There are now strict new rules CIOs and other senior executives need to adhere to after the US Department of Justice (DoJ) this week released an update to its Evaluation of Corporate Compliance Programs (ECCP) guidance.
The changes, which were announced Monday by Principal Deputy Assistant Attorney General Nicole M. Argentieri in Grapevine, Texas, will, according to a Gartner advisory released on Wednesday, mean that “compliance leaders are facing heightened expectations to provide clear guidance on the responsible use of AI for their employees.”
In her address to members of the Society of Corporate Compliance and Ethics (SCCE), Argentieri focused on the ECCP update, and said it “includes an evaluation of how companies are assessing and managing risk related to the use of new technology such as artificial intelligence, both in their business and in their compliance programs.”
Under the ECCP, she added, “prosecutors will consider the technology that a company and its employees use to conduct business, whether the company has conducted a risk assessment of the use of that technology, and whether the company has taken appropriate steps to mitigate any risk associated with the use of that technology.”
Argentieri said, “we have also updated the ECCP to expand upon an important concept — that companies should be learning lessons, from both the company’s own prior misconduct and from issues at other companies, to update their compliance programs and train employees.”
Further to that, the update states, “this document is meant to assist prosecutors in making informed decisions as to whether, and to what extent, the corporation’s compliance program was effective at the time of the offense … for purposes of determining the appropriate form of any resolution or prosecution; monetary penalty, if any; and compliance obligations contained in any corporate criminal resolution.”
It goes on to say that, during the course of an investigation, there are three fundamental questions a prosecutor should ask: Is the corporation’s compliance program well designed? Is the program being applied earnestly? (In other words, is the program adequately resourced and empowered to function effectively?) Does the corporation’s compliance program work in practice?
Beyond that, there are other supplemental questions that will be asked and answered, such as “how does a company assess the potential impact of new technologies, such as on its ability to comply with criminal laws? What is the company’s approach to governance regarding the use of new technologies such as AI in its commercial business and in its compliance program? What baseline of human decision-making is used to assess AI? How is accountability over use of AI monitored and enforced?”
Argentieri ended her speech thusly: “Companies that step up and own up to misconduct send a powerful message about the importance of a robust compliance program and ethical corporate culture. I hope you will take this message back to your companies: Now is the time to make the necessary compliance investments to help prevent, detect, and remediate misconduct. And when you uncover misconduct, call us before we call you.”
The law firm of Crowell & Moring, headquartered in Washington, DC, addressed the update on its website, and in one of two key takeaways said, “the updated ECCP highlights the DoJ’s growing expectations for corporate compliance programs and personnel in an environment with changing technology and business pressures, and it directs prosecutors to consider whether corporate compliance programs are reactive or proactive.”
It described the update as “an evergreen reminder that companies should continually reassess their compliance programs to ensure they are keeping pace with the organization’s risk profile — including risks presented by technological advances.”
Peter Eyre, a partner with the firm, said Thursday, “there have been a series of speeches, memos, press events, where DoJ is highlighting the importance of compliance in terms of the overall approach it takes to enforcement. And there are some notable changes in this September 23 version over the prior version. I do not think it is really out of step at all with what they have said before. It emphasizes and shifts the focus onto some new areas consistent with prior public announcements that office has made.”
It is, he said, a “good opportunity for companies that have not refreshed their compliance and risk assessments in some time to do [so], recognizing these new areas of focus and key takeaways from the DoJ discussion.”
Lauren Kornutick, director analyst in the Gartner legal and compliance practice, said, “incorporating AI guidance into an organization’s codes of conduct is critical. These codes act as a comprehensive resource for employees seeking corporate direction, and for stakeholders monitoring a firm’s governance.”
She wrote in a Gartner Q&A that the reason for compliance leaders to consider adding AI guidance to their code is threefold:
- Prevalent use of AI: The average employee now has access to AI, and without guardrails, they may give away sensitive data, make biased decisions, or use the technology to draft misleading or deceiving communications with customers.
- Increased regulatory scrutiny: With warnings from the US Department of Justice against AI-facilitated misconduct, as well as new global regulations and government orders, appearing oblivious to these compliance obligations is not an option.
- Growing stakeholder demand for transparency: Investors, suppliers, customers, and other external stakeholders demand to know more about the guardrails being placed around companies’ use of AI.
Kornutick said in an interview that CIOs are “so tasked with executing on strategic vision — and that is OK — for you want them to be able to innovate and innovate safely. [The update] is a wakeup call that you need to build an empathetic partnership between the CIO and CDAO back to compliance.”
Compliance, she said, “on one hand, can actually help them deploy these new technologies safely. But the compliance teams are also going to need [a CIO’s] help with access to data to build out their compliance monitoring program. What this guidance does is it really brings it to life that, if that partnership does not yet exist, and the compliance team and legal team do not have a seat at the CIO’s table on strategic vision, now is a good time to facilitate that partnership.”