A PYMNTS Company

US Department of Justice Updates Guidance on Corporate Compliance Programs

 |  November 17, 2024

The U.S. Department of Justice (DOJ) has issued a revised version of its guidance on corporate compliance, alerting businesses to the evolving expectations prosecutors have when assessing a company’s compliance program, especially in light of criminal employee misconduct. This updated guidance, known as the Evaluation of Corporate Compliance Programs (ECCP), serves as a crucial tool for DOJ prosecutors when determining whether a corporation’s compliance efforts were effective at the time of an alleged offense, and whether they remain so during the investigation or resolution of a case.

According to the DOJ, the purpose of the ECCP is to assist prosecutors in evaluating how well a company has designed and implemented its compliance program to prevent and detect criminal activity. As the DOJ regularly updates this guidance, the latest revisions reflect key shifts in how technology, whistleblower protections, and data access should factor into corporate compliance evaluations.

Technology’s Role in Compliance

One of the notable updates to the ECCP is its emphasis on the role technology plays in business operations and its impact on corporate compliance. The new guidance instructs prosecutors to carefully consider a company’s use of technology, specifically its risk assessment related to technological risks and whether the company has taken steps to mitigate any vulnerabilities. This is particularly pertinent in an age where criminal activity can be facilitated by advanced technologies. For example, prosecutors will now assess whether a company has implemented measures to address the risks posed by artificial intelligence, such as the potential for AI to generate fraudulent approvals or documentation that could undermine internal controls.

The DOJ’s revised guidance highlights the importance of balancing the benefits of technology with its associated risks, reinforcing the need for companies to have a comprehensive strategy that accounts for both.

Whistleblower Protections and Reporting Misconduct

Another significant change in the updated guidance relates to the DOJ’s growing focus on whistleblower protections. The ECCP now explicitly states that prosecutors will evaluate how effectively a company encourages employees and others to report misconduct. Companies will be scrutinized to determine whether they have fostered a “speak up” culture or, conversely, whether they have inadvertently or intentionally discouraged whistleblower activity.

The DOJ’s attention to whistleblower protections is backed by recent legislative support, including the formation of “Whistleblower Protection Caucuses” in both the House and Senate. A robust whistleblower program, as part of a company’s compliance framework, will be a key factor for prosecutors assessing a company’s overall approach to preventing and addressing misconduct. Companies will need to demonstrate that they actively support whistleblowers and take appropriate action when misconduct is reported.

Data Access and Compliance Effectiveness

The updated ECCP also introduces new requirements regarding a company’s access to data and its ability to assess the effectiveness of its compliance program. Principal Deputy Assistant Attorney General Nicole Argentieri emphasized that prosecutors will now evaluate whether companies are leveraging the same resources and technology for compliance purposes that they use in their business operations. This shift reflects a growing recognition that data analysis can be a powerful tool for enhancing compliance efforts.

To support this focus, the DOJ has recently created a new position within its Criminal Division—Counsel for Compliance and Data Analytics. Moving forward, prosecutors will expect to see that companies are not only gathering data but are actively utilizing it to strengthen their compliance programs. Companies that fail to demonstrate a commitment to data-driven compliance may face increased scrutiny in the event of an investigation.

In conclusion, the updated ECCP makes clear that the DOJ’s expectations for corporate compliance are evolving, with a particular emphasis on technology, whistleblower protections, and data analysis.

Source: BHFS