Categories
Upping Your Game

Upping Your Game: Episode 2 – From Reactive to Predictive: How AI is Rewriting the Compliance Playbook

In February, the Trump Administration suspended investigations under and enforcement of the FCPA. Many compliance professionals have since wondered what this will mean for corporate compliance programs. Hui Chen challenged compliance professionals with “It’s time to up your game.” This podcast series, sponsored by Ethico and co-hosted with Ethico co-CEO Nick Gallo, hopes to meet Hui Chen’s challenge for compliance professionals. We will discuss how compliance professionals can ‘Up Their Game’ using currently existing Generative AI (GenAI) tools to improve compliance programs dramatically. As compliance professionals, it is critical to recognize that this moment is not merely about incremental improvements but about elevating our profession to an entirely new level of effectiveness, efficiency, and organizational value.

In today’s ‘Upping Your Game’ episode, Nick and Tom discuss moving from reactive to predictive compliance. They discuss how artificial intelligence revolutionizes compliance by shifting from reactive measures to predictive analytics. They highlight how regulatory bodies like the SEC and DOJ have led the charge in data analytics, emphasizing the importance of having access to data silos. Nick shares his experiences and stresses the need for compliance officers to integrate predictive models into business operations. They also explore the iterative process of refining these models and the significance of speaking the language of business to achieve better compliance outcomes and business impacts. The episode concludes with practical advice for compliance officers seeking to educate themselves and effectively pitch their initiatives to executives.

Key highlights:

  • The Regulatory Wake-Up Call
  • The Power of Predictive Analytics
  • Key Lessons for Compliance Professionals
  • The Iterative Approach
  • Meeting with the CEO

Resources:

Upping Your Game: How Compliance and Risk Management Move to 2030 and Beyond on Amazon.com

Nick Gallo on LinkedIn

Ethico Workshop on EV Workshop: Calculate, Track & Articulate Return on Integrity (ROI). For registration and information, click here.

Ethico

Categories
Red Flags Rising

Red Flags Rising: S01 E11 – Point-Counterpoint – U.S. Export Controls Policy

Mike & Brent return with a point-counterpoint episode on U.S. export control policy. After discussing the latest news about U.S. AI export controls (01:03), they discuss the points and counterpoints related to whether we should have export controls at all (04:57), the relevance of the national security justifications offered by the U.S. Department of Commerce in promulgating its regulations (06:52), the lessons of Ukraine battlefield recoveries (09:59), the views of Anthropic’s CEO, Dario Amodei, on risk and how to push any industry to a more-compliance mindset (rather than acquiesce to the race to the bottom) (10:44), why Brent shouldn’t talk about the old days of corruption (12:08), and how not only the export controls’ design but also their enforcement by government and compliance efforts by industry are all relevant factors to consider in assessing export controls’ effectiveness (14:53). They conclude with the latest installment of Brent’s “Managing-Up” segment (23:04).

Resources:

Brent LinkedIn

Mike LinkedIn

Mike & Brent’s “Fresh Looks” Series

Categories
Innovation in Compliance

Navigating Regulatory Changes and Compliance in Trade and Data Privacy with Stephanie Font

Innovation comes in many areas, and compliance professionals must be ready for and embrace it. Join Tom Fox, the Voice of Compliance, as he visits with top innovative minds, thinkers, and creators in the award-winning Innovation in Compliance podcast. Today, we begin a 3-part podcast series sponsored by Diligent with Clint Palermo, Kristy Grant-Hart, and Stephanie Font. Part 2 discusses navigating regulatory changes and compliance in trade and data privacy.

In this episode, host Tom Fox converses with Stephanie Font, Director for Operations Optimization Group at Diligent, to discuss the ever-evolving landscape of economic sanctions, trade policies, and data privacy. Font shares insights on how businesses can stay compliant amidst rapid regulatory changes, emphasizing the importance of continuous monitoring, thorough due diligence, and understanding one’s business partners. The conversation also touches on new regulatory trends such as BIS address specifications, Mexican cartels being designated as FTOs, and the implications of the Uyghur Forced Labor Prevention Act.

Key highlights:

  • Economic Sanctions and Trade Policy
  • Compliance and Business Operations
  • Staying Updated on Regulatory Changes
  • Cartels and Foreign Terrorist Organizations
  • Data Privacy and Cybersecurity
  • Human Rights and Business Culture

Resources:

Stephanie Font on LinkedIn

Visit Diligent Website

Categories
Daily Compliance News

Daily Compliance News: May 13, 2025, The Leaving on a Jet Plane Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the Daily Compliance News—all from the Compliance Podcast Network. Each day, we consider four stories from the business world: compliance, ethics, risk management, leadership, or general interest for the compliance professional.

Top stories include:

  • Is the gift of a jet plane corruption? (NYT)
  • Will the SEC overturn bans and suspensions? (Reuters)
  • GOP wants to ban state regulation of AI. (Bloomberg)
  • What is risk paralysis? (FT)

Categories
Compliance Tip of the Day

Compliance Tip of the Day – Multiplying the Influence of Compliance

Welcome to “Compliance Tip of the Day,” the podcast where we bring you daily insights and practical advice on navigating the ever-evolving landscape of compliance and regulatory requirements. Whether you’re a seasoned compliance professional or just starting your journey, we aim to provide bite-sized, actionable tips to help you stay on top of your compliance game. Join us as we explore the latest industry trends, share best practices, and demystify complex compliance issues to keep your organization on the right side of the law. Tune in daily for your dose of compliance wisdom, and let’s make compliance a little less daunting, one tip at a time.

Use multipliers to extend the influence of your compliance regime.

For more on this topic, check out The Compliance Handbook, a Guide to Operationalizing Your Compliance Program, 6th edition, which LexisNexis recently released. It is available here.

Categories
Blog

Declinations, Disclosure, and National Security: Key Lessons from the 2024 NSD Enforcement Policy

Yesterday, I wrote about a Declination issued by the Department of Justice to the Universities Space Research Association (USRA), a nonprofit organization working with NASA on advanced scientific research. The Declination is found here. Today, I want to dive deeper into the March 2024 update to the National Security Division’s (NSD) Enforcement Policy for Business Organizations. This document is a must-read for every compliance officer handling export controls, sanctions, or any business with potential national security implications. It is a policy update and a blueprint for navigating one of the highest-risk areas in global business today.

The NSD is central in safeguarding the United States from national security threats, particularly by enforcing export control and sanctions laws. Businesses and their employees are vital partners in this mission, given their roles as custodians of sensitive technologies and financial systems. NSD strongly encourages companies to voluntarily self-disclose potentially willful violations of key U.S. statutes, such as the Arms Export Control Act, Export Control Reform Act, and the International Emergency Economic Powers Act, alongside related offenses like money laundering and false statements. Such violations can pose serious risks to national security, and the NSD’s approach to corporate enforcement seeks to strike a balance between encouraging cooperation and deterring harmful conduct.

The updated Enforcement Policy outlines how the NSD, in collaboration with U.S. Attorneys and other DOJ components, determines appropriate resolutions for companies that self-disclose misconduct related to export controls and sanctions. It also sets parameters for how acquiring companies can qualify for protections under the Mergers and Acquisitions (M&A) Policy when disclosing violations by an acquired entity. While the policy’s primary focus is on export and sanctions laws, its principles are designed to guide enforcement decisions in other national security-related matters, such as FARA violations and CFIUS-related conduct. The overarching message is clear: companies should proactively report potential criminal conduct under the NSD’s jurisdiction to help mitigate legal exposure and protect national security.

Here are five key lessons compliance professionals should take away from the updated policy.

1. Voluntary Self-Disclosure Must Be Early, Unprompted, and Specific

In NSD’s world, timing is not just everything; properly seen, it is the thing. To earn credit, disclosure must happen before an imminent threat of exposure or investigation, and it must be made directly to NSD. That means you cannot sit on a problem while deciding whether to tell OFAC, BIS, or your outside counsel. If NSD doesn’t know, your organization does not even qualify for full credit.

The disclosure must include all relevant non-privileged facts, including those about individuals inside and outside the company involved in the misconduct. If your disclosure is vague, partial, or delayed, it may be too little, too late. NSD puts the burden squarely on the company to prove that the disclosure was voluntary and timely.

Compliance Lesson: Build your compliance playbook around immediate, well-documented self-reporting protocols. Simulate drills. Define who makes the call to NSD. Because once the clock starts, hesitation can cost you the deal.

2. Full Cooperation Means More Than Not Obstructing

NSD has redefined “full cooperation” in practical, prosecutorial terms. It is not enough to say your organization will assist. Instead, your organization must provide full assistance, and you must proactively help. That includes sharing key facts as you uncover them, providing timely updates, disclosing foreign-located documents, and making employees (even those overseas) available for interviews.

It also means identifying every opportunity where NSD could obtain relevant evidence, even when they have not yet asked for it. That may seem like a high bar, especially for multinationals operating in jurisdictions with blocking statutes or data privacy laws. The bottom line is that your organization bears the burden of showing why documents can’t be produced—and you must offer alternatives.

Lesson: Compliance teams should revisit their internal investigation protocols to ensure they enable real-time, proactive engagement with government investigators. This is no place for passive risk management.

3. Remediation Is Not Window Dressing—It’s Root Cause Surgery

NSD isn’t interested in cosmetic compliance. They want to see a thorough root cause analysis and real efforts to remediate the misconduct and the control failures that allowed it to occur. That includes changes to reporting structures, testing compliance effectiveness, employee discipline (up to and including termination), and even clawbacks when appropriate.

Critically, NSD recognizes that what counts as a “well-resourced” program depends on the size of your company, but the policy still requires evidence of authority, independence, and a clear line from the compliance function to senior leadership.

Lesson: Expect little sympathy if your root cause analysis is weak or superficial. Effective remediation means digging deep, taking hard actions, and documenting every step for potential DOJ review.

4. Compliance Programs Must Be More Than Just Policies

To avoid monitoring and achieve declination eligibility, your program must exist, be effective, and be tested. NSD’s standards align with the DOJ’s broader 2023 and 2024 guidance around program evaluation: Do your controls work in practice? Are they tailored to your risk profile? Are they embedded into day-to-day operations?

NSD also scrutinizes how you retain business records, especially regarding ephemeral messaging platforms and personal devices. If your team uses WhatsApp, Signal, or iMessage without proper controls, you could be viewed as undermining your compliance system.

Lesson: Modern compliance programs must integrate surveillance, technology, and behavior-based controls, especially where national security risks are involved. “Set it and forget it” programs will not fly.

5. There’s a Path for Acquirers—If You Act Quickly

One of the more notable additions to the 2024 policy is its treatment of M&A-related misconduct. If your company acquires an entity and discovers criminal export control or sanctions violations after the deal closes, the NSD offers a pathway to protection, but only if you act fast.

You have 180 days from the closing date to disclose the misconduct and 1 year to remediate it. Do that, and NSD will generally not seek a guilty plea, criminal fine, or asset forfeiture from the acquirer. And the kicker? The misconduct also won’t count as a strike against your compliance track record in future matters.

Lesson: Build post-acquisition compliance reviews into every integration plan. Don’t wait for a surprise; audit for red flags early and be ready to disclose. In today’s world, inherited risk is your risk.

Declinations Are Earned, Not Given

The 2024 NSD Enforcement Policy is a strong step toward encouraging ethical corporate behavior in a world where the risks are real, and the stakes are high. It rewards companies that do the right thing early, thoroughly, and transparently.

But it’s also a warning: the margin for error is razor-thin. Delayed disclosures, half-baked investigations, or weak compliance programs won’t cut it. And don’t forget, NSD still retains full authority to prosecute individuals, even if your company gets a pass.

Today, the compliance officer’s job is to prevent misconduct and design systems that respond effectively when things go wrong. The new NSD policy gives us the roadmap. We must ensure the car is gassed up, the brakes work, and the driver knows where to go.

Final Compliance Evangelist Tip:

Use this policy as a stress test for your program. Would your controls hold up if misconduct occurred tomorrow? Would you disclose it in time? Could you cooperate fully? If you’re unsure, now is the time to find out before the DOJ does.