Tag: CEP

Categories
Blog

Balt and the New DOJ CEP: Why Individual Facts Now Drive Corporate Leniency

Under the Department of Justice’s (DOJ) updated Corporate Enforcement and Voluntary Self-Disclosure Policy (CEP), the practical bargain is now unmistakable. A company can earn extraordinary leniency, including a Declination, but only if it surfaces the facts about individual misconduct early, completely, and credibly. Balt is not simply an FCPA declination story. It is a case study in how modern DOJ enforcement expects compliance, legal, internal audit, and investigations teams to work when misconduct is uncovered.

For years, the DOJ has said that corporate cooperation must be meaningful. Under the new CEP, DOJ has made that concept more concrete and more demanding. The CEP says it is designed not only to drive early voluntary self-disclosure, but also to promote timely enforcement, “including holding culpable individuals accountable.” It also makes clear that a company earns a declination only if it voluntarily self-discloses, fully cooperates, timely and appropriately remediates, and has no disqualifying aggravating circumstances. That is the legal architecture. Balt shows the operating reality.

The Balt matter has become important because it is the first FCPA declination under the Department’s updated CEP. DOJ declined to prosecute Balt SAS after the company self-disclosed, cooperated, remediated, and disgorged $1.2 million. At the same time, the DOJ indicted two individuals, David Ferrera and Marc Tilman, for conspiracy to violate the FCPA, substantive FCPA violations, conspiracy to commit money laundering, and international promotional money laundering. Assistant Attorney General Tysen Duva made the message plain: the resolution demonstrated the value of voluntary self-reporting, and the related indictment demonstrated DOJ’s “unwavering pursuit of culpable individuals.”

That is the bargain in plain English. The company may get mercy. The individuals do not. This is not accidental. The updated CEP expressly says a company fully cooperates when it timely, truthfully, and accurately discloses all relevant facts and non-privileged evidence, including facts gathered in the internal investigation, facts about all individuals involved in or responsible for the misconduct, regardless of status or seniority, attribution of facts to specific sources rather than a generalized narrative, and rolling updates during the investigation. It also requires proactive cooperation, the preservation and production of documents, and the availability of knowledgeable personnel for interviews.

In other words, DOJ is not looking for a company to arrive with a polished memo that says, “We found misconduct, we are sorry, and we fixed it.” DOJ wants the names, the messages, the invoices, the custodians, the timeline, the payment path, and the evidence that ties specific people to specific acts. That is the heart of the new bargain.

Balt is such a useful case study because the individual indictment shows exactly the kind of facts DOJ expects a company to surface. According to the indictment, Ferrera was a senior executive of the U.S. subsidiary, and Tilman owned and operated the Belgian consulting company used in the scheme. Both allegedly stood to gain millions in milestone payments tied to future sales. The indictment further alleges that they conspired from 2017 into September 2023 to bribe a physician employed by CHU Reims, a French state-owned public hospital treated as an instrumentality of a foreign government under the FCPA.

The indictment then lays out the mechanics. Medical Company #2 allegedly used sham consulting agreements, fake invoices, and purported bonus payments to move money to Tilman’s Belgian consulting company, which in turn paid the foreign official through accounts in France. Prosecutors also allege concealment through personal email accounts, encrypted messaging applications, and coded language such as “training,” “bonuses,” and “our friend.” Those are not abstract compliance failures. Those are granular individual facts.

The overt acts alleged in the indictment show why DOJ cares so much about speed and specificity. One 2017 message allegedly said, “Regarding the €€ for our friend, I have a plan.” Another used a private email account for the foreign official and proposed a fake invoice for a two-day sales and marketing session. Ferrera allegedly replied, “That’s acceptable. Please send this to me.” Later communications referenced “No more fake training courses” and described a new bonus as “a CAMOUFLAGE.” The indictment also ties the scheme to specific wire transfers from the United States to Belgium and onward payments into France.

This is the modern FCPA file. It is built from chats, invoices, routing, motive, and attribution. That is why the updated CEP stresses not a general narrative of facts, but facts attributed to specific sources and individuals. The practical implications for compliance and investigations teams are significant.

First, self-disclosure now must be viewed as an investigative decision, not solely a legal one. The updated CEP expressly encourages disclosure at the earliest possible time, even when a company has not completed its internal investigation. It defines voluntary self-disclosure to include reasonably prompt reporting before an imminent threat of government discovery. Balt appears to have done exactly that. The French resolution disclosed that Balt self-disclosed while the internal investigation was still ongoing. That is a critical point because it shows that DOJ is willing to reward a company that comes in before it has all the answers, provided the company follows through with real facts and real cooperation.

Second, cooperation credit is no longer a soft concept. The CEP says a company starts at zero cooperation credit and earns it through specific actions. A company that fails to demonstrate full cooperation at the earliest opportunity may reduce its ability to earn that credit. That should change how legal, audit, and investigations teams think about triage. The early questions are no longer: Did something happen? How much did it cost? The questions are: Who did it? Who approved it? Who benefited? What records exist? What devices hold the communications? Can we preserve them now?

Third, internal investigations must be built for prosecutorial usefulness. Under the CEP, DOJ expects disclosure of overseas documents, provenance, custodians, authors, translations where needed, and even identification of opportunities for the Department to obtain evidence that the company does not possess. If your investigation cannot map the facts to sources, or if your team cannot move quickly across borders, you are not simply conducting a weak internal review. You may be forfeiting declination-level credit.

Fourth, remediation still matters, but it is not enough without individual accountability. The CEP defines timely and appropriate remediation to include root cause analysis, an effective compliance and ethics program, appropriate discipline of responsible employees and supervisors, and proper controls on personal communications and messaging applications. Balt reportedly received credit for separation from Ferrera and Tilman, tailored compliance training for senior management, and remediation of internal control shortcomings. Once again, the lesson is direct. DOJ is not handing out credit for beautiful PowerPoint slides. It is rewarding companies that can show they identified the bad actors, removed them, and strengthened the system in the wake of the failure.

Fifth, the new CEP creates a sharper internal challenge for multidisciplinary teams. Compliance may identify the risk. Legal may control privilege and disclosure strategy. Internal audit may reconstruct the payments. Investigations may chase the communications. But under the new bargain, those functions cannot operate in silos. DOJ expects a company to come forward with a coherent body of attributed facts about individuals. If those teams are not integrated, the company will struggle to earn maximum credit.

This is why Balt should be read as more than a favorable corporate outcome. It is a warning shot and a roadmap. The warning is that DOJ’s focus on individual accountability is real, operational, and evidence-driven. The roadmap is that companies can still earn remarkable leniency if they move quickly, fully cooperate, and help prosecutors build the case against the responsible individuals.

For compliance professionals, that means the old debate is over. There is no longer much room for vague institutional cooperation. Under the updated CEP, the company’s path to leniency runs through facts about people. That is the trade. That is the CEP. Balt is what it looks like in practice.

5 Key Takeaways

  1. The new DOJ bargain is now unmistakable. Companies earn leniency by surfacing facts about individuals early, completely, and credibly.
  2. Balt is the proof point. The company received the first FCPA declination under the updated CEP while DOJ simultaneously indicted Ferrera and Tilman.
  3. Cooperation now means attributed facts, not general narratives. DOJ expects facts tied to specific individuals, sources, documents, and custodians, as well as rolling updates on the investigation.
  4. Speed is strategic. The CEP encourages self-disclosure even before an internal investigation is complete, and Balt appears to have benefited from doing just that.
  5. This is a team sport. Compliance, legal, internal audit, and investigations must work as a single, integrated fact-gathering function if a company hopes to earn the maximum CEP credit.
Categories
2 Gurus Talk Compliance

2 Gurus Talk Compliance – Episode 73 – The Technology Edition

What happens when two top compliance commentators get together? They talk compliance, of course. Join Tom Fox and Kristy Grant-Hart in 2 Gurus Talk Compliance as they discuss the latest compliance issues in this week’s episode!

Stories this week include:

  • Stoicism without self-examination is moral bankruptcy. (⁠FT⁠)
  • Is China more stable for companies than the US?  (⁠FT⁠)
  • JPMorgan to monitor jr. bankers’ hours. (⁠FT)⁠
  • EDNY says fighting the appeal of the FIFA corruption case is not worth the resources. (⁠Reuters)⁠
  • Judge questions DOJ’s decision to drop Halkbank AML case. (⁠Bloomberg⁠)
  • One CEP to Rule Them All (⁠CCI⁠)
  • Banning Sports Betting on Prediction Markets (⁠WSJ⁠)
  • US Regulatory Fines Plummet (⁠CCI⁠)
  • You Need an Automated Compliance Program (⁠Volkov Blog⁠)
  • Florida Man-Dress for Arrest (⁠NBC Miami⁠)

Resources:

Kristy Grant-Hart on ⁠LinkedIn⁠

⁠Prove Your Worth⁠

Tom

⁠Instagram⁠

⁠Facebook⁠

⁠YouTube⁠

⁠Twitter⁠

⁠LinkedIn

Categories
Blog

Balt’s DOJ Declination: A Case Study in Why Speed, Cooperation, and Remediation Still Matter

The Justice Department’s first publicly announced resolution under its new Department-wide Corporate Enforcement and Voluntary Self-Disclosure Policy (CEP) offers corporate compliance officers a practical roadmap: disclose early, cooperate fully, remediate credibly, and be prepared to help prosecutors hold individuals accountable.

Some enforcement actions feel like one-off events. Then others operate like a flare shot into the compliance sky. The DOJ Declination involving French medical device company Balt SAS and its US subsidiary Balt USA (collectively ‘Balt) falls squarely into the second category.

Why? Because this was not simply another FCPA matter. It was the first publicly announced corporate resolution under the DOJ’s new CEP, and DOJ clearly meant it to send a message to the market. As the Wiley alert noted, the Balt matter demonstrates the benefits available to companies that voluntarily self-disclose, fully cooperate, and timely remediate, while also reinforcing DOJ’s emphasis on individual accountability. For compliance officers, that makes Balt important far beyond the four corners of the case itself.

What happened at Balt?

According to the Declination, Balt paid approximately $602,000 in bribes from around 2017 to 2023 to a physician who held a senior role at a state-owned public hospital in France to obtain or retain business. The payments were routed through a third-party consultant in Belgium, with fake invoices and purported bonus payments used to conceal the true nature of the transaction. The scheme generated roughly $1.68 million in revenue and approximately $1.214 million in profits for Balt. As Matt Kelly reported in Radical Compliance, the scheme involved all the old FCPA classics: sham consulting arrangements, fake invoices, and off-channel communications. That alone would have made the matter notable. But the more important point is what happened after Balt discovered the misconduct.

DOJ declined prosecution because Balt self-disclosed while its internal investigation was still ongoing; provided full and proactive cooperation; engaged in timely and appropriate remediation, including disciplinary measures and termination of tainted business relationships; and presented no aggravating circumstances sufficient to disqualify it from a Part I declination. DOJ also required Balt to disgorge approximately $1.2 million and noted that the company had entered into a parallel resolution in France that included compliance requirements. This is the template. And compliance officers should study it carefully.

The real lesson: self-disclosure means before you know everything

One of the most significant points in the Balt matter is timing. Balt disclosed the issue during an ongoing internal investigation, which strongly suggests the company came in before every fact had been nailed down.

That matters because many companies still hesitate, hoping to finish the investigation, validate every fact, and package the matter neatly before approaching the OJ. Balt is a reminder that DOJ wants speed and credibility, not perfection. The new policy framework still prizes timely self-disclosure as the clearest route to a declination. Wiley put it plainly: voluntary disclosure still provides the clearest path to that outcome, and delay can preclude eligibility for the most favorable result.

For the Chief Compliance Officer (CCO), this is where judgment, preparation, and governance structure come together. If your escalation protocols are weak, if privilege decisions are muddled, if your triage process is slow, or if your board and senior leadership do not understand the declination calculus, you can lose the timing advantage before the real work even begins. The Balt case is not simply a win for self-disclosure. It is a win for pre-existing readiness for investigation.

Cooperation means more than being polite

The second lesson is equally important. Under the CEP, cooperation is not a vague aspiration. It is an operational requirement. The Wiley analysis emphasized that full cooperation includes identifying all individuals involved in or responsible for the misconduct and providing facts and evidence concerning their conduct.

This is where compliance officers need to understand a hard truth. DOJ is not offering declinations because it has become sentimental, or even because this administration does not believe in the FCPA. It is offering incentives because it wants something in return. And one of the most important things it wants to do is help build cases against culpable individuals.

That is precisely what happened here. DOJ paired Balt’s declination with indictments of two individuals allegedly involved in the bribery scheme. Wiley correctly described the sequencing as no coincidence, but rather a reinforcement of the DOJ’s continuing focus on individual accountability. Kelly made the same point in even more direct terms: from DOJ’s perspective, if a company voluntarily self-discloses, coughs up illicit proceeds, and helps prosecutors hold wrongdoers accountable, the company can receive a declination.

For compliance professionals, this means internal investigations must be designed from the outset with evidentiary rigor. You need documentation discipline. You need clear interview protocols. You need a defensible record of who knew what, who approved what, and how the misconduct moved through the system. A half-hearted review that avoids hard questions about executives, consultants, or favored business relationships will not get you where Balt got.

Remediation is not a slide deck

The third lesson is on remediation. Too many organizations still treat remediation as presentation theater. They produce a deck, revise a policy, hold a training session, and call it transformation. The DOJ is looking for something more concrete. In the Balt Declination, remediation included disciplinary action against relevant individuals, termination of business relationships that gave rise to the misconduct, tailored compliance training for senior management, and improvements to the compliance program and internal controls. That list is worth lingering over. The DOJ did not only want a promise. It wanted decisions. It wanted changed relationships. It wanted management-specific training. It wanted better controls.

This is a point I have been making for 15 years. A compliance program is not judged by what sits in the binder; it is judged by what the company does when the pressure hits. Balt has shown DOJ that when misconduct surfaced, the company acted. That is the difference between a paper program and a living program.

For CCOs, the action item is straightforward. Build remediation plans that can be demonstrated, measured, and explained. Who was disciplined? Which third party was terminated? What internal control was changed? How was senior management retrained? What monitoring now exists that did not exist before? If you cannot answer those questions in concrete terms, you are not remediating. You are narrating.

The shadow issue: aggravating circumstances

There is another important dimension here. Balt qualified for a Part I declination, in part, because DOJ found no aggravating circumstances. But as Wiley noted, that assessment can be highly fact-dependent and may not be obvious in the early stages of an internal investigation. The line between Part I and Part II can, in practice, be subjective and outcome-determinative.

That is a crucial warning for compliance officers. Balt should not be read as a guarantee. It should be read as an incentive structure. Companies must still assess whether the misconduct is egregious or pervasive, whether senior management is implicated, whether the harm is severe, and whether the organization has a recidivist history. Those factors can dramatically change the result. So the compliance officer’s job is not to assume declination. The job is to gather facts rapidly, surface aggravating factors honestly, and help leadership make a disciplined disclosure decision.

The new DOJ Declination policy offers more clarity than many companies had before. But it does not eliminate judgment. It raises the premium on disciplined judgment.

Five Key Takeaways for Chief Compliance Officers

  1. Build a rapid disclosure protocol now. Balt’s outcome underscores that early self-disclosure, even during an ongoing investigation, can be decisive. Delay can cost you the best available resolution.
  2. Design investigations to identify individuals from day one. The DOJ expects cooperation to include facts about responsible individuals, not just corporate-level summaries.
  3. Make remediation provable. Discipline wrongdoers, terminate tainted relationships, retrain management, and strengthen controls in ways you can document and explain.
  4. Assess aggravating factors early and honestly. The Part I versus Part II distinction may turn on pervasiveness, seriousness, harm, and recidivism. Do not assume a declination path without a hard-eyed assessment of the facts.
  5. Train leadership that declinations are earned, not granted. Balt is a roadmap, not a safe harbor. The organizations that benefit will be the ones prepared to act with speed, rigor, and credibility.

What Balt means for the compliance profession

The Balt Declination is a policy statement in the form of a case. The DOJ is telling companies: we will reward timely self-disclosure, meaningful cooperation, and real remediation. But we will also pursue individuals. That combination is not new in spirit, but it is now being presented with renewed clarity under the new CEP. For corporate compliance officers, the message is not to wait for an issue and hope for good instincts in the moment. The message is to prepare now.

You need escalation protocols that move fast. You need investigation readiness. You need decision trees for voluntary disclosure. You need board education on what DOJ is rewarding and why. And you need remediation mechanisms that produce evidence, not adjectives.

Balt did not receive a Declination because the misconduct was trivial. It received a Declination because, once the misconduct came to light, the company appears to have done the things the DOJ has been asking companies to do for years. That is the real lesson.

In 2026, compliance officers should read the Balt matter not as an outlier, but as a stress test. If your company found a credible FCPA issue tomorrow, could you move quickly enough, investigate thoroughly enough, cooperate meaningfully enough, and remediate credibly enough to make a Balt-style pitch to DOJ?

That is the question. And the answer should shape your compliance program today.

Categories
FCPA Compliance Report

FCPA Compliance Report: SDNY’s New Policy on Declinations

In this episode, Tom Fox welcomes back Hughes Hubbard partner Mike DeBernardis to discuss the Southern District of New York’s new corporate enforcement voluntary self-disclosure program for financial crimes and why SDNY leadership, including Jay Clayton, likely issued it: to encourage self-disclosure that saves enforcement resources and supports DOJ’s focus on individual accountability.

They compare the policy to the (former) DOJ’s Corporate Enforcement Policy, highlighting notable distinctions such as SDNY’s narrower scope (financial/market integrity offenses) and a revised approach to aggravating factors that excludes common CEP considerations like seriousness, pervasiveness, and senior management involvement, while carving out categories including foreign bribery and sanctions evasion, potentially reducing forum shopping. They also examine a “conditional declination” within two to three weeks, its implications for investigation speed and timeliness, and added pressure from whistleblower programs and compressed internal triage timelines.

Key highlights:

  • Why SDNY Issued It
  • SDNY Significance
  • Aggravating Factors Shift
  • Does It Move Needle
  • Conditional Declination Speed
  • Whistleblowers and Pressure

Resources:

 Hughes Hubbard and Reed

Mike DeBernardis on LinkedIn

Tom Fox

Instagram

Facebook

YouTube

Twitter

LinkedIn

For more information on the use of AI in Compliance programs, my new book, Upping Your Game, is available. You can purchase a copy of the book on Amazon.com

Categories
Innovation in Compliance

Innovation in Compliance – Insights on FCPA and Anti-Corruption Enforcement Trends with Anik Shah

Innovation touches every part of the modern enterprise, and compliance professionals must be prepared not only to respond to change but to lead through it. Join Tom Fox, the Voice of Compliance, as he visits with top innovative minds, thinkers, and creators on the award-winning Innovation in Compliance podcast. In this episode, host Tom Fox welcomes Anik Shah, Global Director of Anti-Bribery and Anti-Corruption Compliance at Sandisk, for an insightful discussion on the pivotal shifts in FCPA enforcement during 2025 and what they signal for 2026.

Shah outlines his extensive professional background, including his prior roles at the SEC and DOJ. The conversation explores key developments from 2025, including the Executive Order pausing certain FCPA investigations, the Blanche Memo’s four criteria for opening FCPA cases, and the implications of revisions to the Corporate Enforcement Policy. He also analyzes the Communications Cellular enforcement action to highlight practical compliance lessons, focusing on strengthening AML controls, managing third-party risk, and deploying proactive compliance measures amid renewed anti-corruption scrutiny.

The episode concludes with a forward-looking discussion of emerging anti-corruption risks associated with advanced AI technologies, large AI construction projects, and related permitting activities, both in the United States and globally. Shah offers strategic recommendations for compliance professionals seeking to anticipate and manage these evolving risks.

Key highlights:

• 2025 as a Pivotal Year in FCPA Enforcement

• The Blanche Memo and Corporate Enforcement Policy Revisions

• Anti-Money Laundering and Third-Party Risk Management

• Large AI Construction Projects and Permitting Risks

• Global Anti-Corruption Laws and Compliance

• Key Takeaways for 2026

Resources:

Anik Shah on LinkedIn 

Sandisk

Innovation in Compliance was recently honored as the Number 4 podcast in Risk Management by 1,000,000 Podcasts.

Categories
FCPA Compliance Report

FCPA Compliance Report – Recent DOJ Policy Announcements

Welcome to the award-winning FCPA Compliance Report, the longest-running podcast in compliance. Today, Tom Fox welcomes back James Tillen and Ann Sultan, both partners at Miller & Chevalier, and takes a deep dive into four recent DOJ policy announcements: FCPA Enforcement, White-Collar Enforcement, Criminal Enforcement Policy, and the Whistleblower Pilot Program.

They take a deep dive into Deputy Attorney General Todd Blanche’s memo on Investigations and Enforcement of the FCPA, reviewing the stated main goals of the DOJ and how prosecutors are supposed to achieve these goals. They also consider three directives to prosecutors: focus on cases involving individual misconduct, proceed expeditiously, and consider the collateral consequences. They also examine the White Collar Plan and CEP and ask if we have shifted from a presumption of declination to a more tangible framework and conclude by reviewing what compliance professionals need to consider and investigate now.

Key highlights include:

  • How does the principle of “not attribute[ing] nonspecific malfeasance to corporate structures” impact potential prosecutions of companies and individuals?
  • And how do these priorities jive with other DOJ priorities, such as prosecuting cartels/transnational criminal organizations?
  • What does it mean for companies that the DOJ is prioritizing “serious misconduct”?
  • What are the implications of the DOJ’s stated intent to avoid penalizing “routine business practices in other nations”?
  • Do you see this as a shift in focus for the DOJ to non-US companies?
  • Other DOJ Priorities & Announcements
  • Policy Shifts and Clarifications
  • Looking Ahead: What’s on the Horizon

Resources:

FCPA Spring Review 2025 – Miller & Chevalier

DOJ Criminal Division White Collar Plan

Guidelines for Investigations and Enforcement of the FCPA

Tom Fox

Instagram

Facebook

YouTube

Twitter

LinkedIn

For more information on the use of AI in compliance programs, see Tom Fox’s new book, Upping Your Game. You can purchase a copy of the book on Amazon.com

Categories
Blog

It’s a New Dawn – Compliance Monitors in 2025

In a move that should surprise no corporate compliance professional, the DOJ’s Criminal Division issued a new Memo on May 12, 2025, updating and clarifying its policies on the selection, imposition, and oversight of compliance monitors in corporate resolutions. (Herein the ‘Monitor Memo.’) This new guidance refreshes prior directives (including the foundational Morford Memo) and lays out how monitorships should be assessed, tailored, and executed in granular detail. I want to end my short series on the DOJ’s announcement of changes in white-collar enforcement by reviewing the changes to monitor selection and monitorships going forward and then considering what this means for compliance professionals. As Grace Slick said when Jefferson Airplane hit the stage at Woodstock on the morning of Day 2, “It’s a new dawn.”

I. Monitors: Precision Tools

First, the DOJ clarifies that monitorship should not be used for punitive purposes. Instead, they aim to ensure that a company meaningfully implements compliance reforms and reduces the risk of future misconduct. However, the DOJ also recognizes that monitors can be costly and intrusive. Hence, their use must be carefully calibrated. The core principle of the Monitor Memo is that monitors should be imposed only when necessary, and their scope should be tailored to the misconduct and the company’s risk profile.

The Criminal Division lays out four key factors for when a monitor may be appropriate:

  1. Risk of Recurrence. If the underlying misconduct is serious—think sanctions violations, FCPA infractions, healthcare fraud, or cartel facilitation—and has national or international implications, the risk of recurrence will weigh heavily in favor of a monitorship.
  2. Other Oversight. If another regulator (domestic or foreign) is already effectively overseeing compliance, the DOJ might hold back on appointing a monitor. But if your company committed crimes despite existing oversight, that fact will support the need for one.
  3. Compliance Program & Culture. If your company has revamped its program, replaced bad actors, and created a credible culture of compliance, that cuts against the need for a monitor. But if your program is underdeveloped, window dressing won’t suffice.
  4. Control Maturity & Self-Monitoring Capacity. Have you tested your controls? Have they been in place long enough to prove they work? Can you test, update, and scale your compliance framework internally? If yes, you may avoid a monitor. If not, start preparing now.

The DOJ’s memo drives home one central theme: fit matters. The DOJ wants focused, cost-conscious, collaborative monitorships, from budget caps to biannual meetings.

Here’s what that looks like (at this point):

  • Budget Caps: Monitors must submit a detailed budget, subject to DOJ approval, at the outset of their work. Rate caps and cost estimates must be justified, updated before each review phase, and strictly adhered to.
  • Tri-Partite Meetings: At least twice a year, the monitor, the company, and the DOJ must meet to align goals, address concerns, and ensure transparency. These are not performative check-ins; they are designed to keep all parties rowing in the same direction.
  • Collaboration over Confrontation: The DOJ is encouraging a cultural shift. Monitorships should be approached as mutual partnerships, not hostile audits. Companies have a voice; explaining operational constraints or challenging unnecessary actions is not a red flag.

The selection of a monitor should not be a backroom deal. As a monitorship is a multilayered and often multiyear process, the selection process should be designed to ensure integrity, independence, and credibility. The Monitor Memo sets out a new and transparent process.

  1. Company Nominates: The company proposes 3–5 candidates with no recent ties to the organization and compliance and independence certifications.
  2. DOJ Interviews and Evaluations: Prosecutors and section supervisors interview each candidate, assessing their qualifications, objectivity, cost-efficiency, and experience.
  3. Standing Committee Review: A special committee, including ethics officials, reviews the DOJ’s recommended candidate and must approve before the pick moves to the Assistant Attorney General (AAG).
  4. Final Approval: The AAG reviews the recommendation and sends it to the Office of the Deputy Attorney General (ODAG), which gives the final stamp of approval.

In short, this is a deliberate, transparent process. If the DOJ rejects a candidate or the entire slate, the company must resubmit promptly.

The DOJ’s 2025 memorandum reflects an evolution in how federal prosecutors see compliance monitors: not just as watchdogs but as facilitators of lasting cultural change. For the corporate compliance community, this is a clarifying moment. The DOJ isn’t out to punish companies for punishment’s sake. It offers your compliance regime a chance to prove that your organization’s compliance house is in order and that your company can keep it that way without someone watching over your shoulder.

II. Lessons for the Compliance Professional

Taken in conjunction with the Galotti Memo, revised CEP, and Galeotti Speech, what should compliance leaders be doing today?

  • Bolster Your Program Now

The most effective way to avoid the imposition of a monitor and indeed receive a full Declination is to have a robust, tested, and risk-aligned compliance program already in place when misconduct is discovered, or better yet, before it occurs. If your program is reactive, overly general, or untested, it signals to the DOJ that you may need outside help. But suppose you can demonstrate that your program has been implemented thoughtfully, customized to your company’s risk profile, and embedded into business operations. In that case, you are far more likely to avoid a monitor. That means (1) documenting not only your policies and procedures; (2) showing how they are communicated, enforced, and regularly improved; (3) that your internal controls are more than words on paper; they are working in practice; and (4) continuous improvement through regular testing, third-party evaluations, and board-level oversight.

  • Document Everything

In compliance, if it is not documented, it did not happen. This mantra has never been more important than in the post-resolution environment. The DOJ’s refocused CEP and changes to monitorship decisions underscore the need for companies to contemporaneously and comprehensively document all remediation efforts, disciplinary actions, training rollouts, and policy changes. If your company responds to misconduct with serious reforms, but you do not have the paper trail to back it up, prosecutors may assume those reforms are temporary, superficial, or nonexistent. That is a recipe for a monitor.

  • Engage Experts

One of the clearest signals a company can send to the DOJ about its seriousness in addressing misconduct is proactively engaging third-party experts before the government forces its hand. The revised CEP and Monitor Memo recognizes that a company’s voluntary use of outside compliance consultants, forensic auditors, or legal advisors can reduce or even eliminate the need for a monitor. These experts provide an independent lens, help benchmark your program against industry standards, and identify gaps before they become systemic failures. The bottom line is not to wait for the government to tell you to bring in expertise. Be proactive. Be smart. Be credible.

  • Prove Your Culture Has Changed

Culture is the bedrock of compliance, and the DOJ knows it. The revised CEP and Monitor Memo encourage prosecutors to consider whether a company’s leadership and culture differ meaningfully from those that allowed the misconduct to occur. This creates a critical opportunity for compliance professionals to prove that their house has been cleaned and remodeled. It means demonstrable metrics, employee survey data, speak-up culture indicators, training completion rates, or reduction in hotline-related retaliation claims that show your culture is becoming one of integrity and accountability. Suppose you can show that employees now report misconduct earlier, that internal investigations are handled more fairly, and that ethical conduct is rewarded. In that case, your company is more likely to argue that external supervision is no longer necessary, even if a full Declination is not warranted. Cultural change takes time, but in the eyes of the DOJ, it is one of the most persuasive indicators of whether your organization has truly moved on from its past.

  • Prepare for Monitoring Anyway

If your company believes it will avoid a monitorship, prepare as if one is coming. Pressure tests your program and creates a remediation roadmap aligning with DOJ expectations. Be ready to show how your company has made significant progress. Preparing for a monitor also forces your team to adopt a monitor’s mindset: testing controls, tracking effectiveness, documenting improvements, and coordinating with business units. It’s a rigorous, forward-leaning exercise that will strengthen your compliance program, even if the monitor never arrives. Remember, the DOJ is not just interested in what you say your organization will do; it is watching what you have already done. Preparation shows maturity. And if the monitor is ultimately imposed, you can hit the ground running with a partner who views you as ready, willing, and able, not reluctant or reactive.

The bottom line from these new DOJ pronouncements is that compliance can be cleaned up, and then full walking papers for FCPA or other white-collar crime incidents that your organization may have sustained can be obtained. Now is the time to take advantage of the DOJ’s incredibly pro-business approach. If your senior management harks back to the Executive Order suspending FCPA investigation and enforcement, tell them that the DOJ has lifted the suspension.

Resources:

CRM White Collar Enforcement Plan

Revised CEP

CRM Monitor Memo

Categories
Blog

The Updated CEP: Is Real Credit Finally Here?

Matthew R. Galeotti, Head of the Criminal Division at the U.S. Department of Justice (DOJ), recently delivered a speech at SIFMA’s Anti-Money Laundering and Financial Crimes Conference. Contemporaneously, the DOJ issued a Memo (the Galeotti Memo) entitled Focus, Fairness, and Efficiency in the Fight Against White-Collar Crime. I have explored both in previous blog posts. Today, I want to review the Corporate Enforcement and Voluntary Self-Disclosure Policy (CEP) updates. It provides a roadmap for how companies can earn leniency when they self-report wrongdoing. And in an increasingly unforgiving regulatory landscape, that roadmap is worth its weight in gold.

Under the CEP, a company that voluntarily self-discloses, fully cooperates, and timely remediates can qualify for a declination of prosecution, provided there are no aggravating circumstances. This is the reaffirmation of a multi-year DOJ effort to garner more self-disclosures. It gives compliance professionals something real to bring to the C-suite: if we invest in robust compliance and proactively address issues, we can avoid criminal prosecution altogether.

What if aggravating factors exist, such as senior-level involvement or prior misconduct? If the company cooperates and remediates in good faith, the policy still provides for reduced penalties, non-prosecution agreements, and shorter resolution terms. In other words, the DOJ offers a “near miss” safety net for companies that fall short of full eligibility but act responsibly.

The takeaway is clear: Compliance is not just a cost center but a value driver. The CEP recognizes that companies should be rewarded for coming forward, cooperating, and fixing problems. That means compliance professionals must build systems that detect misconduct early, encourage internal reporting, and enable swift action. When a crisis hits, your response will not just shape your company’s future; it may be the difference between a decline and a prosecution.

Voluntary Self-Disclosure

The DOJ’s Criminal Division strongly encourages companies to voluntarily self-disclose potential misconduct as early as possible, even before completing an internal investigation. To qualify under the CEP, a disclosure must meet several key criteria: it must be made to the Criminal Division (or in good faith to another DOJ component involved in the resolution), concern previously unknown misconduct, not be required by any existing legal obligation, and occur before any imminent threat of disclosure or government investigation arises. Additionally, the disclosure must be made within a “reasonably prompt” timeframe, with the company bearing the burden of proving timeliness.

The DOJ proposes a limited exception for the new Corporate Whistleblower Awards Pilot Program. Suppose a whistleblower reports misconduct internally and to the DOJ. In that case, a company may still qualify for the presumption of declination, but only if it self-discloses to the DOJ within 120 days of the internal report and meets all other voluntary disclosure conditions.

This guidance underscores the urgency and importance of real-time reporting mechanisms, strong internal controls, and rapid compliance response protocols. Timely self-disclosure is not just encouraged; it is now a strategic imperative in mitigating enforcement risk.

What is Full Cooperation?

To earn full cooperation credit under the CEP, a company must go beyond the general requirements of the Principles of Federal Prosecution of Business Organizations (Justice Manual 9-28.000) and meet six key obligations:

  1. Disclosure of All Relevant Facts: A company must share all non-privileged, relevant facts it knows, including facts about individuals responsible for the misconduct, regardless of their rank, whether internal or external to the company.
  2. Timely and Specific Information Sharing: This includes facts obtained through any internal investigation, updates during that investigation, and specific attributions of facts to sources. The company must also clearly identify all involved parties.
  3. Proactive Cooperation: Companies must voluntarily disclose relevant facts, even if prosecutors do not specifically request them. They are also expected to alert the DOJ to any avenues of obtaining evidence not in the company’s possession but known to them.
  4. Preservation and Disclosure of Documents: Relevant documents, including overseas ones, must be preserved, collected, and produced. Companies must detail such documents’ origin, custodians, and locations; facilitate third-party productions; and provide necessary translations. The company must prove the restriction if foreign law prevents disclosure and suggest viable alternatives.
  5. De-confliction: Companies must avoid actions that might interfere with DOJ investigations. If requested, they must delay certain investigative steps, such as employee interviews, for a narrowly tailored period to protect DOJ priorities.
  6. Availability of Individuals for Interviews: Subject to constitutional protections, companies must make current and former employees (including those overseas) available for DOJ interviews and facilitate third-party interviews where possible.

These standards ensure that cooperation is meaningful, timely, and valuable to the DOJ’s efforts, rewarding companies that truly support investigations with favorable outcomes under the CEP.

Timely and Appropriate Remediation

Under the CEP, timely and appropriate remediation is a non-negotiable component of earning cooperation credit and potentially avoiding prosecution. And for compliance professionals, it is a clarion call to action. First, the company must conduct a root cause analysis, a genuine examination of what went wrong, why, and how to prevent it from happening again. It’s not about blaming a few bad apples but addressing systemic issues that allowed the misconduct to take root. Did a cultural blind spot develop in a high-risk market? Was there a breakdown in oversight or a failure to escalate red flags? The DOJ expects thoughtful answers and corrective action.

Second, the company must demonstrate an effective compliance and ethics program tailored to its risk profile, business model, and resources. That means more than having policies on the books. DOJ evaluators are looking at leadership’s commitment, compliance’s access to the board, compensation tied to ethical performance, and real-time testing of program effectiveness. Box-checking won’t cut it.

Third, accountability is key. Companies must appropriately discipline wrongdoers, including those who failed in their supervisory duties, and ensure they retain and safeguard business records, including communications on personal devices and ephemeral apps.

Finally, remediation includes showing that the company understands the seriousness of the misconduct and is proactively reducing future risk. This is about culture, not cosmetics.

In short, remediation is proof of your values in action. It is the difference between performative compliance and real commitment. Suppose you’re building a credible compliance program in today’s enforcement environment. In that case, remediation must be embedded in your DNA because the DOJ is watching, and your organization’s future may depend on how you respond.

Providing Cooperation Credit

Finally, there is the cooperation credit. Hopefully, we have finally moved past the Kenneth Polite formulation of super, double-secret, undefined “we know it when we see it” cooperation. Cooperation credit here will be earned through demonstrable, high-quality, timely actions. Cooperation is assessed on a sliding scale based on how extensively and effectively a company supports the government’s investigation. Once a company meets the minimum threshold for cooperation, prosecutors evaluate factors such as scope, quantity, quality, timing, and the overall impact of the cooperation provided.

Importantly, cooperation credit starts at zero and increases only with meaningful contributions, and there is no presumption of full credit. The DOJ now distinguishes between cooperation levels by varying the starting point within the U.S. Sentencing Guidelines fine range, and the percentage of fine reduction awarded. Companies that delay cooperation may significantly reduce their potential credit.

Waiver of attorney-client privilege or work product protections is not required to receive cooperation credit. If a company claims its financial condition limits its ability to cooperate, it must provide supporting documentation. The DOJ will carefully evaluate any such claims. Ultimately, the message is clear: to earn meaningful credit, cooperation must be real, proactive, and sustained. But at least it is now defined and not “We know it when we see it.”

Resources:

CRM White Collar Enforcement Plan

Revised CEP

CRM Monitor Memo

Categories
Daily Compliance News

Daily Compliance News: May 19, 2025, The Definition of Corruption Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the Daily Compliance News—all from the Compliance Podcast Network. Each day, we consider four stories from the business world: compliance, ethics, risk management, leadership, or general interest for the compliance professional.

Top stories include:

Categories
Blog

Ten Top Lessons from Recent FCPA Settlements – Lesson No. 10, Getting to Self-Disclosure: Speak Up, Triage and Internal Investigation

Over this series, I have reviewed the messages communicated by the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) from three key Foreign Corrupt Practices Act (FCPA) enforcement actions regarding their priorities in investigations, what they want to see in remediations, and what they consider best practices compliance programs. These enforcement actions warrant a close study of the lessons learned. They should guide not simply your actions should you find yourself in an investigation but also how you should think about priorities. One thing is abundantly clear: It all begins with self-disclosure.

The three FCPA enforcement actions we have reviewed are ABB from December 2022, Albemarle from November 2023, and SAP from January 2024. I added a fourth, the Gunvor S.A. enforcement action, as a discussion point, as it was released while I was writing this series. I have also cited several speeches by DOJ officials, including those from Deputy Attorney General Lisa Monaco and Assistant Attorney General Kenneth Polite. They pointed out a clear path for the company, which finds itself in an investigation, using extensive remediation to avoid monitoring. They provided insight for the compliance professional into what the DOJ expects in a best practices compliance program on an ongoing basis.

Late last week, there were two speeches at the ABA White Collar Conference: one by DAG Lisa Monaco and a second by Acting Assistant Attorney General Nicole M. Argentieri, which re-emphasized the points I have articulated. Today, I want to use their speeches to add another factor to my Top Ten Lessons List: a Speak Up Culture, effective triage, and quick, efficient, and accurate internal investigation when information is brought forward.

DAG Monaco could not have been clearer when she said, “When a business discovers that its employees broke the law, the company is far better off reporting the violation than waiting for DOJ to discover it. Now, when the DOJ does discover the violation, the company can still reduce its exposure by proactively cooperating in our investigation. But I want to be clear: no matter how good a company’s cooperation, a resolution will always be more favourable with voluntary self-disclosure.” [emphasis supplied]

DAG Monaco noted that the DOJ has structured its “Voluntary Self Disclosure (VSD) programs to encourage companies to take responsibility for misconduct within their organizations. And we’ve conditioned benefits on the company’s willingness to step up and own up — requiring it to disgorge profits, upgrade compliance systems, and cooperate in investigations of culpable employees…We want to empower them to make the business case for investing in compliance. And when they do, they can point to our policies. Early reports on this work are promising. We directed all components and U.S. Attorneys to implement self-disclosure programs.”

The benefits of the VSD come from this self-disclosure. The DOJ’s announcement that it was launching a whistleblower program for payments to people who come forward with information about criminal activity emphasised this idea even more. While the SEC, CFTC, IRS, and other agencies have whistleblower reward programs, this is a powerful message from the DOJ that if your company has an issue, it is far better to self-disclose than investigate, remediate, and hope the DOJ (or any other agency) never finds out about the matter. Put another way, Argentieri spoke about “the benefits that await those that voluntarily disclose misconduct.”

All of this means you must be able to intake, evaluate, and investigate the information.

Culture of Speak Up

Your organization must have an effective and efficient means of allowing employees to raise their hands and speak up. That speak-up can be through an anonymous hotline, by going into their supervisor’s office to report something, or by coming to the compliance function. Or it could be another avenue of reporting. The point is that every company must be ready, willing, and able to hear and act on internal reports of wrongdoing.

Triage

Given the number of ways that information about violations or potential violations can be communicated to government regulators, having a robust triage system is a critical way to separate the wheat from the chaff and bring the correct number of resources to bear on a compliance problem. One important area is determining whether to bring in outside counsel to head up an investigation and the resources you may want or need to commit to a problem. You need to “kick the tyres” of any allegations or information so that you know the circumstances in front of you before you make decisions. You can achieve this through a robust triage process.

Internal Investigations

You can decide whether or not to investigate by consulting with other groups, such as the Compliance Committee of the Board of Directors or the Legal Department. The head of the business unit in which the claim arose may also be notified that an allegation has been made and that the Compliance Department will be handling the matter on a go-forward basis. Using a detailed written procedure, you can ensure complete transparency on all parties’ rights and obligations once an allegation is made. This gives compliance the flexibility and responsibility to deal with such matters, from which it can best assess and decide how to manage them.

We concluded this series where we began with the need for or benefits of self-disclosure. The benefits laid out by the DOJ are clear, tangible, and direct. If you self-disclose, provide extraordinary cooperation, extensively remediate, and disgorge any ill-gotten gains through profit disgorgement, there will be a presumption of declination. Even if you do not meet the self-disclosure threshold, you can still garner significant discounts under the DOJ’s Corporate Enforcement Policy through extraordinary cooperation and extensive remediation.