Opening
The DOJ’s updated Evaluation of Corporate Compliance Programs (ECCP) guidelines for 2024 introduce several key enhancements aimed at addressing emerging risks and improving the effectiveness of corporate compliance programs. Here’s a deeper dive into the main updates, along with a comparison to prior versions:
Key Changes in the 2024 DOJ Compliance Guidelines Compared to 2020 and 2023 Updates
Third-Party Due Diligence:
- 2024 Update: Continuous monitoring of third-party partners throughout the relationship is now required. Companies must use data analytics and conduct regular audits to monitor third-party compliance, with an emphasis on risk management throughout the life of the relationship, not just at the outset.
- Comparison to 2023: The 2023 update had begun to push for stronger third-party oversight, but the 2024 version formalizes ongoing due diligence as essential to a company’s overall compliance strategy.
- Comparison to 2020: The 2020 version mainly focused on initial due diligence at the beginning of third-party relationships, with only periodic reviews recommended. The 2024 version goes much further by requiring continuous oversight throughout the partnership.
AI and Technology Risks:
- 2024 Update: The 2024 guidelines include provisions for assessing risks associated with artificial intelligence (AI) and other emerging technologies, particularly in terms of data privacy, potential misuse, and bias. Companies are expected to have systems in place to manage AI-related risks, especially in decision-making processes.
- Comparison to 2023: The 2023 guidelines introduced concerns related to the use of personal devices and third-party messaging platforms but did not address AI specifically. The 2024 guidance expands the focus on technology to include AI and advanced data analytics.
- Comparison to 2020: The 2020 guidelines touched on technological risks in terms of data protection and cybersecurity, but they did not anticipate the specific risks posed by AI and remote work technologies that have become more prevalent since the pandemic.
Compensation and Whistleblower Programs:
- 2024 Update: The 2024 guidance expands on the Compensation Incentives and Clawbacks program introduced in 2023, encouraging more companies to integrate compliance metrics into executive compensation systems. Additionally, the new Corporate Whistleblower Awards program incentivizes internal reporting of misconduct by offering benefits under the Corporate Enforcement and Voluntary Self-Disclosure Policy for companies that self-report violations within 120 days.
- Comparison to 2023: The 2023 version introduced the Compensation Incentives and Clawbacks pilot program, which tied compliance performance to executive bonuses. The 2024 update builds on this by highlighting the benefits of proactive whistleblower programs, offering new avenues for reduced penalties if companies act quickly to report issues.
- Comparison to 2020: The 2020 guidelines stressed the importance of accountability but did not directly link compensation to compliance in the way the 2023 and 2024 updates have. The whistleblower program is also a new feature not present in 2020.
Enhanced Focus on Data and Operational Integration:
- 2024 Update: The 2024 guidance places a stronger emphasis on integrating compliance into everyday operations across all departments. Companies are expected to have systems for real-time data monitoring and management participation in compliance oversight at all levels.
- Comparison to 2023: The 2023 guidelines began encouraging data-driven compliance but did not require as much focus on real-time monitoring and integration into daily operations. The 2024 update stresses that compliance programs should be dynamic and operational, continuously evolving to meet new risks.
- Comparison to 2020: The 2020 guidelines discussed the importance of risk assessments and management involvement but did not mandate the same level of data flow and real-time operational integration now required in 2024.
Other Noteworthy Elements in the 2024 Update
- Corporate Culture and Tone at the Top: The 2024 guidelines continue to emphasize the importance of leadership commitment to compliance, but now also require ongoing management participation and visible leadership in compliance efforts, ensuring that the program is not simply a “check-the-box” exercise.
- Regulatory Flexibility: The 2024 version pushes for a flexible, constantly improving compliance program that can adapt to new situations, with a greater emphasis on auditing, root cause analysis, and corrective action.
Summary
The DOJ’s 2024 compliance guidelines introduce critical new elements such as continuous third-party monitoring, AI risk management, and enhanced whistleblower programs. These changes build on the incremental updates seen in 2023, further pushing companies toward a dynamic, proactive approach to compliance, compared to the more static frameworks in place in 2020.
Trend - My Thoughts
The trend in the DOJ’s compliance guidelines from 2020 to 2024 shows a clear shift towards continuous, proactive risk management and operational integration of compliance programs. The focus has moved from periodic assessments and reactive measures to real-time monitoring, particularly of third-party relationships, and ongoing use of data analytics. The introduction of AI risk management and the increasing use of whistleblower programs signal a growing concern with emerging technologies and internal reporting mechanisms.
A significant new aspect is the DOJ’s emphasis on managing risks related to artificial intelligence (AI), where companies are now expected to assess and mitigate AI-related risks. Compliance programs must incorporate tools to test and monitor AI systems to prevent misuse and ensure data accuracy. Additionally, there’s an enhanced focus on whistleblower protections, with the introduction of the Corporate Whistleblower Awards Pilot Program, which incentivizes internal reporting of misconduct and shields whistleblowers from retaliation.
Further, the DOJ is pushing for compliance personnel to have greater access to data and resources, aligning compliance capabilities with the tools businesses use to manage their core operations. Finally, compliance is increasingly tied to executive compensation through the Compensation Incentives and Clawbacks Pilot Program, reinforcing accountability and encouraging ethical behavior at all levels. Overall, the trend is toward embedding compliance deeply into daily operations, ensuring that companies are not only responding to risks but actively preventing and mitigating them in a dynamic business environment.
Access to Guidance