In September 2024, the Criminal Division of the Department of Justice (DOJ) released an important update to its Evaluation of Corporate Compliance Programs (ECCP) policy document, which now includes specific guidance on the risks associated with artificial intelligence (AI). This revision underscores the DOJ’s recognition of AI as a source of new compliance challenges that businesses must address proactively. Companies aiming to uphold effective compliance programs are now expected to demonstrate comprehensive governance over both the development and deployment of AI technologies.
The ECCP, first published in February 2017, serves as a framework for DOJ prosecutors to evaluate corporate compliance programs in criminal matters. Although corporate misconduct has seen a decline under the current administration, the ECCP continues to guide both prosecutors and corporations in assessing compliance program effectiveness. The document is structured around three core questions: whether the compliance program is well-designed, whether it is applied earnestly and in good faith, and whether it functions effectively in practice.
With the updated ECCP, prosecutors will assess whether a company’s risk assessment incorporates measures to mitigate risks related to the use and misuse of emerging technologies, particularly AI. Key questions now include: how companies evaluate the potential impact of AI on compliance with criminal laws, how AI risk management is integrated into broader enterprise strategies, and what measures are in place to curb negative consequences from AI usage. Additionally, companies must ensure that controls are established to monitor AI’s reliability and compliance, mitigate risks of misuse, and provide adequate employee training on emerging technologies.
The revisions to the ECCP reflect the DOJ’s heightened scrutiny over AI-related compliance issues, reinforced by recent enforcement actions against companies accused of irresponsible AI use. For instance, the DOJ has initiated investigations and enforcement actions against organizations allegedly violating the Fair Housing Act and federal antitrust laws through AI-driven practices. Notably, the DOJ maintains that housing providers using algorithms for rental applicant screening can still face discrimination claims, while price-setting algorithms can lead to price-fixing allegations. Similar actions have also been taken by the Securities and Exchange Commission and Federal Trade Commission against companies making misleading claims about their AI applications.
To navigate the new regulatory landscape, companies are urged to weave AI governance into their compliance frameworks. Best practices for establishing an AI-aware compliance program include conducting comprehensive AI risk assessments to identify all instances of AI use, from customer-facing applications to internal operations. Organizations should also develop clear policies governing acceptable AI use, establish controls to ensure AI trustworthiness, and prepare for potential AI-related misconduct. This involves defining how AI could be misused and implementing technical measures to prevent unauthorized use.
Many organizations are turning to established AI governance frameworks, such as the National Institute of Standards and Technology’s AI Risk Management Framework (AI RMF) and the ISO/IEC 42001 standard, to inform their compliance strategies. The AI RMF offers practical guidance for managing AI-related risks, while ISO 42001 provides a certifiable management-system standard. Utilizing both frameworks can help companies meet the good-faith requirement for AI compliance during investigations related to the ECCP.
The challenges posed by AI in the corporate compliance landscape are significant. Companies that overlook these risks may find themselves unprepared in enforcement scenarios, lacking the governance structures that prosecutors now expect. By proactively conducting thorough AI risk assessments, implementing robust oversight mechanisms, and ensuring comprehensive employee training, organizations can align with the DOJ’s expectations while still reaping the benefits of AI technologies. The urgency for action is clear: businesses must act now to avoid potential compliance failures as prosecutors increasingly apply the ECCP framework to their investigations.
See also
Silver Touch Technologies Launches AI-Enhanced Digital Governance Engagement Platform
Professors and Students Navigate New AI Usage Rules in Higher Education Landscape
Claude Surpasses ChatGPT as No. 1 App Amid Intensified AI Trust and Ethics Debate
T3’s Jen Gennai Reveals Key Strategies for AI Tool Deployment in Compliance Programs
Tech Giants Fund $125M Super PAC Against NY Congressman Pushing AI Regulation
