DOJ Evaluation of Corporate Compliance Programs – September 2024 Updates, Changes and What It Means for Compliance Programs

The September 2024 update to the Department of Justice’s Evaluation of Corporate Compliance Programs brings significant changes that will impact compliance programs across industries. Understanding these changes and their implications is essential for staying compliant and ensuring your organization remains prepared to showcase its compliance program if needed. 

In this blog, we’ll break down the 2024 updates to the DOJ’s ECCP and share our insights on what has changed and provide actionable guidance on what compliance programs need to do next.

Overview of the 2024 DOJ Update

The Evaluation of Corporate Compliance Programs (ECCP) is a set of guiding principles used when deciding whether or not to prosecute a company for wrongdoing—namely, by asking three important questions: Is the corporation’s compliance program well designed? Does the program have the resources and support it needs to do its job? Does the program work in practice?

What Has Changed in the ECCP

This is the first Evaluation of Corporate Compliance Programs Update since March 2023, and the purpose of this update is to provide new and revised language around several key areas including artificial intelligence (AI), speak-up culture, risk assessments, program resourcing, and more.

• Speak-Up Culture. The September 2024 update includes new and updated language on speak-up culture that covers 1) how companies encourage and incentivize reporting of potential misconduct or violation of company policy, 2) if the company chills such reporting in any way, and 3) how the company assesses its employees’ willingness to report misconduct.

This focus on speak up is not new; the DOJ has been discussing building a strong speak up culture to support voluntary disclosure for some time now. The language used, though, especially around both internal AND external mechanisms to raise concerns, is amplified compared to prior iterations of the ECCP. Some of the language around external reporting mirrors what we have seen in the human rights sector, with a focus on listing external sources in your discussion around raising concerns. Given the breadth of the DOJ’s remit, however, this expansion is notable.

• Anti-Retaliation. Separately, the update also provides new language on how companies protect those who speak up against misconduct, namely around 1) if there is an anti-retaliation policy; 2) does the company train employes on both internal and external anti-retaliation and whistleblower protection policies, procedures, and laws; and 3) are employees who report treated differently because of it? 

Peers and managers are the most likely sources of retaliation, so a discussion around the need to train managers specifically would have strengthened this section.  That said, the emphasis on a robust policy and training is welcome.

• Artificial Intelligence (AI). This is one of the most detailed sections of the update with a total of 10 questions that ask companies how they identify and manage risks with potential compliance implications, especially around the use of AI within the business. The questions touch on 1) how companies incorporate AI into their enterprise risk management (ERM), 2) baseline human-decision-making for using AI, and 3) accountability for use of AI.

Like all of us, the DOJ is clearly grappling with how to navigate this new technology. The emphasis is on both the risks and opportunities AI presents and sets a clear expectation around the extent your organization is using AI in its products, and those products cause harm, the compliance team’s involvement in vetting those products will be subject to scrutiny.

Lest the reader think the news on AI in the ECCP Update is all bad, the DOJ also added the fact that any delta in technology investments for sales compared to compliance/risk will be looked at carefully and with a jaded eye. If you’re fighting to get dashboards like sales has, this is a useful addition for sure. 

• Risk Assessments. The update also asks if companies periodically review their risk assessment and whether they have a process for incorporating lessons learned from their own risk management issues or from those of other companies operating within the same industry and/or geographical region. It is clear from the text of the document that a risk assessment must be an ongoing process and not a one-and-done; arguably even an annual process should be augmented by periodic check-ins as the business evolves and lessons are learned. 

Each of these changes in compliance requirements and risk management requires a close look at your existing processes to ensure best practices. Ignoring these updates could lead to increased regulatory risk, fines, or even reputational damage.

What Compliance Programs Should Do Next

In light of such a substantive regulatory update, compliance teams should take the following steps to prepare:

1. Review Your Current Compliance Program: Conduct an internal audit to ensure your program aligns with the new requirements.
2. Update Policies and Procedures: Revise any policies that are impacted by the regulation changes.
3. Implement Training Programs: Train your employees and stakeholders on the new regulatory requirements.
4. Leverage Technology: Ensure your compliance technology is equipped to handle the changes, including real-time monitoring and reporting.

Taking these proactive steps will help ensure that your organization is fully compliant with the updated regulations and prepared for any future changes.