The revised text of the ECCP sets forth questions and considerations that the DOJ will raise in any criminal investigation into a company’s use of AI that leads to compliance failures or failure to detect criminal activity.
Per the revised ECCP, businesses that use AI should consider and document these questions in a risk assessment:
- How does the company assess the potential impact of new technologies, such as AI, on its ability to comply with criminal laws?
- Is management of risks related to use of AI and other new technologies integrated into broader enterprise risk management strategies?
- What is the company’s approach to governance regarding the use of new technologies such as AI in its commercial business and in its compliance program?
- To the extent that the company uses AI and similar technologies in its business or as part of its compliance program, are controls in place to monitor and ensure its trustworthiness, reliability, and use in compliance with applicable law and the company’s code of conduct?
- Do controls exist to ensure that the technology is used only for its intended purposes?
- What baseline of human decision-making is used to assess AI?
- How is accountability over use of AI monitored and enforced?
- How does the company train its employees on the use of emerging technologies such as AI?
- If the company is using new technologies such as AI in its commercial operations or compliance program, is the company monitoring and testing the technologies so that it can evaluate whether they are functioning as intended and consistent with the company’s code of conduct?
- How quickly can the company detect and correct decisions made by AI or other new technologies that are inconsistent with the company’s values?
These considerations show that the DOJ requires, among other things, human accountability, controls, testing, and periodic evaluation of AI tools. Notably, these revisions are provided within the larger framework of the ECCP, which establishes that companies should perform risk assessments, craft policy and procedures that respond to the risk assessment, communicate those policies to employees, report and investigate compliance failures and misconduct, and apply the same compliance controls to third-party vendors.