On September 23, 2024, the U.S. Department of Justice Criminal Division (DOJ) released the latest updates to its Evaluation of Corporate Compliance Programs (ECCP), offering valuable insight into how prosecutors will assess the strength of corporate compliance efforts. The purpose of the ECCP is to provide transparency and a measure of guidance to companies about how prosecutors assess whether a corporation has a culture that embraces ethics and compliance. For this most recent iteration, Deputy Attorney General Lisa Monaco directed the DOJ “to incorporate assessment of disruptive technology risks—including risks associated with AI—into its guidance on Evaluation of Corporate Compliance Programs.” This recent publication reflects the DOJ’s heightened focus on critical issues like emerging technology-related risks and employee whistleblower protections. But the real question is: Will your compliance program stand up to this new level of scrutiny?
Why Your Company Should Care―Even if You’re Not Under Investigation
Improving and adhering to the latest DOJ compliance standards is not just about avoiding potential government inquiries or investigations. It is about fostering long-term business resilience, protecting your brand’s reputation and building trust with your stakeholders. A strong compliance program signals to your employees, customers and partners that your organization operates with integrity and accountability—key factors in a competitive, risk-conscious marketplace. Companies that take compliance seriously not only avoid legal pitfalls but are also more likely to prevent ethical breaches from escalating into full-blown crises. In an era where corporate transparency and ethical conduct are under the spotlight, strong compliance becomes a strategic asset, not just a defensive measure.
Navigating the Complexities of Emerging Technology Risks
The most notable update to the ECCP centers around the use of new and emerging technologies, particularly artificial intelligence. With this revision, companies must now demonstrate both a comprehensive risk assessment of these technologies and proactive steps to mitigate any associated legal and compliance risks. Under an ECCP section titled “Management of Emerging Risks to Ensure Compliance with Applicable Law,” the DOJ now asks direct questions about how businesses ensure their tech practices comply with both criminal and internal codes of conduct. Under the ECCP’s “Policies and Procedures” section, it asks whether companies’ policies and procedures contemplate mitigating intentional or reckless use of emerging technologies. Is your company prepared to answer these questions?
Strengthening the Company Culture of Compliance: Whistleblower Incentives and Protection
In light of the DOJ’s recent focus on whistleblower protections (including the new Corporate Whistleblower Awards Pilot Program), prosecutors will scrutinize whether your organization has created an environment that encourages reporting misconduct. This update goes beyond just having reporting mechanisms in place. It asks whether employees are incentivized to come forward and whether the company’s policies protect whistleblowers from retaliation. Does your company’s current approach empower employees to speak up?
Ensuring Compliance Programs Have the Tools They Need
Another key change to the ECCP focuses on the data to which company compliance teams have access. The DOJ is now asking whether a company’s compliance team has the resources and tools needed to access relevant data in a timely manner and whether the company is using technology to make compliance efforts more efficient. Prosecutors will assess whether there is an imbalance between the tools a company’s compliance team uses to manage risk and those used elsewhere in the business to drive growth.
Learning from Mistakes: Is the Company Adapting to Lessons Learned?
The revised ECCP policies and procedures guidance encourages prosecutors to look at how well companies update their policies based on past issues—both from within their organization and across their industry. This includes reviewing whether company employee training programs reflect lessons learned from compliance challenges faced by peers. Companies should therefore carefully examine whether their compliance strategies are evolving to stay ahead of risks.
In short, the DOJ’s latest updates make it clear that corporate compliance is no longer just about ticking boxes—it is about fostering a proactive, data-driven and adaptable approach to risk management. A robust compliance program is not merely a shield from DOJ scrutiny, but a vital tool for safeguarding a company’s future. Now is the time for companies to ensure their compliance programs are not just adequate, but truly exemplary.
For More Information
If you have any questions about this Alert, please contact Eric R. Breslin, Tarsha A. Phillibert, Kiana Givpoor, any of the attorneys in our White-Collar Criminal Defense, Corporate Investigations and Regulatory Compliance Group or the attorney in the firm with whom you are regularly in contact.