Updated DOJ Guidance Highlights the Importance of AI & Data Analytics

  • February 17, 2025

Late last year, the U.S. Department of Justice (“DOJ”) Antitrust Division updated its Evaluation of Corporate Compliance Programs (“ECCP”) in Criminal Antitrust Investigations guidelines. This release was preceded by the DOJ Criminal Division’s ECCP update in September.1

While many of the changes merely refine earlier guidance from the Antitrust Division (2019) and the Criminal Division (2023), a key theme in the new guidance is the government’s evolving perspective of the risks associated with using emerging technologies, such as artificial intelligence and algorithmic decision-making software, and the need for companies to develop documented policies and procedures around the use of such technologies and identify ways to integrate AI and data analytics into the frameworks of their organizations’ compliance programs.

While it remains uncertain how the new administration will enforce the updated guidance, companies should consider its implications — particularly as it intersects with increasingly aggressive state antitrust enforcement and the operational and reputational risks posed by emerging technologies.

Managing Risks Associated with New Technologies and AI

Managing a corporation today requires staying ahead of technological advancements, both in strategizing how to best leverage the opportunities that emerging technologies provide and being aware of the risks and how to mitigate them. The updated guidance from the DOJ emphasizes the need for companies leveraging emerging technologies and advanced tools to understand the associated risks and address these concerns through appropriate risk management governance and controls, from policy creation and process design to assessment, monitoring and training. Some of the risks involving AI tools include data manipulation, lack of security and data privacy, lack of transparency in AI decision-making processes and inadvertent bias or discrimination.

AI is more than just a “new technology”
The DOJ updates reference new technologies, in general, and AI in particular. Several characteristics of AI help explain that distinction.

“Black box” Problem: Deep learning models are opaque; they’re not easy to explain.
Emergent Behavior: AI systems can display behaviors beyond their programming parameters.
Bias and Discrimination: If data used to train AI systems is biased, AI may amplify these.
Deepfakes and Manipulation: AI can be used to create very realistic, but fake content.

Other new technologies generally function in more defined and predictable ways.

The DOJ’s guidance on new technologies suggests that prosecutors who are considering bringing charges — and, by extension, a company’s compliance officers and outside counsel pay attention to how companies manage emerging risks through compliance including:

Implementation Process: Companies need “a process for identifying and managing emerging internal and external risks” such as “the potential impact of new technologies.” Further, this process should include compliance personnel in the “deployment of AI and other technologies to assess the risks they may pose.”2

Governance: The guidance recommends asking about “the company’s approach to governance regarding the use of new technologies such as AI in its commercial business and in its compliance program,” including controls “to ensure that the technology is used only for its intended purposes” and training “on the use of emerging technologies.” The DOJ will also look to whether a company has a process to update its policies and whether procedures address emerging risks and capture lessons learned, both internally or from others in related businesses or geographies.

Ongoing Assessment: The government is interested in knowing how a company assesses the ongoing use of AI and similar technologies, including controls “to monitor and ensure its trustworthiness, reliability, and use in compliance with applicable law.” This requires that compliance personnel have an “understanding of the AI and other technology tools used such as the sources of data relied upon, factors that influence outputs and the extent to which human decision-making is involved.

Speed of Corrective Action: In the event of potential misconduct, companies must be prepared to “quickly…detect, and correct decisions made by AI or other new technologies that are inconsistent with the company’s values.

Data-Driven Compliance in the Modern World

Compliance departments are increasingly expected to demonstrate the effectiveness of their programs through measurable outcomes, aligning with broader organizational practices that leverage data analytics and new technologies. Since the issuance of the 2019 guidelines, the Antitrust Division has consistently advocated for proactive monitoring of a company’s compliance with the antitrust laws, including through the use of screens, communications monitoring and statistical testing. The 2024 guidance goes a step further to ask whether “the level of technology devoted to compliance [is] comparable to…other functions.” Significantly,. the U.S. government is signaling that compliance departments’ use of technology and data analytics must keep pace with the use of technology and data analytics elsewhere in the organization.

This includes leveraging analytics to evaluate the performance of compliance initiatives, from assessing policy adherence to tracking the resolution of potential issues. The emphasis on data underscores the need for compliance departments to operate not as isolated units but as integrated, data-driven contributors to the organization’s overall risk management framework. By integrating analytics that likely already exists in other parts of the business into compliance programs, organizations can streamline operations, enhance monitoring capabilities and proactively identify risks.

Fortunately, as monitoring can often be done using existing data and internal systems, as companies progress in their use of new technologies and performance metrics, they have at their disposal more available data and sophisticated dashboarding tools for use in compliance functions without significant additional investment.

The use of analytics now extends beyond risk identification and transaction monitoring. The new guidance further suggests that companies measure their culture of compliance and respond to findings from “its measurement of the compliance culture.” This is consistent with the government’s shift away from purely qualitative measurements of compliance or a “paper program” to one supported by qualitative evidence of effectiveness.

A robust compliance program also hinges on the quality and reliability of its data sources. Companies must manage data quality diligently, ensuring accuracy, precision and recall in their analytics models to produce meaningful insights. This requires establishing governance protocols for data integrity and continuously refining analytic processes to meet evolving standards. For businesses already employing data analytics in other functions, extending this discipline to compliance is both a natural progression and a strategic imperative. By embedding analytics into compliance efforts, companies can not only comply with regulatory expectations but also foster a culture of accountability and transparency that supports long-term resilience and growth.

Accountability in Company Communications

The Antitrust Division’s guidelines extend management of new technology to impose affirmative obligations on companies to regulate and, when appropriate, preserve communications in electronic communication channels, including appropriate use of preservation and deletion settings in ephemeral messaging platforms. The guidance emphasizes the importance of knowing which electronic communication channels the company uses to conduct business and what purposes they serve and intentionally regulating the use and preservation of such channels. This update is consistent with increased focus by regulatory enforcement on off-channel communications and emerging data sources, including modern communication tools, collaboration platforms, personal devices, chat applications and ephemeral messaging. The DOJ’s updated guidelines come as no surprise as they follow the Securities and Exchange Commission (“SEC”) and the Commodity Futures Trading (“CFTC”) in emphasizing the need for preserving and monitoring off-channel communications (and possibly imposing fines on record-keeping failures).

Implications for Corporations and Their Counsel

These DOJ updates reinstate the need for companies and counsel to understand and embrace data and AI tools as part of modernization initiatives and activities. The following steps are fundamental in doing so:

  • Understand the risks of AI and modern technologies: Assess the use of AI and modern technologies in the ordinary course of business activities, including the sources of data relied upon and impact of such technology on competition and prices, to create or update risk mitigation strategies.
  • Develop policies for new technology use and data management — and provide comprehensive training to employees at all levels: These policies should align with the organization’s goals, resources and the responsibilities of various stakeholders (e.g., business personnel, technical engineers, legal and compliance teams). Training should be tailored to different roles, ensuring employees understand permissible and impermissible uses of new technologies, compliance obligations and best practices for ongoing evaluation and responsible implementation.
  • Review and update data retention policies to comply with DOJ and FTC guidelines: This will include, for example, establishing clear legal hold protocols to disable auto-deletion functions for relevant messaging platforms as well as identifying and limiting the use of ephemeral messaging applications for which retention is impracticable, and considering alternative options if necessary.
  • Assess and evaluate internal culture of compliance: At the senior and middle management levels, assess leaders’ understanding and commitment to using new technologies in a defensible manner and adapting to the increasingly complex needs of a modern corporation. Employ strategic communication campaigns, culture transformation strategies and benchmarking surveys to facilitate and measure the adoption of compliance during modernization of business practices.
  • Assess and improve compliance continuously: As business operations modernize, consider how new technology may be employed by compliance to identify new risk areas, transactions that violate compliance policies or trends in performance metrics that are consistent with misconduct. Leveraging ordinary course data and technology tools available to the broader business will enhance compliance program insights and ensure it stays aligned with the business’s technological advancements.

Footnotes:

1: “Evaluation of Corporate Compliance Programs”, U.S. Department of Justice, Criminal Division (September 2024), .

2: “Evolution of Corporate Compliance Programs in Criminal Antitrust Investigations,” U.S. Department of Justice, Antitrust Division (November 2024)

Related Insights

Related Information

Published

February 17, 2025

temp Key Contacts

Nicole P. Wells, CPA, CFF

Senior Managing Director, Leader of North America Risk & Investigations

Adam T. Berry

Senior Managing Director

Andrea B. Levine

Managing Director

Most Popular Insights

  1. What Directors Think Report
  2. Know Your Risk: Terrorist Designation of Cartels on Business Interests in Mexico
  3. Four Predictions for Private Equity in 2025
  4. Global CFO Survey 2025
  5. Current Power Trends and Implications for the Data Center Industry

Sign up to get access to FTI Consulting Insights

Subscribe