US Department of Justice Wants Data-Savvy Compliance Departments and Additional Protection for Whistleblowers

In September 2024, the US Department of Justice (“DOJ”) announced changes in how it evaluates corporate compliance programs. [1] Of particular note, the DOJ expects compliance departments to use data analytics to strengthen their compliance programs, and to ensure that whistleblowing and self-reporting of employee misconduct are encouraged. These changes, and the others set forth below, are part of continuing efforts by prosecutors to empower and activate corporate compliance departments to prevent, detect, report and remediate misconduct, and highlight the increased expectations placed on the corporate compliance function.

The DOJ can assert jurisdiction over non-US companies even if those companies do not have US operations, for example, under the Foreign Corrupt Practices Act if a company engages in bribery or corruption that has sufficient US nexus (such as the wiring of US dollars or use of a US-based bank account in connection with the act of bribery).

Non-US companies with a US presence or subject to US jurisdiction ought to ensure compliance with US laws and understand how potential corporate liability will be analysed in the event of employee misconduct.

Background

Although prosecutors approach each case individually, in recent years the DOJ has increasingly published various policies and frameworks that are designed to promote compliance with US federal laws and to identify and root out wrongdoing. In February 2017, the Fraud Section of the DOJ’s Criminal Division first identified factors relevant for its Evaluation of Corporate Compliance Programs (“ECCP”). The ECCP sets forth the questions and factors that the DOJ will consider in evaluating corporate liability as part of its investigations. [2]

ECCP Encourages Compliance Departments’ Use of Data Analytics

First, as to the ECCP, the DOJ announced a set of factors that examine the data resources available to corporate compliance programs. The ECCP now specifically asks if “compliance personnel have knowledge of and means to access all relevant data sources in a reasonably timely manner” and whether the company is “appropriately leveraging data analytics tools to create efficiencies in compliance operations and measure the effectiveness of components of compliance programs.” These changes underscore that there are a wealth of data and technology tools that can support compliance functions and companies are expected to leverage them to deter and detect misconduct. Just as data has become an important asset or resource for the world’s biggest companies, the DOJ will presume that compliance officers have “the necessary [technological] resources to do their jobs” and that compliance departments in general have the same analytical tools and timely access to data as other business-facing functions.

Second, the ECCP now includes an entirely new set of factors concerning whether companies are identifying and managing emerging risks relating to new technologies such as artificial intelligence (“AI”). Set against the backdrop of increasingly powerful and widely used AI applications, and DOJ prosecutions over the use of AI to spread disinformation on social media platforms, [3] this change is yet another example of US federal prosecutors expecting companies to keep up with emerging threats and new technology.

Third, the ECCP now explicitly evaluates corporate anti-retaliation policies and whether employees receive training on whistleblower protection laws. As part of encouraging whistleblowers to come forward, the DOJ will evaluate whether companies are doing enough to prevent retaliation and to make individuals feel comfortable reporting misconduct. The explicit addition of anti-retaliation policies to the ECCP is reason for companies to revisit their policies on this topic and ensure that they are consistent with these latest revisions.

Takeaways

The expectations on corporate compliance departments have increased. The DOJ is unlikely to find that merely maintaining compliance policies and procedures and investigating potential misconduct when it comes up is enough. Among recent additions, compliance teams are expected to have access to up-to-date information about the functioning of the company, based on sophisticated data analytics systems, encourage reporting, prevent retaliation, and build out compliance programs that respond to emerging technology and risks. Fortunately, technology can indeed help with these burdens, but companies should take note that increased budget, focus and creative thinking may be necessary to keep up with the DOJ’s efforts to raise the bar on corporate compliance obligations and standards.

Contact any of the authors for more insight and information into these policy changes and their potential effect on your company.

[1] https://www.justice.gov/opa/speech/principal-deputy-assistant-attorney-general-nicole-m-argentieri-delivers-remarks-society

[2] https://www.justice.gov/criminal/criminal-fraud/page/file/937501/dl

[3] https://www.justice.gov/opa/pr/justice-department-leads-efforts-among-federal-international-and-private-sector-partner