In September 2024, the Department of Justice (DOJ) released an updated version of its Evaluation of Corporate Compliance Programs (ECCP) Guidance. The ECCP serves as a framework for DOJ prosecutors to evaluate a company’s compliance program when considering the appropriate enforcement actions. While updates were made across multiple topics, the most notable changes focus on how companies manage corporate whistleblower programs and address risks associated with Artificial Intelligence (AI) and other emerging technologies.

This is Part 2 in our blog series exploring the DOJ’s updated ECCP guidance. Haven’t had a chance to read Part 1 which covers AI-related compliance risks in detail? Be sure to check it out here.

Reporting (Whistleblowing)
The DOJ has long emphasized the importance of a confidential reporting mechanism for employees to report suspected misconduct or policy violations. Previous guidance focused on ensuring employees are aware of and feel comfortable using the hotline. However, this updated version takes it further, asking whether companies actively encourage or incentivize reporting potential misconduct and whether there are practices or a culture that discourages reporting.

To assess the effectiveness of your reporting mechanism, consider how employees view the process and their willingness to report misconduct. The new guidance also includes key questions about protecting whistleblowers from retaliation. Evaluate your company’s anti-retaliation policy to ensure it safeguards employees who report alleged misconduct in good faith. Additionally, review how your company trains employees on internal reporting systems and external whistleblower protection laws.

Lastly, consider how employees involved in misconduct but who reported it are treated compared to those who did not report.

Mergers and Acquisitions (M&A)
The DOJ encourages companies to consider their process for integrating critical Enterprise Resource Systems (ERPs) and compliance programs post-transaction. It’s important to have a clear plan in place to oversee compliance within the new organization. Additionally, consider how you incorporate the new organization into your company’s risk assessment, policies and procedures as well as post-acquisition audits.

Policies and Procedures
The DOJ recommends companies regularly evaluate their process for updating policies and procedures, particularly in response to lessons learned from past issues or industry peers. This includes incorporating emerging technologies into policies. It’s also important to confirm that employees know how to access relevant policies.

Training
Companies should ensure their training is tailored to the specific needs, roles and responsibilities of employees. It should also reflect lessons learned from previous compliance issues within the company or industry. Consider measuring employee engagement with the training to confirm that they truly absorbed the material, rather than simply acknowledging it.

As life science companies navigate the complexities of compliance in an era defined by rapid technological advancement, the DOJ’s updated ECCP guidance serves as a critical resource. By proactively addressing risks tied to emerging technologies, corporate whistleblower programs and overall risk management, organizations can align their compliance frameworks with evolving expectations.

For the full text of the DOJ Guidance and a redline version that reflects all changes made in the new update, please go to:

Redline Version – ECCP_September 2024 Redline Updates_v3

Clean Version – https://www.justice.gov/criminal/criminal-fraud/page/file/937501/dl

 

February 20, 2025

Jay Ward
Director, Life Science Solutions