The DOJ’s New Corporate Enforcement Policy: What History Tells Us and What Boards Can’t Ignore

On March 10, 2026, the U.S. Department of Justice (DOJ) released what it described as the first-ever department-wide Corporate Enforcement Policy (CEP) for criminal matters. The news did not come as a surprise to those of us who had been paying close attention. In December 2025, following Deputy Attorney General Todd Blanche’s keynote address at the American Conference Institute’s annual FCPA and Global Anti-Corruption Conference, we wrote about the principles shaping this administration’s approach to corporate enforcement. We noted that a unified policy was coming. It has now arrived.

In the world of white-collar enforcement, that arrival is significant. Not because everything changed overnight. It did not. But it is significant because of what the policy signals about the pragmatic, unified direction of enforcement going forward, and what it means for those of us, along with external counsel and compliance professionals, who take our obligations seriously.

To appreciate why it matters, you need to understand its origins.

A Policy Built Over Decades

The corporate enforcement landscape did not emerge in a vacuum. For well over a century, the Criminal Division of the Department of Justice has developed, enforced, and supervised the application of federal criminal law. What has evolved dramatically over the past three decades is the framework governing how the government decides whether to prosecute corporations and how companies can earn meaningful credit when misconduct surfaces.

It started with the Holder Memorandum in 1999. Deputy Attorney General Eric Holder articulated, for the first time in any systematic way, how federal prosecutors should approach charging decisions against corporate entities. That memo introduced concepts we now treat as standard: voluntary disclosure, cooperation, and remediation, but framed them as factors rather than a structured policy. Practitioners at the time understood that the memo was a starting point, not an ending point.

The Thompson Memorandum followed in 2003, tightening the framework and sparking significant controversy over practices such as waiving the attorney-client privilege as a condition of cooperation. The McNulty Memorandum in 2006 walked back some of those excesses. The Filip Memorandum in 2008 codified the principle that companies should not be penalized for protecting legitimate privileges while still cooperating fully.

Then came the Yates Memorandum in 2015. Sally Yates, then deputy attorney general, articulated a principle that shaped enforcement thinking for years afterward: to receive credit for cooperation, companies needed to identify the individuals responsible for the misconduct affirmatively, not just cooperate in the abstract. That shift mattered because it changed how companies structured their internal investigations and how they interacted with the government.

Starting in 2017, the DOJ formalized the process of assessing a company’s compliance program when determining enforcement actions. The Evaluation of Corporate Compliance Programs (ECCP) was first introduced in February 2017 by the DOJ’s Fraud Section within the Criminal Division, marking a significant step in providing prosecutors with structured guidance on assessing the adequacy of corporate compliance efforts during investigations and resolutions. This initial framework outlined key topics and sample questions for evaluating whether a compliance program was effective at the time of the offense and at the time of charging, emphasizing design, implementation, and functionality rather than a one-size-fits-all approach. The June 2020 updates to the ECCP refined the DOJ’s framework, emphasizing a more individualized, context-based evaluation of the compliance program based on factors such as a company’s size, industry, and external circumstances. Those updates introduced a “lessons learned” approach that required companies to incorporate insights from prior misconduct, both internal and industry-wide, into ongoing risk assessments, while promoting data-driven reviews and continuous access to operational metrics for program evolution.

Under the Biden administration, the Monaco Memorandum and its revisions pushed further still, expanding what cooperation meant, elevating the use of compliance monitors, and treating recidivist conduct as an aggravating factor that both courts and prosecutors would weigh heavily.

That is the line of development that brings us to today.

What Blanche Said in December and Why It Matters Now

It is worth pausing here because today’s policy did not emerge without warning. In our December 2025 analysis of Blanche’s ACI keynote, we covered the five enforcement principles he articulated. As of today, those principles are codified in a single department-wide policy.

We have long held that books, records, and systems do not commit offenses. People do. People whose decisions are shaped by culture, incentives, pressures, and the quality of oversight around them. Blanche’s remarks at the ACI Conference reinforced that view directly, and that premise is now embedded in the new CEP’s foundation.

Beyond that core premise, Blanche laid out five specific guideposts that now underpin the released policy. First, individual accountability is the department’s primary goal in any corporate criminal investigation. Second, the department will not pursue corporate criminal resolutions without admissible evidence sufficient to prove a case beyond a reasonable doubt; prosecutors will not use the threat of indictment to force a resolution they cannot support in court. Third, cooperation matters and must be substantive; companies that go the extra mile, including producing information located abroad and otherwise difficult to obtain, will receive meaningful credit, while surface-level assistance will not. Fourth, investigations must be efficient and disciplined; matters will not be allowed to drift, and delays attributable to a company’s own conduct will not later be characterized as government delay. Fifth, significant decisions require a fair and orderly process, with clearly defined roles for prosecutors and component heads, and only the most consequential questions are escalated to senior leadership.

Blanche also addressed monitorships directly, acknowledging that past engagements had sometimes expanded beyond their intended scope and imposed unnecessary costs. The revised approach is more disciplined: monitorships will be imposed only when needed, will carry explicit scopes and budgets, and will not persist beyond the point at which a company’s own remedial efforts can sustain the outcome. The goal, as Blanche made clear, is a compliance program that functions without external oversight, not the monitor itself.

All of that was the preview. What was released on March 10 is the policy itself.

What the Department-Wide CEP Actually Says

The Criminal Division’s corporate enforcement policy dates back to 2016, when it was first formalized. Each subsequent iteration refined the approach, culminating in the revisions announced in May 2025 and now extended, for the first time, across the entire department in a single, unified policy.

The new Corporate Enforcement Policy does something structurally important: it supersedes all component-specific and U.S. Attorney’s Office-specific corporate enforcement policies currently in effect. Every one of the 93 U.S. attorneys’ offices has operated under its own voluntary self-disclosure framework, creating real uncertainty for companies and their counsel and inconsistent enforcement. Depending on who was investigating and where the case was filed, the incentives for self-disclosure could look quite different. The new policy addresses that directly.

The framework rests on three core behaviors:

• voluntary self-disclosure to an appropriate component of the Department;
• cooperation with the Department’s investigation; and
• timely and appropriate remediation addressing the misconduct.

For companies that satisfy all three, absent certain limited aggravating circumstances, the Department will decline to prosecute. Not a presumptive declination. A guaranteed one. That distinction is worth understanding clearly. In the May 2025 revisions to the Criminal Division’s CEP, the policy moved from presumptive to guaranteed. Today’s announcement extends that commitment across the entire department and provides a clear path from full declination to Department-approved alternative agreements.

More specifically, the Department also has a framework for addressing “Near Miss” scenarios: situations that do not qualify for voluntary self-disclosure, or that involve aggravating circumstances warranting a criminal resolution. If either of these circumstances arises, the Department spells out additional available outcomes:

• Non-Prosecution Agreement (NPA);
• Term length of fewer than three years;
• No requirement for a compliance monitor; and
• A substantial reduction in the fine range under the U.S. Sentencing Guidelines (50% to 75% reduction).

The other pillar is individual accountability. The primary goal of corporate enforcement is to identify and prosecute the individuals whose decisions caused the harm, not to extract institutional penalties that get absorbed as a cost of doing business and can be recouped in the near term. This echoes what Yates said in 2015 and what enforcement practitioners have long understood. But it is now embedded in a uniform framework that applies everywhere to every type of white-collar criminal matter the department pursues, except antitrust, which maintains its own separate enforcement structure.

Why This Matters More Than Many Realize

We have decades of experience in forensic accounting and investigations, fraud risk management, and governance advisory work. Over that time, we have seen corporate leadership treat enforcement policy primarily as a legal department concern. It is an understandable instinct. It is also a mistake.

What the Department is articulating through this policy is not only a governance standard but also an expectation that companies can reach an informed preliminary decision on voluntary self-disclosure relatively quickly. The Department has also made clear that companies uncertain about their obligations can contact the relevant component to discuss the situation before committing to a course of action. When misconduct occurs, the questions prosecutors will ask are the same questions a well-functioning board should have been asking all along. Was there a compliance program that actually worked? Did leadership respond when red flags appeared? Were the people responsible for the misconduct held accountable internally? Did the organization come forward honestly, or did it wait to see whether the government would find out on its own? Reaching that conclusion is never easy. It requires careful consideration of the many stakeholders to whom the organization is accountable, as well as the full range of ramifications that flow from committing to voluntary self-disclosure.

For boards and audit committees, the implications are direct. Governance is not a compliance exercise you complete and set aside. It is an ongoing discipline. The companies that will benefit from this policy are the ones that have built cultures where misconduct is surfaced, not suppressed, where internal reporting channels are trusted, where the audit committee receives candid information rather than narratives filtered through management, and where leadership understands that a problem discovered internally and disclosed voluntarily is categorically different, under the law, from a problem the government discovers on its own. Irrespective of the internal decision on self-disclosure, the board, through its audit committee, must ensure that the company has the appropriate mechanisms and organizational capacity to make an informed decision, whatever the outcome, that will withstand scrutiny, whether through voluntary self-disclosure or in response to a whistleblower submission to the Department.

That cultural and structural work does not happen after misconduct occurs. It has to be in place before, and it has to be genuine.

By mandating a disciplined approach to investigations and monitorships, the policy demands that boards invest in proactive oversight mechanisms that align with the Department’s expectations for efficiency and fairness, ensuring that cultural commitments to ethics translate into operational realities that withstand scrutiny.

What Organizations Should Do Now

The release of this policy sends a clear and consistent signal: timely voluntary self-disclosure to the appropriate authorities will ensure uniform credit, even where aggravating circumstances are present and must be factored into the analysis. For any organization that takes corporate governance seriously, there are concrete steps that deserve immediate attention.

1. Every compliance and reporting program should be evaluated against the department's definition of voluntary self-disclosure and full cooperation. Those terms have specific, defined meanings in the policy framework, and they are more demanding than many internal programs are currently designed to meet. If your program has not been tested against that standard recently, now is the time.
2. Second, board-level oversight of compliance needs to be substantive, not ceremonial. That means audit committees asking hard questions about whether employees actually trust the company’s whistleblower and reporting infrastructure, not whether it exists on paper. It means receiving unfiltered reporting on compliance matters, not summaries shaped by layers of management with a stake in the outcome. An issue that is properly elevated also requires proper treatment. If an issue falls within the Department’s remit and enforcement strategy, it should be investigated independently, with a focus on reaching defensible conclusions based on a proper evaluation of the facts and circumstances by independent outside advisors.
3. Third, organizations should integrate scenario-based training for executives and compliance teams to practice navigating the policy’s requirements for substantive cooperation, including handling complex data from abroad, while leveraging advanced analytics to strengthen early detection and root cause analysis for sustained remedial improvements.
4. When misconduct is detected, the response matters as much as the detection. Timely and appropriate remediation means fixing the conditions that allowed the misconduct to occur, addressing the harm caused, and cooperating with the government in a complete and forthright manner. Organizations that treat a potential disclosure primarily as a negotiating exercise miss the point and frequently miss the benefit.
5. Finally, the emphasis on individual accountability has direct implications for the design of internal investigations. When an investigation identifies culpable individuals, the organization’s response to those findings, including whether those individuals are promptly removed and referred appropriately, will be part of the record that prosecutors evaluate.