Categories
Blog

Argentieri Speech and 2024 ECCP: Complying with the 2024 ECCP on AI

The Department of Justice (DOJ), in its 2024 Update, has explicitly directed companies to ensure they have robust processes in place to identify, manage, and mitigate emerging risks related to new technologies, including AI. As compliance professionals, it’s crucial to integrate these mandates into your enterprise risk management (ERM) strategies and broader compliance programs. The DOJ posed two sets of queries for compliance professionals. The first was found in Section I, entitled Is the Corporation’s Compliance Program Well Designed? These are the following questions a prosecutor could ask a company or compliance professional going through an investigation.

Management of Emerging Risks to Ensure Compliance with Applicable Law

  • Does the company have a process for identifying and managing emerging internal and external risks, including risks related to the use of new technologies, that could potentially impact its ability to comply with the law?
  • How does the company assess the potential impact of new technologies, such as artificial intelligence (AI), on its ability to comply with criminal laws?
  • Is management of risks related to using AI and other new technologies integrated into broader enterprise risk management (ERM)  strategies?
  • What is the company’s approach to governance regarding the use of new technologies, such as AI, in its commercial business and compliance program?
  • How is the company curbing any potential negative or unintended consequences resulting from using technologies in its commercial business and compliance program?
  • How is the company mitigating the potential for deliberate or reckless misuse of technologies, including by company insiders?
  • To the extent that the company uses AI and similar technologies in its business or as part of its compliance program, are controls in place to monitor and ensure its trustworthiness, reliability, and use in compliance with applicable law and the company’s code of conduct?
  • Do controls exist to ensure the technology is used only for its intended purposes?
  • What baseline of human decision-making is used to assess AI?
  • How is accountability over the use of AI monitored and enforced?
  • How does the company train its employees on using emerging technologies such as AI?

The second question ties AI to a company’s values, ethics, and, most importantly, culture. It is found in Section III, entitled Does the Corporation’s Compliance Program Work in Practice?, Evolving Updates, and poses the following questions:

  • If the company is using new technologies such as AI in its commercial operations or compliance program, is the company monitoring and testing the technologies so that it can evaluate whether they are functioning as intended and consistent with the company’s code of conduct?
  • How quickly can the company detect and correct decisions made by AI or other new technologies that are inconsistent with the company’s values?

Thinking across both questions will lead to more questions and a deep dive into your compliance culture, philosophy, and corporate ethos. It will also bring about unprecedented opportunities for businesses. However, with these opportunities come significant risks, especially in the context of legal compliance. The DOJ has now explicitly directed companies to ensure they have robust processes to identify, manage, and mitigate emerging risks related to new technologies, including AI. As compliance professionals, it is both crucial and even obligatory to integrate these mandates into your ERM strategies and broader compliance programs. Below are some ways a compliance professional can think through and you can effectively respond to the DOJ’s latest guidance for the first series of questions.

Establish a Proactive Risk Identification Process

Managing emerging risks begins with a proactive approach to identifying potential threats before they manifest into significant compliance issues.

  • Implement a Dynamic Risk Assessment Framework. Develop a risk assessment process that continuously scans internal and external environments for emerging risks. This should include regular updates to risk profiles based on the latest technological developments, industry trends, and regulatory changes. Incorporating AI into your business and compliance operations requires that you assess its immediate impact and anticipate future risks it might pose as the technology evolves.
  • Engage Cross-Functional Teams. Ensure that your risk identification process is not siloed within the compliance function. Engage cross-functional teams, including IT, legal, HR, and operations, to provide diverse perspectives on potential risks associated with new technologies. This collaboration will help you capture a more comprehensive view of the risks and their potential impact on your organization’s ability to comply with applicable laws.

Establish Rigorous Monitoring Protocols

Monitoring AI and other new technologies isn’t just a box-ticking exercise; it’s a continuous process that requires a deep understanding of the technology and the ethical standards it must uphold.

  • Set Up Continuous Monitoring Systems. Implement real-time monitoring systems that track AI outputs and decisions as they occur. This is crucial for identifying deviations from expected behavior or ethical standards as soon as they happen. Automated monitoring tools can flag anomalies, such as decisions that fall outside predefined parameters, for further review by compliance officers.
  • Define Key Performance Indicators (KPIs). Develop KPIs that specifically measure the alignment of AI outputs with your company’s code of conduct. These include fairness, transparency, accuracy, and ethical impact metrics. Regularly review these KPIs to ensure that AI systems perform within acceptable boundaries and contribute positively to your compliance objectives.

Integrate AI Risk Management into Your ERM Strategy

The DOJ expects companies to manage AI and other technological risks within the broader context of their enterprise risk management strategies.

  • Align AI Risk Management with ERM. Ensure that risks related to AI and other new technologies are integrated into your ERM framework. This means treating AI-related risks like any other enterprise with appropriate controls, governance, and oversight. AI should not be viewed as a standalone issue but as an integral part of your organization’s overall risk landscape.
  • Develop AI-Specific Risk Controls. Establish controls that specifically address the unique risks posed by AI. These might include measures to prevent algorithmic bias, safeguards against AI-driven fraud, and protocols to ensure data privacy and security. Regularly review and update these controls to keep pace with technological advancements and emerging threats.

Implement Comprehensive Testing and Validation

Testing and validating AI technologies should be an ongoing practice, not just a one-time event during the deployment phase. The DOJ expects companies to evaluate whether these technologies are functioning as intended rigorously.

  • Stress-Test AI Systems. Subject your AI systems to scenarios that test their decision-making processes under different conditions. This includes testing for biases, errors, and unintended consequences. By simulating real-world situations, you can better understand how the AI might behave in practice and identify any potential risks before they manifest.
  • Periodic Audits and Reviews. Conduct regular audits of your AI systems to verify their continued compliance with company policies and ethical standards. These audits should include technical assessments and ethical evaluations, ensuring the AI’s decisions remain consistent with your company’s values over time.
  • External Validation. Consider bringing in third-party experts to validate your AI systems. External validation can objectively assess your AI’s functionality and ethical alignment, offering insights that might not be apparent to internal teams.

Develop a Rapid Response Mechanism

Every system is infallible; even the best-monitored AI systems can make mistakes. The key is how quickly and effectively your company can detect and correct these errors.

  • Establish a Rapid Response Team. Create a dedicated team within your compliance function responsible for addressing AI-related issues as they arise. This team should be equipped to investigate flagged decisions quickly, determine the root cause of any inconsistencies, and implement corrective actions.
  • Implement Feedback Loops. Develop feedback loops that allow for continuous learning and improvement of AI systems. When an error is detected, ensure that the AI system is updated or retrained to prevent similar issues in the future. This iterative process is essential for maintaining the integrity of AI systems over time.
  • Document and Report Corrections. Keep detailed records of any AI-related issues and the steps taken to correct them. This documentation is critical for internal tracking and for demonstrating to regulators, like the DOJ, that your company is serious about maintaining ethical AI practices.

Strengthen AI Governance and Accountability

Governance is key to ensuring that AI and other new technologies are used responsibly and in compliance with the law.

  • Create a Governance Framework for Technology Use. Develop a governance framework outlining how AI and other emerging technologies will be used within your organization. This framework should define roles and responsibilities, set clear guidelines for the ethical use of technology, and establish protocols for monitoring and enforcement. Ensure that this framework is aligned with your company’s code of conduct and compliance objectives. Ensure these guidelines are communicated clearly to all stakeholders, including AI developers, compliance teams, and business leaders.
  • Enforce Accountability. Accountability for the use of AI should be clearly defined and enforced. This includes assigning specific oversight roles to ensure that AI systems are used as intended and that any deliberate or reckless misuse is swiftly addressed. Establish a chain of accountability spanning from the C-suite to the operational level, ensuring all stakeholders understand their responsibilities in managing AI risks.

Mitigate Unintended Consequences and Misuse

The DOJ is particularly concerned with the potential for AI and other technologies to be misused, deliberately or unintentionally, leading to compliance breaches.

  • Monitor for Unintended Consequences. Implement monitoring systems that can detect unintended consequences of AI use, such as biased decision-making, unethical outcomes, or operational inefficiencies. These systems should be capable of flagging anomalies in real-time, allowing your compliance team to intervene before issues escalate.
  • Restrict AI Usage to Intended Purposes. Ensure that AI and other technologies are used only for their intended purposes. This involves setting clear boundaries on how AI can be applied and establishing controls to prevent misuse. Regular audits should be conducted to verify that AI systems operate within these defined parameters and that any deviations are promptly corrected.

Ensure Trustworthiness and Human Oversight

As Sam Silverstein continually reminds us, culture is all about trust. The same is true for the use of AI in the workplace. AI’s trustworthiness and reliability are paramount in maintaining compliance and protecting your company’s reputation.

  • Implement Trustworthiness Controls. Develop controls to ensure the trustworthiness of AI systems, including regular validation of AI models, thorough testing for accuracy and reliability, and ongoing monitoring for performance consistency. These controls should be designed to prevent the AI from producing outputs that could lead to legal or ethical violations.
  • Maintain a Human Baseline. AI should complement, not replace, human judgment. Establish a baseline of human decision-making to assess AI outputs and ensure that human oversight is maintained where necessary. This could involve having human review processes for high-stakes decisions or integrating AI outputs into broader decision-making frameworks that involve human input.

Train Employees on Emerging Technologies

As AI and other technologies become more prevalent, employee training is essential to ensure that your workforce understands both the benefits and risks.

  • Develop Comprehensive Training Programs. Create training programs that educate employees on using AI and other emerging technologies, focusing on compliance and ethical considerations. Training should cover the potential risks, the importance of adhering to the company’s code of conduct, and the specific controls to mitigate those risks. Employees should understand how the technology works and how to identify and address any decisions that may conflict with company values. Regular training sessions reinforce the importance of ethical AI use across the organization.
  • Promote a Culture of Awareness. Encourage a culture where employees are vigilant about the risks associated with new technologies. This involves fostering an environment where employees feel empowered to speak up if they notice potential issues and are actively engaged in ensuring that AI and other technologies are used responsibly.
  • Promote a Speak-Up Culture. Encourage employees to report concerns about AI-driven decisions, just as they would report other misconduct. A robust speak-up culture is critical for catching ethical lapses early and ensuring that AI systems remain aligned with company values.

The DOJ’s mandate on managing emerging risks, particularly those related to AI and other new technologies, underscores the need for a proactive, integrated approach to compliance. Compliance professionals can confidently navigate this complex landscape by embedding AI risk management within your broader ERM strategy, strengthening governance and accountability, mitigating unintended consequences, ensuring trustworthiness, and investing in employee training. The stakes are high, but with the right plan in place, your organization can harness the power of AI while staying firmly on the right side of the law.

Categories
Blog

Argentieri Speech and 2024 ECCP: Argentieri on Navigating AI Risks

Deputy Assistant Attorney General Nicole M. Argentieri’s speech highlighted a critical shift in the Department of Justice’s (DOJ) approach to evaluating corporate compliance programs. As outlined in the updated 2024 Evaluation of Corporate Compliance Programs (2024 ECCP), the emphasis on data access signals a new era where compliance professionals are expected to wield data with the same rigor and sophistication as their business counterparts. This week, I am reviewing the speech and 2024 ECCP. Over the next couple of blog posts, I will look at the most significant addition, that around AI. Today, I will review Argentieri’s remarks to see what she has said. Tomorrow, I will dive deeply into the new areas in the 2024 ECCP around new technologies such as Artificial Intelligence (AI).

In her remarks, Argentieri said, “First, … Our updated ECCP includes an evaluation of how companies assess and manage risk related to using new technology such as artificial intelligence in their business and compliance programs. Under the ECCP, prosecutors will consider the technology that a company and its employees use to conduct business, whether the company has conducted a risk assessment of using that technology, and whether the company has taken appropriate steps to mitigate any associated risk. For example, prosecutors will consider whether the company is vulnerable to criminal schemes enabled by new technology, such as false approvals and documentation generated by AI. If so, we will consider whether compliance controls and tools are in place to identify and mitigate those risks, such as tools to confirm the accuracy or reliability of data the business uses. We also want to know whether the company monitors and tests its technology to evaluate its functioning as intended and consistent with its code of conduct.”

Argentieri emphasizes the importance of managing risks associated with disruptive technologies like AI. These updates signal a clear directive for compliance professionals: you must take a proactive stance on AI risk management. You can take the following steps to align your compliance program with the DOJ’s latest expectations.

Conduct a Comprehensive Risk Assessment of AI Technologies

The first step in meeting the DOJ is to thoroughly assess the risks that AI and other disruptive technologies pose to your organization.

  • Identify AI Use Cases. Start by mapping out where AI is being used across your business operations. This could include everything from automated decision-making processes to AI-driven data analytics. Understanding the scope of AI use is essential for identifying potential risk areas.
  • Evaluate Vulnerabilities. Once you have a clear picture of how AI is utilized, conduct a detailed risk assessment. Look for vulnerabilities, such as the potential for AI to generate false approvals or fraudulent documentation. Consider scenarios where AI could be manipulated or fail to perform as expected, leading to compliance breaches or unethical outcomes.
  • Prioritize Risks. Not all risks are created equal. Prioritize them based on their potential impact on your business and the likelihood of occurrence. This prioritization will guide the allocation of resources and the development of mitigation strategies.

Implement Robust Compliance Controls and Tools

Once risks have been identified, the next step is to ensure that your compliance program includes strong controls and tools specifically designed to manage AI-related risks.

  • Develop AI-Specific Controls. Traditional compliance controls may not be sufficient to address AI’s unique challenges. Develop or adapt controls to monitor AI-generated outputs, ensuring accuracy and consistency with company policies. This might include cross-referencing AI decisions with manual checks or implementing algorithms that flag unusual patterns for further review.
  • Invest in AI-Compliance Tools. Specialized tools are available that can help compliance teams monitor AI systems and detect potential issues. Invest in these tools to enhance your ability to identify and mitigate AI-related risks. These tools should be capable of real-time monitoring and provide insights into the functioning of AI systems, including the accuracy and reliability of the data they generate.
  • Regular Testing and Validation. AI systems should not be a set-it-and-forget-it solution. Regularly test and validate your AI tools to ensure they function as intended. This should include stress testing under different scenarios to identify any weaknesses or biases in the system. The DOJ expects your company to implement AI and rigorously monitor its performance and alignment with your compliance objectives.

Monitor, Evaluate, and Adapt

AI technology and its associated risks constantly evolve, so your compliance program must be flexible and responsive.

  • Ongoing Monitoring. Continuously monitor AI systems’ performance to ensure they align with your company’s code of conduct and compliance requirements. This involves technical monitoring and assessing the ethical implications of AI decisions.
  • Adapt to New Risks. As AI technology advances, new risks will emerge. Stay informed about the latest developments in AI and disruptive technologies, and be ready to adapt your compliance program accordingly. This may involve updating risk assessments, enhancing controls, or revising your company’s overall approach to AI.
  • Engage with Technology Experts. Compliance professionals should work closely with IT and AI experts to stay ahead of potential risks. This collaboration is crucial for understanding the technical nuances of AI and ensuring that compliance strategies are technically sound and effectively implemented.

Ensure Alignment with the Company’s Code of Conduct

Finally, all AI initiatives must follow your code of conduct and ethical standards.

  • Training and Awareness. Ensure that all employees, particularly those involved in AI development and deployment, are trained on the ethical implications of AI and the company’s code of conduct. This training should cover the importance of transparency, fairness, and accountability in AI operations.
  • Ethical AI Use. Embed ethical considerations into the AI development process. This means complying with the law and striving to use AI to reflect your company’s values. The DOJ will be looking to see if your company is avoiding harm and proactively promoting ethical AI use.

Argentieri’s remarks underscore the importance of managing the risks associated with AI and other disruptive technologies. Compliance professionals must take a proactive approach by conducting thorough risk assessments, implementing robust controls, and continuously monitoring AI systems to ensure they align with regulatory requirements and the company’s ethical standards. By taking these initial steps, you can meet the DOJ’s expectations and leverage AI to enhance your compliance program and overall business integrity. Join us tomorrow to take a deep dive into the new language of the 2024 ECCP and explore how to implement it.

Categories
Blog

Argentieri Speech and 2024 ECCP: Data Access and Data Analytics

Deputy Assistant Attorney General Nicole M. Argentieri’s speech highlighted a critical shift in the DOJ’s approach to evaluating corporate compliance programs. As outlined in the updated 2024 Evaluation of Corporate Compliance Programs (2024 ECCP), the emphasis on data access signals a new era where compliance professionals are expected to wield data with the same rigor and sophistication as their business counterparts.

In her remarks, Argentieri said, “Third, under the updated ECCP, our prosecutors will assess whether a compliance program has appropriate access to data, including to assess its effectiveness. We have added questions about whether compliance personnel have adequate access to relevant data sources and the assets, resources, and technology available to compliance and risk management personnel. As part of this assessment, we will also consider whether companies are putting the same resources and technology into gathering and leveraging data for compliance purposes they use in their business.”

Her remarks were paired with new language in the 2024 ECCP, which stated:

Data Resources and Access – Do compliance and control personnel have sufficient direct or indirect access to relevant data sources for timely and effective monitoring and/or testing of policies, controls, and transactions? Do any impediments exist that limit or delay access to relevant data sources, and if so, what is the company doing to address the impediments? Do compliance personnel know of and have the means to access all relevant data sources reasonably timely? Is the company appropriately leveraging data analytics tools to create efficiencies in compliance operations and measure the effectiveness of components of compliance programs? How is the company managing the quality of its data sources? How does the company measure the accuracy, precision, or recall of any data analytics models it uses?

Proportionate Resource Allocation – How do the assets, resources, and technology available to compliance and risk management compare to those available elsewhere in the company? Is there an imbalance between the technology and resources used by the company to identify and capture market opportunities and the technology and resources used to detect and mitigate risks?

The speech and the 2024 ECCP put new and additional requirements around a corporate compliance program in the areas of data and data analytics. But how exactly should compliance teams navigate these heightened expectations? Here’s what you must do to ensure your compliance program meets these new standards.

Evaluate Your Data Access to Ensure Unimpeded Access to Relevant Data

The first step in aligning with the DOJ’s expectations is to conduct a comprehensive audit of your current data access. Compliance professionals must ask:

  • Conduct a Data Access Audit. Identify all the critical data sources for monitoring and testing your compliance policies, controls, and transactions. This includes financial transactions, communications, third-party interactions, and other data relevant to your risk profile.
  • Identify and Eliminate Barriers. Once you have a map of your data landscape, scrutinize it for any impediments that may limit or delay access to critical data. These barriers could be technical, such as legacy systems that do not integrate well, or organizational, like departmental silos that restrict data flow. Develop a plan to remove these impediments, whether through technology upgrades, process improvements, or changes in data governance.
  • Educate and Empower Compliance Teams. It is not enough for data to be accessible; your compliance personnel must also have the knowledge and tools to access it effectively. Invest in training programs that enhance data literacy among your team members, ensuring they can navigate and leverage data to its full potential.

The DOJ will scrutinize whether your compliance team has the same data visibility as other business units. If you find gaps, now is the time to bridge them.

Assess Resource Allocation for Data Analytics

Argentieri’s remarks also underscore the importance of resourcing. It is more than having data; your corporate compliance function must have the tools and talent to analyze it effectively. The 2024 ECCP emphasizes the importance of using data analytics tools to create efficiencies in compliance operations and measure the effectiveness of compliance programs.

  • Technology Investment. Are you using advanced analytics tools? Leverage AI and machine learning to proactively identify patterns, anomalies, and potential compliance risks.
  • Invest specifically in Advanced Analytics Tools. Ensure that your compliance program is equipped with state-of-the-art data analytics tools. These tools should be capable of processing large volumes of data, identifying patterns, and flagging potential risks in real-time. Artificial intelligence (AI) and machine learning (ML) can be particularly useful in predictive analytics, helping you stay ahead of emerging risks.
  • Human Resources. Do you have data-savvy compliance professionals on your team? Consider upskilling current staff or hiring data analysts who understand the technical and regulatory landscapes.
  • Benchmark Resources Across the Organization. Start by comparing the assets, resources, and technology available to your compliance and risk management teams with those available in other departments, particularly those focused on capturing market opportunities. Look for any imbalances that could undermine the effectiveness of your compliance efforts.
  • Make a case for compliance. If compliance is underresourced, build a compelling business case for increased investment. Highlight the risks associated with inadequate compliance resources, including the potential for regulatory breaches, reputational damage, and financial losses. Use data to demonstrate how enhanced resources could improve compliance outcomes and protect the organization.

Implement Real-Time Monitoring

The DOJ’s focus on data access and analytics also means that real-time monitoring should be a cornerstone of your compliance strategy. Static, periodic reviews are no longer sufficient.

  • Continuous Data Feeds. Implement systems that provide compliance officers with ongoing, real-time data. This allows for immediate detection of potential issues.
  • Automated Alerts. Set up automated alerts for key risk indicators, such as unusual transaction patterns or policy violations. This ensures that your team can respond to potential breaches before they escalate.
  • Integrate Compliance into Business Strategy. To ensure ongoing support, integrate compliance more closely with business strategy. Show how robust compliance efforts contribute to long-term success, aligning compliance goals with the company’s objectives.

Leverage Data to Assess Compliance Program Effectiveness

The ultimate goal of data access and analytics is to measure and improve the effectiveness of your compliance program. The DOJ is looking for companies that can demonstrate how they use data to inform their compliance efforts.

  • KPIs and Metrics. Develop key performance indicators (KPIs) that track compliance program success. Metrics might include the number of detected compliance incidents, response times, or the effectiveness of training programs.
  • Data-Driven Adjustments. Use data insights to make real-time adjustments to your compliance strategy. If the data shows a particular area of concern, pivot quickly and address it with targeted interventions.
  • Measure the Effectiveness of Analytics Models. Develop metrics to evaluate the performance of your data analytics models. These could include detection rates, false positive/negative ratios, and the speed at which issues are identified and resolved. Review and refine these models to ensure they deliver accurate and actionable insights.

Ensure Transparency and Documentation

Finally, remember that the DOJ will be looking for transparency. Be prepared to demonstrate how you use data, make decisions, and allocate resources.

  • Document, Document, Document. Keep thorough records of your data access, analysis processes, and any adjustments based on data insights.
  • Audit Trails. Maintain clear audit trails that show how data influenced compliance decisions. This will be critical in demonstrating to the DOJ that your program is reactive and proactively leveraging data to prevent compliance failures.
  • Monitor Data Quality. High-quality data is the backbone of effective compliance. Regularly assess the quality of your data sources, checking for accuracy, precision, and recall. Implement data governance frameworks that ensure data integrity and reliability, ensuring your analytics models are based on the best available data.

Finally, under Part III of the 2024 ECCP, in the section entitled, Does the Corporation’s Compliance Program Work in Practice?, the DOJ said prosecutors would pose the following question, “Prosecutors should also assess how the company has leveraged its  data to gain insights into the effectiveness of its compliance program and otherwise sought to  promote an organizational culture that encourages ethical conduct and a commitment to  compliance with the law.”

Coupling that language from the 2024 ECCP with Nicole Argentieri’s speech, you see a clarion call for compliance professionals to elevate their programs through the availability and utilization of data and data analytics to meet the DOJ’s evolving expectations. The message is clear: data is not just a business asset but a compliance imperative. By ensuring unimpeded and robust data access, investing in analytics, implementing real-time monitoring, leveraging data to assess program effectiveness, and achieving resource parity for compliance, your compliance program will meet the DOJ’s standards and drive greater organizational integrity and resilience. In this new era of data-driven compliance, the key to success lies in strategic investment and proactive management.

The stakes have never been higher, but with the right approach, the rewards—reducing risk and increasing trust—are worth the effort.

Categories
Compliance Into the Weeds

Compliance into the Weeds: Argentieri Speech and Updated ECCP – The First Analysis

The award-winning, Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance related topic, literally going into the weeds to more fully explore a subject. Looking for some hard-hitting insights on compliance? Look no further than Compliance into the Weeds!

In this episode, Tom Fox and Matt Kelly take a deep dive into the speech by Principal Deputy Assistant Attorney General Nicole M. Argentieri at the Society of Corporate Compliance and Ethics 23rd Annual Compliance & Ethics Institute.

Argentieri, revealed substantial updates to the department’s Evaluation guidelines for effective compliance programs, focusing on whistleblower protections and the effectiveness of reporting mechanisms. Matt, reporting live from Dallas, discussed the implications of these updates, especially regarding the DOJ’s increased scrutiny on companies speak-up cultures and the protection of whistleblowers.

Tom and Matt explored the practical steps compliance officers need to take to meet these new DOJ expectations, including ensuring anonymous reporting mechanisms are well-publicized and effectively utilized, fostering a culture that encourages reporting without fear of retaliation, and aligning company policies with the latest external whistleblower protection laws. They also touched on the potential challenges of balancing AI risks with these new guidelines and the broader impact on compliance programs.

Key Highlights:

  • Key focus on enhancing whistleblower protections.
  • Compliance officers must ensure that reporting mechanisms are well-publicized.
  • Importance of aligning internal policies with external whistleblower protection laws to ensure comprehensive employee training.
  • Balancing the challenges of AI risks with the need to adhere to new DOJ guidelines.
  • The practical steps for compliance professionals to align their programs with DOJ’s evolving expectations.

Resources:

Matt in Radical Compliance

Tom in the FCPA Compliance and Ethics Blog

Tom

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
Blog

Argentieri Speech and 2024 ECCP: Whistleblowers and Anti-Retaliation

Deputy Assistant Attorney General Nicole M. Argentieri’s speech highlighted a critical shift in the Department of Justice’s (DOJ) approach to evaluating corporate compliance programs. As outlined in the updated 2024 Evaluation of Corporate Compliance Programs (2024 ECCP), the emphasis on data access signals a new era where compliance professionals are expected to wield data with the same rigor and sophistication as their business counterparts.

In her remarks, Argentieri said, “Second, following the recent announcement of our whistleblower awards program, the ECCP now includes questions designed to evaluate whether companies encourage employees to speak up and report misconduct or employ practices that chill reporting. Our prosecutors will closely consider the company’s commitment to whistleblower protection and anti-retaliation by assessing policies and training, as well as the treatment of employees who report misconduct. We will evaluate whether companies ensure that individuals who suspect misconduct know how to report it and feel comfortable doing so by showing that there is no tolerance for retaliation.”

Her remarks were paired with new language in the 2024 ECCP, which stated:

Effectiveness of the Reporting Mechanism – Does the company have an anonymous reporting mechanism, and why not? How is the reporting mechanism publicized to the company’s employees and other third parties? Has it been used? Does the company test whether employees know the hotline and feel comfortable using it? Does the company encourage and incentivize reporting of potential misconduct or violation of company policy? Conversely, does the company use practices that tend to chill such reporting? How does the company assess employees’ willingness to report? How has the company assessed the seriousness of the allegations it received? Has the compliance function had full access to reporting and investigative information? 

Commitment to Whistleblower Protection and Anti-Retaliation. Does the company have an anti-retaliation policy? Does the company train employees on internal and external anti-retaliation policies and whistleblower protection laws? To the extent that the company disciplines employees involved in misconduct, are employees who reported internally treated differently than others involved in misconduct who did not? Does the company train employees on internal reporting systems, external whistleblower programs, and regulatory regimes?

The speech and the 2024 ECCP impose new and additional requirements on a corporate compliance program in internal reporting, whistleblower protection, and anti-retaliation. But how exactly should compliance teams navigate these heightened expectations? Here’s what you must do to ensure your compliance program meets these new standards.

The DOJ has made it abundantly clear that companies must have effective, accessible, and well-publicized reporting mechanisms coupled with ironclad whistleblower protections. For compliance professionals, this mandate represents a critical component of a company’s overall compliance program that cannot be overlooked or underestimated. Here is what you need to do to implement these DOJ requirements effectively.

Establish and Maintain an Anonymous Reporting Mechanism

First and foremost, your company must have an anonymous reporting mechanism—commonly known as a hotline. If your company lacks this, it’s time to address this gap immediately.

  • Set Up a Hotline. Implement a reliable, user-friendly, anonymous reporting mechanism. This could be a dedicated phone line, an online portal, or both. The key is to ensure that employees and third parties can report misconduct without fear of exposure.
  • Publicize the Mechanism Effectively. Once in place, make sure everyone knows about it. Publicize the hotline through multiple channels—email announcements, posters in common areas, mentions in training sessions, and inclusion in employee handbooks. The goal is to ensure that no one in the organization can claim ignorance of its existence.
  • Test Awareness and Comfort Levels. Regularly survey employees to gauge their awareness of the hotline and their comfort in using it. This can be done through anonymous questionnaires or during training sessions. The DOJ expects companies to have a hotline that employees know and trust.

Encourage and Incentivize Reporting

A reporting mechanism is only as effective as the culture that surrounds it. Compliance professionals must work to foster an environment where reporting is encouraged and valued.

  • Positive Reinforcement. Encourage reporting by framing it as a positive, company-supportive action. Highlight success stories where reports led to meaningful change or helped the company avoid greater risks. Consider incentivizing reporting through recognition programs or other rewards that align with your company’s culture.
  • Avoid Chilling Practices. Be mindful of practices or policies that might discourage reporting. For example, employees will quickly learn to stay silent if your company has a history of disregarding reports or retaliating against reporters. Review your policies to ensure they don’t inadvertently dissuade reporting and correct any past practices that might have had this effect.
  • Leadership Commitment. The tone from the top is critical. Senior leaders must openly support and advocate for whistleblower protections. This includes publicly acknowledging the importance of reporting misconduct and demonstrating zero tolerance for retaliation. Leaders should actively participate in training sessions and speak about the value of transparency and accountability.
  • Anonymous Reporting Channels. While encouraging open dialogue is important, some employees may feel more comfortable reporting anonymously. Ensure that your organization has robust, confidential reporting channels in place. These might include hotlines, online portals, or third-party reporting services. Make sure these channels are well-publicized and easy to use.

Assess and Act on Internal Reports Thoroughly

The DOJ wants to know that companies take reports seriously. This means evaluating the seriousness of allegations promptly and thoroughly.

  • Rigorous Investigation Process. Ensure that all reports are promptly reviewed and assessed for seriousness. Develop a standardized process for triaging reports based on their nature and potential impact. This should involve clear guidelines for escalating significant issues to senior management or the board.
  • Full Access for Compliance. Your compliance function must have unrestricted access to all reporting and investigative information. This ensures that investigations are conducted independently and without interference and that the compliance team can assess trends, identify systemic issues, and recommend corrective actions.
  • 120 Days. Remember, the new Corporate Whistleblower Awards Pilot Program has a 120-day deadline from when a reporter speaks up in any manner internally. Companies must fully investigate and disclose to the DOJ within that timeline to be eligible for a Declination under the Corporate Enforcement Policy.

Reinforce Whistleblower Policies and Training

The foundation of any effective whistleblower program is a clear, robust policy communicated effectively across the organization.

  • Review and Update Whistleblower Policies. Start by revisiting your existing whistleblower policies. Ensure they clearly outline the process for reporting misconduct, the protections afforded to whistleblowers, and the consequences for retaliatory actions. Update your policies to reflect the latest regulatory guidance and industry best practices.
  • Comprehensive Training Programs. Policies are only effective if employees understand them. Develop and deliver training programs that educate employees on the importance of whistleblowing, the protections they are entitled to, and how to report concerns. This training should be mandatory, regularly updated, and tailored to different levels of the organization, ensuring everyone—from frontline employees to senior executives—understands their role in maintaining a speak-up culture.
  • Regular Communication. Keep whistleblowing at the forefront of your mind by regularly communicating the importance of speaking up. This can be through internal newsletters, town hall meetings, or dedicated campaigns reinforcing the company’s commitment to ethical conduct and employee protection.

Demonstrate Zero Tolerance for Retaliation

An effective compliance program must go beyond just having a hotline—it must actively protect those who use it. A key element of the DOJ’s evaluation will be how companies treat employees who report misconduct. It is critical to ensure there is no tolerance for retaliation.

  • Develop a Strong Anti-Retaliation Policy. Ensure your company has a comprehensive anti-retaliation policy that is clear, enforceable, and well-publicized. This policy should unequivocally state that retaliation against anyone who reports misconduct in good faith will not be tolerated.
  • Swift Action Against Retaliation. Establish clear, enforceable consequences for retaliatory behavior. If an employee experiences retaliation, act quickly to investigate the claim and, if necessary, take disciplinary action against those responsible. Publicize these actions (while maintaining confidentiality) to reinforce the message that retaliation will not be tolerated.
  • Training on Anti-Retaliation Laws. Train employees on your internal anti-retaliation policies and relevant external whistleblower protection laws. This training should be frequent and tailored to different levels of the organization, from entry-level employees to executives.
  • Monitor and Measure. Implement systems to track whistleblower reports and any subsequent actions. Regularly review this data to identify patterns or areas of concern, such as departments with higher rates of reported retaliation. Use this information to refine your policies and training, ensuring continuous improvement in your approach to whistleblower protection.

Build Trust Through Transparency

Trust is the cornerstone of any effective whistleblower program. Employees must know their concerns will be taken seriously and handled with integrity.

  • Transparency in Investigations. When a report is made, ensure the investigation process is transparent, thorough, and impartial. Keep the whistleblower informed (within the bounds of confidentiality) about the investigation’s progress and any resulting outcomes.
  • Fair Treatment of Whistleblowers. Scrutinize how whistleblowers are treated within your organization, especially if they are involved in the misconduct they reported. The DOJ will examine whether whistleblowers are treated fairly and without bias compared to others involved in the same incidents.
  • Celebrate Whistleblowers. Consider recognizing and celebrating employees who come forward with important information. While this can be a sensitive area, public acknowledgment (where appropriate) can reinforce the organization’s value of ethical behavior and speak up.

Evaluate and Improve Continuously

Finally, the DOJ will look for evidence that companies are committed to whistleblower protection and continuously improving their programs.

  • Regular Program Assessments. Conduct periodic assessments of your whistleblower program to ensure it remains effective and aligned with the latest regulatory expectations. This could involve employee surveys, focus groups, or third-party audits.
  • Act on Feedback. Use the insights gained from these assessments to make meaningful changes. Continuous improvement should be a core component of your whistleblower program, whether improving reporting channels, enhancing training, or refining policies.
  • Regular Training on Reporting Mechanisms. Incorporate training on internal reporting systems and external whistleblower programs into your regular compliance training. Employees should know how to report internally and to external regulators if necessary.
  • Assess Training Effectiveness. Regularly assess the effectiveness of this training through quizzes, feedback surveys, or audits. Ensure that employees understand the reporting systems and feel empowered to use them.

Nicole Argentieri emphasized the DOJ’s heightened focus on whistleblower protections within corporate compliance programs. This comes on the heels of the DOJ’s new whistleblower awards program and underscores the critical role of speak-up cultures in identifying and mitigating misconduct. For compliance professionals, this shift means more than just updating policies; it requires a fundamental reassessment of how your organization encourages, protects, and values whistleblowers. Here’s how you can align your compliance program with the DOJ’s expectations.

Her remarks make it clear that the DOJ is placing a renewed emphasis on whistleblower protections as a critical component of corporate compliance programs. For compliance professionals, this is both a challenge and an opportunity. By reinforcing your policies, fostering a culture of speaking up, demonstrating zero tolerance for retaliation, building trust, and committing to continuous improvement, you can meet the DOJ’s expectations and create a more ethical, transparent, and resilient organization.

The 2024 ECCP made it abundantly clear that companies must have robust, accessible reporting mechanisms and unwavering whistleblower protections. For compliance professionals, this means creating a culture that supports and actively encourages reporting. By setting up effective hotlines, fostering a positive reporting culture, ensuring thorough investigations, and protecting whistleblowers from retaliation, your compliance program will meet DOJ standards and contribute to a healthier, more ethical workplace. In today’s regulatory environment, the effectiveness of your reporting mechanism and commitment to whistleblower protection are no longer just best practices—they are imperatives.

Categories
Daily Compliance News

Daily Compliance News: September 24, 2024 – The Revised ECCP Released Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen to the Daily Compliance News. All from the Compliance Podcast Network.

Each day, we consider four stories from the business world: compliance, ethics, risk management, leadership, or general interest for the compliance professional.

In today’s edition of Daily Compliance News:

  • DOJ releases a 2024 update to the Evaluation of Corporate Compliance Programs. (FCPA Compliance & Ethics Blog)
  • Jackson Walker referred for disciplinary proceedings. (Reuters)
  • Singapore gears up for huge corruption trial. (Al Jazeera)
  • The UK government says flexible work is better for companies. (BBC)

Categories
Blog

Argentieri Speech: 6 Key Takeaways for Compliance Programs

On Monday, Principal Deputy Assistant Attorney General Nicole M. Argentieri spoke at the Society of Corporate Compliance and Ethics 23rd Annual Compliance & Ethics Institute. ( A copy of her remarks can be found here.) She reiterated the long-stated policy that compliance professionals play a critical role in ensuring companies comply with the law and foster a culture of ethics and integrity. She noted that the Department of Justice (DOJ) has made it clear that companies are the first line of defense against corporate crime, and compliance officers are on the front lines of this defense. The 2024 update to the DOJ’s Evaluation of Corporate Compliance Programs (ECCP) and the introduction of new pilot programs in 2024 underscore the increasing importance of the roles of compliance professionals. This blog post will review the highlights from her speech, the key lessons from this 2024 update to the ECCP, and how they should shape our approach to compliance programs in our organizations.

Lesson 1: Embrace Continuous Improvement in Compliance Programs

The DOJ’s emphasis on continuous improvement in compliance programs is a call to action for all of us. The updated ECCP highlights the need for companies to regularly review and update their compliance programs to account for emerging risks, such as those posed by disruptive technologies like artificial intelligence (AI). As the pace of technological advancement is rapid, and with it come new risks. AI, for example, can be a double-edged sword—while it offers efficiency and insights, it can also be exploited for fraudulent purposes, such as generating false documentation or approvals. The DOJ now explicitly expects companies to assess and manage these risks, which means we must stay ahead of the curve in understanding and mitigating the potential pitfalls of new technologies.

Action Steps for the Compliance Professional:

  • Conduct regular risk assessments that include emerging technologies.
  • Implement controls that address the risks associated with AI and other disruptive technologies.
  • Ensure your compliance program evolves alongside technological advancements with continuous testing and monitoring.

Lesson 2: Foster a “Speak Up” Culture

The DOJ’s updates to the ECCP also emphasize encouraging a culture where employees feel comfortable reporting misconduct. The newly integrated questions into the ECCP regarding whistleblower protection reflect the DOJ’s serious stance on this issue. A “speak up” culture is foundational to a strong compliance program. Employees on the ground are often the first to spot potential issues, and creating an environment where they feel safe to report without fear of retaliation is crucial. The DOJ will scrutinize how well companies protect whistleblowers, so we must ensure our organizations have robust policies and training.

Action Steps for the Compliance Professional:

  • Review and strengthen whistleblower protection policies.
  • Regularly train employees on reporting misconduct and reassuring them about the protections in place.
  • Monitor the effectiveness of your whistleblower program and make necessary adjustments to enhance reporting mechanisms.

Lesson 3: Data Access is Key to Compliance Effectiveness

Another critical area highlighted in the DOJ’s ECCP updates is the importance of data access for compliance personnel. The DOJ will now evaluate whether compliance teams have adequate access to the necessary data to assess the effectiveness of their programs.

Over the past 18 months, the DOJ has made it clear that accessing and analyzing relevant data is crucial for identifying risks and monitoring compliance. If compliance teams are siloed or cut off from important data sources, it hampers their ability to do their jobs effectively, and the DOJ will take notice.

Action Steps for the Compliance Professional:

  • Ensure that compliance personnel have access to all relevant data sources.
  • Invest in the necessary technology and resources for effective data analysis and monitoring.
  • Work closely with IT and other departments to break down silos and facilitate seamless data access.

Lesson 4: Leverage Compensation to Drive Compliance

The DOJ’s Compensation Incentives and Clawbacks Pilot Program introduced a new dimension to compliance—aligning compensation with ethical behavior. This initiative requires companies to include compliance-related criteria in their compensation and bonus systems. While it is certainly not new to align compensation with compliance goals, it sends a powerful message to employees and management that ethical behavior is non-negotiable, and the new emphasis on consequences in the form of clawbacks and holdbacks must be considered. The DOJ views this leveraging of positive incentives and negative outcomes as a tangible link between individual performance and the company’s commitment to integrity.

Action Steps for the Compliance Professional:

  • Integrate compliance metrics into performance evaluations and compensation structures.
  • Regularly assess the effectiveness of these incentives and make adjustments as needed.
  • Make sure you have the contractual right to clawback incentive awards or holdback bonuses for executives who are culpable or have buried their collective heads in the sand while corruption surrounds them.

Lesson 5: The Importance of Cooperation and Remediation

The DOJ’s approach to corporate resolutions underscores the importance of timely and effective cooperation and remediation. Companies that act quickly to cooperate with the DOJ and take meaningful steps to remediate misconduct are rewarded with significant penalty reductions. How a company responds can significantly affect the outcome in the unfortunate event of misconduct. The DOJ’s recent resolutions show that companies that move swiftly and decisively to address issues are viewed more favorably.

Action Steps for the Compliance Professional:

  • Develop a clear protocol for responding to potential misconduct, including timely self-disclosure to the DOJ.
  • Ensure that your company is prepared to cooperate fully with any investigation.
  • Focus on meaningful remediation efforts that address the root causes of misconduct and prevent future occurrences.

Lesson 6: Whistleblower Programs as a Strategic Tool

Launching the DOJ’s Corporate Whistleblower Awards Pilot Program (CWA) is a significant development for compliance professionals. This program incentivizes internal reporting and substantially rewards companies that self-disclose misconduct. Given the number of reports the DOJ received in its first month (100), the CWA adds a new layer of urgency for companies to establish strong internal reporting mechanisms. Companies that encourage and protect whistleblowers can benefit from the CWA, while those that fail to do so may face harsher penalties.

Action Steps for the Compliance Professional:

  • Strengthen your internal reporting systems and ensure they are well-publicized within the company.
  • Make sure that your whistleblower policies are aligned with the DOJ’s expectations.
  • Actively monitor and protect whistleblowers, ensuring there is no retaliation against those who report misconduct.

Now is the Time to Act

The DOJ’s updated policies and programs signal that corporate compliance expectations are higher than ever. Compliance professionals must take these developments seriously and use them as a roadmap to strengthen our programs. Do not wait. Whether embracing new technologies, fostering a “speak up” culture, or aligning compensation with ethical behavior, now is the time to make the necessary investments in compliance.

Remember, when misconduct does occur, it’s better to be proactive and call the DOJ before they call you. By taking these lessons to heart and implementing them in our organizations, we can meet the DOJ’s expectations and contribute to building a culture of integrity and accountability that will serve our companies well in the long run.