On September 23, 2024, the Department of Justice (“DOJ”) announced updates to its Evaluation of Corporate Compliance Programs (“ECCP”) guidance for the first time since March 2023. Principal Deputy Assistant Attorney General (“PDAAG”) Nicole M. Argentieri announced the revisions to the ECCP on the day they were released, in a speech delivered at the Society of Corporate Compliance and Ethics 23rd Annual Compliance & Ethics Institute.
The ECCP serves as guidance to federal prosecutors for evaluating companies’ compliance programs when making enforcement decisions.1 It is also a resource for companies to ensure their compliance programs are effective and meet DOJ’s expectations. Last year, the guidance was updated to address the risks associated with the growing popularity of third-party messaging applications and personal devices.2 PDAAG Argentieri identified the following three key updates to this year’s ECCP: (1) mitigating the risks associated with emerging technologies, including artificial intelligence (“AI”); (2) promoting whistleblower protection and anti-retaliation policies and programs; and (3) ensuring compliance programs have appropriate access to data to be effective. Also noteworthy are the updates to the M&A section of the ECCP which focus on integration processes and ensuring compliance oversight over new businesses.3
The ECCP’s updates surrounding the use and assessment of risks associated with emerging technologies come six months after Deputy Attorney General Lisa Monaco announced that prosecutors would assess how companies mitigate AI-related risk as part of their compliance efforts.4 The new guidance directs prosecutors to look for evidence that companies have conducted assessments and implemented mitigation efforts vis-à-vis the use of new and emerging technologies, specifically warning of the “deliberate or reckless misuse” of such technology by “company insiders.”5 As PDAAG Argentieri aptly explained, under the updated ECCP, “prosecutors will consider the technology that a company and its employees use to conduct business, whether the company has conducted a risk assessment of the use of that technology, and whether the company has taken appropriate steps to mitigate any risk associated with the use of that technology.”6 PDAAG Argentieri cited companies’ vulnerability to criminal schemes such as AI-generated false documentation and approvals as an example of the types of risks prosecutors will be assessing.7
The ECCP also asks prosecutors to consider whether the management of risk related to the use of AI and other new technologies is integrated into broader enterprise risk management (“ERM”) strategies; whether controls are in place to monitor and ensure the trustworthiness, reliability, and use of such technologies in compliance with applicable laws and a company’s code of conduct; and whether controls exist to ensure technology is used only for its intended purpose and employees are trained in the use of emerging technologies.8 The updated ECCP cites the National Institute of Standards and Technology’s (“NIST”) January 26, 2023 report, AI Risk Management Framework, as a resource for companies.9
In support of the Department’s recently launched Whistleblower Awards Program,10 the ECCP expands DOJ’s commitment to whistleblower protection and anti-retaliation. In assessing a company’s compliance program, the ECCP asks prosecutors to consider questions aimed at measuring companies’ efforts to encourage internal reporting.11 Prosecutors are now asked to evaluate whether companies have anti-retaliation policies; whether companies train employees on those internal policies and systems, and external anti-retaliation and whistleblower protection laws; and whether companies treat employees involved in misconduct differently based on whether they reported the misconduct internally or not.12
Before September 2024, the ECCP defined a “well-designed compliance program” as one that “entails policies and procedures that give both content and effect to ethical norms and that address and aim to reduce risks[.]”13 This most recent update uses stronger language, demanding that such programs actually utilize policies and procedures to mitigate – not just aim to reduce – risk.14 Additionally, prosecutors are told to “consider whether the company’s compliance program had a track record of preventing or detecting [] misconduct.”15
The updated guidance expands on the expectations set in previous versions of the ECCP that corporations observe and learn from other similarly situated companies, be they in the same industry or the same geographical region.
The Justice Manual already directed prosecutors assessing companies’ compliance programs to ask whether the program was well designed, being applied earnestly, and efficacious in practice,16 but the Department appears to be reiterating a stance it has historically taken: that “companies ensure that individuals who suspect misconduct know how to report it and feel comfortable doing so including by showing that there is no tolerance for retaliation.”17
The updated ECCP asks prosecutors to assess whether compliance programs have appropriate access to data to carry out their compliance functions. PDAAG Argentieri stated that the ECCP now includes “questions about whether compliance personnel have adequate access to relevant data sources and the assets, resources, and technology that are available to compliance and risk management personnel,” and “whether companies are putting the same resources and technology into gathering and leveraging data for compliance purposes that they are using in their business.”18 This guidance expands on existing guidance regarding compliance personnel’s access to relevant data resources.19
In the September 2024 ECCP, the Department also fleshed out its guiding questions regarding compliance in the M&A context, asking prosecutors to consider the role companies' compliance and risk management functions play in designing and executing an integration strategy and implementing a compliance program post-transaction.20 The revised ECCP also asks whether the company has considered migrating or combining enterprise risk management (“ERM”) systems as part of the integration process, which can have significant cost implications for a company trying to manage disparate legacy systems. This year’s updates to the guidance also advise prosecutors to consider whether companies extend their risk management assessment processes to interactions with third-party vendors in a timely and effective manner.21 Prosecutors will not be satisfied by claims that data was theoretically available. Time and time again, the ECCP emphasizes the importance of leveraging relevant information at the relevant time.
The 2024 updates demonstrate DOJ’s resolve to stay at the forefront of enforcement and root out misconduct in an ever-evolving environment. The ECCP updates also show that DOJ intends to deliver on policies and initiatives announced over the course of this year. As risks evolve, so too must companies’ compliance programs.
It’s not enough to have established nominally relevant employee training materials; prosecutors want to see that programs are appropriately tailored, targeted, and effective. The DOJ is paying special attention to companies with a marked imbalance in the technological and financial resources devoted to capturing market opportunities as opposed to those devoted to risk detection and mitigation.
When the Department of Justice comes knocking, corporations need to be able to point to results and prove that they’ve taken a thoughtful and comprehensive approach to their compliance programs. The September 2024 ECCP makes clear that companies must continually reassess their compliance programs to ensure they have the best processes in place to identify and evaluate the compliance implications of emerging technologies and mitigate technological risks. Companies must ensure that they are dedicating resources and technology investments to their compliance and risk management functions similar to those they dedicate to their business functions. Finally, companies must also make sure that they have policies and processes in place to protect whistleblowers.
Sophisticated companies need experienced counsel. Hogan Lovells has the expertise to advise companies in a wide range of industries on all of their compliance needs: from design to evaluation to mitigation.
Authored by Peter Spivack, Rupinder Garcha, and Toni Cross.