Last month, the U.S. Department of Justice (“DOJ”) quietly updated its March 2023 guidance on the evaluation of corporate compliance programs.[i] Of course, DOJ did not conduct a major rewrite, but interestingly, the updated guidance emphasizes the impact, and evaluation, of emerging technologies on compliance as well as the importance of data when assessing compliance programs.

The guidance is meant to assist prosecutors in determining whether, and to what extent, a corporation’s compliance program was effective at the time of an offense, and is effective at the time of a charging decision or resolution. The guidance contains three sections based upon fundamental questions a prosecutor should ask: (1) whether the compliance program is well designed, (2) whether the compliance program is adequately resourced and empowered to function efficiently, and (3) whether the compliance program works in practice.

Risk Assessments

With respect to risk assessments, the guidance directs prosecutors to consider the new and emerging technologies used by a company to conduct business, whether a company has conducted a risk assessment regarding the use of that technology, and whether a company has taken steps to mitigate risks associated with the technology.

In its discussion of risk management, DOJ highlights inquiring into whether a company identifies and manages emerging internal and external risks that could impact the ability to comply with law. In this new section, DOJ specifically addresses artificial intelligence (“AI”) and provides questions to evaluate the compliance posture of AI. DOJ suggests prosecutors evaluate whether policies and procedures have been updated in response to internal and external issues and developments. The updated guidance also includes a new section on whistleblower protection and anti-retaliation, with new questions relating to policies, training, and discipline.

Mergers & Acquisitions

DOJ expands its inquiry into post-transaction compliance programs and integration. In the revised guidance, DOJ adds additional questions for evaluating the integration of compliance programs by migration or combination. The updated guidance also rehauls its guiding questions for evaluating post-transaction compliance programs to go beyond general inquiries about processes to integration, specific evaluation of compliance policies and procedures, risk assessment activities, and post-acquisition audits.

Compliance Program Resources

Within the section that directs prosecutors to evaluate whether a corporate compliance program is adequately resourced and empowered to function effectively, the updated guidance adds questions for evaluating the data resources and access of a compliance program, including whether data is being appropriately leveraged, managed, and evaluated for quality. DOJ also adds a section on proportionate resource allocation which instructs prosecutors to compare the resources and technology for compliance purposes to other functions of the company.

Effectiveness in Practice

In the revised guidance, DOJ adds a discussion of data when evaluating whether a corporate compliance program is actually effective. For example, the track record of and due diligence exercised by a compliance program should be assessed. How a company has leveraged data to evaluate whether the compliance program is actually effective should also be taken into account. When new technologies, such as AI, are used, the guidance directs prosecutors to consider whether the company monitors and tests those technologies to see if they function as intended and are consistent with the company’s code of conduct. The success and effectiveness of the compliance program should be measured. DOJ also inserts a new subsection on data and transparency which directs prosecutors to scope the extent to which the company has access to data and information to identify misconduct and deficiencies in its compliance program, and whether it is taking proactive steps to gather that information.

What Do These Updates Mean?

Compliance programs, especially those in the life sciences and healthcare industries, have received renewed attention within the last couple years. In April 2023, the Office of Inspector General Department of Health and Human Services (“OIG”) announced that it would update and modernize its compliance program guidance documents (“CPGs”). Although OIG has not yet released those CPGs, it announced last month that the first will be published in late 2024. [ii] This updated guidance released by DOJ, in combination with the anticipated publication of OIG”s updated CPGs, suggests DOJ is keeping a close eye on compliance programs and may increase its enforcement in this area.

The updated guidance underscores the importance of careful and mindful adoption of new technologies such as AI. Given the revisions to the guidance, DOJ suggests that employment of these technologies requires monitoring after deployment in order to ensure they are being utilized responsibly and appropriately. The guidance’s new discussion of data also indicates that companies should be incorporating a quantitative approach into their compliance program, and should be appropriately using collected data to improve and enhance the effectiveness of a compliance program. While the updates to the guidance may not be lengthy, they reflect the fast changes brought to the compliance world by new technologies and their information-gathering capabilities.

FOOTNOTES

[i] U.S. Department of Justice Criminal Division, “Evaluation of Corporate Compliance Programs” (Updated Sept. 2024), available here.

[ii] See U.S. Department of Health and Human Services Office of Inspector General, “Compliance Guidance”, available here; See our previous discussion of OIG’s updates here.