The U.S. Department of Justice, Criminal Division (DOJ) recently updated its policy document on the Evaluation of Corporate Compliance Programs (ECCP). Prosecutors use the ECCP to evaluate the effectiveness of compliance programs when determining whether to prosecute, impose fines, or require certain ongoing compliance obligations, such as under a corporate integrity agreement. Notably, the September 23, 2024 ECCP amendments require prosecutors to assess whether companies' compliance programs include safeguards to ensure that the deployment of new technologies, including artificial intelligence (AI), does not lead to “intentional or reckless misuse” that violates criminal law or the company's code of conduct.
Background
The Justice Manual (formerly the U.S. Attorney's Manual) describes certain factors that prosecutors should consider when exercising enforcement discretion over corporate entities during criminal investigations. One important factor is the effectiveness of the company's corporate compliance program. The ECCP establishes criteria that prosecutors use to evaluate whether a program is effective. The ECCP is important both as a reference document for the design and implementation of a company's compliance program and as a guidance document for understanding how the Department of Justice makes prosecutorial decisions. As a general matter, companies, at least those involved in the healthcare industry, should ensure that their compliance programs meet the standards set by the ECCP.
Assessing risks with emerging technologies/AI
In March 2024, U.S. Deputy Attorney General Lisa Monaco directed the Department of Justice's Criminal Division to incorporate into the ECCP an assessment of the risks posed by new technologies, including AI. Following this Directive, the ECCP includes criteria for prosecutors to utilize when assessing whether a company has adequate controls in place to mitigate the risks associated with the use of AI. Federal prosecutors should ask:
Does the company have a process to identify and manage new internal and external risks that may impact the company's ability to comply with laws and regulations, including risks associated with the use of new technologies? How does the company assess the potential impact of new technologies, such as AI, on its ability to comply? Is the management of risks associated with the use of AI and other new technologies integrated into the company's broader enterprise risk management (ERM) strategy? What is the company's approach to governance regarding the use of new technologies, such as AI, in its commercial business and compliance programs? How is the company mitigating the potential for intentional or reckless misuse of technology, including by internal parties? For as long as the technology is used as part of a program, are there controls in place to monitor and ensure that it is trustworthy and used in compliance with applicable law and the company's code of conduct? Are there controls in place to ensure that AI is only used for Will you be monitored and coerced? How does the company train its employees to use emerging technologies such as AI?1
Taken comprehensively, the above standards show that companies that utilize AI as a core part of their business operations must have specific policies and procedures in their compliance programs to ensure that AI software is deployed and continues to function properly. This includes policies and procedures for auditing AI performance, training employees on the proper use of AI, and detecting misuse of AI or other new technologies.
Data resources and access
The September 2024 revisions to the ECCP also include new standards for the use and exploitation of data analytics in a company's compliance program. For example, the latest ECCP requires prosecutors to assess whether compliance officers have access to relevant data systems that can adequately monitor the effectiveness of a company's compliance program. The updated ECCP has additional questions, including:
Is the company properly leveraging data analytics tools to streamline compliance operations and measure the effectiveness of compliance program components? How does the company manage the quality of its data sources? How does the company measure the precision and recall of the data analysis models it uses?2
The new standard conveys the Department of Justice's expectations that companies leverage data tools as part of their compliance efforts and provide compliance staff with access to all the data they need to implement their compliance programs.
Takeaways
Monaco said that “fraud using AI is still fraud.” The revised ECCP confirms that the Department of Justice takes the potential risks associated with the misuse of AI seriously and will scrutinize companies' compliance programs to ensure they address and mitigate these risks. Additionally, the revised ECCP makes clear that the Department of Justice expects 1) compliance officers to have access to the relevant data sources necessary to meet their responsibilities under their compliance programs, and 2) companies to put sufficient resources, including data analysis tools, into their compliance efforts.
Notes:
1 ECCP, pp. 3-4.
2 ECCP, p. 13.