Skip to Main Content

October 04, 2024
Health Law Weekly

Governance Implications of the New Department of Justice Compliance Effectiveness Guidelines

  • October 04, 2024
  • Michael W. Peregrine , McDermott Will & Emery
  • Ashley C. Hoff , McDermott Will & Emery LLP
Board Room Chairs
Share this:

Health care corporate boards, and their Audit & Compliance Committees, should take heed of the latest revisions of the Department of Justice’s (DOJ’s) Evaluation of Corporate Compliance Programs (ECCP) guidance, released on September 23. This is particularly important as boards consider a more robust oversight approach to the company’s use of emerging technology, such as artificial intelligence.

As most chief legal and chief compliance officers know, a critical corporate governance responsibility is the oversight of an organizational compliance program’s effectiveness. The ECCP is an historically valuable resource and guide in that regard. Indeed, DOJ refers to it as “the roadmap” by which its Criminal Division prosecutors evaluate the effectiveness of a company’s compliance program for purposes of resolving a criminal investigation.

This latest version of the ECCP incorporates what DOJ calls “critical additions” in three principal categories: (i) the risk of misusing disruptive technology like artificial intelligence; (ii) whistleblower protections, along with the promotion of a reporting culture; and (iii) whether a company’s compliance program has the appropriately high level of internal resources to access data that would be helpful in assessing program effectiveness. The new ECCP also contains an assortment of other substantive revisions. 

These changes in DOJ’s “new and improved” ECCP are particularly significant for health care company compliance plans given their strong emphasis on data and technology (especially artificial intelligence). They also prompt board compliance committees to be more deliberate in their oversight of the resources available to support program effectiveness and to learn from not only their own mistakes, but to take lessons from the mistakes of others.

Principal Changes

Disruptive Technology. The first principal change to the ECCP relates to the risk of misusing disruptive technology and directs the Criminal Division to include an assessment of disruptive technology risks—including a clear focus on artificial intelligence—in its evaluation. The new version of the ECCP adds a detailed assessment of how companies are monitoring and managing new technology risks, both in their business and in their compliance programs.

As part of the assessment, DOJ prosecutors will evaluate the technology used by the company and its employees to conduct business and determine whether the company has (i) performed a risk assessment of the use of that technology, and (ii) taken appropriate steps to mitigate any risk associated with the use of that technology. This assessment would involve a comprehensive evaluation of artificial intelligence training and risk management practices within the company, including but not limited to changes to the legal and regulatory landscape and the increased use of new technologies.

The risk, monitoring, trust, and related questions prosecutors are to ask about the company’s use of artificial intelligence are consistent with the types of questions that leading corporate governance policy groups expect boards to ask of their own technology management.

Whistleblower Protections and a Reporting Culture. The second principal change to the ECCP relates to the rise of the whistleblower who reports misconduct as the centerpiece to DOJ’s approach to corporate compliance and enforcement. The new version of the ECCP adds questions designed to focus on whether the company (i) encourages its employees to report misconduct, or (ii) takes steps to discourage such reporting. 

A key area of focus will be on the company’s commitment to whistleblower protections and anti-retaliation, through policies, training, and its treatment of employees who report misconduct. Prosecutors are also directed to ask whether (to the extent that the company disciplines employees involved in misconduct), employees who reported internally are treated differently than others involved in misconduct who did not.

Access to Data. The third principal change to the ECCP relates to whether the company’s compliance program has appropriate, high-level resources dedicated to accessing data, including that which would be helpful in gauging program effectiveness. The new version of the ECCP adds an array of questions geared towards revealing the ability of compliance personnel to access specific data sources, as well as about the assets, resources, and technology that are available to compliance and risk management personnel.

For example, prosecutors are directed to evaluate the extent to which compliance and control personnel can access relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions. They are also expected to identify impediments that may limit access to relevant sources of data (and, if so, the corrective steps the company is taking).

Notably, prosecutors are also directed to review the proportionality of resource allocation; i.e. the extent to which the assets, resources, and technology available to internal compliance and risk management teams are comparable to those available for commercial purposes. A related area of inquiry is the potential for imbalance between the company’s commitment to technology and resources used to identify and capture market opportunities for its business revenue, and the technology and resources used to detect and mitigate risks on the inside.

Other Substantive Changes

Greater emphasis is placed on the effectiveness of the company’s internal compliance reporting mechanism. Newly added questions address the extent to which the company encourages and incentivizes reporting of potential misconduct or violation of company policy. They also address whether the company uses practices that tend to chill such reporting.

In the newest version of the ECCP, DOJ also makes it a point to underscore the importance of lessons learned, not just from a company’s own prior issues, but through the close observation of missteps and outcomes associated with the conduct of other companies. The ECCP’s revisions ask if there is tracking and incorporation for both internal and external lessons learned for optimal risk assessment.

Questions regarding the relationship of the organization’s compliance function to acquisition targets continue to evolve. In particular, a new question has been added that considers the company’s process for implementing and/or integrating a compliance program post-closing.

Key Governance Implications 

There are three principal corporate governance takeaways from the new version of the ECCP:

First is that DOJ appears to be focusing more on the substance of the compliance program (e.g. available resources and breadth of program coverage) than the program’s form (e.g. “check the box”). This could place new pressure on the Audit & Compliance Committee to pursue an in-depth evaluation of substantive elements of the program.

Second is the increasing need for intra-board compliance oversight collaboration between otherwise disparate committees focusing on technology and data, human resources, and executive compensation. Previously announced DOJ corporate fraud initiatives have underscored the importance of collaboration between the executive compensation and corporate compliance committees. The newly revised ECCP works to encourage further collaboration, between the board’s technology committee and the compliance committee.

Third is a heightened expectation of greater board engagement in its oversight of compliance program effectiveness. As the Delaware courts continue to mold and refine their interpretation of the Caremark compliance oversight duty, the Audit & Compliance Committee must reconsider the amount of time, energy, and resources committed to compliance effectiveness.

Regular briefings on compliance developments such as the updated ECCP help demonstrate the good faith commitment of the board, and of its Audit & Compliance Committee, to its Caremark-grounded compliance oversight obligations. The organization’s CLO and CCO, perhaps in conjunction with the CIO, are the appropriate corporate officers to conduct this briefing.

About the Authors

Michael W. Peregrine and Ashley Hoff are attorneys in the Chicago and Austin, respectively, offices of McDermott, Will & Emery, where they represent health industry clients on board oversight of corporate compliance programs, and of related white collar matters. Their views do not necessarily represent those of McDermott, Will & Emery and/or its clients.

Bibliography

1. United States Sentencing Commission, Federal Sentencing Guidelines Chapter §8B2.1. Effective Compliance and Ethics Program), https://www.ussc.gov/guidelines/2018-guidelines-manual/2018-chapter-8.

2. Department of Justice Evaluation of Corporate Compliance Programs (Updated Version), https://www.justice.gov/criminal/criminal-fraud/page/file/937501/dl.

3. Principal Deputy Assistant Attorney General Nicole M. Argentieri Delivers Remarks at the Society of Corporate Compliance and Ethics 23rd Annual Compliance & Ethics Institute, https://www.justice.gov/opa/speech/principal-deputy-assistant-attorney-general-nicole-m-argentieri-delivers-remarks-society.

4. Principal Deputy Assistant Attorney General Nicole M. Argentieri Delivers Remarks at the Computer Crime and Intellectual Property Section’s Symposium on Artificial Intelligence in the Justice Department at Center for Strategic and International Studies, https://www.justice.gov/opa/speech/principal-deputy-assistant-attorney-general-nicole-m-argentieri-delivers-remarks-0.

5. Deputy Attorney General Lisa Monaco Delivers Remarks on New Corporate Whistleblower Awards Pilot Program, https://www.justice.gov/opa/speech/deputy-attorney-general-lisa-monaco-delivers-remarks-new-corporate-whistleblower-awards.

*This article was shared with members of AHLA's In-House Counsel Practice Group.

 

ARTICLE TAGS