Featured Expert Contributor, White Collar Crime and Corporate Compliance
Gregory A. Brower is a Shareholder with Brownstein Hyatt Farber Schreck, LLP. He also serves on WLF’s Legal Policy Advisory Board and previously served as Chief Global Compliance Officer for Wynn Resorts.
Since 2017, the U.S. Department of Justice (“DOJ”) has published a guidance document known as Evaluation of Corporate Compliance Programs or “ECCP.” The document states that it is intended to “assist prosecutors in making informed decisions as to whether, and to what extent, the corporation’s compliance program was effective at the time of the offense and is effective at the time of a charging decision or resolution … .” DOJ’s periodic updates to this guidance draw considerable attention and discussion, and these latest changes should be no exception. This post briefly summarizes the update and offers some practical tips for corporate counsel and compliance professionals.
The first change worth noting provides that prosecutors will consider a company’s use of technology to conduct its business, whether a company has conducted a risk assessment related to the use of that technology, and whether the company has taken appropriate steps to mitigate any risk associated with that technology. One such risk may be a company’s vulnerabilities to criminal schemes enabled by a specific technology. For example, the new ECCP requires prosecutors to evaluate whether the company has taken sufficient steps to identify and mitigate the risk of false approvals and documentation generated by artificial intelligence and intended to defeat internal controls.
Another significant change relates to DOJ’s recently announced new whistleblower program within the Criminal Division. The ECCP now contemplates prosecutors’ evaluation of whether a company is doing enough to encourage its employees and others to report misconduct or, conversely, whether the company is intentionally or unintentionally chilling whistleblower activity. With the support of key members of Congress, DOJ is increasingly focused on the importance of a robust “speak up” culture within companies and a company’s efforts in this regard can be an important factor in how prosecutors evaluate a company’s overall compliance program.
Finally, the updated ECCP directs prosecutors to assess whether a company’s compliance program has appropriate access to data such that it is able to assess its own effectiveness. Specifically on this point, Principal Deputy Assistant Attorney General Nicole Argentieri has described this newly required assessment as including a consideration of “whether companies are putting the same resources and technology into gathering and leveraging data for compliance purposes that they are using in their business.” DOJ’s recent creation of a new position within the Criminal Division, Counsel, Compliance and Data Analytics, is consistent with this new focus. Going forward, prosecutors will be looking for, and will expect to see, evidence that a company is investing in data analysis for the specific purpose of enhancing compliance.
What are the practical takeaways for companies that hope to meet DOJ’s elevated expectations? Here are the three “R’s” of effective compliance that the latest version of the ECCP reinforces as important to DOJ:
- Reporting. Companies should review their compliance reporting regime to ensure that it is user-friendly, that employees understand how it works, and that it actually works in practice. This starts with designing an easy-to-understand and easy-to-use reporting system that includes multiple ways for whistleblowers to make reports. Training is also critical, beginning with new employee orientation, but also as part of annual ethics training for all employees. And effective auditing of the program is also critical. A well-designed program that is the subject of adequate training but is rarely actually used suggests a problem. Only through effective auditing will such problems be revealed.
- Risk Assessments. DOJ continues to acknowledge that the deployment of compliance resources should be based on risk. The updated ECCP emphasizes that only by conducting adequate risk assessments can a company be confident that its deployment of resources is logically connected to its specific risks. Risk assessments should be aimed at identifying, ranking, and mitigating all of the risks the enterprise faces, should be conducted on a regular basis, and should be reviewed and understood outside of the compliance department. In other words, senior-level review and approval, including by the board of directors, is critical.
- Resources. DOJ has long emphasized the importance of ensuring that a company’s compliance program is adequately resourced. With this updated ECCP, the Department is focusing specifically on technology resources and, in particular, whether the company’s investment in technology for the compliance function, whether related to AI or other types of technology, is commensurate with the investment being made in the profit-generating parts of the business. Simply put, under-resourcing compliance is a surefire way to frustrate DOJ’s expectations.
In summary, DOJ’s focus on corporate compliance continues and its expectations continue to evolve. In light of this reality, companies of all types are well-advised to engage in a little self-critical analysis and make improvements where necessary. The updated ECCP provides a good rubric for companies to follow.