Introduction

In September 2023 [1] [4] [5], the US Department of Justice (DOJ) revised its Evaluation of Corporate Compliance Programs (ECCP) to address the increasing significance of corporate responsibility and compliance, particularly in the realm of disruptive technologies like artificial intelligence (AI). This update introduces AI-specific guidelines and questions to assist corporations in identifying and mitigating AI-related risks, with a focus on preparing for AI compliance reviews anticipated to begin in 2025.

Description

In this update [2], the DOJ emphasizes the necessity of establishing and enforcing clear guidelines [4], policies [2] [4] [5], and procedures for the development [4], implementation [2] [3] [4] [5], and monitoring of AI technologies [4]. Key updates highlight the importance of evaluating risk management strategies for emerging technologies, especially concerning data confidentiality, cybersecurity [2], and bias [2]. Companies are advised to assess their internal use of AI [1] [5], conduct thorough risk assessments [1] [4] [5], and ensure alignment with their code of conduct [1] [5]. The ECCP encourages leveraging the National Institute of Standards and Technology AI Risk Management Framework as a valuable resource for these evaluations [5]. Additionally, companies should routinely assess data privacy concerns [4], biased algorithms [4], and potential misuse of AI while developing effective mitigation strategies [4].

The DOJ has underscored the critical role of data analytics in corporate compliance, urging companies to ensure that compliance personnel have timely access to quality data for comprehensive risk evaluation. This includes developing procedures that enable the collection and analysis of data to enhance compliance operations and overall program effectiveness. The updated guidance stresses the importance of balancing resources allocated for market opportunities with those dedicated to risk detection, as under-investment in compliance can lead to significant legal risks.

Furthermore, the DOJ is committed to strengthening whistleblower protections [5], introducing a program that offers financial rewards for reporting misconduct [5]. Companies are expected to cultivate an environment that encourages internal reporting [5], implement effective reporting mechanisms [5], and ensure robust anti-retaliation policies and training that align with the updated ECCP [5]. Enhanced whistleblower training and protection measures are essential to ensure employees feel secure in reporting misconduct [2].

A critical aspect of the update is the emphasis on establishing a baseline of human decision-making against which AI outputs can be evaluated, which requires proactive measures to document and address misconduct [2]. Best practices for compliance include routine performance checks [2], auditing data quality [2], and implementing technical safeguards for AI systems [2]. Where existing practices are inadequate, the DOJ expects corporations to use robust compliance tools for monitoring and testing.

In addition, third-party risk management is a focal point [2], with an emphasis on continuous monitoring of vendor risks [2], particularly in supply chain management [2]. The alignment of the ECCP updates with the DOJ’s Corporate Whistleblower Awards Pilot Program reinforces the importance of evaluating corporate commitment to anti-retaliation policies and ensuring well-designed, continuously monitored compliance programs [2], especially regarding AI governance and data transparency.

Key recommendations from the updated ECCP include:

  1. Strengthening risk assessment and documentation for AI-specific risks [2].
  2. Establishing continuous monitoring and human oversight for AI systems [2].
  3. Prioritizing data access and analytics for compliance personnel [2].
  4. Ensuring proportional allocation of resources for compliance programs [2].
  5. Enhancing whistleblower training and protection policies [2].
  6. Developing data models that utilize accurate [4], diverse [4], and non-biased data to foster customer trust [4].
  7. Maintaining data integrity while adapting AI models to growing datasets.
  8. Implementing strong data governance practices and prioritizing transparency and explainability in AI systems [4].

Conclusion

The comprehensive update to the ECCP reflects the DOJ’s evolving priorities and expectations for robust compliance programs [3]. It presents opportunities for companies to enhance their compliance investments effectively while addressing the challenges posed by emerging technologies. By focusing on AI-specific risks, data analytics [1] [2] [5], and whistleblower protections [1] [2] [5], the DOJ aims to ensure that corporations are well-prepared to navigate the complexities of AI governance and maintain high standards of corporate responsibility.

References

[1] https://www.natlawreview.com/article/recent-updates-dojs-evaluation-corporate-compliance-programs
[2] https://www.parkerpoe.com/news/2024/11/what-dojs-latest-guidance-on-artificial-intelligence-corporate
[3] https://www.law.com/newyorklawjournal/2024/11/13/a-blueprint-for-targeted-enhancements-to-corporate-compliance-programs/
[4] https://www.lexology.com/library/detail.aspx?g=73ed8be8-3369-471a-a10e-4016b6b25314
[5] https://www.jdsupra.com/legalnews/recent-updates-to-the-doj-s-evaluation-2928370/