DOJ’s New Compliance Rules: AI Risks, Whistleblowers, and Data Updates

New compliance rules are coming. This week, the U.S. Department of Justice (DOJ) released updated guidance on its Evaluation of Corporate Compliance Programs (ECCP). This news marks a significant shift in focus for organizations.  

What Do Organizations Need to Know? 

A September 2024 update now emphasizes the importance of managing risks associated with artificial intelligence (AI) compliance, enhancing whistleblower protection systems, and leveraging data analytics in compliance software solutions. These changes reflect the evolving regulatory landscape and the need for businesses to address emerging regulatory compliance challenges while maintaining robust compliance structures. 

What’s Been Added? 

One of the most prominent additions to the guidance is the focus on ethical AI development and emerging technologies. Companies must now evaluate how their AI use impacts criminal risk management. Prosecutors will assess whether companies have conducted thorough risk assessments for AI-related technologies and whether adequate steps have been taken to mitigate those risks.  

For example, the DOJ is particularly interested in AI’s fraud detection capabilities, such as generating fraudulent approvals or tampering with documentation, and whether companies have controls in place to prevent this.  

The guidance also highlights the need for ongoing monitoring of AI monitoring tools to ensure they are functioning as intended and that any potential legal compliance violations are identified and addressed quickly. 

What Else Has Been Updated?  

Additionally, the updated ECCP emphasizes the importance of strengthening corporate whistleblower protections. Companies must ensure internal whistleblower reporting mechanisms are not only available but also actively encouraged. Prosecutors will examine whether organizations have adequate anti-retaliation policies in place and whether employees feel comfortable reporting misconduct without fear of retaliation.  

The launch of the DOJ’s Corporate Whistleblower Awards Pilot Program–which offers incentives for timely reporting–underscores the importance of a strong whistleblower system. Now, companies are expected to allocate appropriate resources to compliance risk management programs. Here, data analytics plays a key role in monitoring and detecting potential violations. Compliance teams should have access to the same quality of data and technology as other business functions to maintain an effective compliance monitoring program.  

What Else Does the New Guidance Emphasize? 

The guidance also stresses the need for businesses to leverage AI and emerging regulatory technology solutions in their compliance efforts. Beyond managing risks, the DOJ encourages companies to use these tools to enhance their compliance risk management monitoring and data analytics.  

Compliance personnel should be empowered with access to relevant data, similar to that used by business units, to effectively monitor compliance best practices. This focus on data ensures companies are identifying potential issues and are using technology to monitor compliance and prevent future violations. 

Final Thoughts 

These updates serve as a critical reminder that proactive action is essential. Businesses must now manage AI risks. And use technologies to enhance compliance programs.  

What’s next? Prioritizing whistleblower safety initiatives and regulatory data access will be crucial for maintaining regulatory alignment.  

Let’s Start a Conversation

Schedule a virtual coffee with a team member: Click here to demo our GRC solutions. Click here to learn more about our Learning solutions. 

Sources: 

 – U.S. Department of Justice. (2024, September). Evaluation of Corporate Compliance Programs. [https://www.justice.gov/criminal/criminal-fraud/page/file/937501/dl?inline] 

– Ropes & Gray LLP. (2024, September 26). Updated Justice Department Guidance on Corporate Criminal Enforcement Reveals New Focus on Artificial Intelligence Roles, Whistleblowing Protection, and Use of Data. [https://www.ropesgray.com/en/insights/alerts/2024/09/updated-justice-department-guidance-on-corporate-criminal-enforcement] 

– Debevoise & Plimpton LLP. (2024, September 25). DOJ Updates Guidance on Corporate Compliance Programs to Include AI Risk Management. [https://www.debevoise.com/insights/publications/2024/09/doj-updates-guidance-on-corporate-compliance-pro] 

– Paul, Weiss. (2024, September 26). DOJ’s Updated Guidance for Evaluating Corporate Compliance Programs Emphasizes ‘Double-Edged Sword’ of New Technologies. [https://www.paulweiss.com/practices/litigation/white-collar-regulatory-defense/publications/doj-s-updated-guidance-for-evaluating-corporate-compliance-programs-emphasizes-double-edged-sword-of-new-technologies?id=54670]