The DOJ has raised the bar for corporate compliance programs, with recent updates demanding new attention to AI risks and electronic communications. StoneTurn’s Jonny Frank breaks down the essential elements of a DOJ-ready program and explains why 2025 is the year to get serious about implementation.
Which is more likely: a company coming under DOJ investigation or a commercial building being destroyed by fire? Answer: DOJ investigation.
Don’t believe me? Destruction from fire is less frequent due to modern fire safety measures and rapid response times. According to the National Fire Protection Association, there were about 130,000 non-residential building fires in the US in 2022, a low probability per building, given there are almost 6 million commercial buildings in the US. On the contrary, the range of issues that trigger DOJ investigations is vast, and the proliferation of government whistleblower programs has increased the likelihood of detection.
Yet, despite the statistical differences, companies are more willing to install fire extinguishers and buy insurance than invest in compliance programs that satisfy DOJ “Evaluation of Corporate Compliance Program” guidance. Just as building owners buy fire insurance and keep fire extinguishers on hand — not expecting a fire but ready for the worst — companies should invest in ECCP-compliant programs because it makes good business sense. Both investments are made with the hope that they will never be needed and the understanding that the benefits of prevention and timely detection far outweigh the potential expense and disruption that arise from unanticipated events. Following the updated ECCP guidance means taking concrete steps.
Conduct an AI-facilitated ECCP gap assessment
ECCP gap assessments cross-reference the organization’s policies, processes and controls against the questions the ECCP poses to prosecutors. While this may seem straightforward on paper, executing these assessments often proves costly and time-consuming, given the volume of documents and file formats the team must analyze.
Enter generative AI. Begin by ingesting the organization’s compliance policies, processes, controls and the ECCP into a securely held, locally hosted large language model (LLM). Then, craft a series of prompts to address each ECCP requirement, resulting in LLM-generated responses to each requirement. The responses will create a first draft of observations, enabling human analysts to kickstart their work. Leveraging proven technology solutions enables organizations to more efficiently and effectively get their arms around otherwise cumbersome processes.
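The workflow just described, as an added example that is not code from the article or from StoneTurn: a small Python harness that pairs each ECCP question with the organization's own policy excerpts before any model sees it, and sends the model only a grounded, citation-required prompt. The policy documents and the question list are constructed samples (the questions paraphrase ECCP topics, not the ECCP's wording), and `placeholder_model` is an assumed stand-in for whatever client talks to the locally hosted LLM.

```python
"""Harness for an LLM-assisted ECCP gap assessment (added example, not code
from the article or from StoneTurn). The policy documents and the question
list are constructed samples: the questions paraphrase ECCP topics and are
not the ECCP's wording. The model call is injected as a plain callable so
the harness can be pointed at any locally hosted LLM; `placeholder_model`
below stands in for that call and is an assumption of this example."""
import re
from dataclasses import dataclass
from typing import Callable

# Constructed sample: excerpts from the organization's own policy documents.
POLICY_DOCS = {
    "messaging-policy.md": (
        "Employees must use approved messaging apps for business communication. "
        "Messages on approved apps are retained for seven years."
    ),
    "byod-policy.md": (
        "Personal devices used for work are enrolled in mobile device management. "
        "Business data on personal devices is preserved and remains accessible "
        "to the compliance function."
    ),
    "training-policy.md": (
        "All staff complete annual compliance training covering communications "
        "and reporting."
    ),
}

# Constructed sample: paraphrased question topics, one per ECCP area of interest.
ECCP_QUESTIONS = [
    "Does the company have policies governing personal devices and messaging apps, "
    "and how is business data preserved?",
    "Does the company conduct periodic audits to monitor adherence to its "
    "communication policies?",
    "Does the company inventory its uses of AI and assess the emerging risks they create?",
]

# Words that carry no topical signal for this corpus; tune per organization.
STOPWORDS = {"does", "the", "company", "have", "and", "how", "is", "its", "to",
             "of", "a", "for", "are", "on", "in", "they", "create", "what",
             "must", "use", "all"}


def tokens(text: str) -> set[str]:
    """Lower-case content words, used for evidence retrieval."""
    return {w for w in re.findall(r"[a-z]+", text.lower()) if w not in STOPWORDS}


def retrieve(question: str, docs: dict[str, str], top_k: int = 2,
             min_overlap: int = 2) -> list[str]:
    """Return the names of up to top_k documents sharing at least min_overlap
    content words with the question, best match first (ties broken by name)."""
    q = tokens(question)
    scored = [(len(q & tokens(body)), name) for name, body in docs.items()]
    hits = sorted(((s, n) for s, n in scored if s >= min_overlap),
                  key=lambda sn: (-sn[0], sn[1]))
    return [n for _, n in hits[:top_k]]


def build_prompt(question: str, evidence: dict[str, str]) -> str:
    """Prompt that confines the model to the supplied excerpts and asks it to
    cite them, so the draft cannot claim controls the documents do not show."""
    excerpts = "\n\n".join(f"[{name}]\n{body}" for name, body in evidence.items())
    return (
        "You are drafting a compliance gap observation. Answer only from the "
        "excerpts below, cite each excerpt by its bracketed name, and reply "
        "'NOT EVIDENCED' for any part of the question the excerpts do not cover.\n\n"
        f"Question: {question}\n\nExcerpts:\n{excerpts}\n"
    )


@dataclass
class Observation:
    question: str
    evidence: list[str]   # document names an analyst can open to verify
    draft: str            # model output, or a fixed gap note when no evidence
    gap_candidate: bool   # True when retrieval found nothing to assess


def placeholder_model(prompt: str) -> str:
    """Stand-in for the locally hosted LLM call (assumption: replace with the
    client for your own model). Returns a fixed, clearly marked draft."""
    return "DRAFT (placeholder model, analyst review required)"


def assess(questions: list[str], docs: dict[str, str],
           model: Callable[[str], str]) -> list[Observation]:
    """One observation per question. Questions with no supporting evidence are
    flagged as gap candidates without consulting the model at all."""
    out = []
    for q in questions:
        names = retrieve(q, docs)
        if not names:
            out.append(Observation(q, [], "NO SUPPORTING POLICY FOUND", True))
            continue
        prompt = build_prompt(q, {n: docs[n] for n in names})
        out.append(Observation(q, names, model(prompt), False))
    return out


if __name__ == "__main__":
    for obs in assess(ECCP_QUESTIONS, POLICY_DOCS, placeholder_model):
        print(f"{'GAP? ' if obs.gap_candidate else 'OK   '} {obs.question}")
        print(f"      evidence={obs.evidence} draft={obs.draft!r}")
```

Retrieval runs before the model so that a question with no matching policy text surfaces as a gap candidate on its own, which stops the model from drafting coverage the documents never showed; every draft that is produced carries the document names an analyst can open to check it. Everything stays on the host running the script, and swapping `placeholder_model` for the client of the locally hosted model is the only change needed to go live.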
Address recent ECCP updates
The DOJ updated the ECCP in 2023 and 2024. These amendments will likely come up in the ECCP gap assessment and should be addressed in the law and compliance functions’ 2025 plans.
2023 electronic communications update
The 2023 update pertains to messaging apps, personal devices and communication platforms. Building on the SEC and CFTC’s off-channel communication sweep, the update requires companies to establish policies to collect and preserve business data for compliance. Meeting the 2023 electronic communications update requires companies to:
- Review existing policies on using personal devices, communication platforms and messaging apps.
- Identify all communication channels across business functions and jurisdictions, mapping preservation settings and accessibility.
- Examine policies related to bring your own device (BYOD) programs and messaging apps, focusing on data preservation and access protocols.
- Create or refine policies to ensure business-related electronic data is accessible and preserved.
- Implement comprehensive employee training programs.
- Establish regular audits and monitoring procedures to enforce policies consistently.
- Document the rationale behind policy decisions for regulatory transparency.
2024 data and technology updates
In September 2024, the DOJ announced a round of ECCP updates, including several relating to data and technology. The risk assessment section of the ECCP includes a new section titled “Management of Emerging Risks to Ensure Compliance with Applicable Law,” which requires companies to identify and manage emerging internal and external risks, including AI.
The ECCP section on third-party management includes an update on leveraging data to evaluate vendor risk, and the compliance program autonomy and resources section asks whether the organization can measure the commercial value of investments in compliance and risk management. The ECCP section on how the compliance program works in practice asks (1) how the company leverages data to gain insights into compliance program effectiveness; (2) how it monitors, tests and corrects flawed technologies; and (3) whether the compliance function can access data to detect misconduct and compliance program deficiencies.
Meeting the 2024 data and technology updates requires companies to:
- Create an inventory of all uses of AI and other emerging technologies.
- Conduct a risk assessment to identify inherent and residual compliance risks arising from AI and other emerging technologies.
- Re-perform the existing compliance risk assessment, considering AI and other technology.
Close the gaps
Compliance and legal department planning for 2025 should include developing corrective action plans to address gaps identified in the assessment and the 2023 and 2024 ECCP updates. Corrective actions often take several months, if not years, to develop and implement. While DOJ policy mandates that prosecutors assess the effectiveness of a compliance program at the time of an offense, it is often enough for organizations to show they are actively working to improve their compliance programs and controls. But the plan should be documented and comprehensive.
Plans should (1) include governance (e.g., steering committee, project management office); (2) describe objectives; (3) detail necessary work steps; (4) assign responsibility and accountability; (5) set milestones; (6) create a realistic timeline; (7) provide sufficient expertise and resources; (8) note dependencies (e.g., technological solutions); and (9) avoid vague “plans for a plan.”
Test compliance program and controls
The ECCP emphasizes the importance of testing, as do other DOJ policies. The testing function must be independent — it cannot serve as an advocate or review its own work. Nor can it be subordinate to the function, department or business under evaluation (e.g., an internal audit function that reports to the CCO cannot independently test compliance controls).
Testing the compliance program against the ECCP criteria differs from testing compliance controls. Compliance program testing applies standard audit procedures to validate whether the program’s design and implementation meet the ECCP criteria.
Compliance controls testing, in contrast, focuses on risks and risk response, including policies, processes and controls. The testing function applies standard audit procedures to assess the design and validate the operating effectiveness to determine if the controls suite brings the risk within risk appetite.
Broadly summarized, the process entails (1) setting risk appetite; (2) selecting applicable laws and regulations; (3) identifying breach scenarios; (4) linking the scenarios to the control suite; (5) auditing control suite design and operating effectiveness; (6) identifying deficiencies, significant deficiencies or material weaknesses; and (7) issuing findings and recommendations.
Investing in DOJ-compliant compliance programs and controls is as prudent as installing fire safety measures. Fires may be rare, but building owners know the value of being prepared. Compliance programs are the equivalent of the overall fire safety program, and compliance controls are the equivalent of steps building owners take to mitigate specific risks and scenarios (e.g., electrical fires, evacuation).
As DOJ scrutiny grows, companies that prioritize compliance programs and controls that meet ECCP standards will be better equipped to anticipate and manage compliance risks and scenarios, detect and address compliance violations and weather any unexpected regulatory challenges in 2025 and beyond.