DOJ Updates Its Corporate Compliance Programs Guidance
On September 23, 2024, the Criminal Division of the U.S. Department of Justice (DOJ) released a revised version of its Evaluation of Corporate Compliance Programs guidance, which was last updated in March 2023. The latest guidance covers three primary areas of ongoing interest for the DOJ: (1) how companies are identifying and mitigating emerging risks related to new technologies, including artificial intelligence (AI); (2) how companies are encouraging employees to report misconduct; and (3) whether there are appropriate resources and access to data allowing companies to measure the effectiveness of their compliance programs.
Compliance Roadmap
The Evaluation of Corporate Compliance Programs guidance serves as a roadmap for prosecutors and corporations, setting forth factors and questions for evaluating the effectiveness of a company’s compliance program. These considerations aid prosecutors in determining whether and to what extent a company should be penalized in connection with a resolution or criminal investigation. While the guidance is aimed at assisting DOJ prosecutors, the head of DOJ’s Criminal Division recently described the guidance as an “invaluable resource for companies,” providing a useful tool for developing, implementing, and reviewing their own compliance programs.
DOJ has identified the fundamental elements that it looks for when assessing whether a company’s compliance program is well designed, adequately resourced, and effective. These elements cover:
- Risk assessments;
- Policies and procedures;
- Training and communication;
- Confidential reporting and investigation process;
- Third-party management;
- Mergers and acquisitions;
- Commitment by senior and middle management;
- Autonomy and resources;
- Compensation structures and consequence management;
- Continuous improvement, periodic testing, and review;
- Investigations of misconduct; and
- Analysis and remediation of underlying misconduct.
The most recent revisions to the guidance echo the DOJ’s continued focus on regular testing, review, and updating of a company’s compliance program to account for evolving and emerging risks that the company may face. The DOJ now also looks at how companies are incorporating lessons learned, whether from their own prior issues or from those of other companies, into the design of their compliance programs, including policies and procedures as well as training and communication.
Emerging Risks and New Technologies
The DOJ’s emphasis on emerging risks in the September 2024 guidance focuses on new technologies, notably the use of AI. The DOJ now asks whether a company has conducted a risk assessment as well as deployed risk-mitigating measures to address the company’s use of new technologies. Going forward, prosecutors will consider how companies address the potential impact of the use of new technologies on a company’s ability to comply with applicable criminal laws as well as how companies are managing the risks posed by new technologies—such as AI—and the potential negative or unintended consequences. The DOJ will also look at how a company is monitoring its use of AI and what internal controls a company has implemented—such as training mechanisms—to ensure that AI is being used by employees solely for its intended purpose.
These measures come on the heels of Deputy Attorney General Lisa Monaco’s remarks in March 2024 at the American Bar Association’s 39th National Institute on White Collar Crime, where Monaco announced the DOJ will pursue heftier penalties when AI is deliberately misused to perpetuate white collar crime, and also directed the Criminal Division to incorporate an assessment of the risks posed by new and emerging technologies in the Evaluation of Corporate Compliance Programs guidance.
Reporting
In August 2024, the DOJ Criminal Division launched the Corporate Whistleblower Awards Pilot Program, an initiative designed to detect and prosecute corporate crime. The pilot program incentivizes the reporting of misconduct by making whistleblowers who come forward with truthful information potentially eligible for an award. To fall under the pilot program, the information reported must relate to certain defined areas of misconduct, including: (1) crimes involving financial institutions; (2) foreign corruption involving companies; (3) domestic corruption involving companies; or (4) healthcare fraud schemes involving private insurance plans.
The September 2024 guidance now incorporates specific questions around whistleblower protections, including whether a company maintains an antiretaliation policy, how a company is incentivizing its employees to report potential misconduct, and whether employees involved in the misconduct who report are treated differently from employees who were also involved and did not report.
Conversely, the DOJ now asks companies to consider whether they have any practices that may have the effect of chilling an employee’s decision or willingness to report. Further, under the 2024 guidance, the DOJ will assess a company’s internal controls and training around antiretaliation and reporting mechanisms to evaluate how a company ensures its employees feel comfortable in raising concerns and know how to do so.
Resources and Access to Data
The September 2024 guidance also includes considerations around resources and access to data. Specifically, the DOJ now asks not just whether compliance personnel have access to the relevant data but whether they also have knowledge of and the means to timely access those relevant data sources. In addition, the September 2024 guidance asks how companies are measuring the accuracy and efficacy of the data analytics models they may be using.
Regarding resources, the DOJ has raised new questions around how assets, resources, and technology made available for compliance and risk mitigation purposes compare to what is used across other core company functions, including whether there is a disparate allocation or imbalance.
Takeaways
You should assess the risks posed by the use of new and emerging technologies, including AI, and determine whether existing compliance policies sufficiently address the risk. Compliance policies should also address whistleblower protections and detail treatment for those who report misconduct. DOJ’s expectation is that compliance personnel have access to resources equivalent or reasonably similar to those of other key company functions and teams.
The September 2024 guidance provides valuable insight for companies into the DOJ’s evolving and expanding expectations regarding corporate compliance programs as well as what you should consider when assessing and evaluating whether your corporate compliance programs align with those expectations.
Audrey N. Karman and Luke Cass are attorneys with Womble Bond Dickinson (US) LLP and can be reached at audrey.karman@wbd-us.com and luke.cass@wbd-us.com.
The post DOJ Updates Its Corporate Compliance Programs Guidance appeared first on HR Daily Advisor.