Corporate compliance on the hot seat – updated US DOJ guidance and initiatives by US Attorneys’ Offices aim to further encourage whistleblowing
While fall is always a busy time of year, this fall has been particularly busy for the US Department of Justice (“DOJ”) and US Attorneys’ offices around the country (collectively, the “Agencies”), at least as it relates to corporate compliance. The Agencies have continued to prioritize compliance by, among other things, enhancing publicly available guidelines and introducing or improving initiatives geared at incentivizing whistleblowing and voluntary disclosures.
With regards to the DOJ, on September 23, 2024, Principal Deputy Assistant Attorney General Nicole M. Argentieri introduced an amended version of its Evaluation of Corporate Compliance Programs policy (“ECCP”), updated to address “emerging risks,” which include technology, data, and AI. This revised guidance also features insights into what DOJ expects to see in corporate compliance programs in terms of whistleblowing mechanisms. This addition is no surprise considering DOJ’s recently implemented whistleblower rewards pilot program and similar initiatives.
Several US Attorneys’ offices have likewise been busy. We reported in the spring that (like the DOJ) the Southern District of New York (“SDNY”) and Northern District of California had announced pilot programs focused on incentivizing voluntary self-disclosure. Since then, several other US Attorneys’ offices have introduced similar initiatives.
Clearly, corporate compliance is an area of top priority for the Agencies. In this context, it is vital that companies take this opportunity to re-assess their corporate compliance programs in accordance with DOJ’s amended ECCP and invest in making improvements where needed. Whistleblowing mechanisms (including ensuring there are proper protocols in place for employees to “blow the whistle” if needed and providing protection against retaliation) should be a particular point of focus.
DOJ updates its ECCP to address evolving technologies, data, and whistleblowing
In Argentieri’s words, the ECCP is “the roadmap Criminal Division prosecutors use to evaluate a company’s compliance program, including questions prosecutors will ask as they assess a compliance program in determining how to resolve a criminal investigation.” She added that DOJ’s assessment of a company’s compliance program is a “critical component” of any corporate resolution, evaluated both at the time of the misconduct and the time of resolution.
With its September 2024 update, the ECCP now addresses the following new areas (among others):
- Technology: DOJ will consider technologies used, such as AI, including whether such technologies are being monitored and tested for consistency with company codes of conduct. With regards to AI, for example, DOJ will consider among other things how companies assess the potential impact of AI on their ability to comply with criminal laws, whether AI-related risks are integrated into a company’s broader enterprise risk management strategies, whether controls exist to ensure AI is only used for its intended purposes, how accountability over the use of AI is monitored and enforced, and how the company trains its employees on the use of emerging technologies such as AI. (DOJ has also just announced its new Strategic Approach to Countering Cybercrime, including crimes facilitated by AI, and emphasized its readiness to “combat the criminal use of AI.”)
- Data: DOJ will consider whether compliance personnel are appropriately leveraging available data, including to assess the effectiveness of the compliance function.
- Whistleblowing: DOJ will consider whether companies encourage and incentivize reporting of potential misconduct or violations of company policy, whether companies use practices that chill such reporting, and how companies assess employees’ willingness to report misconduct. DOJ will also consider whether companies have an anti-retaliation policy, as well as whether companies offer training on anti-retaliation and whistleblower protection laws and external whistleblower programs and regulatory regimes.
Several more US Attorneys’ Offices announce whistleblower pilot programs
In the past few weeks, there has been a flurry of activity in US Attorneys’ offices across the country. In particular, the Eastern District of New York (EDNY Program), District of New Jersey (DNJ Program), Southern District of Florida (SDFL Program), Eastern District of Virginia (EDVA Program), District of Columbia (DDC Program), Southern District of Texas (SDTX Program), and Northern District of Illinois (NDIL Program) each announced new whistleblower pilot programs. These programs are broadly similar to the pilot program announced by SDNY earlier this year.
EDNY’s pilot program, for example, grants cooperating individuals the prospect of a non-prosecution agreement if they come forward with original information about the following types of criminal conduct: (1) fraud or corporate control failures; (2) IP theft; (3) market integrity violations; (4) state or local bribery or fraud related to federal, state or local funds; (5) obstruction of justice, perjury, or false statements; (6) healthcare fraud; and (7) money laundering.
Companies should take this opportunity to review and strengthen whistleblower protocols and protections
In this regulatory environment, companies operating in the US would be well advised to devote time and resources to evaluating and improving corporate compliance programs in line with the updated ECCP. One area that warrants particular attention is company whistleblowing protocols. Companies should have processes in place allowing employees to report misconduct internally and which ensure such complaints are reviewed thoroughly, appropriately triaged to legal, HR, and/or other departments as needed, and effectively resolved. Indeed, many external whistleblower reports are made after internal reporting fell on deaf ears.
Crucially, companies should ensure that whistleblower complaints are reviewed and handled expeditiously, as delays can have serious implications. In particular, DOJ has confirmed that companies can still qualify for a presumption of a declination under its Corporate Enforcement and Voluntary Self-Disclosure Policy if a whistleblower submits a report to DOJ before the company self-discloses, but only if the company self-reports the conduct at issue to DOJ within 120 days after receiving the whistleblower’s report (assuming all other policy requirements are met).
Finally, companies should also adopt policies that both encourage and protect whistleblowers from retaliation.