DOJ Requirements for Assessing AI Implementations
The DOJ has updated its “Evaluation of Corporate Compliance Programs” (ECCP) to encompass three areas: (1) AI, (2) methods of leveraging data for compliance programs, and (3) protecting whistleblowers. For #1, according to National Law Review, the questions DOJ has for companies seeking to implement AI are the following:
Does the company have a process for identifying and managing emerging internal and external risks that could potentially impact the company’s ability to comply with the law, including risks related to the use of new technologies?
How does the company assess the potential impact of new technologies, such as AI on its ability to comply with criminal laws?
Is management of risks related to use of AI and other new technologies integrated into broader enterprise risk management (ERM) strategies?
What is the company’s approach to governance regarding the use of new technologies such as AI in its commercial business and in its compliance program?
How is the company curbing any potential negative or unintended consequences resulting from the use of technologies, both in its commercial business and in its compliance program?
How is the company mitigating the potential for deliberate or reckless misuse of technologies, including by company insiders?
To the extent that the company uses AI and similar technologies in its business or as part of its compliance program, are controls in place to monitor and ensure its trustworthiness, reliability, and use in compliance with applicable law and the company’s code of conduct?
Do controls exist to ensure that the technology is used only for its intended purposes? What baseline of human decision-making is used to assess AI?
How is accountability over use of AI monitored and enforced?
How does the company train its employees on the use of emerging technologies such as AI?
Risk assessments will be a key factor in their evaluations.
For Item #2, the use of data analytics is emphasized to determine trends and even help companies foresee potential problem areas. It was noted that effective use of data analytics helped moderate the penalties imposed on German software company SAP in a settlement with DOJ.
Item #3 advises its “inspectors/protectors” to evaluate three primary items, among other factors:
Whether the company has an anti-retaliation policy.
Trainings for employees concerning internal anti-retaliation policies and external anti-retaliation and whistleblower protection laws.
The manner in which the company disciplines employees involved in misconduct who actually reported the misconduct compared to others involved in the misconduct but who did not report it.