potential use cases, abuses, and associated risks emerge. Prosecutors will closely examine a company’s practices for continuously testing, updating, and refining its AI systems and use cases based on lessons learned and evolving trends.
  • A cross-functional approach to AI compliance – AI systems can be complex and opaque, making it challenging to ensure their trustworthiness, reliability, and attendant risks without bringing technologists with the relevant expertise to the table. Companies should adopt a cross-functional approach to AI governance to ensure that a deep understanding of the technology and its risks informs the development of adequate controls and monitoring mechanisms.
  • Tabletop exercises – AI can be misused in furtherance of corporate criminal violations in a variety of ways, including in devising and executing sophisticated schemes to defraud investors, customers, or financial institutions, creating deepfakes and misinformation to deceive shareholders and others, manipulating markets, laundering money, and stealing trade secrets, among others.  In devising adequate AI governance and compliance programs, it can be useful to consider the worst possible outcomes across a company’s proposed AI use cases and work backward from there. Conducting live tabletop training exercises around these potential misuses with the right stakeholders can be an excellent way for a company to consider what controls and other proactive risk mitigation may be helpful to prevent undesirable outcomes from occurring.
  • Balancing innovation and compliance – Given the potential for internal pressure to quickly adopt and use AI technologies across a variety of corporate use cases, companies should balance the desire to leverage AI for business benefits with the need to ensure compliance with applicable laws and regulations. This balance ensures that the company can innovate with AI while maintaining control over compliance.
  • Continuous training and education – Companies should invest in continuous education and training programs to keep up with fast-paced developments in AI, including its emerging risks and challenges. This ongoing learning effort will help to prevent misuse and ensure that the company and its employees are well-informed and knowledgeable about the latest AI developments, thereby reducing other risks.

Evolving DOJ policy in other areas

While changes are less significant elsewhere in the Evaluation Guidance (and indeed many of the recent edits are purely semantic) there are a number of other revisions which provide companies and their compliance counsel with insight into DOJ’s current thinking and reminders of its recent policy priorities in a number of key areas, including:

  • Root cause analysis and integrating lessons learned – Several edits to the Evaluation Guidance stress a continued theme from DOJ that it expects companies to learn from their (and others’) mistakes. The latest version of the Evaluation Guidance instructs prosecutors to ask companies whether “there a process for updating policies and procedures to reflect lessons learned either from the company’s own prior issues or from those of other companies operating in the same industry and/or geographical region?” and if the company’s training then specifically addresses those topics and lessons. Good stories always form the basis of effective training and, with care, can be well leveraged to do so in the compliance context.
  • Continued focus on Mergers and Acquisitions – DOJ last year issued specific guidance on its expectations in connection with M&A due diligence and compliance integration, through its October 2023 Mergers & Acquisitions Safe Harbor Policy. Several of these elements have found their way into the revised Evaluation Guidance. This includes some very specific questions around post-acquisition integration of enterprise resource planning (ERP) systems, and timely post-acquisition compliance program integration, roll out, and audits of the newly acquired entity. Consideration of these topics, if done in a timely fashion, will allow companies to take advantage of the new M&A Safe Harbor program, if they choose to do so, as well as meeting the DOJ’s compliance program expectations.
  • Supporting whistleblowers… and punishing wrongdoing ­– Much of DOJ’s recent initiatives have revolved around encouraging those who are aware of corporate wrongdoing to report it to DOJ. This has included roll out of a comprehensive Pilot Program for Financial Rewards for Corporate Whistleblowers in August 2024 and new program issued earlier in the year which outlines how DOJ will treat whistleblowers who are themselves implicated in underlying wrongdoing, including offering potential leniency. DOJ also expects companies themselves to encourage and appropriately incentivize internal whistleblowing and to protect whistleblowers from retaliation. That is reflected in a number of the latest revisions to the Evaluation Guidance. For instance, consistent with its own efforts, DOJ now questions whether companies do enough to encourage employees, who may have been implicated in wrongdoing themselves, to report it. The Evaluation Guidance  asks: “To the extent that the company disciplines employees involved in misconduct, are employees who reported internally treated differently than others involved in misconduct who did not?”. Given DOJ’s own new whistleblower programs, companies are well advised to double-down on their own efforts to encourage internal reporting, so that potential whistleblowers are properly incentivized and supported in making internal reports first, rather than choosing to go directly to DOJ.

Conclusion

None of these revisions to the Evaluation Guidance come as a surprise to those who have been closely following the significant volume of policy and guidance materials issued by DOJ in recent months and years. Nevertheless, the revised Evaluation Guidance provide insight into those areas where companies should focus effort and resource as they continue to evolve and continuously improve their compliance programs, just as DOJ continues to evolve its own expectations to be increasingly complex and prescriptive.

* * * * *

Aeryka Fausett is an Associate at Baker McKenzie and is currently awaiting approval of her bar admission.

Categories:
Tags:
Author

Geoff Martin is a partner in the Litigation and Government Enforcement practice group in Washington, DC. Geoff started his career in Baker McKenzie's London office in 2007 and moved to Washington DC in 2012. Geoff represents clients in matters before the federal government arising out of anti-corruption, trade sanctions, fraud, anti-money laundering, national security, and related enforcement actions. He also represents clients in civil and criminal matters in federal court. Geoff has extensive experience conducting internal investigations relating to such matters around the world.

Author

Jess is a technology investigations partner practicing at the forefront of government enforcement in the technology industry. Jess leads Baker McKenzie's investigations and compliance practice on the West Coast.
For more than two decades, Jess has defended companies and individuals in government investigations and conducted internal investigations involving cutting-edge technology issues including AI, cybersecurity, and alleged misuse of all kinds of data. Jess has defended companies and individuals across the Asia Pacific region since the first DOJ Antitrust cartel investigations in 2003, and has a deep understanding of cultural issues impacting investigations in that region and across the globe.
Jess has been recognized by Chambers & Partners, The Legal 500, and Global Investigations Review for internal investigations and defense in cases involving White Collar Crime & Government Investigations.

Author

Jeff Martino brings an in-depth understanding of a wide variety of white collar and fraud related matters to his antitrust litigation and investigations practice. Jeff is co-lead of the Firm's Global Cartel Task Force and represents multinational corporations and their boards and executives in high-stakes criminal and civil investigations by the US Department of Justice (DOJ) and other federal and state agencies. Jeff draws upon his extensive criminal investigations, litigation, and enforcement experience to advise clients through sensitive matters pertaining to international cartel actions and white collar investigations. Prior to joining Baker McKenzie, Jeff spent nearly two decades at the DOJ and his last five years as Chief of DOJ Antitrust Division's New York Office. He has extensive experience as "first chair" on trials and investigations in the most complex areas of criminal antitrust and market manipulation. Jeff's work at the DOJ included providing technical assistance to competition agencies in Asia, Africa, the Americas and Europe and overseeing matters that included international corruption and antitrust cartel offenses that entangled the largest global banks and their key executives.

Author

Terry Gilroy is a partner in the New York office of Baker McKenzie and a member of the Compliance and Investigations Practice Group. Prior to joining the Firm in 2018, Terry served as Americas Head of the Financial Crime Legal function at Barclays. Terry advises businesses and individuals on white collar and financial crime issues and has significant experience conducting investigations relating to compliance with the US Foreign Corrupt Practices Act (FCPA) and related bribery and corruption statutes, economic sanctions regulations as administered by the US Department of the Treasury's Office of Foreign Assets Control (OFAC), and the Bank Secrecy Act and related anti-money laundering (AML) regulations and statutes. Terry spent six years on active duty in the United States Army as a Field Artillery officer.

Author

Byron Tuyay is a senior associate in Baker McKenzie's North America Antitrust & Competition Practice Group in Los Angeles. He has represented individuals and corporations on matters involving a broad range of antitrust law issues arising from investigations conducted by the US Department of Justice, Federal Trade Commission, and international competition authorities.
Byron was an Assistant United States Attorney at the US Attorney's Office for the Central District of California where he prosecuted a wide variety of federal crimes including white collar crimes and COVID-19 related fraud schemes, coordinated multi-agency investigations, and conducted federal criminal jury trials. As a federal prosecutor, Byron also briefed and argued appeals before the United States Court of Appeals for the Ninth Circuit.
Before Joining the US Attorney's Office, Byron was an attorney at a global law firm where he practiced antitrust and competition law.

Author

Aeryka Fausett is an Associate in Baker McKenzie, Washington, DC office.

Related Posts