Compliance

Navigating the DOJ's 2024 ECCP Update: How AI and Tech Shapes Corporate Compliance

October 25, 2024by Tiffany Magri

The U.S. Department of Justice (DOJ) has released its 2024 update to the Evaluation of Corporate Compliance Programs (ECCP). This update reflects the DOJ's recognition of how rapidly evolving tech is reshaping business operations and compliance challenges.

At the heart of the 2024 ECCP update is a heightened focus on "emerging technology that the company and its employees are using to conduct company business." The DOJ now expects organizations to demonstrate that they have:

Conducted thorough risk assessments regarding the use of new technologies
Taken appropriate steps to mitigate any risks associated with these technologies

Why it matters

The DOJ recognizes technology's influence on how business run. Businesses — especially those using artificial intelligence — are now expected to assess their use of technology solutions and have a plan on how to mitigate risks.

AI: A powerful tool that requires careful oversight

Artificial intelligence (AI), especially the generative kind, is transforming how we work. It's like having a super-smart intern who never sleeps, but this intern doesn't always know right from wrong.

The DOJ is essentially saying, "We know AI is great, but are you keeping it on a leash?"

They want to see that you're not just implementing AI discriminately, but you're also managing it responsibly. Specifically for AI governance, the DOJ noted four key areas:

Risk management: AI risks need to be integrated into your broader enterprise risk management strategy. You can’t treat AI as just another tool — it has its own set of risks that need addressing.
Governance and controls: Robust oversight mechanisms for AI systems are critical to ensuring compliance and preventing misuse.
Accountability: Clear lines of responsibility are a must. Who is accountable when AI makes a bad call?
Training: Ensure employees understand the compliance implications of AI use. AI may be smarter than us in many ways, but it still needs human oversight.

Data resources and proportionate resource allocation

Building on the focus on technology and AI, the DOJ has stressed two critical areas:

Data resources
Proportionate resource allocation

Corporate compliance teams must have timely access to relevant data and must effectively leverage analytics tools. Additionally, companies must ensure that compliance resources are proportionately allocated. Specifically, the DOJ is scrutinizing how compliance resources compare to those in other departments, emphasizing the need for balanced allocation between market opportunities and risk mitigation.

This means investing not only in the right tools but also in people. Compliance departments need to be just as technologically equipped as other business units. The DOJ is taking a close look at whether compliance teams are well-staffed and well-resourced with the latest data and tech tools to meet these evolving challenges.

Proving program effectiveness

It’s not enough to have a compliance program on paper anymore — the DOJ wants proof that it works.

The DOJ now explicitly asks prosecutors to consider, "whether the company's compliance program had a track record of preventing or detecting other instances of misconduct, and whether the company exercised due diligence to prevent and detect misconduct."

The updated ECCP emphasizes the need for organizations to demonstrate that their compliance programs are effective in practice, not just in theory. Companies are now expected to:

Document instances where their compliance programs successfully prevented or detected misconduct
Show ongoing due diligence in preventing and detecting criminal conduct
Leverage data analytics to assess and gain insights into the effectiveness of their compliance efforts
Regularly update risk assessments and compliance policies to adapt to emerging risks
Conduct gap analyses to identify areas where current policies may fall short
Incorporate lessons learned from their own experiences and those of industry peers

Supervision of corporate communications: The overlooked hero

In a world of constant digital communication, the DOJ previously emphasized the importance of supervising corporate communications to detect compliance issues early. This oversight not only helps catch potential problems but also serves as proof of an active, functioning compliance program. But the DOJ’s focus goes beyond communication oversight — it also highlights data transparency as a critical component of an effective compliance strategy.

Data transparency ensures that compliance teams have full visibility into all relevant data, not just communication records. This includes transaction data, operational metrics and AI-generated outputs. By maintaining transparency, organizations can better monitor decision-making processes, identify anomalies and provide a clear audit trail for regulatory purposes.

When it comes to AI and emerging technologies, monitoring how employees interact with AI systems can reveal areas of potential misuse or unintended consequences. Ensuring data transparency allows organizations to track not just communications, but also how AI and other technologies are being used across the business, helping ensure compliance in real-time.

Effective supervision can help:

Detect compliance issues early
Show the real-world impact of compliance training and policies
Provide evidence of due diligence in preventing misconduct
Ensure data transparency, making all relevant data — from communications to operational metrics — accessible for compliance review and auditing

Training and misconduct response

The update pushes for more tailored, risk-based training approaches, especially for high-risk employees. Standard training isn’t enough — risk training must be relevant to their roles, and companies need to measure how effective that training is. Are employees just attending sessions, or are they actually applying what they’ve learned?

The DOJ also emphasizes consistent responses to misconduct:

Disciplinary actions should be applied fairly across the organization, regardless of an employee's position
Financial penalties for misconduct must be integrated into compensation structures
Recoupment policies should be in place to claw back compensation when misconduct is uncovered

A data-driven, tech-savvy approach to compliance

The 2024 ECCP update clearly signals that the DOJ expects companies to adopt a more sophisticated, data-driven approach to compliance. By focusing on technology risk management, leveraging data analytics, ensuring proportionate resource allocation, and demonstrating real-world effectiveness, organizations can build corporate compliance programs better equipped to meet these evolving expectations.

FEATURED GUIDE

Financial Services and Generative AI: Navigating a New Era of Innovation

How Financial Services Firms are Embracing — and Governing — Generative AI

Get Guide

Share this post!

Author
Recent Posts

Tiffany Magri

Senior Regulatory Advisor at Smarsh

As a Regulatory Advisor at Smarsh, Tiffany Magri monitors, evaluates and consults on the financial services regulatory landscape. Tiffany has more than 10 years of experience facilitating compliance with laws and regulations, policies, and risk management. Prior to joining Smarsh, Tiffany was a Senior Associate at Benefit Street Partners and a Compliance Analyst at Broadstone and Manning & Napier Advisors.

Smarsh Blog

Our internal subject matter experts and our network of external industry experts are featured with insights into the technology and industry trends that affect your electronic communications compliance initiatives. Sign up to benefit from their deep understanding, tips and best practices regarding how your company can manage compliance risk while unlocking the business value of your communications data.

Ready to enable compliant productivity?

Join the 6,500+ customers using Smarsh to drive their business forward.

watch it work

More Resources