Corporate Compliance & Risk

The DOJ’s New Corporate Enforcement Policy: A Practical Guide for Companies

By George (Jorge) Cánovas, J.D. • Vice President Compliance, FD Associates

On March 10, 2026, the U.S. Department of Justice released what may become one of the most consequential policy statements for corporate compliance in recent years: the first Department-wide Corporate Enforcement Policy (CEP) applicable to virtually all corporate criminal cases handled by DOJ (U.S. Department of Justice, Corporate Enforcement and Voluntary Self-Disclosure Policy, Mar. 10, 2026).

While the concept of rewarding voluntary disclosure and cooperation is not new, what makes this development significant is that the Department has now standardized the framework across all DOJ components. Until now, corporate enforcement policies varied depending on which division or U.S. Attorney’s Office handled the matter. The Criminal Division maintained its own corporate enforcement guidance, and other DOJ components applied similar but not always identical approaches.

The CEP is intended to address that fragmentation and provide greater uniformity, predictability, and transparency in corporate criminal enforcement (See DOJ CEP, Introduction and Background).

For companies, however, the policy accomplishes something even more practical. It effectively codifies the enforcement playbook, explaining how prosecutors will evaluate corporate misconduct and what actions can meaningfully reduce criminal exposure.

In many respects, the policy formalizes what experienced compliance professionals and defense counsel have long understood: when misconduct occurs, the outcome often depends less on the violation itself and more on how the company responds once the misconduct is discovered. This is the message we tell all our clients at FD Associates.

The Framework That Now Governs Corporate Criminal Enforcement

At the heart of the CEP is a structured analytical framework. When prosecutors evaluate corporate misconduct, they focus on three primary factors:

  1. Whether the company voluntarily disclosed the misconduct
  2. Whether the company fully cooperated with investigators
  3. Whether the company timely and appropriately remediated the misconduct

(See DOJ CEP, §I; Appendix A Decision Framework).

If a company satisfies all three elements, and there are no aggravating circumstances, the Department states that it will generally decline prosecution (See DOJ CEP, §I, Declination Path).
That outcome is significant. A “declination” means the company avoids criminal charges, although it may still be required to pay disgorgement or restitution tied to the misconduct. If one or more of these elements are missing, however, the enforcement outcome changes significantly. The policy outlines several alternative resolutions depending on the company’s actions and the severity of the misconduct (See DOJ CEP, §§II–III).

Voluntary Self Disclosure and the Importance of Timing

The most significant incentive in the policy revolves around voluntary self disclosure. The Department is attempting to encourage companies to come forward when they discover potential wrongdoing rather than waiting until regulators uncover the issue independently.
For disclosure to qualify under the CEP:

  • The disclosure must be made to the appropriate DOJ component
  • The misconduct must be previously unknown to the Department
  • The company must not already have a legal obligation to disclose
  • Disclosure must occur before there is an imminent threat of government discovery
  • Disclosure must be made within a reasonably prompt time after discovery

(See DOJ CEP, §I.A).

The policy also recognizes that companies may disclose misconduct before completing an internal investigation. DOJ explicitly acknowledges that early or initial disclosure may occur while the internal fact gathering process is still underway (See DOJ CEP, §I.A; Appendix A). This emphasis on timing reflects a broader enforcement philosophy. Early disclosure allows prosecutors to begin investigations sooner and potentially prevent additional harm.

Cooperation Expectations Under the Policy

Even when companies voluntarily disclose misconduct, they must demonstrate meaningful cooperation to receive the full benefits of the CEP.
The policy defines cooperation in relatively detailed terms. Companies are expected to provide all relevant non privileged facts related to the misconduct, including information gathered during internal investigations (See DOJ CEP, §I.B).
Cooperation typically includes:

  • Identifying individuals responsible for the misconduct
  • Preserving and producing relevant documents
  • Providing evidence located overseas
  • Facilitating interviews with employees and relevant third parties
  • Translating foreign language documents when necessary

(See DOJ CEP, §I.B; Appendix A).

Importantly, the policy states that cooperation credit does not require waiver of attorney client privilege or attorney work product protections (See DOJ CEP, §I.B). However, companies are expected to proactively identify relevant evidence rather than simply responding to government requests.

Remediation and the Role of Corporate Compliance Programs

The third pillar of the CEP focuses on remediation. Again, from FD Associates’ perspective this is a core and important remediation concept. Companies must demonstrate that they have corrected the underlying causes of misconduct and implemented measures designed to prevent recurrence. Remediation generally includes conducting a root cause analysis, disciplining individuals responsible for the misconduct, and strengthening internal compliance controls (DOJ CEP, §I.C). The Department also emphasizes the importance of effective compliance programs. Prosecutors will evaluate factors such as:

  • Independence of the compliance function
  • Adequacy of compliance resources
  • Effectiveness of internal reporting channels
  • Ongoing testing and monitoring of compliance controls
  • Leadership support for compliance initiatives

(See DOJ CEP, §I.C; U.S. Sentencing Guidelines §8B2.1).

In practice, DOJ is assessing whether compliance is integrated into corporate governance rather than functioning as a purely administrative exercise, i.e., a temporary fix.

The Three Paths to Resolution

The CEP outlines three potential enforcement outcomes depending on how a company responds to misconduct.

A. Declination

A declination may occur when a company voluntarily discloses misconduct, fully cooperates with investigators, and implements effective remediation measures, and when no additional aggravating factors are present (See DOJ CEP, §I).

Even in these cases, the company must typically pay disgorgement, forfeiture, or restitution tied to the misconduct (See DOJ CEP, §I; Appendix A).
Declinations are publicly announced.

B. Near Miss Cases

When a company cooperates and remediates but fails to qualify for full voluntary disclosure, or when limited aggravating factors exist, DOJ may resolve the matter through a Non Prosecution Agreement (NPA) (See DOJ CEP, §II).

Under the policy, these cases may include:

  • NPA terms shorter than three years
  • No independent compliance monitor
  • Penalty reductions between 50 and 75 percent from the low end of the Sentencing Guidelines fine range

(See DOJ CEP, §II; U.S. Sentencing Guidelines Chapter 8).

C. Other Cases

If companies fail to self-disclose misconduct or they do not meaningfully cooperate, prosecutors retain discretion to pursue traditional criminal resolutions, including:

  • Deferred prosecution agreements
  • Criminal charges
  • Compliance monitors
  • Financial penalties

(See DOJ CEP, §III).

Even in these cases, companies that demonstrate meaningful cooperation may still receive penalty reductions of up to 50 percent (DOJ CEP, §III; U.S. Sentencing Guidelines Chapter 8).

How the Policy Changes the Enforcement Landscape

Although the CEP builds on earlier DOJ policies, this new version introduces several structural changes.

First, the Department has established a single enforcement framework across all DOJ components, reducing the uncertainty companies previously faced when dealing with different prosecutorial offices.

Second, the policy introduces a formal decision framework, including a flow chart that outlines enforcement outcomes based on disclosure, cooperation, and remediation (DOJ CEP, Appendix A).

Third, the policy strengthens incentives for early disclosure by encouraging companies to report misconduct before completing internal investigations.

Fourth, the CEP provides clearer guidance on potential penalty reductions tied to cooperation and remediation (DOJ CEP, §§II–III).

Finally, the policy integrates aspects of DOJ’s corporate whistleblower program. If an employee reports misconduct internally and also reports it to DOJ, a company may still qualify for a declination if it self reports within 120 days of receiving the internal report (DOJ CEP, Whistleblower Provision).

How the CEP Interacts With Export Control Enforcement

For companies operating in export controlled industries such as aerospace, defense, and advanced technology, the CEP can also influence export enforcement cases. The Corporate Enforcement Policy is a DOJ criminal enforcement policy, not an export control regulation.

Companies operating in defense, aerospace and advanced technology sectors often make coordinated filings with BIS, DDTC and DOJ for serious enforcement matters.
Administrative export violations are typically handled either by the Bureau of Industry and Security (BIS) under the Export Administration Regulations (EAR), or by the Department of State’s Directorate of Defense Trade Controls Compliance (DTCC) under the International Traffic in Arms Regulations (ITAR), depending on whether the items involved are controlled as dual use or commercial items under the EAR or are classified as defense articles and defense services under the U.S. Munitions List (15 CFR §§730-774; 22 CFR Parts 120-130).

Enforcement actions are governed primarily by:

  • EAR Part 764 (Violations)
  • EAR Part 766 (Administrative Enforcement Proceedings) (See 15 C.F.R. §§764–766).

ITAR enforcement actions, administered by the DDTC within the U.S. Department of State, are governed primarily by:

  • ITAR §127.1 (Violations)
  • ITAR §127.10 (Civil penalties)
  • ITAR §127.7 (Debarment)
  • ITAR §128 (Administrative Procedures)

(See 22 CFR Parts 127-128)

Under these frameworks, BIS or DDTC may impose a range of civil penalties and sanctions including denial orders, debarment orders, license revocations, and other administrative sanctions. (See 15 CFR Part 764; 22 CFR Part 127)

However, serious export control violations under the EAR or ITAR are often referred to the Department of Justice for criminal prosecution, particularly when violations involve willful conduct, conspiracy, sanctions evasion, national security risks, or diversion schemes (15 C.F.R. §764.2; DOJ CEP applicability).

Once DOJ becomes involved, the CEP framework becomes relevant. Prosecutors may evaluate the company using the same three factors that apply in other corporate criminal cases: voluntary disclosure, cooperation, and remediation.

Export enforcement cases frequently involve parallel investigations involving multiple agencies, including the Department of Justice, the Bureau of Industry and Security, and the Treasury Department’s Office of Foreign Assets Control.

In those situations:

  • BIS may pursue civil penalties or denial orders under the EAR
  • DDTC may impose civil penalties, consent agreements, or debarment under the ITAR
  • DOJ evaluates potential criminal liability using the CEP framework

The Practical Implications for Companies

The CEP does not radically alter the Department’s enforcement philosophy. Instead, it formalizes principles that prosecutors have increasingly applied over the past decade.
What has changed is the clarity with which those principles are now articulated by the DOJ.

Companies that detect misconduct quickly, escalate concerns internally, conduct credible investigations, disclose violations promptly, cooperate fully with investigators, and remediate underlying compliance weaknesses may significantly reduce enforcement exposure.
Companies that delay disclosure or fail to cooperate may face far more serious consequences.

Perhaps the most important lesson from the CEP is that compliance programs are no longer merely defensive tools designed to satisfy regulators. They are now central to enforcement outcomes.

When misconduct occurs, the credibility of a company’s compliance program, the speed of its response, and the seriousness of its remediation efforts may determine whether prosecutors pursue criminal charges or decline the case entirely.

For corporate leadership, the implications are clear. The effectiveness of a company’s compliance infrastructure can influence not only whether misconduct is detected, but also how the government ultimately chooses to respond.

The Role of Experienced Compliance Advisors

For many organizations, particularly those operating in highly regulated sectors such as aerospace, defense, advanced technology, and manufacturing, responding to potential violations requires navigating overlapping enforcement regimes and complex disclosure decisions. Determining whether an issue should be handled internally, disclosed through administrative channels such as a BIS voluntary self-disclosure, or elevated to the Department of Justice under the CEP framework often requires careful legal and compliance analysis.

Advisory firms with deep experience in export controls, corporate compliance, and enforcement matters can play an important role in helping companies assess risk, conduct internal investigations, and develop remediation strategies that align with regulatory expectations.

FD Associates, Inc., for example, works with companies to evaluate potential export control violations under the Export Administration Regulations (EAR) and the International Traffic in Arms Regulations (ITAR), develop voluntary disclosure strategies, and strengthen compliance programs designed to prevent future violations. This includes assisting organizations with internal investigations, root-cause analyses, compliance program design, and engagement with enforcement authorities where appropriate.

In an enforcement environment where the timing of disclosure, the quality of cooperation, and the credibility of remediation efforts can significantly influence outcomes under the DOJ Corporate Enforcement Policy, experienced compliance guidance can help companies respond to potential issues with greater clarity and confidence.

 

SYNOPSIS of the New CEP

DOJ has just clarified the corporate enforcement playbook. Its new Department-wide Corporate Enforcement Policy makes one thing clear: when misconduct occurs, prosecutors will focus on three questions: did the company voluntarily disclose it, fully cooperate, and meaningfully remediate. Companies that do may avoid criminal charges entirely. For organizations in regulated sectors like aerospace, defense, and advanced technology, where export control issues can quickly involve BIS, DDTC, and DOJ, how a company responds can determine the outcome. That is exactly where FD Associates helps companies act quickly and strategically, assessing violations, guiding disclosures, and strengthening compliance programs before enforcement decisions are made.


When the Compliance Role Goes Unfilled, and Everyone Thinks They Can Manage

By George (Jorge) Cánovas, J.D. • Vice President Compliance, FD Associates

This happens constantly, across industries, geographies, and company sizes.

The compliance lead in your company leaves. The departure may be orderly or abrupt, but the organizational response is usually the same. There is no immediate fallout. No regulator calls. No customer escalations. The business keeps moving. Leadership concludes, sometimes on purpose and sometimes by inertia, that the role can remain unfilled, at least for a while. After all, nothing broke.

That initial calm is misleading, but understandably so. Compliance is one of the few functions whose success is defined almost entirely by the absence of visible events. When it works, nothing happens. No blocked transactions. No uncomfortable meetings. No late night emails to outside counsel. The system hums quietly in the background.

So when the role disappears and the system does not immediately fail, it creates a false sense of resilience and comfort.

What follows is not dramatic. It is incremental, structural, and easy to miss.

First, decision ownership begins to fragment.

Compliance decisions that once had a clear escalation point disperse across the organization. Legal weighs in on legal exposure. Operations focuses on delivery. Sales pushes for speed. Engineering frames issues as technical rather than regulatory. Everyone is acting rationally within their own incentives, but no one is responsible for synthesizing those perspectives into a defensible compliance judgment.

As a result, decisions start defaulting to consensus or momentum rather than analysis.

This is what happens when a control function designed to slow decisions just enough to test assumptions quietly disappears. The organization still decides, but without a consistent framework for risk tolerance.

Several years after I left a company, I received a call from their newly hired CMMC lead. She was sharp, diligent, and trying to understand how the organization handled classification, escalation, and risk decisions. Her questions were basic, but telling. How were products classified? Which business units owned which decisions? What processes existed for handling gray areas?

The answer, awkwardly, was that all of this already existed.

The classification logic had been built. Risk matrices had been issued to the business units. Compliance plans had been rolled out, reviewed, and socialized. Decision trees existed for escalation and documentation. It had been implemented while I was there.

But by the time she arrived, it had all been forgotten in practice.

Not repealed. Not deleted. Just put away. The business units had been given the tools, but once “the compliance guy” was gone, the tools stopped being used. Without someone maintaining cadence, context, and judgment, the system quietly decayed.

No one had decided to abandon compliance. It simply stopped living.

That call was not about rebuilding from scratch. It was about reconstructing intent. Why those controls existed. What risks they were designed to manage. Where the organization had already learned hard lessons it was now relearning again.

That is what gets lost when compliance leadership disappears. Not rules, but reasoning.

Second, edge cases quietly become the norm.

Most compliance exposure does not arise from obvious violations. It arises from gray areas. Product modifications, new customer use cases, unusual deal structures, or cross border collaborations that do not fit neatly into prior models. A functioning compliance role is designed to live in those gray zones, to ask uncomfortable questions early, and to document why a particular path was chosen.

Without that role, gray areas are resolved ad hoc. One team treats them as low risk. Another escalates them as urgent. Precedent becomes inconsistent. Over time, the organization loses the ability to explain not just what it decided, but why it decided it.

Third, compliance quietly shifts from governance to negotiation.

Without clear authority, compliance becomes something teams work around rather than through. Questions are framed to obtain approval rather than analysis. Risk is described narrowly. Facts are simplified. This is rarely malicious. It is human behavior responding to organizational signals. If no one owns the function, the cost of slowing down feels more immediate than the cost of getting it wrong. Over time this becomes the norm, and this is how exposure accumulates without triggering alarms.

Eventually, something happens, and the symptoms become visible.

Approvals take longer and longer. Internal emails grow more cautious. Outside counsel appears on threads where they never used to be needed. Customer diligence responses become harder to assemble. Leadership senses that decisions carry more weight and less confidence, even when no single issue appears catastrophic.

At this point, many organizations still believe they are managing. In reality, they are compensating for a missing function by absorbing cost elsewhere, and quite frankly, this is where the response from companies often goes wrong.

The answer is not always to rush into a permanent hire, especially when the organization needs immediate structure, restored judgment, and credibility with customers or regulators. This is where experienced external compliance leadership, such as FD Associates, can step in and stabilize the system while the right permanent hire is identified for the business.

The key is getting things back in order. That means reestablishing clear escalation paths. Re-grounding classification and risk frameworks. Dusting off compliance plans and making them operational again. Recreating institutional memory before it is lost entirely. And doing so in a way that supports the business rather than slowing it to a crawl.

Just as importantly, it does not end there. Part of restoring a healthy compliance function is helping the organization decide what it actually needs long term, and helping recruit and transition to a new compliance lead who inherits a functioning system rather than a mess.

Organizations that do this early tend to recover quickly. Decisions become cleaner. Risk tolerance becomes explicit. Teams regain clarity on where compliance fits into daily operations, not as friction, but as an enabling control.

Leaving a compliance role unfilled often feels manageable because the consequences are deferred. But deferred does not mean avoided. It just means the bill arrives later.
