DOJ Updates Evaluation of Corporate Compliance Programs
DOJ understands the importance of this document. In recognition of evolving technology and compliance program innovations, DOJ updated its guidance to incorporate new technologies and risks in response to the development of artificial intelligence (“AI”) capabilities. At the same time, DOJ added important language to address: (1) risk assessments and risk-based allocation of resources; (2) policies and procedures; (3) training; (4) investigations and retaliation; (5) third-party management; (6) compliance access to data; (7) mergers and acquisitions and post-acquisition integration; (8) compliance autonomy and resources; (9) compliance program effectiveness measurement; and (10) compliance program track record in detecting and preventing misconduct.
AI Technology: Under the rubric of new technologies, DOJ focuses compliance attention to two uses of AI: (1) by the business; and (2) by compliance. In conducting risk assessments as a starting point in the design of a compliance program, DOJ directs that companies “have a process for identifying and managing emerging internal and external risks that could potentially impact the company’s ability to comply with the law, including AI. DOJ directs that AI risks have to be identified and incorporated within the company’s broader enterprise risk management (ERM) strategies. To the extent that a company uses AI and similar technologies in its business or as part of its compliance program, DOJ asks whether the company has controls in place to monitor and ensure its trustworthiness, reliability, and use in compliance with applicable law and the company’s code of conduct.
Policies & Procedures: With respect topolicies and procedures, companies have to incorporate lessons learned (either the company’s own, or those of similar companies) and address the use of emerging technologies Companies.
Training: Training and communications should be tailored to the needs, interests, and values of employees, and should address and incorporate lessons learned by the company or similar companies. Further, companies should measure how employees engaged with the training and test whether employees learned the subject matter.
Investigations and Whistleblower Protection: DOJ added new guidance to encourage employees to speak up, to measure employee willingness to report, to protect whistleblowers from retaliation, and to monitor consequences to employees that report misconduct.
Third-Party Management: DOJ noted that third-party vendors should be evaluated over the course of the relationship.
Mergers & Acquisitions: DOJ added language to focus compliance and risk management on post-closing integration planning and execution. To this end, companies have to establish a process for the integration and for program oversight.
Compliance and Data Analytics: In recognition to availability of data analytics tools, DOJ outlined new guidance on access to data and use of data analytics. On the access issue, DOJ added language to emphasize compliance access to relevant sources of data needed for timely and effective monitoring and testing. With respect to data analytics, DOJ highlighted the importance of leveraging data analytics tools to create efficiencies in compliance operations and measurement.
On broader compliance topics, DOJ noted the need for companies to measure the commercial value of investments in compliance and risk management. In addition, DOJ added an inquiry into whether the company’s allocation of resources — personnel and technology — to risk management is proportionate to technology and resources used by the company to identify and capture business opportunities.