
The Bosch Declination: Part 2 – Lessons Learned in Transparency, Remediation, and the ECCP in Action

Every Chief Compliance Officer should study the Bosch declination because it answers a practical question: what does the DOJ reward when a company discovers serious national security compliance failures? It is also a useful case study for CCOs beyond export controls. It is a broader lesson in how enforcement authorities evaluate program effectiveness, internal controls, and corporate response after misconduct is identified.

The answer is not perfection. The answer is transparency, cooperation, remediation, resources, accountability, and governance. Bosch received a declination from the National Security Division under the DOJ’s Department-wide Corporate Enforcement and Voluntary Self-Disclosure Policy (CEP) after self-disclosing export control issues, cooperating with the investigation, remediating, and resolving parallel civil exposure with BIS.

Lessons Learned

1. Manage Your Organization’s Risks

Those facts present the first lesson for CCOs. A compliance program must be built around the company’s actual risk profile. For a global technology and manufacturing company, that means export controls cannot be treated as a narrow legal specialty. They must be embedded into product development, sales, logistics, customer review, third-party engagement, software, engineering, and business approval processes.

This point aligns directly with the DOJ’s Evaluation of Corporate Compliance Programs (ECCP). The ECCP asks three fundamental questions: Is the program well designed? Is it applied earnestly and in good faith, meaning adequately resourced and empowered? Does it work in practice? DOJ also states that prosecutors evaluate the program at the time of the offense and at the time of charging or resolution.

The Bosch Declination demonstrates why those questions matter. A program may exist on paper, yet still fail if it lacks specialized knowledge, escalation paths, and operational integration. The Foreign Direct Product Rule (FDPR) is technical. It requires understanding product origin, technology lineage, software, manufacturing equipment, Entity List designations, and licensing requirements. If the compliance team lacks the expertise or access needed to analyze those issues, the control environment is not fit for purpose. Clearly, the Bosch compliance team lacked the expertise needed for trade compliance.

2. Quick Action: The Need for Speed

The second lesson is that detection and escalation remain central to program effectiveness. The DOJ credited Bosch with conducting an internal investigation after discovering the issues and voluntarily self-disclosing to both NSD and BIS while that investigation was still ongoing. That detail matters. Bosch did not wait for a perfect final report before going to the government. It identified the problem, investigated it, and disclosed it while continuing to learn the facts.

For CCOs, this is the real-world self-disclosure dilemma. Companies often want certainty before disclosure. DOJ policy rewards promptness. The Bosch matter shows that the government may credit a company that self-discloses while its internal investigation is still underway, provided the company preserves evidence, continues to develop the facts, cooperates, and remediates.

3. Active Cooperation

The third lesson is that cooperation must be active. The DOJ cited Bosch’s disclosure of relevant facts; the preservation, collection, and production of documents and information; and prompt, voluntary responses to CES requests following the self-disclosure. This is not passive cooperation. It is organized, disciplined, and documented cooperation.

For the CCO, this means the company must be ready before a crisis. There should be an investigation protocol. There should be document preservation capabilities. There should be clarity on who owns export control investigations, who briefs the board, who coordinates with outside counsel, who manages government requests, and who ensures that remediation does not wait until the matter concludes.

4. Substantive Remediation

The fourth lesson is that remediation must be tangible. Bosch was credited with organizational changes, including adding 66 employees to its trade compliance organization, expanding U.S. trade compliance resources, and updating internal policies and procedures to clarify U.S. export control jurisdiction and licensing requirements.

That is an important message for every compliance leader. Remediation is not a memo. Remediation is not revised policy language alone. Remediation means changing the program so that the same issue is less likely to happen again. It means more resources where the risk requires them. It means better expertise. It means clearer rules. It means stronger controls. It means accountability. Law360 reported that Bosch also made organizational changes, imposed discipline, added trade compliance employees, expanded U.S. trade compliance resources, and updated internal policies and procedures.

5. Effectiveness

The fifth lesson is that the DOJ is connecting compliance effectiveness to enforcement outcomes. DOJ’s CEP is designed to encourage companies to invest in effective compliance programs, voluntarily self-report potential misconduct, cooperate with law enforcement, and rectify wrongdoing. The policy states that the DOJ will decline to prosecute when the company voluntarily self-discloses, fully cooperates, remediates in a timely and appropriate manner, has no aggravating circumstances, and is required to disgorge, forfeit, or otherwise compensate victims for the misconduct.

Bosch is the proof point. DOJ did not ignore the misconduct. Bosch agreed to disgorge $11,430,098, with a credit for amounts paid to BIS. BIS imposed a parallel civil penalty. DOJ also made clear that the declination did not protect individuals and that the investigation could be reopened if DOJ learned new information that changed its assessment or if disgorgement was not paid promptly.

That is a critical governance message. A declination is not a free pass. It is an enforcement outcome tied to conditions, cooperation, transparency, remediation, and accountability.

The Board Component

For boards, Bosch should be read as a Caremark-adjacent reminder that mission-critical compliance risks require real oversight. Export controls and sanctions are not technical back-office functions for global technology companies. They are national security, legal, operational, reputational, and business continuity risks.

The Bosch declination letter states that the company’s Management Board had been advised of the terms of the letter agreement and that Bosch’s Global General Counsel signed the agreement on behalf of the company. That is how these matters should land. Senior management and the board must understand the facts, the root cause, the remediation plan, the financial consequences, and the continuing obligations.

Boards should be asking whether the company has identified its mission-critical regulatory risks. For a technology, manufacturing, software, logistics, aerospace, life sciences, energy, or semiconductor company, export controls and sanctions may sit at the center of that risk map. The board should ask whether compliance has sufficient expertise, authority, budget, data access, and independence. It should ask whether management has tested the controls around high-risk customers, restricted parties, product classification, end-use, end-user, software, and foreign-produced items.

The ECCP reinforces this governance point. The DOJ expects prosecutors to consider whether a company has made significant investments in its compliance program and internal controls and whether improvements have been tested to demonstrate that they would prevent or detect similar misconduct in the future.

Top Five Takeaways

  1. Voluntary self-disclosure still matters. Bosch received credit because it disclosed to NSD and BIS while its internal investigation was still ongoing and then continued to cooperate and remediate.
  2. Export controls are internal controls. FDPR risk requires more than screening. It requires integration across product, software, engineering, sales, legal, and compliance.
  3. Resources are evidence. DOJ credited Bosch for adding 66 trade compliance employees and expanding U.S. trade compliance resources. That is remediation prosecutors can see.
  4. The ECCP is a governance tool. CCOs should use the ECCP’s three questions to assess whether the program is well designed, empowered, resourced, and working in practice.
  5. Boards must oversee national security risks. Export controls and sanctions are mission-critical risks for many global companies. Bosch shows that transparency and remediation can materially shape the enforcement outcome.

The Bosch remediation was not cosmetic. Adding 66 trade compliance employees and expanding U.S. trade compliance resources communicates seriousness. It tells enforcement authorities that the company understood the root cause and invested in fixing it. CCOs should take that lesson directly to the board. Compliance resources should follow risk. Where the business model creates national security exposure, compliance must have the technical capability to match that risk.


The Bosch Declination: Part 1 – The DOJ’s New National Security Enforcement Playbook

The Bosch Declination is an important early marker in the Department of Justice’s new corporate enforcement architecture. It is also a practical case study in how export controls, national security compliance, voluntary self-disclosure, and remediation now intersect under the Department-wide Corporate Enforcement and Voluntary Self-Disclosure Policy. Over the next two blog posts, we will consider this Declination. Today we look at the Declination itself. In the next blog post (on Monday), we will consider the lessons for compliance professionals.

On June 17, 2026, the DOJ announced that the National Security Division had declined prosecution of Robert Bosch GmbH, resolving an investigation into an alleged scheme involving the export of products and software to an Entity-listed company in the People’s Republic of China. The Declination was reached under Part I of DOJ’s Department-wide Corporate Enforcement and Voluntary Self-Disclosure Policy, after DOJ considered the Principles of Federal Prosecution of Business Organizations. DOJ stated that Bosch promptly disclosed the misconduct to NSD, fully cooperated, and timely and appropriately remediated, with no aggravating circumstances present.

The facts are significant. The DOJ’s Declination letter states that from approximately September 2020 to September 2024, Bosch, through two non-U.S. subsidiaries, re-exported more than $70 million in foreign-produced Micro-Electro-Mechanical Systems sensor products and foreign-produced software to Huawei Technologies Co., Ltd. and its affiliates on the Entity List, including Huawei Tech. Investment Co., Ltd., Hong Kong. DOJ identified the two Bosch subsidiaries as Bosch Sensortec GmbH (BST) and ETAS GmbH. According to the DOJ, the products were provided without the required license or authorization from the Department of Commerce’s Bureau of Industry and Security, in violation of the Export Administration Regulations.

The central export control issue was the Entity List Foreign Direct Product Rule, or FDPR. The DOJ stated that BST and ETAS provided Huawei with foreign-produced items subject to the EAR under the Entity List FDPR for designated entities, without obtaining the required authorization from BIS. DOJ further found that Bosch’s trade compliance personnel were “ill-equipped” to provide accurate guidance on the FDPR. The investigation also identified ongoing sales despite several missed opportunities in which third-party companies had identified potential FDPR applications for Bosch products or equipment used in providing services. DOJ calculated that Bosch made approximately $11,430,098 in pre-tax profits from the conduct.

That fact pattern is important for compliance professionals because this was not described as a simple denied-party screening failure. It involved the intersection of foreign-produced products, U.S.-origin technology or software, non-U.S. subsidiaries, Entity List restrictions, and a rule that requires sophisticated technical, legal, and operational judgment. This is precisely the type of export control risk that can sit outside traditional compliance comfort zones. It may involve engineering data, manufacturing equipment, software lineage, product classification, third-party technical inputs, and commercial teams operating far from the United States.

The DOJ letter also makes clear that Bosch’s response mattered. DOJ stated that, after discovering the issues, Bosch conducted an internal investigation and voluntarily self-disclosed the matter to both the National Security Division’s Counterintelligence and Export Control Section and BIS while the internal investigation was still ongoing. Bosch also remediated promptly and appropriately. The Declination letter notes that Bosch’s internal investigation uncovered numerous mistakes in applying the FDPR to Huawei sales. However, Bosch did not believe those mistakes rose to the level of willfulness required for criminal violations under the Export Control Reform Act.

The DOJ’s decision rested on four factors. First, Bosch made a timely and voluntary self-disclosure. Second, Bosch cooperated, including by disclosing relevant facts, preserving, collecting, and producing documents and information, and promptly responding to NSD requests. Third, Bosch remediated, including through organizational changes, adding 66 employees to its trade compliance organization, expanding U.S. trade compliance resources, and updating policies and procedures to provide clearer guidance on U.S. export control jurisdiction and licensing requirements. Fourth, DOJ found that regulatory remedies were adequate, specifically the approximately $36 million penalty imposed by BIS for civil violations under the ECRA and EAR.

The financial terms are also instructive. The DOJ conditioned the Declination on Bosch’s agreement to disgorge $11,430,098 within thirty days. That amount represented the pre-tax profits from sales to Huawei through BST and ETAS for products for which Bosch had not obtained the required EAR authorization. DOJ agreed to credit $7,829,069 paid by Bosch to BIS in the parallel resolution against the disgorgement amount.

Law360 reported that Bosch agreed to pay $36 million to resolve allegations that it improperly exported technology products to Huawei, with the payment amount including profit disgorgement under the DOJ Declination and a penalty under the parallel BIS agreement. Law360 also reported that Bosch said the civil violations were unintentional and that, upon discovering the potential export control violations, it conducted an extensive investigation, voluntarily self-disclosed to U.S. authorities, and cooperated throughout the process.

The timing matters. The DOJ released its first Department-wide Corporate Enforcement Policy for criminal matters on March 10, 2026. That policy was designed to provide uniformity, predictability, and fairness across DOJ corporate criminal enforcement. DOJ stated that, absent certain limited aggravating circumstances, companies that voluntarily disclose discovered misconduct, cooperate, and timely and appropriately remediate may receive a declination.

The Bosch matter is also tied directly to NSD’s export control and sanctions enforcement priorities. DOJ’s March 30, 2026, NSD guidance stated that enforcing export control and sanctions laws is a top priority for NSD and that companies and employees are at the forefront of protecting U.S. national security by preventing unlawful exports of sensitive commodities, technologies, and services, as well as unlawful transactions with sanctioned countries and designated parties.

In that context, Bosch is not merely an export controls case. It is the first public example of how NSD will apply the new Department-wide CEP to a national security matter. DOJ stated that this was the first time NSD had declined to prosecute a company under the CEP.

For trade compliance professionals, the facts underscore several enforcement realities. Export control jurisdiction can attach to foreign-produced items. Non-U.S. subsidiaries can create U.S. enforcement exposure. Entity List designations require more than customer screening. FDPR analysis must be integrated into product classification, sales review, engineering support, and third-party risk management. A compliance program that lacks the technical competency to interpret the rule can fail even when employees are trying to comply.

This is where the facts become the enforcement message. DOJ did not say Bosch had no compliance program. The DOJ said the relevant personnel were ill-equipped on a critical rule and that third-party warning signs were missed. In other words, the issue was not simply whether the company had a trade compliance function. The issue was whether that function had the expertise, authority, resources, and escalation mechanisms to identify and stop sales governed by complex national security controls.

The Bosch Declination also shows that voluntary self-disclosure continues to have real value, but only when paired with cooperation and remediation. DOJ did not reward disclosure alone. It credited Bosch for preserving and producing facts, responding promptly, making organizational changes, expanding resources, adding personnel, strengthening policies, accepting disgorgement, and resolving the civil matter with BIS.

That is the factual landscape. On Monday, we will turn from the facts to the lessons. For CCOs, Bosch is not simply a trade compliance resolution. It is a case study in what DOJ expects from compliance governance, internal controls, resources, remediation, and board oversight when national security risk moves from theoretical to real.


Balt and the New DOJ CEP: Why Individual Facts Now Drive Corporate Leniency

Under the Department of Justice’s (DOJ) updated Corporate Enforcement and Voluntary Self-Disclosure Policy (CEP), the practical bargain is now unmistakable. A company can earn extraordinary leniency, including a Declination, but only if it surfaces the facts about individual misconduct early, completely, and credibly. Balt is not simply an FCPA declination story. It is a case study in how modern DOJ enforcement expects compliance, legal, internal audit, and investigations teams to work when misconduct is uncovered.

For years, the DOJ has said that corporate cooperation must be meaningful. Under the new CEP, DOJ has made that concept more concrete and more demanding. The CEP says it is designed not only to drive early voluntary self-disclosure, but also to promote timely enforcement, “including holding culpable individuals accountable.” It also makes clear that a company earns a declination only if it voluntarily self-discloses, fully cooperates, timely and appropriately remediates, and has no disqualifying aggravating circumstances. That is the legal architecture. Balt shows the operating reality.

The Balt matter has become important because it is the first FCPA declination under the Department’s updated CEP. DOJ declined to prosecute Balt SAS after the company self-disclosed, cooperated, remediated, and disgorged $1.2 million. At the same time, the DOJ indicted two individuals, David Ferrera and Marc Tilman, for conspiracy to violate the FCPA, substantive FCPA violations, conspiracy to commit money laundering, and international promotional money laundering. Assistant Attorney General Tysen Duva made the message plain: the resolution demonstrated the value of voluntary self-reporting, and the related indictment demonstrated DOJ’s “unwavering pursuit of culpable individuals.”

That is the bargain in plain English. The company may get mercy. The individuals do not. This is not accidental. The updated CEP expressly says a company fully cooperates when it timely, truthfully, and accurately discloses all relevant facts and non-privileged evidence, including facts gathered in the internal investigation, facts about all individuals involved in or responsible for the misconduct, regardless of status or seniority, attribution of facts to specific sources rather than a generalized narrative, and rolling updates during the investigation. It also requires proactive cooperation, the preservation and production of documents, and the availability of knowledgeable personnel for interviews.

In other words, DOJ is not looking for a company to arrive with a polished memo that says, “We found misconduct, we are sorry, and we fixed it.” DOJ wants the names, the messages, the invoices, the custodians, the timeline, the payment path, and the evidence that ties specific people to specific acts. That is the heart of the new bargain.

Balt is such a useful case study because the individual indictment shows exactly the kind of facts DOJ expects a company to surface. According to the indictment, Ferrera was a senior executive of the U.S. subsidiary, and Tilman owned and operated the Belgian consulting company used in the scheme. Both allegedly stood to gain millions in milestone payments tied to future sales. The indictment further alleges that they conspired from 2017 into September 2023 to bribe a physician employed by CHU Reims, a French state-owned public hospital treated as an instrumentality of a foreign government under the FCPA.

The indictment then lays out the mechanics. Medical Company #2 allegedly used sham consulting agreements, fake invoices, and purported bonus payments to move money to Tilman’s Belgian consulting company, which in turn paid the foreign official through accounts in France. Prosecutors also allege concealment through personal email accounts, encrypted messaging applications, and coded language such as “training,” “bonuses,” and “our friend.” Those are not abstract compliance failures. Those are granular individual facts.

The overt acts alleged in the indictment show why DOJ cares so much about speed and specificity. One 2017 message allegedly said, “Regarding the €€ for our friend, I have a plan.” Another used a private email account for the foreign official and proposed a fake invoice for a two-day sales and marketing session. Ferrera allegedly replied, “That’s acceptable. Please send this to me.” Later communications referenced “No more fake training courses” and described a new bonus as “a CAMOUFLAGE.” The indictment also ties the scheme to specific wire transfers from the United States to Belgium and onward payments into France.

This is the modern FCPA file. It is built from chats, invoices, routing, motive, and attribution. That is why the updated CEP stresses not a general narrative of facts, but facts attributed to specific sources and individuals. The practical implications for compliance and investigations teams are significant.

First, self-disclosure now must be viewed as an investigative decision, not solely a legal one. The updated CEP expressly encourages disclosure at the earliest possible time, even when a company has not completed its internal investigation. It defines voluntary self-disclosure to include reasonably prompt reporting before an imminent threat of government discovery. Balt appears to have done exactly that. The French resolution disclosed that Balt self-disclosed while the internal investigation was still ongoing. That is a critical point because it shows that DOJ is willing to reward a company that comes in before it has all the answers, provided the company follows through with real facts and real cooperation.

Second, cooperation credit is no longer a soft concept. The CEP says a company starts at zero cooperation credit and earns it through specific actions. A company that fails to demonstrate full cooperation at the earliest opportunity may reduce its ability to earn that credit. That should change how legal, audit, and investigations teams think about triage. The early questions are no longer: Did something happen? How much did it cost? The questions are: Who did it? Who approved it? Who benefited? What records exist? What devices hold the communications? Can we preserve them now?

Third, internal investigations must be built for prosecutorial usefulness. Under the CEP, DOJ expects disclosure of overseas documents, provenance, custodians, authors, translations where needed, and even identification of opportunities for the Department to obtain evidence that the company does not possess. If your investigation cannot map the facts to sources, or if your team cannot move quickly across borders, you are not simply conducting a weak internal review. You may be forfeiting declination-level credit.

Fourth, remediation still matters, but it is not enough without individual accountability. The CEP defines timely and appropriate remediation to include root cause analysis, an effective compliance and ethics program, appropriate discipline of responsible employees and supervisors, and proper controls on personal communications and messaging applications. Balt reportedly received credit for separation from Ferrera and Tilman, tailored compliance training for senior management, and remediation of internal control shortcomings. Once again, the lesson is direct. DOJ is not handing out credit for beautiful PowerPoint slides. It is rewarding companies that can show they identified the bad actors, removed them, and strengthened the system in the wake of the failure.

Fifth, the new CEP creates a sharper internal challenge for multidisciplinary teams. Compliance may identify the risk. Legal may control privilege and disclosure strategy. Internal audit may reconstruct the payments. Investigations may chase the communications. But under the new bargain, those functions cannot operate in silos. DOJ expects a company to come forward with a coherent body of attributed facts about individuals. If those teams are not integrated, the company will struggle to earn maximum credit.

This is why Balt should be read as more than a favorable corporate outcome. It is a warning shot and a roadmap. The warning is that DOJ’s focus on individual accountability is real, operational, and evidence-driven. The roadmap is that companies can still earn remarkable leniency if they move quickly, fully cooperate, and help prosecutors build the case against the responsible individuals.

For compliance professionals, that means the old debate is over. There is no longer much room for vague institutional cooperation. Under the updated CEP, the company’s path to leniency runs through facts about people. That is the trade. That is the CEP. Balt is what it looks like in practice.

5 Key Takeaways

  1. The new DOJ bargain is now unmistakable. Companies earn leniency by surfacing facts about individuals early, completely, and credibly.
  2. Balt is the proof point. The company received the first FCPA declination under the updated CEP while DOJ simultaneously indicted Ferrera and Tilman.
  3. Cooperation now means attributed facts, not general narratives. DOJ expects facts tied to specific individuals, sources, documents, and custodians, as well as rolling updates on the investigation.
  4. Speed is strategic. The CEP encourages self-disclosure even before an internal investigation is complete, and Balt appears to have benefited from doing just that.
  5. This is a team sport. Compliance, legal, internal audit, and investigations must work as a single, integrated fact-gathering function if a company hopes to earn the maximum CEP credit.

Compliance into the Weeds: Balt and TradeStation: Lessons for the Compliance Professional

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to explore it more fully. Looking for some hard-hitting insights on compliance? Look no further than Compliance into the Weeds! In this episode of Compliance into the Weeds, Tom Fox and Matt Kelly look at the Declination awarded to Balt SAS and the OFAC enforcement action involving TradeStation. 

First, they review a Corporate Enforcement Policy declination for French medical-equipment company Balt SAS and the company’s U.S. subsidiary after self-disclosing, cooperating, and remediating misconduct involving a U.S. subsidiary executive and a Belgian consultant allegedly funneling about $600,000 in bribes to a French public hospital official using sham consulting agreements, invoices, and poor documentation; Balt disgorged about $1.21 million in profit on roughly $1.68 million in revenue and disclosed while its internal investigation was still ongoing, raising timing and high-margin red-flag issues.

Second, they cover OFAC’s $1.1 million settlement with TradeStation for accidentally disabling sanctions-screening controls for nearly a year, enabling hundreds of transactions from Iran, Syria, and Crimea; despite having layered tools on paper, IT changes and lapsed subscriptions undermined those controls, underscoring the need for ongoing monitoring, testing, and auditing.

Key highlights:

  • Balt FCPA Case
  • Disclosure Timing
  • Profit Margin Red Flags
  • Controls and France Angle
  • TradeStation Overview
  • How Screening Failed
  • Monitoring and Accountability
  • Costs and OFAC Lessons

Resources:

Matt in Radical Compliance

Tom in the FCPA Compliance Report


A multi-award-winning podcast, Compliance into the Weeds was most recently honored as one of the Top 25 Regulatory Compliance Podcasts, a Top 10 Business Law Podcast, and a Top 12 Risk Management Podcast. Compliance into the Weeds has been conferred a Davey, a Communicator Award, and a W3 Award, all for podcast excellence.


Declinations Are Not Exits: Using Liberty Mutual to Pressure-Test Your Compliance Program

In August 2025, the Department of Justice announced its first FCPA declination of the year, closing its investigation into Liberty Mutual Insurance Company. The facts, while concise, are significant: between 2017 and 2022, employees of Liberty General Insurance, Liberty Mutual’s Indian subsidiary, funneled approximately $1.47 million in bribes to officials at six state-owned banks in exchange for customer referrals. These illicit payments, concealed as marketing expenses and routed through third-party intermediaries, generated $9.2 million in revenue and $4.7 million in profits.

Despite this misconduct, DOJ declined prosecution, citing Liberty Mutual’s early self-disclosure in March 2024 while its internal investigation was still underway; its full and proactive cooperation, including naming individuals involved; and its timely remediation efforts, which included a full acceptance of responsibility, a systematic root cause analysis, and enhanced compliance controls. Notably, the company agreed to disgorge nearly $4.7 million in profits and adopted strengthened policies on third-party oversight, social media use, and ephemeral messaging apps.

Far from a routine declination, Liberty Mutual’s case is a blueprint for how DOJ expects companies to handle potential FCPA violations in 2025 and beyond. For compliance officers, it provides an opportunity to benchmark their programs against the department’s revised Corporate Enforcement Policy and assess whether their own organizations could withstand the scrutiny that Liberty Mutual faced.

What lessons should the compliance community draw from this “plain Jane” declination that is anything but ordinary? Today, we break it down.

Lesson 1: The Risks and Rewards of Early Self-Disclosure

Liberty Mutual’s decision to self-disclose in March 2024, before its internal investigation was complete, reflects the central tension in DOJ’s revised Corporate Enforcement Policy: disclose early or risk losing credit. Under the old guidance, companies were expected to report “immediately upon becoming aware” of potential misconduct, often before facts were clear. The 2025 revision softened the language slightly, but the expectation remains to step forward as soon as you have a clear understanding of the conduct, even if the picture is incomplete.

For compliance officers, this means preparing leadership and boards for tough judgment calls. Waiting for every fact to crystallize risks forfeiting the benefits of voluntary disclosure. Disclosing too early risks exposing the company to liability before it fully understands the problem. Building governance frameworks that allow rapid escalation, provisional risk assessment, and timely board engagement is no longer optional; it is a survival mechanism.

Lesson 2: “Full and Proactive” Cooperation

The declination letter praised Liberty Mutual for its “full and proactive cooperation.” This is a notable evolution in the DOJ’s vocabulary. We know what “full” means: produce documents, facilitate interviews, and respond to requests quickly. Note how this differs from the prior formulation by former Assistant Attorney General Kenneth Polite when discussing the DOJ’s Corporate Enforcement Policy. He defined cooperation as going “above and beyond the criteria for full cooperation” to provide ‘extraordinary’ assistance in demonstrating immediacy, consistency, degree, and impact of the disclosures and support of the investigation. Polite’s use of the term ‘extraordinary’ went well beyond the framing of “full and proactive cooperation.” An extraordinary commitment is required to demonstrate exceptional dedication to the investigation and actively assist the DOJ in achieving its goals.

Liberty Mutual provided relevant facts about individuals, prepared materials the DOJ hadn’t specifically requested, and worked through foreign data privacy challenges to expedite production. That’s proactive.

For compliance professionals, the message is unmistakable: cooperation credit does not come just from answering questions; it comes from anticipating them. Proactive means preparing translations before DOJ asks, synthesizing investigative findings into clear presentations, and offering additional documentation that regulators might find helpful. Companies that want declinations need to train investigative teams to think two steps ahead.

Lesson 3: Navigating Deconfliction and Investigative Boundaries

The Liberty Mutual matter also reminds us of the delicate dance of deconfliction: the DOJ’s practice of asking companies to delay interviewing certain employees so that prosecutors can conduct their interviews first. But cooperation doesn’t end there. The DOJ may also encourage companies to expand their investigations into new geographies or business units.

The 2025 CEP revisions signaled an intent to keep investigations more focused for companies, which provides leverage to push back on overreach while still demonstrating cooperation.

Compliance officers must strike a balance: honor deconfliction requests that allow prosecutors to proceed without interference, but defend investigative boundaries when asked to wander into areas where no evidence exists. A disciplined scope protects both resources and credibility with regulators.

Lesson 4: Fulsome Acceptance of Responsibility

One of the more striking phrases in the declination letter was DOJ’s recognition of Liberty Mutual’s “fulsome acceptance of responsibility.” This signals a shift from perfunctory acknowledgments of wrongdoing to meaningful ownership.

It is the difference between saying, “Yes, our subsidiary made mistakes,” versus declaring, “We, as the parent company, failed to prevent this misconduct, and we own the failure.” Liberty Mutual didn’t stop at distancing itself from bad actors; it accepted enterprise-level responsibility.

For boards and executives, this is a powerful compliance lesson. DOJ expects companies to shoulder responsibility broadly, not hide behind “rogue employees.” The tone set at the top must reflect ownership, contrition, and commitment to preventing recurrence.

Lesson 5: Root Cause Analysis as Compliance Bedrock

The declination also highlighted Liberty Mutual’s systematic root cause analysis. This is not a new concept in compliance circles, but it is increasingly central to the DOJ’s calculus. Simply removing the wrongdoer isn’t enough. The question is: what systemic weaknesses allowed the misconduct to occur?

Liberty Mutual conducted a thorough RCA that examined its control environment, third-party oversight, and cultural gaps. This analysis guided remediation efforts, including structural reorganization, increased compliance resources, and enhanced third-party monitoring.

For compliance officers, the takeaway is straightforward: build RCA into every investigative playbook. Document how each failure occurred, identify the control breakdowns, and map remediation directly back to those findings. DOJ does not just want to see discipline; it wants to see learning.

Lesson 6: Messaging, Social Media, and the New Compliance Frontier

Finally, the Liberty Mutual declination highlighted an issue that has been simmering beneath the surface: the use of ephemeral messaging and social media in business communications. DOJ specifically noted Liberty Mutual’s remediation in this area, a rarity in declinations.

This signals that DOJ expects compliance programs to account for modern communication risks, not just email and enterprise systems, but WhatsApp, Signal, Teams auto-delete, and even Facebook Messenger or Instagram DMs. These channels are increasingly central to both legitimate business and corrupt schemes.

For compliance officers, the challenge is twofold:

  1. Develop clear policies governing employee use of messaging and social media for business.
  2. Deploy monitoring and recordkeeping mechanisms that ensure compliance with legal and regulatory expectations.

This is the new frontier, and companies that fail to adapt may find themselves unable to demonstrate control credibly.

Declinations as Roadmaps

The Liberty Mutual case may have looked routine at first glance, but it is anything but. For the compliance community, it serves as a roadmap for navigating the DOJ’s revised Corporate Enforcement Policy.

The lessons are clear: prepare for early self-disclosure, embrace proactive cooperation, defend investigative boundaries, accept responsibility broadly, conduct rigorous root cause analysis, and modernize oversight of communication.

Declinations are not just quiet exits; they are public teaching tools. Liberty Mutual’s experience demonstrates how a company can turn a damaging bribery scandal into a compliance success by owning the problem, learning from it, and showing a genuine commitment to reform. For today’s CCO, the real question is: if DOJ knocked on your door tomorrow, could you meet the Liberty Mutual standard?


All Things Investigations – DOJ’s Evolving Guidelines: Implications from Liberty Mutual’s FCPA Case

Welcome to the Hughes Hubbard Anti-Corruption & Internal Investigations Practice Group’s podcast, All Things Investigations. In this podcast, host Tom Fox welcomes back Mike DeBernardis to discuss the recently released first Foreign Corrupt Practices Act (FCPA) enforcement action, a Declination involving Liberty Mutual Insurance Company.

Mike DeBernardis, partner at Hughes Hubbard & Reed, and Tom delve into the first FCPA enforcement action of 2025 involving Liberty Mutual. They discuss the nuances of self-disclosure during ongoing investigations, the challenges facing defense attorneys, and the expectations set by the new corporate enforcement policy. Key topics include proactive cooperation, dealing with deconfliction, and the importance of root cause analysis. The conversation provides valuable insights into how the Department of Justice communicates its expectations through enforcement actions and the evolving landscape of corporate compliance.

Key highlights:

  • Exploring the Liberty Mutual Case
  • Challenges of Early Self-Disclosure
  • Corporate Enforcement Policy Changes
  • Full and Proactive Cooperation
  • De-confliction in DOJ Investigations
  • Root Cause Analysis Importance
  • Social Media and Ephemeral Messaging

Resources:

Hughes Hubbard & Reed website

Mike DeBernardis


A Textbook Declination: Lessons Learned from the USRA Declination

In the fast-moving world of enforcement actions and corporate misconduct, we rarely get an actual “bottle episode” of compliance—a neatly wrapped case that functions almost like a compliance case study come to life. That is precisely what we see in the recent declination issued to the Universities Space Research Association (USRA), a nonprofit organization working with NASA on advanced scientific research. The Declination is found here.

This declination tells us as much about what to do right as it does about what went wrong. USRA’s prompt and resolute response to employee misconduct provides a blueprint for companies, regardless of size, to attain the ideal result: a DOJ declination. This declination in the Trump Administration’s second term provides crucial lessons for compliance professionals.

The Story: Export Controls and a Rogue Employee

The facts are straightforward. Between April 2017 and September 2020, USRA employee Jonathan Soong used his position overseeing export compliance to sell restricted software and source code to Beihang University in China. Mr. Soong did not simply mishandle sensitive materials; he willfully bypassed export laws, concealed his actions, and even embezzled from USRA in the process. Soong pleaded guilty to violating export control laws in connection with secretly funneling sensitive aeronautics software to a Beijing university.

But here is the key takeaway: once USRA learned of the misconduct, they acted fast. They alerted NASA. They conducted an internal investigation. They self-reported to the Department of Justice within days. They cooperated fully. And in the end, the DOJ rewarded them, not with a fine, but with a complete declination.

The Power of Prompt Self-Disclosure

USRA’s leadership did not wait to see if the issue would disappear or downplay it internally. Instead, they engaged with enforcement agencies early and often. This fits squarely within the DOJ’s National Security Division Guidance, which outlines how voluntary self-disclosure, cooperation, and timely remediation can mitigate or eliminate penalties.

Let’s be clear: this was a national security matter, not just a regulatory breach. The software involved may have had potential military applications, making USRA’s response all the more commendable and critical.

Internal Controls and Oversight: Where the Breakdown Happened

As much as this is a story of compliance success, it is also a reminder that internal controls must work in practice, not just on paper. There were three key control failures:

  1. Export compliance oversight was left to the same employee who committed the fraud.
  2. Internal monitoring failed to detect red flags.
  3. Supervisory negligence enabled the misconduct to continue for three years.

One of Mr. Soong’s supervisors was eventually disciplined or terminated. However, the lesson is that even well-designed controls fail when not executed or appropriately monitored.

What Made This Declination Possible?

  1. Voluntary, timely self-disclosure within days of learning of the misconduct. When USRA discovered potential wrongdoing, they didn’t hesitate; they immediately self-reported the issue to NASA and the Department of Justice. This type of proactive disclosure is precisely what the DOJ expects when evaluating a company’s response to misconduct. The timeliness demonstrates a functioning internal control system and an ethical culture prioritizing transparency. Rather than hiding behind bureaucracy or launching a months-long internal cover-up, USRA made the call within days. That decision set the tone for everything that followed and paved the way for trust-based engagement with enforcement authorities.
  2. Full cooperation, including sharing internal findings and offering access to witnesses. USRA didn’t just make a phone call and then sit back. They actively cooperated with investigators at every stage. Their actions included providing access to key internal documents, conducting an internal investigation, and turning over their findings to the DOJ. Equally important, they facilitated interviews with relevant employees, supported the legal process, and ensured that authorities had all the resources necessary to pursue the case against the wrongdoer. In short, USRA became a partner to the government, not an adversary. Comprehensive, good-faith cooperation carries tremendous weight in a declination decision.
  3. Swift and meaningful remediation, including terminating the wrongdoer and disciplining supervisors. USRA didn’t stop at self-reporting. They took tangible steps to clean house. Mr. Soong, the employee at the center of the misconduct, was promptly terminated. However, the company didn’t stop there; USRA also reviewed its supervisors’ actions (or inactions). At least one supervisor was disciplined or let go for failing to oversee export control responsibilities properly. The move sends a strong message internally and externally, emphasizing that accountability extends throughout the entire chain of command. This swift and meaningful remediation satisfies DOJ expectations and helps rebuild trust with business partners, regulators, and the broader public.
  4. Strong risk awareness of their role in handling sensitive, export-controlled material. USRA operates in a field where national security risks are inherent. As a NASA contractor handling sensitive aerospace research, they were well aware of the dangers posed by improper exports of data and source code. This was not a case of a company claiming ignorance; they were aware of the potential consequences. Their compliance failures came down to one rogue actor and a breakdown in oversight, not a lack of awareness. When problems surfaced, they acted with the urgency such risks demand. This situational awareness, recognizing how export control violations could ripple across global security, played a major role in helping the DOJ see them as a responsible actor.
  5. Responsiveness to the DOJ and NASA, including prompt answers and evidence production. Throughout the investigation, USRA maintained consistent and open lines of communication with both NASA and the DOJ. They promptly responded to any questions posed. They delivered the requested documents promptly and in excellent order. Such responsiveness isn’t just about meeting deadlines; it is about demonstrating respect for the investigative process and showing that the company values ethical resolution over self-preservation. By staying accessible, professional, and efficient throughout the inquiry, USRA signaled to prosecutors that they were committed to helping resolve the matter fairly and thoroughly. That level of responsiveness is precisely what the DOJ wants to see.

Lessons Learned for Compliance Professionals

  1. Speed Matters. In the world of corporate enforcement, timing can be everything. Companies do not always receive declinations for self-reporting, but self-reporting often makes a significant difference. USRA moved within days to notify NASA and the DOJ of serious misconduct. That speed demonstrated a culture of integrity, robust internal reporting, and a commitment to doing the right thing even under pressure. Quick action also preserves evidence, signals accountability, and allows enforcement agencies to act more efficiently. The faster a company responds, the more credible its leadership appears and the more likely it is to be viewed as a trusted partner.
  2. Controls Must Work in Real Life. Too often, compliance programs look good on paper but fail in execution. A policy is not an effective control unless it is well designed and implemented correctly. In the USRA case, while policies existed, execution faltered, and an employee responsible for oversight violated the law. That’s a stark reminder: your controls must work in the real world. We must regularly evaluate the effectiveness of supervisory review, dual controls, cross-checks, and audit testing. Failure to test a control could result in liability, enforcement, or worse.
  3. Know Your Risk Profile. USRA dealt with export-controlled scientific software, which is a high-risk domain. Their failure wasn’t in identifying risk but in adequately mitigating and monitoring it. For every company, the starting point must be understanding your unique risk profile. Is it corruption and bribery? Data privacy? Sanctions exposure? Supply chain ethics? Compliance officers must align risk assessment, control design, and resource allocation accordingly. A one-size-fits-all compliance program can lead to failure. Regulators expect a risk-based approach that demonstrates thoughtfulness and proportionality. You can’t mitigate what you don’t understand or defend a program that overlooks its most critical vulnerabilities.
  4. Use the Right Tone from the Top. When the misconduct came to light, USRA leadership did not equivocate. They acted decisively, demonstrating a tone from the top that prioritizes ethical behavior and transparency. That tone matters. It influences how quickly issues are escalated, how freely employees speak up, and how credibly regulators perceive your organization. Leadership must consistently communicate that compliance is not just a legal necessity but a core business priority. Words are important, but so is behavior: executives who support investigations, invest in controls, and respond to crises with accountability send a powerful message. That tone sets the cultural foundation for the entire compliance program.
  5. Partner with Enforcement, Don’t Oppose Them. USRA’s interaction with NASA and the DOJ reflected a cooperative mindset. They partnered; they didn’t stonewall, delay, or obscure the facts. That approach is increasingly essential in today’s enforcement environment. Regulators are clear: they are looking for good-faith actors. A company that cooperates, provides relevant data promptly, and engages constructively in dialogue is far more likely to receive credit, whether in a declination, reduced penalties, or favorable settlement terms. Fighting regulators at every turn rarely results in positive outcomes. Instead, view enforcement as an opportunity to demonstrate integrity and operational maturity. Compliance should be a bridge, not a barricade.

Final Thoughts: Don’t Wait for the Crisis

USRA did not plan to become a compliance case study. However, they were ready when the time arrived. And preparation, coupled with integrity, made all the difference. This declination was not granted out of charity. It was earned. It resulted from a well-executed compliance framework, fast action, and an unrelenting drive to do the right thing. If your company faced a similar incident tomorrow, would you be ready to act like USRA? That’s the benchmark. And that’s the challenge for every compliance officer reading this.

So, take this as more than a good news story. Take it as your Monday morning prompt: check your controls, reassess your key risks, and remind your leadership that compliance isn’t about fear but readiness.


Compliance into the Weeds: USRA Declination Case Study: Self-Disclosure Best Practices

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to explore a subject more fully. Are you looking for some hard-hitting insights on compliance? Look no further than Compliance into the Weeds! In this Compliance into the Weeds episode, Tom Fox and Matt Kelly take a deep dive into the declination recently given by the DOJ to the Universities Space Research Association (USRA).

In this episode, Tom and Matt dive deeply into a recent declination issued by the Department of Justice (DOJ) to the Universities Space Research Association (USRA). The discussion focuses on the organization’s exemplary behavior in self-disclosure and cooperation during an investigation into an employee’s misconduct. This misconduct included unauthorized export of software to a Beijing university. The hosts highlight the case as a textbook example of effective compliance practices, self-reporting, and cooperation with regulators. They also explore the DOJ’s guidelines on self-disclosure and the importance of internal controls in high-risk areas.

Key highlights:

  • Case Overview: USRA Declination
  • DOJ Press Release Insights
  • Details of the Misconduct
  • USRA’s Response and Cooperation

Resources:

DOJ Press Release on Universities Space Research Association Declination


Compliance into the Weeds was recently honored as a Top 25 Regulatory Compliance Podcast, a Top 10 Business Law Podcast, and a Top 12 Risk Management Podcast.


Compliance into the Weeds: The BCG Declination – Key Insights for Compliance

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to explore a subject more fully. Looking for some hard-hitting insights on compliance? Look no further than Compliance into the Weeds!

In this episode, Tom Fox and Matt Kelly take a deep dive into the recent Department of Justice (DOJ) declination for the Boston Consulting Group (BCG).

They highlight why this case garnered significant attention and dissect the substantive actions BCG took to avoid prosecution, including firing implicated employees and forcing equity forfeiture. The duo also explores the seven factors that led to the declination, such as timely self-reporting, full cooperation, and improved compliance measures. The episode provides a comprehensive analysis of the BCG case, offering crucial takeaways for compliance officers on how to handle potential corruption issues and DOJ expectations.

Key Highlights:

  • Overview of the Boston Consulting Group Declination
  • DOJ’s Factors for Declination
  • Full Cooperation, Timely Self-Disclosure and Employee Consequences
  • Remediation Efforts and Compliance Improvements

Resources:

Matt in Radical Compliance

Tom in the FCPA Compliance and Ethics Blog



The Boston Consulting Group Declination: A Money Shot for Clawbacks

In a recent development that has garnered significant attention in the compliance community, the U.S. Department of Justice (DOJ) declined prosecution of Boston Consulting Group, Inc. (BCG) for violations of the Foreign Corrupt Practices Act (FCPA). Despite evidence of bribery involving BCG’s operations in Angola, the decision to forgo prosecution serves as a powerful reminder of the critical role that timely self-disclosure, cooperation, and effective remediation play in navigating the complexities of corporate compliance and, most significantly, of the role that clawbacks play in a decision to decline to prosecute. The decision was made public via a letter from the DOJ to BCG.

Between 2011 and 2017, BCG’s Lisbon, Portugal office engaged in a scheme to secure business contracts with Angolan government agencies, including the Ministry of Economy (MINEC) and the National Bank of Angola (BNA). BCG funneled approximately $4.3 million in commissions to an agent with close ties to Angolan government officials. These payments, made through offshore entities, helped BCG secure twelve contracts, resulting in revenues of $22.5 million and profits of $14.424 million.

The misconduct was serious: BCG employees in Portugal were aware of the agent’s ties to government officials and took deliberate steps to conceal the true nature of the agent’s work. This included backdating contracts and falsifying documents to cover up the corrupt activities. Such actions violated the FCPA, which prohibits U.S. companies from engaging in bribery of foreign officials to secure business advantages.

The money shot in this Declination was in the area of clawbacks. In the Wall Street Journal (WSJ), Dylan Tokar wrote, “The consulting group’s disciplinary actions come amid pressure on companies by Justice Department officials to clawback compensation from employees involved in wrongdoing. Officials have said they want to shift the burden of penalties for corporate misconduct to those most responsible.” Mary Shirley, quoted by Tokar in the same article, noted, “That’s a strong message. While they’re not stated, the actual figures involved for individuals could be quite high.”

In his Radical Compliance piece on the Declination, Matt Kelly emphasized Shirley’s point: “That final point on surrendering equity — wow. That’s a punitive measure with real bite. Not only has BCG damaged the offenders’ future employment prospects by firing them and leaving a black mark on their records, but the loss of equity is a wallop to all their past employment with the firm. I have no idea how much that equity might have been worth, but BCG is a giant and prosperous business, so it’s entirely possible those offenders just lost millions of dollars.”

Given the severity of the misconduct, the DOJ’s decision to decline prosecution may seem surprising at first glance. However, it was BCG’s conduct after discovering the illegal conduct that led to this superior result. The declination reveals that BCG’s response to finding the potential FCPA violation was exemplary, and equally importantly, it aligned with the DOJ’s Corporate Enforcement and Voluntary Self-Disclosure Policy. These factors included:

  • Timely and Voluntary Self-Disclosure: In a 2014 email, BCG uncovered evidence of the potential FCPA violation and promptly disclosed the misconduct to the DOJ. This proactive step is crucial in the DOJ’s assessment of whether to pursue prosecution, as it demonstrates the company’s commitment to transparency and accountability.
  • Full and Proactive Cooperation: BCG did not merely disclose the misconduct; the company fully cooperated with the DOJ’s investigation. This included providing all relevant facts, including information about the individuals involved in the bribery scheme. Cooperation of this magnitude significantly mitigates the risk of prosecution, as it aids the government in its investigation and potential prosecutions of individuals responsible for the wrongdoing.
  • Comprehensive Remediation: BCG’s response to the misconduct was swift and decisive. The company terminated the personnel involved, imposed compensation-based penalties, and required implicated partners to forfeit their equity in the company. BCG also denied these individuals the financial transitions typically accorded to departing employees, underscoring the seriousness of the misconduct.
  • Significant Compliance Improvements: Beyond addressing the immediate issue, BCG substantially enhanced its compliance program and internal controls. These improvements included formalized employee training, vendor and client screening protocols, and the establishment of local and global risk committees. Such measures demonstrate BCG’s commitment to preventing future misconduct and fostering a culture of compliance.
  • Absence of Aggravating Factors: The DOJ’s decision was also influenced by the absence of certain aggravating factors, such as executive management’s involvement in the misconduct, significant profit relative to the company’s size, or a history of criminal recidivism. These factors often weigh heavily in the decision to prosecute, but in BCG’s case, their absence worked in the company’s favor.
  • Disgorgement of Ill-Gotten Gains: BCG agreed to disgorge $14.424 million, representing the profits from the contracts secured through the corrupt scheme. This financial penalty further reinforced BCG’s commitment to addressing the consequences of its actions and aligning with legal and ethical standards.

The BCG case offers several critical lessons for compliance professionals. First and foremost, the importance of timely and voluntary self-disclosure cannot be overstated. When a company discovers potential misconduct, promptly bringing it to the authorities’ attention can significantly influence the outcome, potentially leading to a declination of prosecution.

Full cooperation with government investigations is essential. Compliance teams must be prepared to provide all relevant information, facilitate interviews, and support the investigation process. This cooperation demonstrates the company’s commitment to addressing the issue and helps build a collaborative relationship with the authorities.

Remediation is another crucial aspect. Companies must swiftly and meaningfully address the root causes of misconduct, including holding individuals accountable and implementing robust compliance measures to prevent future violations. A strong compliance program, reinforced by ongoing training and risk assessment, is vital in demonstrating a company’s commitment to ethical business practices.

Finally, the BCG case underscores the importance of avoiding aggravating factors. Companies should strive to cultivate a culture of integrity from the top down, ensuring compliance is embedded in every aspect of the organization. By doing so, they can reduce the likelihood of misconduct occurring in the first place and mitigate the impact if it does.

The DOJ’s decision to decline BCG’s prosecution is a powerful reminder of the value of self-disclosure, cooperation, and remediation in corporate compliance. For compliance professionals, the BCG case highlights the critical role they play in guiding their organizations through complex legal and ethical challenges. By fostering a culture of compliance, responding proactively to potential issues, and working closely with authorities, companies can navigate the difficult terrain of regulatory enforcement while upholding their commitment to ethical business practices.