
DOJ’s White-Collar Enforcement Plan: Galeotti Memo on Focus, Fairness, and Efficiency

Matthew R. Galeotti, Head of the Criminal Division at the U.S. Department of Justice (DOJ), recently delivered a speech at SIFMA’s Anti-Money Laundering and Financial Crimes Conference. Contemporaneously, the DOJ issued a Memo (the Memo) entitled Focus, Fairness, and Efficiency in the Fight Against White-Collar Crime. Today, I want to explore the key insights and crucial issues for compliance professionals in the Memo.

The Memo marks a turning point in the enforcement landscape, emphasizing a trio of principles: focus, fairness, and efficiency. For compliance professionals, these adjustments represent more than mere policy shifts; they outline clear and practical pathways that demand immediate attention and strategic integration into compliance frameworks.

Focus, Fairness, and Efficiency

The Memo states that the DOJ’s core mission is delivering justice, upholding the rule of law, safeguarding the public, and championing victims’ rights. Within the Criminal Division, this mission translates into proactive efforts aimed at dismantling dangerous criminal entities, such as cartels and transnational criminal organizations (TCOs), disrupting human trafficking networks, combating fentanyl and other illicit drug flows, and prosecuting violent offenders and child predators. This is a way of saying that this Administration’s enforcement priorities have changed.

White-collar crime is identified as a critical threat that significantly impacts American citizens and the national economy. Uncontrolled fraud within government programs and markets harms taxpayers, weakens public resources, and undermines national security by facilitating illicit financial activities, including money laundering and sanctions evasion. However, the DOJ believes that overly aggressive enforcement practices can inadvertently damage legitimate businesses, stifle innovation, and punish legitimate risk-taking.

To navigate this complexity, the DOJ’s Criminal Division emphasizes what it characterizes as a balanced enforcement approach grounded in three key principles: focus, fairness, and efficiency. “Focus” entails directing investigative resources towards crimes of greatest national impact, avoiding unnecessary distractions. “Fairness” involves prosecuting individual offenders primarily, ensuring corporate entities are penalized appropriately without excessive burden for isolated misconduct. “Efficiency” calls for streamlined investigations and appropriate, narrowly tailored interventions. Through these guiding tenets, the Criminal Division seeks to effectively tackle serious crimes, protect public interests, and support the vitality and innovation of American enterprise.

Harms Caused by White Collar Crime

White-collar crime presents a significant threat to American society, the economy, and national security. Dishonest actors frequently exploit taxpayer-funded government programs through rampant healthcare, procurement, and defense spending fraud, diverting essential resources intended for vulnerable populations. These abuses weaken government efficacy and impose unjust financial burdens on taxpayers. Additionally, complex investment schemes, including Ponzi operations and elder fraud, target individual investors, stripping them of their financial security and eroding market trust.

Exploiting monetary systems, particularly through digital asset fraud, hampers economic innovation and growth. Likewise, trade and customs fraud, including tariff evasion, negatively impacts domestic competitiveness and undermines the Administration’s efforts to bolster job creation and investment within the U.S. Financial institutions and shadow banks facilitate serious international crime, including sanctions evasion and money laundering, thus directly supporting transnational criminal enterprises and increasing threats to national security. Specifically, Chinese-affiliated companies (Variable Interest Entities, or VIEs) listed on U.S. exchanges have been highlighted for their potential to commit fraud and manipulate markets, putting American investors at significant financial risk.

Sophisticated money laundering schemes further facilitate cross-border crime, allowing criminal organizations to conceal illicit funds and sustain criminal enterprises, including drug trafficking operations that introduce harmful substances like fentanyl to American shores. Furthermore, foreign terrorist groups depend significantly on financial networks and corporate complicity to fund and execute terror activities against U.S. citizens domestically and abroad. Therefore, businesses and financial institutions aiding such organizations severely compromise American lives and national security. Addressing these severe issues, the Criminal Division is intensifying efforts to prosecute these offenses vigorously, prioritizing cases that uphold American economic and national security interests.

Prioritization and Policy Changes

The Criminal Division has updated its enforcement priorities and policies, targeting specific high-impact white-collar crime areas crucial to safeguarding U.S. interests. Priority enforcement categories include fraud against government programs such as healthcare, procurement fraud harming public resources, and trade and customs fraud, like tariff evasion. The Criminal Division will actively prosecute complex financial crimes, including securities fraud, market manipulations, elder fraud, and schemes targeting individual investors and consumers. Additional focus areas encompass activities threatening national security, such as sanctions violations by financial institutions, material support by corporations to foreign terrorist organizations, complex money laundering operations, and violations related to illegal drug manufacturing and distribution.

Furthermore, bribery and associated money laundering activities that harm U.S. competitiveness or security are prioritized, alongside digital asset-related crimes victimizing investors or facilitating significant criminal activities. Prosecutors will prioritize identifying and seizing crime-related assets to reinforce these efforts, emphasizing accountability for senior-level perpetrators or those obstructing justice. Enhancements to the Corporate Whistleblower Awards Pilot Program also underscore this refined approach, adding incentives for reporting violations involving international criminal organizations, terrorism support, immigration breaches, sanctions offenses, and trade fraud. These targeted measures aim to enhance investigative effectiveness, promote fairness, and streamline DOJ’s enforcement efforts.

Fairness in Prosecutions

The Criminal Division’s Corporate Enforcement and Voluntary Self-Disclosure Policy (CEP) has emphasized transparency, cooperation, and remediation, significantly enhancing efforts to hold individual offenders accountable while rewarding responsible corporate citizens. Recognizing that individual actors, whether executives, officers, or employees, often commit white-collar crimes at the expense of investors, employees, and consumers, the Criminal Division focuses intensely on prosecuting these specific wrongdoers. Notably, federal prosecution isn’t always necessary for corporate misconduct; alternative remedies like civil or administrative actions may better address less severe infractions, provided the companies demonstrate sincere cooperation and effective remediation.

Prosecutors evaluate multiple factors when determining corporate charges, including timely self-disclosure, cooperation level, and the comprehensiveness of remedial actions. Recent updates to the CEP further simplify its guidelines, making pathways for potential declinations and fine reductions clearer for corporations. These refinements offer maximal transparency, allowing corporations to make informed decisions about proactively addressing misconduct.

The Criminal Division also reviews existing corporate agreements, potentially shortening their terms based on compliance maturity, reduced risk profiles, and proactive self-reporting. Future corporate resolutions will typically cap terms at three years unless exceptional circumstances dictate otherwise. Regular assessments will determine whether agreements warrant early termination, enhancing fairness and practicality in corporate enforcement.

Efficiency Through Streamlined Investigations

The DOJ’s revised approach emphasizes efficiency and clarity in investigating and prosecuting white-collar crimes, recognizing that lengthy and intrusive federal investigations can unnecessarily burden innocent stakeholders and significantly disrupt normal business operations. Complex white-collar schemes often span borders and involve extensive evidence, causing investigations to stretch for years. However, the DOJ now mandates prosecutors to expedite these investigations, swiftly conclude inquiries, and promptly make charging decisions. This renewed urgency ensures that justice is served quickly, limiting collateral damage to uninvolved entities and reducing reputational harm.

Additionally, the DOJ addresses the use of independent compliance monitors, recognizing that monitorships should only be imposed when necessary, specifically when internal company mechanisms alone are insufficient to prevent misconduct recurrence. To further efficiency, monitorships must be narrowly tailored, carefully scoped to address the specific misconduct risks, and designed to minimize financial costs and operational disruptions for companies.

The Criminal Division has implemented a new monitor selection Memo clarifying the criteria prosecutors must consider when determining the necessity of a monitor and how to limit their mandates appropriately. Furthermore, the DOJ is actively reviewing existing monitorships to individually assess their ongoing necessity, ensuring alignment with the principles of efficiency and minimal interference. Compliance professionals should thus prioritize developing robust internal compliance programs, mitigating the need for external monitors, and preparing for swift, efficient cooperation with any DOJ inquiries.

The Galeotti Memo emphasized a renewed commitment to focus, fairness, and efficiency in white-collar crime enforcement. The Memo underscores the critical need to precisely target high-impact criminal activities, including healthcare fraud, securities manipulation, customs violations, and digital asset crimes. The DOJ aims to protect American interests by clearly defining enforcement priorities while minimizing unnecessary business disruptions.

The DOJ’s revised Corporate Enforcement and Voluntary Self-Disclosure Policy (CEP) reflects a balanced approach that prioritizes prosecuting individual wrongdoers over punishing entire corporations for isolated misconduct. Companies are encouraged toward transparency and proactive self-disclosure, incentivized through more straightforward guidelines, reduced penalties, and potentially shorter oversight durations.

Furthermore, the DOJ stresses the importance of streamlined, efficient investigations that conclude cases promptly and limit collateral damage to innocent parties. Independent compliance monitorships are now restricted to essential circumstances and narrowly tailored to specific compliance needs, minimizing cost and operational interference.

The DOJ’s strategic shifts represent a more cooperative and transparent enforcement regime, fostering improved corporate compliance, accountability, and integrity within American enterprises.

Join us tomorrow when we take a deep dive into the Revised CEP.


Daily Compliance News: May 19, 2025, The Definition of Corruption Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the Daily Compliance News—all from the Compliance Podcast Network. Each day, we consider four stories from the business world: compliance, ethics, risk management, leadership, or general interest for the compliance professional.

Top stories include:


A New Era of White-Collar Enforcement

Matthew R. Galeotti, Head of the Criminal Division at the U.S. Department of Justice (DOJ), recently delivered a speech at SIFMA’s Anti-Money Laundering and Financial Crimes Conference. Galeotti outlined crucial changes in the DOJ’s approach to corporate enforcement. For compliance professionals, it was the first major speech by a DOJ representative touching on issues important to the corporate compliance community. It represents a paradigm shift that requires immediate attention, reflection, and strategic recalibration.

As compliance professionals, our mission goes beyond merely ensuring adherence to rules and regulations; it is about aligning ethical conduct with business excellence. Galeotti’s remarks clearly state that the DOJ recognizes compliance teams as indispensable allies in maintaining integrity and national security. Today, I want to explore the key insights and crucial lessons learned from Galeotti’s landmark address for compliance professionals.

Proactivity in Self-Disclosure is Paramount

The Criminal Division’s revised Corporate Enforcement and Voluntary Self-Disclosure Policy (CEP) underscores a clear incentive structure. Companies that voluntarily self-disclose, fully cooperate, timely remediate, and demonstrate no aggravating circumstances will not merely be presumed eligible but will definitively qualify for a declination. As Galeotti emphasized, “Self-disclosure is key to receiving the most generous benefits the Criminal Division can offer.”

The days of companies hesitating to self-disclose due to uncertainty about consequences are (hopefully) numbered. Compliance programs must prioritize internal monitoring and foster a culture where issues surface rapidly, are transparently addressed, and are communicated proactively to authorities. The DOJ now promises more certainty, with the carrot being a declination, not ambiguity. For compliance teams, the action is clear: establish robust internal reporting mechanisms and ensure swift escalation processes.

DOJ Clarifies Incentives for Partial or Late Disclosures

The revised policy also addresses a longstanding area of anxiety. What happens when a company comes forward after the DOJ has initiated an inquiry or self-discloses late? Galeotti clarified that even companies that disclose “not quickly enough” are eligible for significant benefits, including a Non-Prosecution Agreement (NPA) of fewer than three years, up to a 75% fine reduction, and no monitor requirement.

Compliance professionals should seize this clarity to advocate internally for transparency, even if belated. Organizations must understand that delayed disclosure still carries significant benefits compared to complete silence. This new clarity enhances the compliance professional’s ability to negotiate internally, ensuring corporate leaders understand the tangible benefits of transparency, even under challenging circumstances.

Expect a Narrower and More Focused DOJ Enforcement

Galeotti explicitly stated his intent to shift the Criminal Division’s focus to the Administration’s enforcement priorities: schemes that harm individual Americans, defraud government programs, and exploit financial systems to facilitate international crime. The DOJ now pledges to target resources precisely rather than spreading them thin through overly broad or protracted investigations. Galeotti succinctly encapsulated the rationale: “Excessive enforcement and unfocused corporate investigations stymie innovation, limit prosperity, and reduce efficiency.”

This presents an opportunity for compliance programs to fine-tune their internal risk assessments and investigative frameworks. Compliance professionals must ensure internal investigative resources are equally precise and strategic, aligning clearly with the DOJ’s focus areas. In short, avoid distraction; concentrate your vigilance on risks that matter most to regulators.

Reconsideration of Corporate Monitorships

One of the most consequential announcements is the reconsideration of the DOJ’s policy on corporate monitorships. Galeotti recognized that monitors can sometimes impose excessive financial and operational costs. Going forward, monitorships will be narrower in scope, tightly tailored, and deployed selectively only when benefits outweigh costs.

This is welcome news for compliance professionals, as corporate monitorship can be an unpleasant experience for a corporation and a compliance function. This change empowers compliance teams to advocate for internal investment in compliance improvements over external oversight. Compliance leaders should proactively develop internally led remediation and monitoring plans to demonstrate to regulators that the company has comprehensive capabilities to ensure compliance without burdensome external monitoring.

However, when a monitor is necessary, compliance professionals now have clear factors to prepare for DOJ review, including the severity of the underlying conduct, existing regulatory oversight, efficacy and maturity of compliance programs, and a demonstrated culture of compliance. Companies must document continuous improvement efforts clearly and transparently, making a strong case that external monitoring is redundant.

Corporate Whistleblower Programs Elevated in Importance

Lastly, Galeotti underscored the DOJ’s expanded whistleblower program, adding specific priority areas for whistleblower tips, including procurement fraud, trade and tariff violations, immigration violations, and sanction violations supporting terrorist groups or transnational criminal organizations.

The clear lesson here is the criticality of robust internal whistleblower programs. Compliance professionals must champion strong, accessible, secure, and confidential internal whistleblower policies to encourage employees to report concerns internally first. Organizations that fail to nurture internal reporting channels may receive external regulator attention first. Whistleblower programs should no longer be viewed solely as legal necessities; they must be strategic initiatives central to corporate integrity and national security.

A Call to Action for Compliance Professionals

Galeotti’s address represents a clear change in the DOJ’s approach. Compliance professionals have long desired a regulatory environment that rewards proactive transparency and practical self-governance, and the DOJ now offers this.

However, clarity and pragmatism from the DOJ require reciprocal clarity and pragmatism within corporate compliance programs. Compliance leaders must leverage these new DOJ policies to advocate internally for stronger compliance investments, clearer internal communication channels, and faster reporting protocols.

The DOJ’s message to compliance professionals is clear: You are our frontline partners in protecting integrity and national security. Self-reporting, effective remediation, and robust internal compliance structures will not merely shield your company from punitive enforcement; they represent pathways to tangible benefits and increased corporate resilience.

As compliance evangelists, we must seize this moment. Strengthen your internal mechanisms, streamline your reporting protocols, and reaffirm to your organizations that compliance excellence is not merely defensive but strategically beneficial.

Matthew Galeotti’s remarks provide the road map; it is incumbent on the compliance community to lead the way forward.

We will explore the attendant policy releases announced with the publication of Galeotti’s speech. Over the remainder of the week, we will consider the following:

  • CRM White Collar Enforcement Plan
  • Revised CEP
  • CRM Monitor Memo


10 For 10: Top Compliance Stories For the Week Ending May 17, 2025

Welcome to 10 For 10, the podcast that brings you the week’s Top 10 compliance stories in one podcast each week. Tom Fox, the Voice of Compliance, brings you, the compliance professional, the compliance stories you need to be aware of to end your busy week. Sit back, and in 10 minutes hear about the stories every compliance professional should be aware of from the prior week. Every Saturday, 10 For 10 highlights the most important news, insights, and analysis for the compliance professional, all curated by the Voice of Compliance, Tom Fox. Get your weekly fill of compliance stories with 10 For 10, a podcast produced by the Compliance Podcast Network.

  • The $100K in cash deposit. (WSJ)
  • Broader DOJ whistleblower program announced. (WSJ)
  • Google faces massive antitrust lawsuit in Italy. (WSJ)
  • Apple says punishment for its illegal acts unfair. (BBC)
  • Insurance cover for chatbot-based losses. (FT)
  • Adani tries to settle corruption case. (Bloomberg)
  • Is the gift of a jet plane corruption? (NYT)
  • Will SEC overturn bans and suspensions? (Reuters)
  • GOP wants to ban state regulation of AI. (Bloomberg)
  • What is risk paralysis? (FT)

You can check out the Daily Compliance News for four curated compliance and ethics-related stories each day.


You can purchase a copy of my new book, Upping Your Game, on Amazon.com


2 Gurus Talk Compliance – Episode 52 – The Big Jet Plane Edition

What happens when two top compliance commentators get together? They talk compliance, of course. Join Tom Fox and Kristy Grant-Hart in 2 Gurus Talk Compliance as they discuss the latest compliance issues in this week’s episode!

Stories this week include:

  • Trump closes tariff loophole on cheap online goods from China (MSN)
  • If A.I. Systems Become Conscious, Should They Have Rights? (NYT)
  • Sarah Hadden & Corporate Compliance Insights: “Failure was always a possibility. It just wasn’t an option.” (Ideas & Answers)
  • ‘Everybody’s Replaceable’: The New Ways Bosses Talk About Workers (WSJ)
  • Florida man casually offers officer a vodka spritzer during police chase, officials say (Fox 35 Orlando)
  • The Board’s role in ransomware planning. (Harvard Law School Forum on Corporate Governance)
  • DOJ National Security Division issued a Declination. (Crime, Corruption and Compliance)
  • Based on whistleblower tips, UBS will pay $511MM for Credit Suisse’s failure to live up to DPA. (ComplianceWeek)
  • Malaysia wants Tim Leissner. (WSJ)
  • What is risk paralysis? (FT)

Resources:

Kristy Grant-Hart on LinkedIn

Prove Your Worth



Preparing for the New Data Security Program, Part 2

Yesterday, I began a two-part blog post on preparing to respond to the Department of Justice’s (DOJ) new Data Security Program (DSP), which was released on April 8, 2025. Today, I want to conclude this series by reviewing additional key actions you can take now to prepare for the full effective date of October 6, 2025.

  • Set up internal processes for training, audit, and reporting.

The DSP does not just ask for policies; it demands proof of implementation. Your organization must build internal compliance muscle around training, auditing, and reporting specific to DSP obligations. Start with training. Who needs to know what? Procurement teams must understand vendor screening protocols. IT and security teams must recognize DSP risk categories. Legal must know the redlines on cross-border data sharing. Executives must understand their certification responsibilities. Everyone must grasp the stakes: violations carry real-world consequences, including civil penalties and criminal charges.

Next comes auditing. You must create audit plans that review DSP compliance across your entire data lifecycle: collection, storage, access, processing, sharing, and deletion. These audits should be independent, recurring, and specific to your Data Compliance Program. And don’t forget: if you engage in restricted transactions, you must conduct an audit and submit an annual compliance certification. This is not optional; mandatory compliance activity is baked into the regulation.

Lastly, establish internal reporting mechanisms. That includes hotlines or portals for employees to report suspected violations and internal systems for escalating rejected transactions to compliance or legal. DSP requires you to report known or suspected breaches within 14 days. This is not a theoretical SLA; failing to meet the timeline is a compliance failure. Build templates, designate responsible officers, and track every report. If your whistleblower program is not integrated with your data governance team, you are already behind the proverbial 8-ball.

Think of this as building a new compliance pillar, just like you did for FCPA or anti-money laundering. It’s not about reinventing the wheel but about embedding DSP-specific requirements into the systems, teams, and culture you already rely on.

  • Engage your board and C-suite on DSP requirements. This is national security compliance, not just privacy.

One of the most underappreciated risks in corporate compliance today is the leadership’s assumption that DSP is just an extension of privacy laws. It is decidedly not. This is national security compliance. And that means the board and C-suite must be informed and actively engaged.

Start by educating the board on how the DSP aligns with existing fiduciary duties and oversight obligations. Directors must understand that data exposure to hostile foreign powers could result in enforcement actions, reputational damage, shareholder litigation, and, in some sectors, revocation of government contracts. For public companies, this could rise to the level of a material disclosure risk.

The C-suite also has new legal responsibilities. Senior officers must sign off on DSP compliance certifications, ensure audits are conducted, and provide adequate resources for risk management. That means CEOs, GCs, and CFOs are personally accountable for implementation, and their failure to act could aggravate an enforcement action. Bring DSP compliance into board audit committee agendas. Create executive-level working groups that include the CISO, Chief Privacy Officer, General Counsel, and Chief Compliance Officer. Produce quarterly dashboards showing compliance metrics, known or suspected violations, audit results, and third-party risk assessments.

Do not make the mistake of treating this like another privacy briefing. Treat it like an FCPA or sanctions discussion, with risk maps, case studies, DOJ priorities, and benchmark expectations, because this is not about theoretical data misuse. It’s about preventing hostile state actors’ strategic exploitation of American data. And that is a matter of national urgency. If your board does not understand this message, it is up to compliance to evangelize the message before regulators do it for you.

  • Start building your Data Compliance Program today—October 6, 2025, is not as far off as it seems.

October 6, 2025, may feel like a future problem, but let me assure you that the future is already knocking at your door. The DOJ has given us a roadmap and a runway. What you do with that time will define your compliance posture for years. Don’t treat the DSP as a regulatory cliff. Treat it as a strategic build.

Begin by appointing a DSP compliance lead with data governance and regulatory experience. Next, map your data flows, classify your datasets, and identify your exposure to restricted or prohibited transactions. Use that information to build a risk profile. That’s your foundation.

Then, develop your Data Compliance Program. Create written policies for due diligence, vendor screening, internal reporting, and audit procedures. Set up governance structures, designate accountable officers, and prepare for annual certifications. Do not wait until Q3 to scramble; start embedding controls into your existing compliance infrastructure now.

Use this runway to build muscle memory: conduct tabletop exercises, test your reporting protocols, and audit your readiness. Engage your business units with training, mock scenarios, and real-life case studies. The goal is not just compliance; it is about cultural adoption. You’ve already failed if your people see this as a box-checking exercise. The organizations that will thrive under DSP are the ones that treat this not as a regulatory burden but as an opportunity to lead. Because let’s face it: national security compliance is the new frontier. And October 6, 2025, won’t end this journey. It’s the beginning.

The DSP marks a seismic shift for compliance professionals in the era of data as a national security asset. This is not just another privacy framework but a national security regulation with teeth. U.S. companies must now treat data governance the way they’ve treated anti-bribery compliance or export controls: with rigor, documentation, and executive oversight. That starts with reviewing and aligning privacy policies to DSP-defined risk categories, especially around government-related and bulk-sensitive personal data.

Vendor agreements must be audited for exposure to covered persons or countries of concern and updated with enforceable clauses to prevent prohibited data transfers. Organizations must also build robust internal training, auditing, and reporting systems, with mandatory 14-day reporting windows for violations. Most critically, boards and C-suites must be actively engaged, because this is national security compliance, not just IT hygiene. The clock is ticking, with full enforcement kicking in on October 6, 2025. Compliance professionals have a unique opportunity to lead from the front, building a proactive, risk-based Data Compliance Program that integrates DSP mandates into business operations before DOJ examiners come knocking. The message is clear: Know your data. Know your risks.

Finally, take action before your inaction becomes your liability.


Preparing for the New Data Security Program, Part 1

Yesterday, I introduced the Department of Justice’s (DOJ) new Data Security Program (DSP), which was released on April 8, 2025, and implemented under Executive Order 14117. Today, I want to begin reviewing key actions you can take now to prepare for the full effective date of October 6, 2025. We will complete our review of the key steps tomorrow.

1. Review your current data governance and privacy policies—align them with DSP risk categories.

Data governance is no longer just about classification and access rights; it’s now a frontline national security function. The DSP requires fundamentally rethinking how organizations define, inventory, and control sensitive data. Compliance officers must start with a forensic review of current data governance frameworks: What data are you collecting? Who touches it? Where does it live? Who can access it, and how is it transferred internally and externally? Once mapped, each dataset must be examined through the DSP lens: Is it government-related? Does it contain bulk sensitive personal data? Is it linked to current or former U.S. government personnel? These are not simply IT questions. These are compliance questions with profound legal implications.

Next, organizations must evaluate their privacy policies for blind spots. Many policies were written for GDPR or CCPA, not for adversarial data exfiltration by foreign intelligence services. If your data policies are not risk-aligned to DSP categories, such as data brokered to third parties or aggregated in ways that make re-identification likely, you are flying blind in a regulatory minefield. This isn’t a call for a quick redline but for a strategic overhaul of how you structure data controls, policies, and risk frameworks. Collaborate with your CISO, but lead with your compliance hat on. The DOJ is not asking for IT security alone; it is demanding accountable, auditable compliance with national security-grade rigor. Treat this like an FCPA compliance program: document everything, know your risk vectors, and escalate anomalies. The age of “data policy as an afterthought” is over. In the DSP era, data is not just a privacy concern but a geopolitical flashpoint.

2. Audit your third-party vendor agreements for exposure to covered persons or countries of concern.

Third-party risk just got geopolitical. Under the DSP, vendor due diligence has become a national security obligation. You must now screen not only for performance and financial viability but also for whether any foreign vendor, subcontractor, or partner is a “covered person” or tied to a country of concern like China, Russia, Iran, North Korea, Venezuela, or Cuba. Even indirect ownership or residency triggers a compliance obligation. That friendly cloud storage provider with a branch in Shenzhen? That IT support firm subcontracting code maintenance to Belarus? They may now be regulatory liabilities under the DSP.

Start with a comprehensive audit of all current vendor agreements, focusing on data-sharing terms, sub-licensing permissions, and geographic exposure. Can the vendor access, process, or host government-related or bulk-sensitive personal data? If so, is there a clause prohibiting onward transfer to covered persons or countries of concern? If not, you’re potentially out of compliance. You may need to renegotiate or terminate contracts that create risks you can’t control. Relying on “we didn’t know” is insufficient, as the DSP holds U.S. persons accountable for failing to implement reasonable and proportionate due diligence.

Also, consider implementing a DSP-specific screening protocol that goes beyond sanctions and AML lists and includes the DOJ’s Covered Persons List. Integrate this into your vendor onboarding, renewal, and periodic review processes. Remember, under the DSP, even inadvertent exposure can constitute a violation. That means it’s no longer enough to run a vendor through OFAC and call it a day. You need a national security screening lens. Compliance must lead this effort, not procurement, legal, or IT. If a vendor relationship enables DSP-prohibited access, the legal liability will land squarely on your doorstep.

3. Draft contractual clauses that prohibit data resale or access by covered entities.

The DSP has thrown a wrench into how we think about contract drafting. Referencing generic data use terms or standard confidentiality clauses is no longer sufficient. You’re exposed if your contracts do not explicitly prohibit the onward sale or transfer of covered data to countries of concern or covered persons. Under the DSP, exposure is not simply reputational but both civil and criminal.

Compliance teams should immediately collaborate with legal and procurement to update all relevant agreements. That includes data-sharing contracts, licensing, cloud service agreements, vendor onboarding templates, and M&A data room protocols. Insert clauses prohibiting foreign counterparties from transferring sensitive personal or government-related data to any covered person or country of concern. Go further: mandate that they notify you of any suspected breach and certify compliance annually.

Do not stop at language insertion. Require enforceability mechanisms, termination clauses, indemnification provisions, and audit rights. The DOJ clarified that including boilerplate language will not shield you from enforcement. You may have committed a prohibited transaction if you knew or should have known that a foreign vendor resold data to a hostile actor. Even the best legalese won’t save you without operational controls to back it up.

Consider maintaining a DSP Clause Library, a set of pre-approved terms for use across contracts by legal and compliance staff. Train your contract managers on red flags. Build escalation protocols when counterparties push back. And do not forget to update your templates as the DOJ issues more guidance. In short, think of DSP compliance clauses the way you would anti-corruption reps and warranties in an FCPA context: a first line of defense, but only effective when part of a broader compliance architecture.

The Department of Justice’s new Data Security Program, effective October 6, 2025, is a game-changer for corporate compliance. It redefines data governance as a national security obligation, requiring companies to align privacy policies with DSP risk categories and scrutinize third-party vendors for ties to covered persons or countries of concern. Compliance professionals must proactively draft enforceable contracts, build auditable training and reporting systems, and educate C-suites and boards that DSP is not “just privacy”; rather, it is national security compliance. With the clock ticking, the time to act is now. Join us tomorrow for Part 2, where we continue the roadmap to DSP readiness.

Data Defense is the New Compliance: What the Data Security Program Means for Compliance

In an age where data is the new oil, the Department of Justice (DOJ) has dropped a regulatory hammer with the Data Security Program (DSP), which was released on April 8, 2025, and implemented under Executive Order 14117. If you are a corporate compliance officer, this is not simply another acronym to file away; it is a full-blown mandate to build a risk-based compliance infrastructure that treats data the way we’ve historically treated cash: something precious, something dangerous, and something that foreign adversaries are actively trying to exploit. The DSP marks a critical shift in how compliance professionals think about national security, not as the purview of spooks and diplomats but as a living, breathing component of your organization’s third-party risk, data governance, and vendor oversight programs. Equally interesting, the Trump Administration builds, with zero fanfare, on the building blocks put in place by the Biden Administration.

DSP Is More Than an IT Issue

The DOJ is not aiming only at your Chief Information Officer (CIO); it is looking squarely at you, the compliance professional. The new rules require U.S. persons (which includes individuals and corporations) to proactively monitor, restrict, and, when necessary, report data transactions that could expose U.S. Government-related or bulk sensitive personal data to adversarial foreign actors. These rules are about compliance and accountability. DSP enforcement brings with it the full force of the International Emergency Economic Powers Act (IEEPA), meaning penalties can include civil fines exceeding $368,000 per violation and criminal liability with up to 20 years in prison. That should sober up even the most compliance-fatigued executive.

Who’s in the DOJ’s Crosshairs?

The program identifies “Countries of Concern,” including China, Russia, Iran, North Korea, Venezuela, and Cuba. It further defines “covered persons” as not just foreign governments or entities but any individual or company operating under their influence, including contractors and subsidiaries that may be 50% or more owned by such parties. This is not simply a red flag but should be seen as a red carpet for compliance departments to step up and create data-focused due diligence protocols that mirror those already established under FCPA for anti-bribery or OFAC for sanctions screening.

The DSP targets four main types of transactions:

1. Data Brokerage Agreements

2. Vendor Agreements

3. Employment Agreements

4. Investment Agreements

Any of these, involving sensitive personal data or government-related data, could trigger a compliance obligation or, worse, a violation. Even anonymized or encrypted data isn’t exempt if it can be aggregated to reveal individual identities. Compliance teams must now incorporate data risk classification and flow mapping into their routine controls and audits.

Restricted and Prohibited Transactions: Not Just Semantics

The DSP distinguishes between “prohibited” and “restricted” transactions. Prohibited transactions, like selling bulk data to a covered person or foreign entity, are off-limits. Restricted transactions, such as engaging a foreign vendor for cloud services, are allowed only if specific due diligence, security protocols, and contractual safeguards are met.

Translation for compliance officers: This is your new playbook. You must tailor contract language to prohibit onward data transfers, track compliance, audit vendors, and report violations within 14 days. Inaction isn’t just a missed best practice; it could also be a statutory violation.

Your New Compliance Infrastructure: Four Pillars

Under Subpart J of the DSP, companies must develop and maintain a robust Data Compliance Program. Here’s what the DOJ expects from you:

1. Risk-Based Due Diligence Procedures: Know your data, vendors, employees, and business model. Map where sensitive data lives and flows. Identify exposure to covered persons or countries of concern.

2. Security Requirements: Implement the Cybersecurity and Infrastructure Security Agency’s (CISA) security standards and document them in a written policy reviewed annually.

3. Audit Program: Conduct an annual independent audit to assess DSP compliance, covering your vendors, data flows, contracts, and internal controls.

4. Training and Certification: Deliver targeted training to frontline staff and compliance officers. Certify the program annually with a sign-off from a senior officer not designated as a covered person.

The Compliance Response

Do not underestimate the power of line managers in operationalizing this program. From procurement officers vetting vendors to HR leads onboarding new hires, your middle managers are now your eyes and ears for potential data risks. Equip them with training, toolkits, and escalation protocols. Empower them to say, “No, we can’t do that,” and back them up when they do. This is where culture meets controls, and a compliance-minded organization distinguishes itself from a liability waiting to happen. DSP violations are serious business, but the program leaves room for good-faith actors. Reporting suspected breaches or rejected transactions within 14 days may mitigate enforcement risks.

What to Do Now: A Compliance Checklist

For those who want to get ahead of this before the hammer drops, here’s your compliance punch list:

  • Review your current data governance and privacy policies—align them with DSP risk categories.
  • Audit your third-party vendor agreements for exposure to covered persons or countries of concern.
  • Draft contractual clauses that explicitly prohibit data resale or access by covered entities.
  • Set up internal processes for training, audit, and reporting.
  • Engage your board and C-suite on DSP requirements. This is national security compliance, not just privacy.
  • Start building your Data Compliance Program today, as the date of October 6, 2025 (the full implementation date) is not as far off as it seems.

Conclusion: The Age of Data National Security is Here

The DSP marks a sea change for compliance professionals. It transforms data governance from an IT-driven policy concern into a top-tier compliance risk, with reporting deadlines, audit mandates, and hefty penalties. It requires us to think beyond cybersecurity and embrace data risk as a function of geopolitical conflict and corporate accountability. Compliance is not simply about following the rules; rather, it is about being the first line of defense in protecting American data, values, and institutions from adversarial exploitation. And in that mission, every compliance professional is now a stakeholder in national security.

So, as Bette Davis might say, buckle up, tune up your compliance programs, and get ready to evangelize the next great frontier in corporate compliance.

Declinations, Disclosure, and National Security: Key Lessons from the 2024 NSD Enforcement Policy

Yesterday, I wrote about the Declination issued by the Department of Justice to the Universities Space Research Association (USRA), a nonprofit organization working with NASA on advanced scientific research. The Declination is found here. Today, I want to dive deeper into the March 2024 update to the National Security Division’s (NSD) Enforcement Policy for Business Organizations. This document is a must-read for every compliance officer handling export controls, sanctions, or any business with potential national security implications. It is both a policy update and a blueprint for navigating one of the highest-risk areas in global business today.

The NSD is central in safeguarding the United States from national security threats, particularly by enforcing export control and sanctions laws. Businesses and their employees are vital partners in this mission, given their roles as custodians of sensitive technologies and financial systems. NSD strongly encourages companies to voluntarily self-disclose potentially willful violations of key U.S. statutes, such as the Arms Export Control Act, Export Control Reform Act, and the International Emergency Economic Powers Act, alongside related offenses like money laundering and false statements. Such violations can pose serious risks to national security, and the NSD’s approach to corporate enforcement seeks to strike a balance between encouraging cooperation and deterring harmful conduct.

The updated Enforcement Policy outlines how the NSD, in collaboration with U.S. Attorneys and other DOJ components, determines appropriate resolutions for companies that self-disclose misconduct related to export controls and sanctions. It also sets parameters for how acquiring companies can qualify for protections under the Mergers and Acquisitions (M&A) Policy when disclosing violations by an acquired entity. While the policy’s primary focus is on export and sanctions laws, its principles are designed to guide enforcement decisions in other national security-related matters, such as FARA violations and CFIUS-related conduct. The overarching message is clear: companies should proactively report potential criminal conduct under the NSD’s jurisdiction to help mitigate legal exposure and protect national security.

Here are five key lessons compliance professionals should take away from the updated policy.

1. Voluntary Self-Disclosure Must Be Early, Unprompted, and Specific

In NSD’s world, timing is not just everything; properly seen, it is the thing. To earn credit, disclosure must happen before an imminent threat of exposure or investigation, and it must be made directly to NSD. That means you cannot sit on a problem while deciding whether to tell OFAC, BIS, or your outside counsel. If NSD doesn’t know, your organization does not even qualify for full credit.

The disclosure must include all relevant non-privileged facts, including those about individuals inside and outside the company involved in the misconduct. If your disclosure is vague, partial, or delayed, it may be too little, too late. NSD puts the burden squarely on the company to prove that the disclosure was voluntary and timely.

Compliance Lesson: Build your compliance playbook around immediate, well-documented self-reporting protocols. Simulate drills. Define who makes the call to NSD. Because once the clock starts, hesitation can cost you the deal.

2. Full Cooperation Means More Than Not Obstructing

NSD has redefined “full cooperation” in practical, prosecutorial terms. It is not enough to say your organization will assist. Instead, your organization must provide full assistance, and you must proactively help. That includes sharing key facts as you uncover them, providing timely updates, disclosing foreign-located documents, and making employees (even those overseas) available for interviews.

It also means identifying every opportunity where NSD could obtain relevant evidence, even when they have not yet asked for it. That may seem like a high bar, especially for multinationals operating in jurisdictions with blocking statutes or data privacy laws. The bottom line is that your organization bears the burden of showing why documents can’t be produced—and you must offer alternatives.

Lesson: Compliance teams should revisit their internal investigation protocols to ensure they enable real-time, proactive engagement with government investigators. This is no place for passive risk management.

3. Remediation Is Not Window Dressing—It’s Root Cause Surgery

NSD isn’t interested in cosmetic compliance. They want to see a thorough root cause analysis and real efforts to remediate the misconduct and the control failures that allowed it to occur. That includes changes to reporting structures, testing compliance effectiveness, employee discipline (up to and including termination), and even clawbacks when appropriate.

Critically, NSD recognizes that what counts as a “well-resourced” program depends on the size of your company, but the policy still requires evidence of authority, independence, and a clear line from the compliance function to senior leadership.

Lesson: Expect little sympathy if your root cause analysis is weak or superficial. Effective remediation means digging deep, taking hard actions, and documenting every step for potential DOJ review.

4. Compliance Programs Must Be More Than Just Policies

Your program must exist, be effective, and be tested to avoid the imposition of a monitor and to achieve declination eligibility. NSD’s standards align with the DOJ’s broader 2023 and 2024 guidance around program evaluation: Do your controls work in practice? Are they tailored to your risk profile? Are they embedded into day-to-day operations?

NSD also scrutinizes how you retain business records, especially regarding ephemeral messaging platforms and personal devices. If your team uses WhatsApp, Signal, or iMessage without proper controls, you could be viewed as undermining your compliance system.

Lesson: Modern compliance programs must integrate surveillance, technology, and behavior-based controls, especially where national security risks are involved. “Set it and forget it” programs will not fly.

5. There’s a Path for Acquirers—If You Act Quickly

One of the more notable additions to the 2024 policy is its treatment of M&A-related misconduct. If your company acquires an entity and discovers criminal export control or sanctions violations after the deal closes, the NSD offers a pathway to protection, but only if you act fast.

You have 180 days from the closing date to disclose the misconduct and 1 year to remediate it. Do that, and NSD will generally not seek a guilty plea, criminal fine, or asset forfeiture from the acquirer. And the kicker? The misconduct also won’t count as a strike against your compliance track record in future matters.

Lesson: Build post-acquisition compliance reviews into every integration plan. Don’t wait for a surprise; audit for red flags early and be ready to disclose. In today’s world, inherited risk is your risk.

Declinations Are Earned, Not Given

The 2024 NSD Enforcement Policy is a strong step toward encouraging ethical corporate behavior in a world where the risks are real, and the stakes are high. It rewards companies that do the right thing early, thoroughly, and transparently.

But it’s also a warning: the margin for error is razor-thin. Delayed disclosures, half-baked investigations, or weak compliance programs won’t cut it. And don’t forget, NSD still retains full authority to prosecute individuals, even if your company gets a pass.

Today, the compliance officer’s job is to prevent misconduct and design systems that respond effectively when things go wrong. The new NSD policy gives us the roadmap. We must ensure the car is gassed up, the brakes work, and the driver knows where to go.

Final Compliance Evangelist Tip:

Use this policy as a stress test for your program. Would your controls hold up if misconduct occurred tomorrow? Would you disclose it in time? Could you cooperate fully? If you’re unsure, now is the time to find out before the DOJ does.

A Textbook Declination: Lessons Learned from the USRA Declination

In the fast-moving world of enforcement actions and corporate misconduct, we rarely get an actual “bottle episode” of compliance—a neatly wrapped case that functions almost like a compliance case study come to life. That is precisely what we see in the recent declination issued to the Universities Space Research Association (USRA), a nonprofit organization working with NASA on advanced scientific research. The Declination is found here.

This declination tells us as much about what to do right as it does about what went wrong. USRA’s prompt and resolute response to employee misconduct provides a blueprint for companies, regardless of size, to attain the ideal result: a DOJ declination. This declination, issued in the Trump Administration’s second term, provides crucial lessons for compliance professionals.

The Story: Export Controls and a Rogue Employee

The facts are straightforward. Between April 2017 and September 2020, USRA employee Jonathan Soong used his position overseeing export compliance to sell restricted software and source code to Beihang University in China. Mr. Soong did not simply mishandle sensitive materials; he willfully bypassed export laws, concealed his actions, and even embezzled from USRA in the process. Soong pleaded guilty to violating export control laws in connection with secretly funneling sensitive aeronautics software to a Beijing university.

But here is the key takeaway: once USRA learned of the misconduct, they acted fast. They alerted NASA. They conducted an internal investigation. They self-reported to the Department of Justice within days. They cooperated fully. And in the end, the DOJ rewarded them, not with a fine, but with a complete declination.

The Power of Prompt Self-Disclosure

USRA’s leadership did not wait to see if the issue would disappear or downplay it internally. Instead, they engaged with enforcement agencies early and often. This fits squarely within the DOJ’s National Security Division Guidance, which outlines how voluntary self-disclosure, cooperation, and timely remediation can mitigate or eliminate penalties.

Let’s be clear: this was a national security matter, not just a regulatory breach. The software involved may have had potential military applications, making USRA’s response all the more commendable and critical.

Internal Controls and Oversight: Where the Breakdown Happened

As much as this is a story of compliance success, it is also a reminder that internal controls must work in practice, not just on paper. There were three key control failures:

  1. Export compliance oversight was left to the same employee who committed the fraud.
  2. Internal monitoring failed to detect red flags.
  3. Supervisory negligence enabled the misconduct to continue for three years.

One of Mr. Soong’s supervisors was eventually disciplined or terminated. However, the lesson is that even well-designed controls fail when not executed or appropriately monitored.

What Made This Declination Possible?

  1. Voluntary, timely self-disclosure within days of learning of the misconduct.
     When USRA discovered potential wrongdoing, they didn’t hesitate; they immediately self-reported the issue to NASA and the Department of Justice. This type of proactive disclosure is precisely what the DOJ expects when evaluating a company’s response to misconduct. The timeliness demonstrates a functioning internal control system and an ethical culture prioritizing transparency. Rather than hiding behind bureaucracy or launching a months-long internal cover-up, USRA made the call within days. That decision set the tone for everything that followed and paved the way for trust-based engagement with enforcement authorities.
  2. Full cooperation, including sharing internal findings and offering access to witnesses.
     USRA didn’t just make a phone call and then sit back. They actively cooperated with investigators at every stage. Their actions included providing access to key internal documents, conducting an internal investigation, and turning over their findings to the DOJ. Equally important, they facilitated interviews with relevant employees, supported the legal process, and ensured that authorities had all the resources necessary to pursue the case against the wrongdoer. In short, USRA became a partner to the government, not an adversary. Comprehensive, good-faith cooperation carries tremendous weight in a declination decision.
  3. Swift and meaningful remediation, including terminating the wrongdoer and disciplining supervisors.
     USRA didn’t stop at self-reporting. They took tangible steps to clean house. Mr. Soong, the employee at the center of the misconduct, was promptly terminated. However, the company didn’t stop there; USRA also reviewed its supervisors’ actions (or inactions). At least one supervisor was disciplined or let go for failing to oversee export control responsibilities properly. The move sends a strong message internally and externally, emphasizing that accountability extends throughout the entire chain of command. This swift and meaningful remediation satisfies DOJ expectations and helps rebuild trust with business partners, regulators, and the broader public.
  4. Strong risk awareness of their role in handling sensitive, export-controlled material.
     USRA operates in a field where national security risks are inherent. As a NASA contractor handling sensitive aerospace research, they were well aware of the dangers posed by improper exports of data and source code. This wasn’t a case of a company claiming ignorance; they were aware of the potential consequences. Their compliance failures came down to one rogue actor and a breakdown in oversight, not a lack of awareness. When problems surfaced, they acted with the urgency such risks demand. This situational awareness, recognizing how export control violations could ripple across global security, played a major role in helping the DOJ see them as a responsible actor.
  5. Responsiveness to the DOJ and NASA, including prompt answers and evidence production.
     Throughout the investigation, USRA maintained consistent and open lines of communication with both NASA and the DOJ. They promptly responded to any questions posed. They delivered the requested documents promptly and in excellent order. Such responsiveness isn’t just about meeting deadlines; it is about demonstrating respect for the investigative process and showing that the company values ethical resolution over self-preservation. By staying accessible, professional, and efficient throughout the inquiry, USRA signaled to prosecutors that they were committed to helping resolve the matter fairly and thoroughly. That level of responsiveness is precisely what the DOJ wants to see.

Lessons Learned for Compliance Professionals

  1. Speed Matters
     In the world of corporate enforcement, timing can be everything. Companies do not always receive declinations for self-reporting, but it often makes a significant difference when they do. USRA moved within days to notify NASA and the DOJ of serious misconduct. That speed demonstrated a culture of integrity, robust internal reporting, and a commitment to doing the right thing even under pressure. Quick action also preserves evidence, signals accountability, and allows enforcement agencies to act more efficiently. The faster a company responds, the more credible its leadership appears and the more likely it is to be viewed as a trusted partner.
  2. Controls Must Work in Real Life
     Too often, compliance programs look good on paper but fail in execution. A policy is not a control, and it is not effective, unless it is well designed and implemented correctly. In the USRA case, while policies existed, execution faltered, and the employee responsible for oversight violated the law. That’s a stark reminder: your controls must work in the real world. We must regularly evaluate the effectiveness of supervisory review, dual controls, cross-checks, and audit testing. Failure to test a control could result in liability, enforcement, or worse.
  3. Know Your Risk Profile
     USRA dealt with export-controlled scientific software, which is a high-risk domain. Their failure wasn’t in identifying risk but in adequately mitigating and monitoring it. For every company, the starting point must be understanding your unique risk profile. Is it corruption and bribery? Data privacy? Sanctions exposure? Supply chain ethics? Compliance officers must align risk assessment, control design, and resource allocation accordingly. A one-size-fits-all compliance program can lead to failure. Regulators expect a risk-based approach that demonstrates thoughtfulness and proportionality. You can’t mitigate what you don’t understand or defend a program that overlooks its most critical vulnerabilities.
  4. Use the Right Tone from the Top
     When the misconduct came to light, USRA leadership did not equivocate. They acted decisively, demonstrating a tone from the top that prioritizes ethical behavior and transparency. That tone matters. It influences how quickly issues are escalated, how freely employees speak up, and how credible regulators perceive your organization to be. Leadership must consistently communicate that compliance is not just a legal necessity but a core business priority. Words are important, but so is behavior: executives who support investigations, invest in controls, and respond to crises with accountability send a powerful message. That tone sets the cultural foundation for the entire compliance program.
  5. Partner with Enforcement, Don’t Oppose Them
     USRA’s interaction with NASA and the DOJ reflected a cooperative mindset. They partnered; they didn’t stonewall, delay, or obscure the facts. That approach is increasingly essential in today’s enforcement environment. Regulators are clear: they are looking for good-faith actors. A company that cooperates, provides relevant data promptly, and engages constructively in dialogue is far more likely to receive credit, whether in a declination, reduced penalties, or favorable settlement terms. Fighting regulators at every turn rarely results in positive outcomes. Instead, view enforcement as an opportunity to demonstrate integrity and operational maturity. Compliance should be a bridge, not a barricade.

Final Thoughts: Don’t Wait for the Crisis

USRA did not plan to become a compliance case study. However, they were ready when the time arrived. And preparation, coupled with integrity, made all the difference. This declination was not granted out of charity. USRA earned it. It resulted from a well-executed compliance framework, fast action, and an unrelenting drive to do the right thing. If your company faced a similar incident tomorrow, would you be ready to act like USRA? That’s the benchmark. And that’s the challenge for every compliance officer reading this.

So, take this as more than a good news story. Take it as your Monday morning prompt: check your controls, reassess your key risks, and remind your leadership that compliance isn’t about fear but readiness.