DOJ Stresses AI Risk, Whistleblower Protections, and Post-M&A Compliance in Updated ECCP Guidance
Sept 23, 2024
ECCP Guidelines
On September 23, 2024, the United States Department of Justice (DOJ) announced updates to its Evaluation of Corporate Compliance Programs (ECCP) guidance. The ECCP is a guideline used by the DOJ’s Criminal Division to evaluate corporate compliance programs. Prosecutors rely on it to assess these programs determine whether to bring charges against a company. Companies are incentivized to follow these guidelines to ensure that they have implemented an effective compliance program and reduced penalties, or even avoided prosecution altogether. The following sections discuss key changes to the updated ECCP:
Impact of New Technologies on Commercial and Compliance Operations
The new revision to the ECCP addresses risks associated with emerging technologies, such as artificial intelligence (AI). The ECCP advises that companies consider such risks under two different lenses; companies should address risk in their commercial operations, and in their compliance programs. For instance, companies that use new technologies in their everyday operations should conduct regular risk assessments to ensure that such technology is reliable and trustworthy. Companies should also implement robust compliance programs that educate employees and exert controls to prevent the misuse of commercial technology.
The aforementioned revisions to ECCP guidance reflect growing concerns over the use of emerging technology, particularly AI. As AI becomes more accessible to employees, the risk of biased decision-making and inaccurate communications rises when human oversight is lacking. Companies should develop robust compliance programs to ensure accountable usage of new technology. Such programs also satisfy growing stakeholder demands for transparency in the usage of AI.
Whistleblower policies
The September 23rd ECCP revisions bolster whistleblower protection and anti-retaliation policies and practices. Prosecutors should consider how companies encourage or incentivize employees to report misconduct and protect the anonymity of whistleblowers. Companies can protect themselves by implementing an anti-retaliation policy. A company’s response to reports of misconduct should demonstrate that there is no tolerance for retaliation. They should also train their employees regarding internal and external reporting mechanisms and whistleblower protection laws.
Post-Transaction Compliance
On October 5, 2023, the DOJ introduced a Safe Harbor Policy for voluntary self-disclosures related to Mergers & Acquisitions (M&A). In the recent ECCP updates, the importance of compliance function in the evaluation and mitigation of risks during the M&A process, particularly during post-transaction integration, is emphasized. Prosecutors are instructed to assess the following when evaluating a company’s post-transaction compliance efforts:
-
The company’s strategy for incorporating compliance and risk management functions in the design and execution of post-transaction integration plans.
-
The processes the company has in place for implementing or integrating compliance programs after the transaction, including the incorporation of the newly acquired business into the company’s risk assessment procedures and compliance oversight functions.
-
Whether post-acquisition audits are conducted at the newly acquired entities to ensure compliance standards are being upheld.
Summary
Companies should take a proactive approach in reviewing their compliance programs to ensure that their compliance frameworks are updated in accordance with the updated ECCP. Proper integration of compliance and risk management functions in M&A activities, regular assessments of emerging technologies like AI, and strengthened whistleblower protections are critical for reducing risks and ensuring compliance with legal and regulatory obligations.