Recent revisions made to the Criminal Division’s ” Evaluation of Corporate Compliance Programs (ECCP)” guidance highlight, among other things, risks created by artificial intelligence (AI). Thus, it
United Kingdom
Technology
To print this article, all you need is to be registered or login on Mondaq.com.
Recent revisions made to the Criminal Division’s “Evaluation of Corporate Compliance Programs
(ECCP)” guidance highlight, among other things, risks
created by artificial intelligence (AI). Thus, it would be prudent
for compliance professionals to consider these revisions as they
reevaluate the adequacy and effectiveness of their
organization’s compliance program.
The most comprehensive updates to the newes trevision of the ECCP, published in September
2024, highlight the Department of Justice’s enhanced focus
on reducing risks associated with disruptive technologies. The
revisions follow remarks by Deputy Attorney General Lisa Monaco in
March 2024, when she directed the Criminal Division to
“incorporate assessment of disruptive technology risks,
including risks associated with AI,” in the ECCP.
Prosecutors often assess how the compliance program mitigated
certain risks when resolving a corporate criminal case. “For a
growing number of businesses, that now includes the risk of
misusing AI,” Monaco stated in her remarks.
Additionally, Monaco forewarned that prosecutors will seek stiffer
sentences for offenses “made significantly more dangerous by
the misuse of AI.” Such AI misuse could include false
approvals or AI-generated documentation, for example.
Principal Deputy Assistant Attorney General Nicole Argentieri remarked that compliance professionals and
compliance programs play a role in mitigating AI-related risks.
Prosecutors will consider, for example, whether compliance controls
and tools are in place that can “confirm the accuracy or
reliability of data used by the business.”
Prosecutors also will assess “whether the company is
monitoring and testing its technology to evaluate if it is
functioning as intended and consistent with the company’s code
of conduct,” Argentieri added.
AI questions to consider
A new section in the revised ECCP directs prosecutors to assess
how the company and the compliance program manage emerging risks.
Taking cues from the ECCP, compliance professionals should consider
the following additional questions in evaluating the
organization’s compliance program:
- Is management of risks related to theuse of AI and other new
technologies integrated into broader enterprise risk management
(ERM) strategies? - What is the company’s approach to governance regarding the
use of new technologies, such as AI, in its commercial business and
in the compliance program? - How is the company curbing any potential negative or unintended
consequences resulting from the use of technologies, both in its
commercial business and in its compliance program? - How is the company mitigating the potential for deliberate or
reckless misuse of technologies, including by company
insiders?
Prosecutors also will assess whether monitoring controls are in
place to ensure the trustworthy use of AI, that it complies with
applicable law and the company’s values, and that it’s
being used for its intended purposes. Additionally, prosecutors
will assess human decision-making processes; how accountability for
AI use is monitored and enforced; and how employees are trained to
responsibly use AI.
AI regulations
In addition to the ECCP revisions addressing AI risk, many
countries and some U.S. states continue to enact or consider AI
laws and regulations.
In the United States, for example, Colorado’s landmark AI
legislation, the Colorado AI Act, requires developers of
“high-risk” AI systems to use “reasonable care”
to protect consumers from any “known or reasonably foreseeable
risks of algorithmic discrimination in the high-risk system,”
according to the bill summary. A rebuttable
presumption for “reasonable care” exists where the
developer “complied with specified provisions in the
Act.”
Outside the United States, the European Union passed its EU AI
Act, the “first comprehensive regulation on AI by a major
regulator anywhere.” The AI Act establishes certain compliance obligations,
based on the level of risk that an AI system poses.
NAVEX AI Content Library
With a greater focus on AI risk mitigation by Department of
Justice prosecutors, and more U.S. states and countries enacting
their own AI laws and regulations, it’s more important than
ever that compliance professionals implement a robust AI governance
framework, including the establishment of effective AI policies and
procedures, and instilling ethical AI practices.
To assist organizations in developing and deploying AI-related
policies and procedures and to help them stay aligned with
thefast-evolving AI regulatory landscape, NAVEX is continuously
curating its content library. Currently, the NAVEX content library
offers over 400 regulations and compliance frameworks, including several AI regulations and
frameworks.
Key features of the NAVEX AI content library include:
- Centralized AI regulatory resources, providing
organizationsaccess to a consolidated library of global AI
regulations and industry-specific guidelines - Streamlined control development, enabling organizations to
simplify the process of creating and implementing AI-specific
controls to align with emerging regulations - Automated compliance monitoring, enabling organizations to
leverage automation to track compliance requirements and ensure
adherence through continuous control testing - Enhanced risk mitigation so that organizations can identify and
mitigate AI-related risks proactively using structured regulatory
frameworks - Future-proof compliance strategies that enable organizations to
stay ahead of evolving AI laws and standards, ensuring the
organization remains compliant and competitive
“As AI technologies revolutionize industries, companies
find themselves standing at a crossroads, navigating the intricate
landscape of effective AI governance,” said NAVEX Chief
Product Officer A.G. Lambert. “Our AI content not only
empowers risk management professionals to establish crucial
controls but also enhances efficiency by automating compliance
processes. This dual approach enables organizations to embrace AI
technology with confidence, transforming challenges into
opportunities for growth and innovation.”
Additionally, the NAVEX One platform offers employees and third
parties a secure way to report any AI-related issues or concerns,
enabling organizations to proactively identify and mitigate
potential AI-related risks early on.
If you’re looking for a digestible version of the most
recent DOJ ECCP guidance, you’re in the right place. Download
the annotated guidance with the link below.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.