Don’t Wait for the DOJ to Come Knocking: Important Whistleblower Protection and AI Risk Management Updates

By: Benjamin S. Kingsley, Jennifer J. Hitchcock, Ran Ben-Tzur, Michael S. Dicke, Christopher J. Steskal, David Feder, Yi (Yvette) Chen

What You Need To Know

  • In September 2024, the United States Department of Justice (DOJ) announced its updated Evaluation of Corporate Compliance Programs guidance, which is the roadmap that Criminal Division prosecutors use to evaluate a company’s compliance program.
  • The updated guidance underscores two primary DOJ priorities for corporate compliance: (1) how companies are navigating risks relating to artificial intelligence and other “new and emerging technologies,” and (2) how companies are encouraging and protecting corporate whistleblowers.
  • There are multiple updates across different areas in the guidance that corporate compliance professionals should review.

Background

In September 2024, the DOJ’s Criminal Division released an updated Evaluation of Corporate Compliance Programs (ECCP) guidance document to address emerging risks. The ECCP serves as a roadmap for how DOJ evaluates a company’s compliance program in considering enforcement action against that company.

DOJ sees the ECCP as a critical reference for companies seeking guidance on the effectiveness of their compliance programs. DOJ’s Criminal Division first promulgated the ECCP in early 2017 and regularly updates the document to reflect what DOJ sees as emerging compliance risks and future enforcement focuses. Substantive updates signal likely future DOJ enforcement focuses.

Among the 2024 document updates, two in particular signal key focus areas for future enforcement actions: (1) risks relating to artificial intelligence and (2) whistleblower programs. The emphasis on these two areas builds on a steady drumbeat of messaging from DOJ in 2024.

Most colorfully, in March 2024, Deputy Attorney General Lisa Monaco of the DOJ emphasized that the department’s message to companies is: “Knock on our door before we knock on yours.”

Monaco highlighted the importance of effective whistleblower programs and voluntary self-disclosure, adding that criminal use of AI was one of a growing number of reasons for the DOJ to come knocking.

New Technologies and Artificial Intelligence

The revised ECCP places strong emphasis on “Managing Emerging Risks to Ensure Legal Compliance.” The key takeaway from this is that DOJ expects companies to identify emerging risks derived from “new technologies,” including the use of AI.

According to the updated ECCP, prosecutors will consider new technologies when evaluating companies’ compliance measures from two key perspectives:

  1. First, prosecutors will examine whether a company incorporates its use of new technologies and AI in its compliance policy design. DOJ expects compliance programs to utilize the best-available technologies, appropriate to corporate scale and risks.
  2. Second, prosecutors will examine whether a company, in implementing its compliance programs, reviews and updates its compliance policies to account for the use of new technologies and, in particular, AI (including the use of third-party AI tools).

The ECCP details a set of specific questions that prosecutors will ask in considering how corporate compliance programs assess risk from AI and other new technologies, including the following questions:

  • How does the company assess the risk of its use of new technologies and AI, including whether the use of new technologies could potentially expose the company to criminal liabilities?
  • How has the company mitigated or curbed risks associated with the use of new technologies and AI, in both its commercial business and its compliance programs? This includes both unintended consequences from the use of such technologies and intentional or reckless conduct by its employees.
  • Is the company’s risk management of new technologies and AI incorporated into the broader enterprise risk management framework?
  • Has the company implemented controls to monitor the use of AI, both in the company’s business and its compliance program, to ensure its trustworthiness, reliability, and use in compliance with applicable law and the company’s own code of conduct?
  • What controls exist to ensure the use of new technologies and AI is limited to their intended purposes?
  • What baseline of human decision-making is used to assess the effect of AI?
  • How is accountability over AI monitored and enforced?
  • How does the company train its employees to use new technologies and AI?
  • How quickly can the company detect and correct decisions by AI or other new technologies that are inconsistent with the company’s values?

The ECCP’s definition of AI refers to the White House’s March 2024 memorandum regarding advancing governance, innovation, and risk management for agency use of artificial intelligence.

This definition covers any artificial system that performs tasks without human oversight; learns from experience and improves with datasets; solves tasks requiring human-like perception, cognition, planning, learning, communication, or physical action; thinks and acts like a human; performs cognitive tasks; or is designed to act rationally. The ECCP’s definition also covers the underlying technologies of AI, including machine learning, reinforcement learning, transfer learning, and generative AI. It applies both to AI tools developed internally and those developed by third parties.

Whistleblower Protections

Another highlight of the ECCP is its focus on whistleblower programs—especially whistleblower anti-retaliation. Expanding on earlier 2024 DOJ announcements like the Corporate Whistleblower Awards Pilot Program, through which DOJ says it has already received more than 100 tips, these updates underscore DOJ’s emphasis on encouraging and protecting corporate whistleblowers.

Under the updated ECCP, prosecutors will evaluate companies’ policies and training on whistleblower anti-retaliation. In particular, the ECCP directs prosecutors to ask:

  • Does the company have an anti-retaliation policy for whistleblowers?
  • Does the company train employees on both internal and external anti-retaliation policies?
  • Does the company train employees on external whistleblower protection laws?
  • Does the company train employees on internal reporting systems and external whistleblower programs and regulatory regimes?
  • To the extent the company disciplines employees involved in misconduct, are employees who reported internally treated differently from others involved in misconduct who did not?

Comments by DOJ leadership make clear that DOJ wants companies to reward employees for their commitment to compliance, lauding companies that are “incorporating into their compensation systems performance reviews that include an assessment of how employees demonstrate the company’s core values.”

Data Resources and Access and Continuous Improvement

The updated ECCP also demonstrates DOJ’s focus on the effectiveness and efficiency of companies’ compliance programs.

Under these updates, prosecutors will assess compliance personnel’s knowledge of and means to access all relevant data sources; whether such access is provided in a timely manner; and whether the company allocates the assets, resources, and technology to compliance and risk management commensurate with other groups within the company. Prosecutors will also evaluate the efficiency and effectiveness of the company’s data analytics tools in compliance operations and programs.

DOJ also directs companies to build dynamic compliance programs that learn from history, including from the company’s own prior issues and from known issues of other companies in the same industry and geographical region.

Challenges and Potential Impacts

The new ECCP reveals two primary focus areas for future enforcement actions, which present new challenges for corporate compliance teams.

First, DOJ is focused on corporate use of AI and is dedicating substantial resources to finding corporate crime involving AI. The questions posed in the ECCP serve as much as an investigative roadmap for prosecutors as they do as questions about an effective compliance program. The government’s definition of AI incorporated into the updated ECCP is also quite broad and may cover a large scope of systems applying AI technology. It will cover the use of many forms of new technologies by companies in traditional industries, especially systems without significant human oversight or those performing human-like tasks.

Given the inherent nature of novel technologies, understanding their risks and impacts can be challenging for early adopters. DOJ is placing the burden on companies to anticipate and mitigate the various potential negative outcomes of their use of these technologies.

Second, DOJ is continuing a relentless push to uncover corporate crime through whistleblower programs and corporate self-disclosures. DOJ is signaling that it will look closely at how companies treat internal whistleblowers and the actual efficacy of anti-retaliation programs. This focus on training and informing employees about external whistleblower programs is new and poses challenges for companies encouraging employees to report complaints internally.

Next Steps

All companies, especially those whose commercial business activities and internal operations frequently apply AI or other related new technologies, should take time to review and reevaluate their existing overall compliance programs with an eye toward the use of AI, or any other new technologies generally. Compliance programs should be reviewed and updated in light of the new ECCP.

But more significantly, companies that have not done so should spend resources evaluating all kinds of risks posed by AI use.

Though DOJ is asking a lot of companies to predict the risks from novel and sometimes poorly understood technologies, the ECCP demands a thoughtful and comprehensive focus on building processes to limit those risks, rather than perfection. Companies should seek legal advice when appropriate as part of this evaluation given the novelty of the technology, and the uncertainty of how existing legal regimes will apply to its use.

Corporations should also take the opportunity to evaluate their whistleblower protection and anti-retaliation training and policies, with a particular eye toward the efficacy of their anti-retaliation programs.