Tag: DOJ

Categories
Blog

Preventing Strategy Outrunning Governance in AI

One of the clearest AI governance challenges facing companies today is not a failure of ambition. It is a failure of pacing. Put simply, strategy is moving faster than governance. Business teams want results. Senior executives hear daily about efficiency gains, lower costs, faster decision-making, enhanced customer engagement, and competitive advantage. Vendors are more than happy to promise it all. Employees are already experimenting with AI tools on their own. In that environment, the pressure to move quickly is relentless.

That is where the compliance function must step forward. Not to say no. Not to slow innovation for the sake of slowing it. But to ensure that innovation moves with structure, discipline, and accountability. Governance is not the enemy of AI strategy. Governance is what allows an AI strategy to scale without becoming an enterprise risk event.

The Central Question for Boards and CCOs

For boards, Chief Compliance Officers, and business leaders, the central question is straightforward: has the company defined the rules of the road before putting AI into production? If the answer is no, the company is already behind.

This is not a theoretical problem. It is happening every day. A business unit buys an AI-enabled tool before legal, compliance, IT, privacy, and security have reviewed it. A vendor pitches a product as low-risk automation, even though it actually makes consequential recommendations. An employee uploads sensitive data into a generative AI platform for convenience. A use case that began as internal support quietly migrates into customer-facing decision-making. A pilot project becomes business as usual without anyone documenting who approved it, what risks were considered, or what human oversight is supposed to look like.

That is what it means when strategy outruns governance. The business has a faster process for adopting AI than it has for understanding, controlling, and monitoring AI risk.

What the DOJ Expects

The Department of Justice has been telling compliance professionals for years that an effective compliance program must be dynamic, risk-based, and integrated into the business. That lesson applies directly here. Under the ECCP, prosecutors ask whether a company has identified and assessed its risk profile, whether policies and procedures are practical and accessible, whether responsibilities are clearly assigned, whether decisions are documented, and whether the program evolves as risks change. AI governance sits squarely in that framework.

What “Rules of the Road” Means in Practice

What do the “rules of the road” look like in practice?

First, the company must define which AI use cases are permissible. These are lower-risk applications that can be used within established controls. Think internal drafting support, workflow automation for non-sensitive administrative tasks, or summarization tools used on approved data sets. Even here, there should be basic conditions: approved tools only, no confidential data unless authorized, user training, logging, and manager accountability.

Second, the company must identify restricted or high-risk use cases. These are situations where AI may be allowed, but only after enhanced review. This can include uses involving personal data, HR decisions, customer communications, pricing, fraud detection, credit or eligibility decisions, compliance surveillance, or any function where bias, opacity, or error could create legal, regulatory, or reputational harm. These use cases should trigger a more formal process that includes a documented risk assessment, legal and compliance review, data governance checks, testing, defined human oversight, and ongoing monitoring.

Third, the company must be clear about prohibited use cases. If an AI application cannot be used consistently with the company’s values, control environment, legal obligations, or risk appetite, it should be off-limits. That might include tools that process sensitive data in unapproved environments, systems that make fully automated consequential decisions without human review, or applications that cannot be explained, tested, validated, or monitored sufficiently for their intended use.

Fourth, the company must establish escalation thresholds. Not every AI decision belongs at the board level, but some certainly do. Use cases involving strategic transformation, material legal exposure, major customer impact, significant third-party dependency, or high-consequence decision-making may need escalation to senior management, a designated AI or risk committee, or the board itself. If management cannot explain when a matter gets elevated, governance is too vague to be trusted.

Why the NIST AI RMF Matters

This is where the NIST Framework is so useful. NIST does not treat AI governance as a one-time signoff exercise. It organizes governance as an ongoing discipline through four connected functions: Govern, Map, Measure, and Manage. For compliance professionals, that is a practical operating model.

Governance means setting accountability, policies, oversight structures, and risk tolerances. It answers who is responsible, who decides, and what standards apply. A map means understanding the use case, context, stakeholders, data, and risks. It answers what the system is actually doing and where exposure lies. Measure means testing, validating, and assessing performance and controls. It answers whether the system works as intended and whether the company can prove it. Managing means acting on what is learned through oversight, remediation, change management, and continual improvement. It answers whether the company is prepared to respond when reality diverges from the plan.

How ISO 42001 Reinforces Governance Discipline

ISO 42001 reinforces the same message from a management systems perspective. It brings structure, accountability, controls, and continual improvement to AI governance. That matters because many organizations do not fail because of a lack of policy language. They fail because they do not operationalize accountability. ISO 42001 pushes companies to embed AI governance into defined processes, assign responsibilities, document controls, conduct internal reviews, and take corrective action. In other words, it turns aspiration into a management discipline.

What Happens When Strategy Outruns Governance

What happens when none of this is done well?

Shadow AI is usually the first warning sign. Employees use public or lightly reviewed tools because they are easy to use, fast, and readily available. Sensitive data may be entered without approval. Outputs may be used in business decisions without validation. The organization tells itself it is still in the experimentation phase, while the risk has already gone live.

Vendor-driven deployment is another danger. The company relies too heavily on what the vendor says the product can do and not enough on its own evaluation of what the product should do, how it works, what data it uses, and what controls are required. When something goes wrong, accountability becomes murky. Procurement says the business wanted speed. The business says IT approved the integration. IT says legal reviewed the contract. Legal says compliance owns the policy. Compliance says no one submitted the use case for formal review. That is not governance. That is institutional finger-pointing.

Undocumented approvals are equally dangerous. An AI tool is launched because everyone generally agrees it seems useful. But there is no record of the intended purpose, risk rating, required controls, human review standard, or approval rationale. Six months later, the company cannot explain why the system was deployed, what guardrails were put in place, or whether its use has drifted beyond its original scope.

The Compliance Mechanisms Companies Need Now

That is why companies need concrete compliance mechanisms now. They need an intake process for AI use cases to enter a formal review channel before deployment. They need risk tiering so not every use case gets the same treatment, but higher-risk applications receive enhanced scrutiny. They need approval workflows with defined roles for the business, legal, compliance, privacy, security, IT, and, where appropriate, model risk or internal audit. They need board reporting triggers to inform leadership when AI adoption crosses materiality or risk thresholds. They need a current model and use-case inventory so the company knows what is in operation. They need change management, so updates, retraining, vendor changes, and scope shifts are reviewed rather than assumed. And they need periodic review because AI risk does not stand still after launch.

The Special Role of Compliance

The compliance professional has a special role here. Compliance is often the function best positioned to connect governance, process, accountability, documentation, and escalation. That is precisely what the DOJ expects in an effective program. If the company can buy AI faster than it can classify risk, document controls, assign accountability, and test outcomes, the program is not keeping pace with the business. That gap will not stay theoretical for long. It will harden into enterprise risk.

Conclusion: Governance Must Keep Pace With Strategy

The lesson is direct. Strategy and governance must move together. AI governance is not a brake pedal. It is the steering system. A company that wants the benefits of AI must be disciplined enough to define where AI can go, where it cannot go, who decides, what gets documented, and when the business must stop and reassess. If the company can move faster on AI strategy than on AI governance, it is creating risk faster than it can manage. That is not innovation. That is exposure.

Categories
Blog

Balt and the New DOJ CEP: Why Individual Facts Now Drive Corporate Leniency

Under the Department of Justice’s (DOJ) updated Corporate Enforcement and Voluntary Self-Disclosure Policy (CEP), the practical bargain is now unmistakable. A company can earn extraordinary leniency, including a Declination, but only if it surfaces the facts about individual misconduct early, completely, and credibly. Balt is not simply an FCPA declination story. It is a case study in how modern DOJ enforcement expects compliance, legal, internal audit, and investigations teams to work when misconduct is uncovered.

For years, the DOJ has said that corporate cooperation must be meaningful. Under the new CEP, DOJ has made that concept more concrete and more demanding. The CEP says it is designed not only to drive early voluntary self-disclosure, but also to promote timely enforcement, “including holding culpable individuals accountable.” It also makes clear that a company earns a declination only if it voluntarily self-discloses, fully cooperates, timely and appropriately remediates, and has no disqualifying aggravating circumstances. That is the legal architecture. Balt shows the operating reality.

The Balt matter has become important because it is the first FCPA declination under the Department’s updated CEP. DOJ declined to prosecute Balt SAS after the company self-disclosed, cooperated, remediated, and disgorged $1.2 million. At the same time, the DOJ indicted two individuals, David Ferrera and Marc Tilman, for conspiracy to violate the FCPA, substantive FCPA violations, conspiracy to commit money laundering, and international promotional money laundering. Assistant Attorney General Tysen Duva made the message plain: the resolution demonstrated the value of voluntary self-reporting, and the related indictment demonstrated DOJ’s “unwavering pursuit of culpable individuals.”

That is the bargain in plain English. The company may get mercy. The individuals do not. This is not accidental. The updated CEP expressly says a company fully cooperates when it timely, truthfully, and accurately discloses all relevant facts and non-privileged evidence, including facts gathered in the internal investigation, facts about all individuals involved in or responsible for the misconduct, regardless of status or seniority, attribution of facts to specific sources rather than a generalized narrative, and rolling updates during the investigation. It also requires proactive cooperation, the preservation and production of documents, and the availability of knowledgeable personnel for interviews.

In other words, DOJ is not looking for a company to arrive with a polished memo that says, “We found misconduct, we are sorry, and we fixed it.” DOJ wants the names, the messages, the invoices, the custodians, the timeline, the payment path, and the evidence that ties specific people to specific acts. That is the heart of the new bargain.

Balt is such a useful case study because the individual indictment shows exactly the kind of facts DOJ expects a company to surface. According to the indictment, Ferrera was a senior executive of the U.S. subsidiary, and Tilman owned and operated the Belgian consulting company used in the scheme. Both allegedly stood to gain millions in milestone payments tied to future sales. The indictment further alleges that they conspired from 2017 into September 2023 to bribe a physician employed by CHU Reims, a French state-owned public hospital treated as an instrumentality of a foreign government under the FCPA.

The indictment then lays out the mechanics. Medical Company #2 allegedly used sham consulting agreements, fake invoices, and purported bonus payments to move money to Tilman’s Belgian consulting company, which in turn paid the foreign official through accounts in France. Prosecutors also allege concealment through personal email accounts, encrypted messaging applications, and coded language such as “training,” “bonuses,” and “our friend.” Those are not abstract compliance failures. Those are granular individual facts.

The overt acts alleged in the indictment show why DOJ cares so much about speed and specificity. One 2017 message allegedly said, “Regarding the €€ for our friend, I have a plan.” Another used a private email account for the foreign official and proposed a fake invoice for a two-day sales and marketing session. Ferrera allegedly replied, “That’s acceptable. Please send this to me.” Later communications referenced “No more fake training courses” and described a new bonus as “a CAMOUFLAGE.” The indictment also ties the scheme to specific wire transfers from the United States to Belgium and onward payments into France.

This is the modern FCPA file. It is built from chats, invoices, routing, motive, and attribution. That is why the updated CEP stresses not a general narrative of facts, but facts attributed to specific sources and individuals. The practical implications for compliance and investigations teams are significant.

First, self-disclosure now must be viewed as an investigative decision, not solely a legal one. The updated CEP expressly encourages disclosure at the earliest possible time, even when a company has not completed its internal investigation. It defines voluntary self-disclosure to include reasonably prompt reporting before an imminent threat of government discovery. Balt appears to have done exactly that. The French resolution disclosed that Balt self-disclosed while the internal investigation was still ongoing. That is a critical point because it shows that DOJ is willing to reward a company that comes in before it has all the answers, provided the company follows through with real facts and real cooperation.

Second, cooperation credit is no longer a soft concept. The CEP says a company starts at zero cooperation credit and earns it through specific actions. A company that fails to demonstrate full cooperation at the earliest opportunity may reduce its ability to earn that credit. That should change how legal, audit, and investigations teams think about triage. The early questions are no longer: Did something happen? How much did it cost? The questions are: Who did it? Who approved it? Who benefited? What records exist? What devices hold the communications? Can we preserve them now?

Third, internal investigations must be built for prosecutorial usefulness. Under the CEP, DOJ expects disclosure of overseas documents, provenance, custodians, authors, translations where needed, and even identification of opportunities for the Department to obtain evidence that the company does not possess. If your investigation cannot map the facts to sources, or if your team cannot move quickly across borders, you are not simply conducting a weak internal review. You may be forfeiting declination-level credit.

Fourth, remediation still matters, but it is not enough without individual accountability. The CEP defines timely and appropriate remediation to include root cause analysis, an effective compliance and ethics program, appropriate discipline of responsible employees and supervisors, and proper controls on personal communications and messaging applications. Balt reportedly received credit for separation from Ferrera and Tilman, tailored compliance training for senior management, and remediation of internal control shortcomings. Once again, the lesson is direct. DOJ is not handing out credit for beautiful PowerPoint slides. It is rewarding companies that can show they identified the bad actors, removed them, and strengthened the system in the wake of the failure.

Fifth, the new CEP creates a sharper internal challenge for multidisciplinary teams. Compliance may identify the risk. Legal may control privilege and disclosure strategy. Internal audit may reconstruct the payments. Investigations may chase the communications. But under the new bargain, those functions cannot operate in silos. DOJ expects a company to come forward with a coherent body of attributed facts about individuals. If those teams are not integrated, the company will struggle to earn maximum credit.

This is why Balt should be read as more than a favorable corporate outcome. It is a warning shot and a roadmap. The warning is that DOJ’s focus on individual accountability is real, operational, and evidence-driven. The roadmap is that companies can still earn remarkable leniency if they move quickly, fully cooperate, and help prosecutors build the case against the responsible individuals.

For compliance professionals, that means the old debate is over. There is no longer much room for vague institutional cooperation. Under the updated CEP, the company’s path to leniency runs through facts about people. That is the trade. That is the CEP. Balt is what it looks like in practice.

5 Key Takeaways

  1. The new DOJ bargain is now unmistakable. Companies earn leniency by surfacing facts about individuals early, completely, and credibly.
  2. Balt is the proof point. The company received the first FCPA declination under the updated CEP while DOJ simultaneously indicted Ferrera and Tilman.
  3. Cooperation now means attributed facts, not general narratives. DOJ expects facts tied to specific individuals, sources, documents, and custodians, as well as rolling updates on the investigation.
  4. Speed is strategic. The CEP encourages self-disclosure even before an internal investigation is complete, and Balt appears to have benefited from doing just that.
  5. This is a team sport. Compliance, legal, internal audit, and investigations must work as a single, integrated fact-gathering function if a company hopes to earn the maximum CEP credit.
Categories
Blog

The Balt Individuals Indictment: How Corruption Actually Works

The corporate resolution in Balt received the headlines. The individual Indictment tells the deeper compliance story. In the charges against David Ferrera and Marc Tilman, prosecutors laid out a familiar but highly instructive playbook: business pressure, personal financial incentives, sham consulting arrangements, coded language, off-channel communications, false invoices, and cross-border wire transfers. For compliance professionals, this is the anatomy of misconduct in real time.

One of the most important lessons in any FCPA matter is that companies do not commit crimes. People do. Systems may be weak, controls may be poorly designed, and incentives may be misaligned. But in the end, individuals make decisions. That is why the indictment of David Ferrera and Marc Tilman in the Balt matter deserves careful study.

The indictment alleges that Ferrera, a United States citizen, was a senior executive of Balt’s U.S. subsidiary and an owner of the predecessor company. In contrast, Tilman, a Belgian citizen, owned and operated the consulting company used in the scheme and was also an owner of the predecessor company. Prosecutors further alleged that both men stood to gain millions in milestone payments tied to future sales of the company’s products. Their alleged conduct was directed toward a physician employed by CHU Reims, a French state-owned and state-controlled public university hospital, which the indictment treats as an instrumentality of a foreign government, making the physician a foreign official for FCPA purposes.

That framing matters because it puts this case squarely in the mainstream of modern FCPA enforcement. This is not a suitcase full of cash, slipped across a hotel room table. It is a sales-driven bribery scheme allegedly dressed up as legitimate business activity.

The Charges Brought Against Ferrera and Tilman

The indictment charges both Ferrera and Tilman with six criminal counts and forfeiture allegations.

Count One charges conspiracy to violate the FCPA under 18 U.S.C. § 371. Prosecutors allege that from 2017 through September 2023, the two men conspired to offer, promise, authorize, and route money and things of value to a foreign official to influence decisions, secure an improper advantage, and obtain or retain business.

Counts Two and Three are substantive FCPA charges under 15 U.S.C. § 78dd-2 and aiding and abetting under 18 U.S.C. § 2. These counts are tied to two specific wire transfers: approximately €20,000 on July 30, 2019, and approximately €25,000 on October 28, 2019, each sent from Balt USA’s bank account in the United States to the consulting company’s bank account in Belgium. Prosecutors allege that these payments were made corruptly and in furtherance of bribes to the foreign official.

Count Four charges conspiracy to commit money laundering under 18 U.S.C. § 1956(h). The indictment alleges that Ferrera and Tilman agreed to move funds from the United States to Belgium to promote specified unlawful activity, namely FCPA violations and bribery-related offenses under French law.

Counts Five and Six are substantive international promotional money laundering charges under 18 U.S.C. § 1956(a)(2)(A), again tied to specific wire transfers: approximately €25,000 on January 31, 2020, and approximately €38,500 on April 21, 2020, sent from Balt USA in the United States to the consulting company in Belgium. Prosecutors allege that these transfers were intended to promote the ongoing bribery scheme.

Finally, the indictment includes forfeiture allegations. Upon conviction, prosecutors seek forfeiture of property traceable to FCPA offenses and to money laundering offenses, including a forfeiture money judgment representing the proceeds obtained from the alleged misconduct. That is the charge sheet. But the compliance lessons come from how the scheme allegedly worked.

How the Conduct Was Allegedly Carried Out

The indictment alleges that Ferrera and Tilman used a classic intermediary structure. Balt USA allegedly paid Tilman’s Belgian consulting company through sham consulting agreements, fake invoices, and purported bonus payments, and Tilman then routed the funds onward to the foreign official’s accounts in France. The French order adds that the consultant’s company was used to conceal the relationship with the physician, that the physician’s invoices lacked meaningful detail, and that two false invoices were issued in 2017 and 2018, the second of which was blocked by finance due to irregularities.

The overt acts alleged in the indictment are especially revealing. Prosecutors quote messages about “€€ for our friend,” private email use, and a proposed fake invoice for a “2-day sales and marketing session.” They also quote Tilman, suggesting, “No more fake ‘training courses’” and referring to a new “bonus” as “a CAMOUFLAGE.” The indictment also alleges that Ferrerra approved the arrangement, replying to one email, “That’s acceptable. Please send this to me.”

This is why I always tell compliance professionals that misconduct rarely hides in one dramatic act. It hides in language, process, and paperwork. It hides in euphemisms. It hides in rushed approvals. It hides in consultants whose compensation structure makes no business sense. It hides in payments that look close enough to ordinary commerce to escape attention unless someone asks one more question.

The indictment also alleges direct business leverage. One message attributed to Tilman said that if a Balt finance employee did not wire €25,000 that day, he would tell the foreign official “to stop everything.” If that allegation is true, it is a flashing red light from a compliance perspective. It suggests the payment stream was not peripheral to the sales effort. It was the mechanism by which the business was being maintained.

What Ferrera and Tilman Allegedly Did Wrong

From a compliance standpoint, their alleged actions fall into five familiar categories.

First, they allegedly used an intermediary as a conduit. The consulting company was not merely a vendor risk issue. It was allegedly the vehicle used to transfer funds from the company to the foreign official.

Second, they allegedly papered over bribery with false business justifications. Sham consulting agreements, fake invoices, and disguised bonuses are not accounting defects. They are corruption mechanics.

Third, they allegedly moved communications off-channel. Personal email accounts and encrypted messaging applications appear in the indictment for a reason. Prosecutors routinely treat off-channel communications as evidence of concealment when the surrounding facts support that inference.

Fourth, they allegedly used coded language. “Our friend,” “training,” “bonus,” and “camouflage” are the kinds of words that should prompt any investigator to ask whether business language is being used as cover.

Fifth, they allegedly exploited pressure points in the business model. Because both men allegedly had financial upside tied to future sales, the case also highlights the risk of incentives. The indictment expressly alleges that Ferrerra and Tillman stood to gain millions in milestone payments based on future product sales. That does not prove guilt, but it does tell every CCO where to look when incentives, sales growth, and third-party payments start to overlap.

Five Lessons for Chief Compliance Officers

1. Third-party management must go beyond onboarding.

A consultant with vague deliverables, success-linked compensation, and unusual ties to public hospital physicians is not a low-risk intermediary. CCOs need lifecycle monitoring, not just entry-point due diligence.

2. Controls must test the substance, not the paperwork.

A signed contract and an invoice are not evidence that legitimate services occurred. Finance and compliance need procedures to test whether the service actually occurred, whether the deliverable exists, and whether the compensation aligns with market reality.

3. Off-channel communications are a corruption risk indicator.

If business with public officials or healthcare professionals is being discussed on private email or encrypted apps, that should trigger escalation. The issue is not simply records retention. The issue is concealment risk.

4. Incentive compensation needs a compliance review.

When executives or consultants stand to earn substantial milestone payments tied to sales growth, compliance should assess whether that pressure could distort behavior. Sales incentives and corruption risk are often joined at the hip.

5. Finance needs the authority to stop the line.

The French order notes that one false invoice was blocked due to irregularities identified by finance. That is a reminder that finance can be one of the strongest anti-corruption controls in the company if it is trained, empowered, and protected.

Conclusion

The Balt Declination showed what a company can earn through disclosure, cooperation, and remediation. The Ferrera and Tilman Indictment shows the other side of the equation: how the alleged misconduct was actually executed. Prosecutors describe a bribery scheme hidden behind consultants, invoices, coded language, and wire transfers. For compliance professionals, that is the real value of this case. It reminds us that corruption often looks less like a dramatic criminal enterprise and more like ordinary business processes quietly bent out of shape.

Categories
Compliance Into the Weeds

Compliance into the Weeds: Balt and TradeStation: Lessons for the Compliance Professional

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to explore it more fully. Looking for some hard-hitting insights on compliance? Look no further than Compliance into the Weeds! In this episode of Compliance into the Weeds, Tom Fox and Matt Kelly look at the Declination awarded to Balt SAS and the OFAC enforcement action involving TradeStation. 

First, they review a Corporate Enforcement Policy declination for French medical-equipment company BAL SAS and the company’s U.S. subsidiary after self-disclosing, cooperating and remediating misconduct involving a U.S. subsidiary executive and a Belgian consultant allegedly funneling about $600,000 in bribes to a French public hospital official using sham consulting agreements, invoices, and poor documentation; BAL disgorged about $1.21 million in profit on roughly $1.68 million in revenue and disclosed while its internal investigation was still ongoing, raising timing and high-margin red-flag issues.

Second, they cover OFAC’s $1.1 million settlement with TradeStation for accidentally disabling sanctions-screening controls for nearly a year, enabling hundreds of transactions from Iran, Syria, and Crimea; despite having layered tools on paper, IT changes and lapsed subscriptions undermined those controls, underscoring the need for ongoing monitoring, testing, and auditing.

 Key highlights:

  • Balt FCPA Case
  • Disclosure Timing
  • Profit Margin Red Flags
  • Controls and France Angle
  • TradeStation Overview
  • How Screening Failed
  • Monitoring and Accountability
  • Costs and OFAC Lessons

Resources:

Matt in Radical Compliance

Tom in the FCPA Compliance Report

Tom  

Instagram

Facebook

YouTube

Twitter

LinkedIn

A multi-award-winning podcast, Compliance into the Weeds was most recently honored as one of the Top 25 Regulatory Compliance Podcasts, a Top 10 Business Law Podcast, and a Top 12 Risk Management Podcast. Compliance into the Weeds has been conferred a Davey, a Communicator Award, and a W3 Award, all for podcast excellence.

Categories
Blog

Balt’s DOJ Declination: A Case Study in Why Speed, Cooperation, and Remediation Still Matter

The Justice Department’s first publicly announced resolution under its new Department-wide Corporate Enforcement and Voluntary Self-Disclosure Policy (CEP) offers corporate compliance officers a practical roadmap: disclose early, cooperate fully, remediate credibly, and be prepared to help prosecutors hold individuals accountable.

Some enforcement actions feel like one-off events. Then others operate like a flare shot into the compliance sky. The DOJ Declination involving French medical device company Balt SAS and its US subsidiary Balt USA (collectively ‘Balt) falls squarely into the second category.

Why? Because this was not simply another FCPA matter. It was the first publicly announced corporate resolution under the DOJ’s new CEP, and DOJ clearly meant it to send a message to the market. As the Wiley alert noted, the Balt matter demonstrates the benefits available to companies that voluntarily self-disclose, fully cooperate, and timely remediate, while also reinforcing DOJ’s emphasis on individual accountability. For compliance officers, that makes Balt important far beyond the four corners of the case itself.

What happened at Balt?

According to the Declination, Balt paid approximately $602,000 in bribes from around 2017 to 2023 to a physician who held a senior role at a state-owned public hospital in France to obtain or retain business. The payments were routed through a third-party consultant in Belgium, with fake invoices and purported bonus payments used to conceal the true nature of the transaction. The scheme generated roughly $1.68 million in revenue and approximately $1.214 million in profits for Balt. As Matt Kelly reported in Radical Compliance, the scheme involved all the old FCPA classics: sham consulting arrangements, fake invoices, and off-channel communications. That alone would have made the matter notable. But the more important point is what happened after Balt discovered the misconduct.

DOJ declined prosecution because Balt self-disclosed while its internal investigation was still ongoing; provided full and proactive cooperation; engaged in timely and appropriate remediation, including disciplinary measures and termination of tainted business relationships; and presented no aggravating circumstances sufficient to disqualify it from a Part I declination. DOJ also required Balt to disgorge approximately $1.2 million and noted that the company had entered into a parallel resolution in France that included compliance requirements. This is the template. And compliance officers should study it carefully.

The real lesson: self-disclosure means before you know everything

One of the most significant points in the Balt matter is timing. Balt disclosed the issue during an ongoing internal investigation, which strongly suggests the company came in before every fact had been nailed down.

That matters because many companies still hesitate, hoping to finish the investigation, validate every fact, and package the matter neatly before approaching the OJ. Balt is a reminder that DOJ wants speed and credibility, not perfection. The new policy framework still prizes timely self-disclosure as the clearest route to a declination. Wiley put it plainly: voluntary disclosure still provides the clearest path to that outcome, and delay can preclude eligibility for the most favorable result.

For the Chief Compliance Officer (CCO), this is where judgment, preparation, and governance structure come together. If your escalation protocols are weak, if privilege decisions are muddled, if your triage process is slow, or if your board and senior leadership do not understand the declination calculus, you can lose the timing advantage before the real work even begins. The Balt case is not simply a win for self-disclosure. It is a win for pre-existing readiness for investigation.

Cooperation means more than being polite

The second lesson is equally important. Under the CEP, cooperation is not a vague aspiration. It is an operational requirement. The Wiley analysis emphasized that full cooperation includes identifying all individuals involved in or responsible for the misconduct and providing facts and evidence concerning their conduct.

This is where compliance officers need to understand a hard truth. DOJ is not offering declinations because it has become sentimental, or even because this administration does not believe in the FCPA. It is offering incentives because it wants something in return. And one of the most important things it wants to do is help build cases against culpable individuals.

That is precisely what happened here. DOJ paired Balt’s declination with indictments of two individuals allegedly involved in the bribery scheme. Wiley correctly described the sequencing as no coincidence, but rather a reinforcement of the DOJ’s continuing focus on individual accountability. Kelly made the same point in even more direct terms: from DOJ’s perspective, if a company voluntarily self-discloses, coughs up illicit proceeds, and helps prosecutors hold wrongdoers accountable, the company can receive a declination.

For compliance professionals, this means internal investigations must be designed from the outset with evidentiary rigor. You need documentation discipline. You need clear interview protocols. You need a defensible record of who knew what, who approved what, and how the misconduct moved through the system. A half-hearted review that avoids hard questions about executives, consultants, or favored business relationships will not get you where Balt got.

Remediation is not a slide deck

The third lesson is on remediation. Too many organizations still treat remediation as presentation theater. They produce a deck, revise a policy, hold a training session, and call it transformation. The DOJ is looking for something more concrete. In the Balt Declination, remediation included disciplinary action against relevant individuals, termination of business relationships that gave rise to the misconduct, tailored compliance training for senior management, and improvements to the compliance program and internal controls. That list is worth lingering over. The DOJ did not only want a promise. It wanted decisions. It wanted changed relationships. It wanted management-specific training. It wanted better controls.

This is a point I have been making for 15 years. A compliance program is not judged by what sits in the binder; it is judged by what the company does when the pressure hits. Balt has shown DOJ that when misconduct surfaced, the company acted. That is the difference between a paper program and a living program.

For CCOs, the action item is straightforward. Build remediation plans that can be demonstrated, measured, and explained. Who was disciplined? Which third party was terminated? What internal control was changed? How was senior management retrained? What monitoring now exists that did not exist before? If you cannot answer those questions in concrete terms, you are not remediating. You are narrating.

The shadow issue: aggravating circumstances

There is another important dimension here. Balt qualified for a Part I declination, in part, because DOJ found no aggravating circumstances. But as Wiley noted, that assessment can be highly fact-dependent and may not be obvious in the early stages of an internal investigation. The line between Part I and Part II can, in practice, be subjective and outcome-determinative.

That is a crucial warning for compliance officers. Balt should not be read as a guarantee. It should be read as an incentive structure. Companies must still assess whether the misconduct is egregious or pervasive, whether senior management is implicated, whether the harm is severe, and whether the organization has a recidivist history. Those factors can dramatically change the result. So the compliance officer’s job is not to assume declination. The job is to gather facts rapidly, surface aggravating factors honestly, and help leadership make a disciplined disclosure decision.

The new DOJ Declination policy offers more clarity than many companies had before. But it does not eliminate judgment. It raises the premium on disciplined judgment.

Five Key Takeaways for Chief Compliance Officers

  1. Build a rapid disclosure protocol now. Balt’s outcome underscores that early self-disclosure, even during an ongoing investigation, can be decisive. Delay can cost you the best available resolution.
  2. Design investigations to identify individuals from day one. The DOJ expects cooperation to include facts about responsible individuals, not just corporate-level summaries.
  3. Make remediation provable. Discipline wrongdoers, terminate tainted relationships, retrain management, and strengthen controls in ways you can document and explain.
  4. Assess aggravating factors early and honestly. The Part I versus Part II distinction may turn on pervasiveness, seriousness, harm, and recidivism. Do not assume a declination path without a hard-eyed assessment of the facts.
  5. Train leadership that declinations are earned, not granted. Balt is a roadmap, not a safe harbor. The organizations that benefit will be the ones prepared to act with speed, rigor, and credibility.

What Balt means for the compliance profession

The Balt Declination is a policy statement in the form of a case. The DOJ is telling companies: we will reward timely self-disclosure, meaningful cooperation, and real remediation. But we will also pursue individuals. That combination is not new in spirit, but it is now being presented with renewed clarity under the new CEP. For corporate compliance officers, the message is not to wait for an issue and hope for good instincts in the moment. The message is to prepare now.

You need escalation protocols that move fast. You need investigation readiness. You need decision trees for voluntary disclosure. You need board education on what DOJ is rewarding and why. And you need remediation mechanisms that produce evidence, not adjectives.

Balt did not receive a Declination because the misconduct was trivial. It received a Declination because, once the misconduct came to light, the company appears to have done the things the DOJ has been asking companies to do for years. That is the real lesson.

In 2026, compliance officers should read the Balt matter not as an outlier, but as a stress test. If your company found a credible FCPA issue tomorrow, could you move quickly enough, investigate thoroughly enough, cooperate meaningfully enough, and remediate credibly enough to make a Balt-style pitch to DOJ?

That is the question. And the answer should shape your compliance program today.

Categories
Daily Compliance News

Daily Compliance News: March 17, 2026, Is the DOJ Corrupt? Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the Daily Compliance News. All, from the Compliance Podcast Network. Each day, we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest for the compliance professional.

Top stories include:

  • Cyber hacks and Iran. (WSJ)
  • Madagascar’s ABC chief appointed PM. (DM.COM)
  • BoA settles Epstein victims’ lawsuit. (FT)
  • Was there corruption involved in the Live Nation settlement? (BIG)
Categories
Daily Compliance News

Daily Compliance News: March 16, 2026, The Fighting Corruption ‘Not Worth It’ Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the Daily Compliance News. All, from the Compliance Podcast Network. Each day, we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest for the compliance professional.

Top stories include:

  • Rapper who fought corruption set to become Nepal’s PM. (CNN)
  • EDNY says fighting the appeal of the FIFA corruption case is not worth the resources. (Reuters)
  • UBS settles long-running whistleblower case. (Reuters)
  • Judge questions DOJ’s decision to drop Halkbank AML case. (Bloomberg)
Categories
FCPA Compliance Report

FCPA Compliance Report: SDNY’s New Policy on Declinations

In this episode, Tom Fox welcomes back Hughes Hubbard partner Mike DeBernardis to discuss the Southern District of New York’s new corporate enforcement voluntary self-disclosure program for financial crimes and why SDNY leadership, including Jay Clayton, likely issued it: to encourage self-disclosure that saves enforcement resources and supports DOJ’s focus on individual accountability.

They compare the policy to the (former) DOJ’s Corporate Enforcement Policy, highlighting notable distinctions such as SDNY’s narrower scope (financial/market integrity offenses) and a revised approach to aggravating factors that excludes common CEP considerations like seriousness, pervasiveness, and senior management involvement, while carving out categories including foreign bribery and sanctions evasion, potentially reducing forum shopping. They also examine a “conditional declination” within two to three weeks, its implications for investigation speed and timeliness, and added pressure from whistleblower programs and compressed internal triage timelines.

Key highlights:

  • Why SDNY Issued It
  • SDNY Significance
  • Aggravating Factors Shift
  • Does It Move Needle
  • Conditional Declination Speed
  • Whistleblowers and Pressure

Resources:

 Hughes Hubbard and Reed

Mike DeBernardis on LinkedIn

Tom Fox

Instagram

Facebook

YouTube

Twitter

LinkedIn

For more information on the use of AI in Compliance programs, my new book, Upping Your Game, is available. You can purchase a copy of the book on Amazon.com

Categories
2 Gurus Talk Compliance

2 Gurus Talk Compliance – Episode 72 – The Kristy in London Edition

What happens when two top compliance commentators get together? They talk compliance, of course. Join Tom Fox and Kristy Grant-Hart in 2 Gurus Talk Compliance as they discuss the latest compliance issues in this week’s episode!

Stories this week include:

  • What did the FCPA pause do? (JustSecurity)
  • Wells Fargo is free from the Consent Order. (WSJ)
  • Senator flags White House corruption for betting markets. (Decrypt)
  • A DOJ lawyer quit before the hearing on the use of false AI-generated cases. (Bloomberg-Law)
  • DOJ wants authority over state bar discipline. (NYT)
  • Discussion: SCCE Europe Keynote
  • Target’s ICE Arrests Expose the Gap Between Legal Compliance & Duty of Care – Corporate Compliance Insights
  • Dems Propose ‘FCPA Reinforcement Act’ – Radical Compliance
  • International agents take down major site where criminals traded stolen corporate info – Compliance Week
  • Woman Dressed In Hot Dog Costume Busted For Toilet Paper Caper – The Smoking Gun

 Resources:

Kristy Grant-Hart on LinkedIn

Prove Your Worth

Tom

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
Daily Compliance News

Daily Compliance News: March 13, 2026, The Unfair Trade Practices Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the Daily Compliance News. All, from the Compliance Podcast Network. Each day, we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest for the compliance professional.

Top stories include:

  • Trump Administration says tariff refunds ‘will take years”. (NYT)
  • Anthropic has a strong case against the ‘Supply Chain Risk’ listing. (Reuters)
  • Collapse of the DOJ white-collar prosecution practice. (BloombergLaw)
  • Trump Administration to investigate Section 301 UTPs. (WSJ)