DOJ unveils new compliance guidelines: Embracing AI, data, and proportionality in corporate risk management

On September 23, 2024, during the Society of Corporate Compliance and Ethics’ (SCCE) annual Compliance and Ethics Institute, the U.S. Department of Justice (DOJ) revealed significant updates to its Evaluation of Corporate Compliance Programs (ECCP) guidance. These updates combine familiar concepts with some surprising new directions, and together they shape the expectations the DOJ will apply to corporate compliance programs.

Although the practical impact of these changes on future DOJ investigations remains to be seen, organizations aiming to align with these evolving standards should take note of several key points:

  • Emerging Technologies and AI: One of the most notable changes is the focus on how companies manage risks related to emerging technologies like artificial intelligence (AI). The DOJ wants to know if organizations are proactively assessing and mitigating the risks posed by these technologies or merely reacting to them. This includes the use of AI within compliance programs themselves, signalling the DOJ’s increasing interest in the intersection of technology and compliance.
  • Enhanced Written Standards: The DOJ is broadening its evaluation of written policies, such as codes of conduct. Organizations will now be expected to demonstrate how these standards incorporate lessons learned from both internal and external incidents of misconduct. Additionally, written standards must address new and evolving risks, including those related to technology. The DOJ also plans to scrutinize how organizations ensure employees have access to these crucial documents.
  • Employee Training: The updated guidance introduces a new emphasis on the relevance and engagement of employee training. Training should now be tailored to the “needs, interests, and values” of employees, with a focus on measuring not only learning outcomes but also engagement. The DOJ believes that for training to be effective, it must go beyond simply listing risks and expectations; it needs to resonate with employees and be continuously improved based on past experiences.
  • Reporting Mechanisms and Anti-Retaliation: The DOJ is expanding its interest in how organizations incentivize or discourage the reporting of compliance issues. It now wants to see evidence of how companies measure employees’ willingness to report and how they protect whistleblowers from retaliation. The DOJ will review anti-retaliation policies, training, and reporting systems, emphasizing the need for robust protection mechanisms, including a new and eye-opening focus on whether employees are trained on their external regulatory reporting options.
  • Third-Party Risk Management: Organizations should expect questions about how they conduct due diligence on third-party vendors and manage vendor risk throughout the entire business relationship, including the timeliness and thoroughness of their risk assessments. Our blog “The DOJ’s 2024 guidance: Strengthening corporate compliance with ongoing third-party due diligence” provides further insight into how organizations can strengthen their compliance programs by maintaining a vigilant approach to vendor risk.
  • Post-Merger Compliance Integration: The DOJ is paying closer attention to how compliance programs are integrated following mergers and acquisitions, ensuring that newly acquired businesses are seamlessly incorporated into existing compliance structures.
  • Compliance Personnel Qualifications: The updated guidance clarifies that compliance personnel must have the necessary qualifications, seniority, and “actual and perceived” authority within the organization.
  • Resource Allocation and Proportionality: Perhaps the most intriguing change relates to how resources are allocated for compliance. The DOJ expects organizations to have mechanisms in place to measure the commercial value of their compliance investments. New guidance also asks whether resources dedicated to compliance are proportionate to the size and scope of the business, highlighting a shift toward scrutinizing whether compliance is adequately resourced relative to business operations.
  • Data Utilization and Analytics: The DOJ is placing a stronger emphasis on ensuring that compliance functions have access to the necessary data and analytical tools. Organizations are expected to demonstrate not only that they have data, but that it is used effectively to monitor and assess program effectiveness. Accurate data analysis is becoming a cornerstone of effective compliance management.
  • Historical Misconduct and Program Effectiveness: In evaluating program effectiveness, the DOJ will now delve into an organization’s history of addressing misconduct. This includes reviewing unrelated past issues to assess how the company responded and applied lessons learned. Regular program evaluations and the frequency of these assessments will also be key areas of inquiry.
  • Predictive Data and Risk Assessment: Finally, the DOJ is looking to see how organizations use data to predict and prevent compliance issues, moving toward a proactive, rather than reactive, approach to risk management.

In summary, these revisions signal a clear emphasis on leveraging data and technology to enhance both risk assessment and program implementation. The DOJ’s shift toward a more data-driven, risk-based approach has been in the works for some time, and this latest guidance reinforces the importance of equipping compliance functions with the resources and tools necessary to succeed in this evolving landscape.