Corporate Compliance: DOJ Evaluation Updates/Pilot Programs

KPMG Regulatory Insights

• Data Access/Monitoring: Ensuring the level of direct/indirect access to data sources for timely and effective monitoring/testing of policies, controls or transactions.
• Compliance Investment: Assessing the assets, resources, and technology available to compliance and risk as compared to elsewhere in the company.
• Tech and AI: Incorporating new evaluation for the risk management of disruptive technologies, particularly AI, including an emphasis on risk assessments, risk mitigation, and technology monitoring/testing.

 __________________________________________________________________________________________________________________________________________________

September 2024

The Department of Justice’s (DOJ) Criminal Division announces several updates to programs and policies “to prevent and deter corporate crime by incentivizing corporations to invest in robust compliance programs and report misconduct when it occurs.” The updates include the Criminal Division’s:

• Evaluation of Corporate Compliance Programs (ECCP)
• Compensation Incentives and Clawbacks Pilot Program
• Corporate Whistleblower Awards (CWA) Pilot Program

Key updates are highlighted below.

Evaluation of Corporate Compliance Programs (ECCP). The Criminal Division has updated the ECCP to address several emerging risks, including:

• Technology and AI Risk Management: The ECCP contains new guidelines for evaluating how companies manage risks associated with disruptive technologies, particularly artificial intelligence (AI), in both their business and compliance programs. This includes an emphasis on whether companies have:
  • Conducted a risk assessment on the technology they use to conduct business and whether they have taken steps to mitigate the identified risks.
  • Implemented monitoring and testing procedures to evaluate whether the technology is functioning as intended and consistent with the code of conduct.
• Whistleblower Protections: Questions have been added to the ECCP to evaluate companies’ policies and training as well as treatment of whistleblowers, including whether companies:
  • Demonstrate a commitment to whistleblower protection and anti-retaliation through the existence and enforcement of anti-retaliation policies.
  • Have effective channels for reporting misconduct, including testing for employee awareness and use of those channels.
  • Encourage and incentivize reporting of potential misconduct and ensure that employees feel safe to report concerns without fear of retaliation.
• Data Access for Compliance Functions: The updated ECCP also assesses whether compliance programs have appropriate access to data, including questions that consider whether:
  • Compliance personnel have direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, or transactions.
  • The assets, resources, and technology available to compliance and risk management compare to those available elsewhere in the company.

DOJ notes that it has also expanded its expectation that companies learn from instances of misconduct, both their own and that of others, to continuously improve their compliance programs. Revisions to corporate compliance programs in light of lessons learned are considered an indicator of risk-tailoring.

Compensation Incentives and Clawbacks Pilot Program. The program, announced in March 2023 (see KPMG’s Regulatory Alert, here), is now halfway through the three-year pilot period and has produced the following observations:

• The program’s requirement to include compliance-related criteria in compensation systems is leading companies across various industries to reevaluate and adjust their compensation systems to better promote compliance (e.g., linking performance and annual reviews to compliance standards and company values).
• The program’s policy for fine reductions is incentivizing companies to recoup or withhold compensation from employees found culpable of misconduct.

Corporate Whistleblower Awards Pilot Program (CWA). The three-year pilot program, announced in August 2024, aims to encourage whistleblowers to report misconduct and to fill gaps in corporate enforcement that are not covered by other agencies' whistleblower initiatives, targeting specifically financial system abuses by financial institutions and insiders, foreign corruption and bribery schemes, domestic corruption, and health care schemes targeting private insurers.

• An amendment to the Corporate Enforcement and Voluntary Self-Disclosure Policy (CEP) ties into this program by offering companies that self-disclose quickly (within 120 days of receiving an internal whistleblower report and before DOJ reaches out to the company) the presumption of a declination, assuming full cooperation and remediation efforts.