In brief
On September 23, 2024, the US Department of Justice Criminal Division (DOJ) issued an updated version of its Evaluation of Corporate Compliance Programs document. DOJ uses the Evaluation Guidance to assess the adequacy of compliance programs in place at companies subject to its criminal enforcement activities. DOJ has updated the Evaluation Guidance periodically since its release in 2017 to align with evolving DOJ policies, priorities, and compliance best practices. This latest iteration reflects current DOJ investigation and enforcement priorities and the increasing relevance of artificial intelligence and other emerging technologies to companies, their compliance programs, and DOJ’s enforcement efforts. DOJ also updated the Evaluation Guidance to encourage companies: 1) to incorporate a lessons learned approach; 2) focus on compliance due diligence and integration in acquisitions; and 3) properly incentivize internal reporting of wrongdoing.
Contents
Background
DOJ first released the Evaluation Guidance in February 2017 and has updated it periodically since (most recently in March 2023). The Evaluation Guidance is intended to assist Department prosecutors in their appraisal of corporate compliance programs at each stage of a corporate criminal prosecution (including charging, sentencing and considering whether to impose a compliance monitor). The Evaluation Guidance supplements compliance program requirements set forth in DOJ’s Justice Manual, the US Sentencing Guidelines, and in a number of subject-matter-specific documents such as the Resource Guide to the Foreign Corrupt Practices Act.
The Evaluation Guidance is organized around three “fundamental questions” and numerous sub-questions that prosecutors are expected to ask companies about their compliance programs:
- Is the corporation’s compliance program well designed?
- Is the program being applied earnestly and in good faith? In other words, is the program adequately resourced and empowered to function effectively?
- Does the corporation’s compliance program work in practice?
Companies subject to DOJ prosecution must be well-placed to answer these questions to maximize credit for their compliance program. At the same time, the Evaluation Guidance has become a valuable resource for all companies, even those not before DOJ, to measure their compliance program against the expectations of the U.S. Government, and resulting industry best practices.
Key revisions to the Evaluation Guidance September 2024
Use of artificial intelligence, data and emerging technologies
The use of data, analytics and emerging technologies have been a focus for DOJ for some time now and an expectation for compliance programs. The Department hired its own internal data analytics and compliance counsel in 2022 to advise the DOJ on these topics and it has also been a perennial topic addressed by DOJ leadership in recent compliance conferences and speeches. As a result, it is no surprise that the latest version of the Evaluation Guidance includes a significantly enhanced focus on these topics. It is clear that DOJ expects companies to address the risks and potential opportunities that emerging technologies present for companies and their compliance programs. DOJ focused on two primary additions to the Evaluation Guidance in this area:
- Assessment of AI and emerging technology risks – The Evaluation Guidance prompts prosecutors to consider whether companies have processes in place to identify new technologies that could potentially impact the company’s ability to comply with the law. More specifically, in assessing compliance programs prosecutors will consider how companies manage and mitigate risks related to the use (and potential misuse) of AI and other emerging technologies, “what controls are in place to monitor and ensure trustworthiness, reliance, and its use in compliance with applicable laws and internal codes of conduct”, and “how accountability over use of AI is monitored and enforced.” Consistent with the focus on emerging technology, the revised Evaluation Guidance also considers how quickly companies can detect and correct decisions made by AI or new technology, if necessary.
- Data analytics and evaluation – Additionally, several edits to the Evaluation Guidance stress the importance of collecting and evaluating data as part of an effective compliance program. The Guidance instructs prosecutors to ask whether “compliance personnel have knowledge of and means to access all relevant data sources in a reasonably timely manner?” and whether a company is “appropriately leveraging data analytics tools to create efficiencies in compliance operations and measur[ing] the effectiveness of components of compliance programs?” Importantly, DOJ seeks to evaluate whether companies are using data to proactively identify both areas of improvement for existing compliance programs and potential misconduct.
DOJ’s updated AI expectations codified in the Evaluation Guidance present various challenges for companies, particularly given the rapidly evolving nature of AI and its many potential applications, all of which are still emerging. What is clear is that corporate compliance programs are expected to become more proactive and nimble than ever to assess and mitigate the risks posed by AI and other technologies. DOJ suggests that in considering resourcing, there must be a “[…]balance between the technology and resources used by the company to identify and capture market opportunities and the technology and resources used to detect and mitigate risks”. Our recommendations in this regard include:
- Staying ahead of emerging risks – With AI continuing to advance rapidly, compliance programs must proactively identify and manage emerging risks associated with its use and potential misuse. The uncertainty surrounding future applications of AI and its rapid evolution – including its evolving potential for abuse – means that programs must continuously evolve as new potential use cases, abuses, and associated risks emerge. Prosecutors will closely examine a company’s practices for continuously testing, updating, and refining its AI systems and use cases based on lessons learned and evolving trends.
- A cross-functional approach to AI compliance – AI systems can be complex and opaque, making it challenging to ensure their trustworthiness, reliability, and attendant risks without bringing technologists with the relevant expertise to the table. Companies should adopt a cross-functional approach to AI governance to ensure that a deep understanding of the technology and its risks informs the development of adequate controls and monitoring mechanisms.
- Tabletop exercises – AI can be misused in furtherance of corporate criminal violations in a variety of ways, including in devising and executing sophisticated schemes to defraud investors, customers, or financial institutions, creating deepfakes and misinformation to deceive shareholders and others, manipulating markets, laundering money, and stealing trade secrets, among others. In devising adequate AI governance and compliance programs, it can be useful to consider the worst possible outcomes across a company’s proposed AI use cases and work backward from there. Conducting live tabletop training exercises around these potential misuses with the right stakeholders can be an excellent way for a company to consider what controls and other proactive risk mitigation may be helpful to prevent undesirable outcomes from occurring.
- Balancing innovation and compliance – Given the potential for internal pressure to quickly adopt and use AI technologies across a variety of corporate use cases, companies should balance the desire to leverage AI for business benefits with the need to ensure compliance with applicable laws and regulations. This balance ensures that the company can innovate with AI while maintaining control over compliance.
- Continuous training and education – Companies should invest in continuous education and training programs to keep up with fast-paced developments in AI, including its emerging risks and challenges. This ongoing learning effort will help to prevent misuse and ensure that the company and its employees are well-informed and knowledgeable about the latest AI developments, thereby reducing other risks.
Evolving DOJ policy in other areas
While changes are less significant elsewhere in the Evaluation Guidance (and indeed many of the recent edits are purely semantic) there are a number of other revisions which provide companies and their compliance counsel with insight into DOJ’s current thinking and reminders of its recent policy priorities in a number of key areas, including:
- Root cause analysis and integrating lessons learned – Several edits to the Evaluation Guidance stress a continued theme from DOJ that it expects companies to learn from their (and others’) mistakes. The latest version of the Evaluation Guidance instructs prosecutors to ask companies whether “there a process for updating policies and procedures to reflect lessons learned either from the company’s own prior issues or from those of other companies operating in the same industry and/or geographical region?” and if the company’s training then specifically addresses those topics and lessons. Good stories always form the basis of effective training and, with care, can be well leveraged to do so in the compliance context.
- Continued focus on Mergers and Acquisitions – DOJ last year issued specific guidance on its expectations in connection with M&A due diligence and compliance integration, through its October 2023 Mergers & Acquisitions Safe Harbor Policy. Several of these elements have found their way into the revised Evaluation Guidance. This includes some very specific questions around post-acquisition integration of enterprise resource planning (ERP) systems, and timely post-acquisition compliance program integration, roll out, and audits of the newly acquired entity. Consideration of these topics, if done in a timely fashion, will allow companies to take advantage of the new M&A Safe Harbor program, if they choose to do so, as well as meeting the DOJ’s compliance program expectations.
- Supporting whistleblowers… and punishing wrongdoing – Much of DOJ’s recent initiatives have revolved around encouraging those who are aware of corporate wrongdoing to report it to DOJ. This has included roll out of a comprehensive Pilot Program for Financial Rewards for Corporate Whistleblowers in August 2024 and new program issued earlier in the year which outlines how DOJ will treat whistleblowers who are themselves implicated in underlying wrongdoing, including offering potential leniency. DOJ also expects companies themselves to encourage and appropriately incentivize internal whistleblowing and to protect whistleblowers from retaliation. That is reflected in a number of the latest revisions to the Evaluation Guidance. For instance, consistent with its own efforts, DOJ now questions whether companies do enough to encourage employees, who may have been implicated in wrongdoing themselves, to report it. The Evaluation Guidance asks: “To the extent that the company disciplines employees involved in misconduct, are employees who reported internally treated differently than others involved in misconduct who did not?”. Given DOJ’s own new whistleblower programs, companies are well advised to double-down on their own efforts to encourage internal reporting, so that potential whistleblowers are properly incentivized and supported in making internal reports first, rather than choosing to go directly to DOJ.
Conclusion
None of these revisions to the Evaluation Guidance come as a surprise to those who have been closely following the significant volume of policy and guidance materials issued by DOJ in recent months and years. Nevertheless, the revised Evaluation Guidance provide insight into those areas where companies should focus effort and resource as they continue to evolve and continuously improve their compliance programs, just as DOJ continues to evolve its own expectations to be increasingly complex and prescriptive.
* * * * *
Aeryka Fausett is an Associate at Baker McKenzie and is currently awaiting approval of her bar admission.