Introduction
The revised Evaluation of Corporate Compliance Programs (ECCP) issued by the US Department of Justice (DOJ) provides a comprehensive framework for developing and implementing corporate compliance initiatives, with a particular focus on the healthcare sector. As businesses increasingly incorporate artificial intelligence (AI) into their operations, the ECCP offers guidance on establishing policies and procedures to ensure the effective and responsible use of AI technologies.
Description
The revised Evaluation of Corporate Compliance Programs (ECCP) issued by the US Department of Justice (DOJ) serves as a vital framework for designing and implementing corporate compliance initiatives, particularly within the healthcare sector. As businesses increasingly integrate artificial intelligence (AI) into their operations, it is essential for them to establish specific policies and procedures that ensure the effective deployment and ongoing functionality of their AI systems [1]. The ECCP defines AI broadly [4], encompassing any artificial system that operates without human oversight [4], learns from experience [4], and performs tasks requiring human-like capabilities [4], including technologies such as machine learning [4], reinforcement learning [4], transfer learning [4], and generative AI [4]. This includes both internally developed and third-party AI tools [4].
To effectively manage AI risks, companies must conduct thorough risk assessments [3], implement robust monitoring systems [2], and maintain ongoing evaluations [3], especially after significant changes [3]. Organizations are encouraged to reassess their compliance programs in light of the updated ECCP, evaluating the risks posed by AI and developing thoughtful processes to manage those risks [4], rather than striving for perfection [4]. Companies must also provide training for employees on the appropriate use of AI and adapt their training programs in response to industry-wide lessons and evolving technologies. Establishing mechanisms to detect misuse of AI and other emerging technologies is crucial [1], and compliance efforts should extend to third-party vendors, ensuring that all parties involved adhere to the established compliance standards.
The guidelines emphasize the necessity for human accountability [3], robust controls, and periodic testing of AI tools to mitigate risks. Senior leadership plays a crucial role in fostering a culture of compliance, particularly as the risks associated with AI evolve [3]. The DOJ highlights the importance of effective compliance programs [4], assessing the knowledge and access of compliance personnel to relevant data [4], the timeliness of that access [4], and the allocation of resources for compliance and risk management [4]. Companies are encouraged to develop dynamic compliance programs that learn from past issues [4], both their own and those of others in the industry [4], while embracing new tools and software to navigate emerging challenges and leverage opportunities in compliance [2].
The updated ECCP aligns with existing domestic and international legal frameworks [3], which require comprehensive risk assessments and governance structures to manage AI risks throughout its lifecycle [3]. Companies must demonstrate the effectiveness of their compliance programs during investigations [3], highlighting the importance of ongoing obligations that necessitate regular updates to risk assessments and compliance strategies in light of new technologies [3]. An effective compliance program must continuously integrate considerations for emerging technologies [3], ensuring that organizations remain proactive in addressing compliance challenges. A clear plan for investigating and addressing any criminal activity related to AI use is essential [3], ideally with the support of outside counsel [3]. The updated ECCP also underscores the DOJ’s commitment to investigating corporate crimes involving AI [4], emphasizing the need for companies to proactively identify and mitigate potential risks associated with these technologies [4].
Conclusion
The updated ECCP provides a critical framework for companies to navigate the complexities of AI integration within their operations. By emphasizing risk management, human accountability [3], and continuous improvement, the ECCP helps organizations align with legal standards and proactively address compliance challenges. This approach not only mitigates potential risks but also fosters a culture of compliance that can adapt to technological advancements, ultimately safeguarding both the company and its stakeholders.
References
[1] https://www.jdsupra.com/legalnews/new-doj-compliance-program-guidance-7908250/
[2] https://www.globalrelay.com/resources/the-compliance-hub/rules-and-regulations/key-updates-to-the-department-of-justice-evaluation-of-corporate-compliance-programs/
[3] https://news.bloomberglaw.com/us-law-week/doj-expects-companies-to-minimize-risk-of-ai-blunders-misconduct
[4] https://www.fenwick.com/insights/publications/dont-wait-for-the-doj-to-come-knocking-important-whistleblower-protection-and-ai-risk-management-updates