DOJ has released its latest update on the standards used in assessing corporate compliance programs, linked here. This update identifies important trends that government contractors and recipients should address. Miller & Chevalier published a quick review of the changes compared to the March 2023 version. DOJ also provides a red-lined version of the changes here. The guidance is updated regularly in response to trends identified by the DOJ. The expectation is that corporate compliance should evolve as well.
The September 2024 guidance includes added details :
- Use and management of risks with data, AI, and emerging technology
- Assessing the effectiveness of whistleblower protections and speak-up programs in giving employees a comfort level in reporting without fear of retaliation
- The evolution of a company’s compliance program and culture in response to its own and other companies’ misconduct.
The incorporation of language on emerging technology includes the expectation that companies address the use of new technologies in their ERM and compliance risk assessments. Among the concerns is using AI and other new technology to generate false approvals and fake documentation. The days of photo-shopping pictures to inflate the participant numbers in trainings and doctoring photocopies to falsify hotel receipts are over. The revised guidance lists 10 questions on the management of emerging technologies. DOJ expects a company’s policies and procedures to be based on how technology is used and how they are updated based on evolving compliance requirements.
In line with the DOJ’s new program to incentivize whistleblowing, the revised guidance asks more detailed questions about the effectiveness of a company’s whistleblower protection program. How does the company assess employee willingness to report? How committed is the company to whistleblower protection? DOJ will ask employees who report misconduct how comfortable they felt raising the concern, and if they feared retaliation.
The revised guidance expands its expectation that policies and procedures as well as training and communications evolve in response to lessons learned from other companies operating in the sector. This highlights the value of communities of practice such as INDEP, International Development Ethics Professionals, and CABEN (Capital Area Business Ethics Network) as venues for sharing trends and best practices.
While DOJ is raising concerns about the risks of misconduct in using AI and other emerging technologies, they also expect companies to make greater use of data, analytics, and other information to identify vulnerabilities and potential misconduct. Compliance programs now need to be more than a hotline, a code of conduct, and annual training.
