Enforcement Priorities May Change, But Deciding Whether to Self-Report Is Always a Balancing Act

One of the most difficult decisions for any corporate general counsel — whether to voluntarily disclose potential misconduct to the federal government — may have become more complicated with the change of administration, but the basic analytical framework remains the same. Over the past several years, the Department of Justice (DOJ) and other government agencies have encouraged voluntary and early self-disclosure. The DOJ, in particular, has implemented several programs that provide both incentives and deterrents. Although still in its early days, the new administration has announced law enforcement priorities that may de-emphasize certain areas of corporate criminal enforcement, such as foreign bribery, and weaken incentives for voluntary self-disclosure. On the other hand, the DOJ may now redouble its efforts at combatting government contracting, health care, and other fraud. And the DOJ’s guidelines on effective corporate compliance programs and voluntary disclosure benefits, as well as various federal whistleblower programs remain in effect.
Whether the potential misconduct falls within one of the government’s current priorities is only one factor for companies to consider in deciding whether to make a voluntary disclosure. As discussed below, companies should first determine whether self-disclosure is required by law, and disclose if it is. In the more difficult situations where it is not, companies should weigh the nature, scope and seriousness of the impropriety; the involvement of or harm to third parties, the potential reputational impact of later revelation; and consistency with the company’s culture of compliance. Regardless, while the enforcement landscape continues to evolve, companies should continue to maintain effective compliance programs and fully remediate any issues that arise.

Reasons for Voluntary Self-Disclosure

Federal agencies have generally adopted a carrot and stick approach to encouraging corporate self-disclosure. On the one hand, government agencies have sought to encourage corporate compliance by offering significant incentives to companies that self-report potential violations, remediate, and actively participate in any subsequent investigations. Beginning with the FCPA Pilot Program in 2016, the DOJ, in particular, has repeatedly expanded and institutionalized programs designed to encourage timely corporate disclosures. For example, in January 2023, the DOJ announced amendments to its Corporate Enforcement Policy (CEP), which increased incentives for companies to voluntarily disclose misconduct, fully cooperate, and appropriately remediate by broadening the availability of a presumption of declination and reduction of financial penalties. In October 2023, the DOJ announced the department-wide Mergers and Acquisitions Safe Harbor Policy, which provides a presumption of declination to acquiring companies that voluntarily disclose criminal misconduct discovered at the acquired entity within a safe harbor period, cooperate with an ensuing investigation, and timely and appropriately remediate. And most recently, in April 2024, the DOJ further amended the CEP to give companies the opportunity to qualify for a presumption of declination, even if a whistleblower first contacts the DOJ, if the company reports to the DOJ within 120 days after receiving an internal report and before the DOJ reaches out to them.
The DOJ has made public certain declination decisions that illustrate the benefits companies may receive for voluntary self-disclosure, and what they need to do to receive those benefits. For example, in August 2024, the DOJ announced that it declined to prosecute Boston Consulting Group (BCG) for FCPA violations related to alleged payments BCG’s agent made to Angolan government officials. Among other things, the DOJ emphasized BCG’s timely and voluntary disclosure of the misconduct, full and proactive cooperation, and timely and appropriate remediation, including termination of the personnel involved and significant improvements to its compliance program and internal controls. BCG had to disgorge more than $14.4 million but managed to avoid much harsher criminal penalties.
Similarly, other agencies — including the Securities and Exchange Commission (SEC), the U.S. Department of Health and Human Services, the U.S. Environmental Protection Agency, U.S. Customs and Border Protection, and the Federal Energy Regulatory Commission — have longstanding programs that offer significantly mitigated penalties as a reward for self-reporting.
On the other hand, several companies have been penalized in the past for their failure to expeditiously self-report known violations. These penalties have included civil monetary penalties, criminal pleas and fines, and ongoing monitoring. For example, Standard Chartered Bank was ordered to pay nearly $640 million in 2019, and its 2012 deferred prosecution agreement — entered into with the DOJ and New York County District Attorney’s Office for similar violations — was extended for two additional years.
Notably, none of these agencies have yet announced any revisions to their programs or any intention to roll back incentives for voluntary self-disclosure. To the contrary, in February, the Commodity Futures Trading Commission (CFTC) released its first-ever “Mitigation Credit Matrix” that its Enforcement Division will use to evaluate appropriate penalty reductions for companies that voluntarily self-report violations, cooperate with investigations, and sufficiently remediate against future violations.
On top of all of this, through the proliferation of whistleblower programs, government agencies now receive more information about potential corporate misconduct than ever before. These programs offer handsome monetary incentives, typically after a threshold penalty is assessed, to individuals who both report their company’s potential violations and provide critical assistance in the enforcement action. For example, under the SEC’s Whistleblower Program, in 2024 alone, four whistleblowers were awarded a total of $155 million for reports that led to successful enforcement proceedings against their companies. See, SEC Awards Whistleblower More Than $37 Million, SEC.gov (July 26, 2024); SEC Issues Awards Totaling $98 Million to Two Whistleblowers, SEC.gov (Aug. 23, 2024); SEC Issues $24 Million Awards to Two Whistleblowers, SEC.gov (Aug. 26, 2024).
Last year, the DOJ launched its own Whistleblower Pilot Program that provides monetary awards to individuals who provide the department with original and truthful information about certain types of corporate misconduct that leads to a successful asset forfeiture. Although it is too early to assess the program’s effectiveness, or whether it will be maintained in its current form by the new administration, it provides another incentive for corporate self-disclosure.

Should a Company Self-Disclose?

While the government’s enforcement priorities may be shifting, many of the considerations underlying the decision to self-disclose misconduct remain unchanged. Companies should first consider whether self-disclosure is legally mandated and, if not, weigh the likelihood of being held liable for the misconduct against the potential consequences of non-disclosure. As noted above, the DOJ and other government agencies do not extend much leniency to those that do not self-disclose. Regardless of the ultimate decision, companies should take remedial measures to fully understand the extent of the misconduct, appropriately discipline involved employees, and address any gaps in internal controls or implement new ones to prevent reoccurrence.

Is Self-Disclosure Required by Law?

As an initial matter, it is important that companies understand the reporting requirements relevant to their industries and self-report misconduct when mandated by applicable laws or regulations. For example, federal securities laws require public companies to disclose material adverse events, including those resulting from potential misconduct, in their public SEC filings. The Bank Secrecy Act and implementing Financial Crimes Enforcement Network (FinCEN) regulations mandate that banks, broker-dealers, and other types of “financial institutions” file “Suspicious Activity Reports” with FinCEN if they suspect a transaction involves illegal activity, such as money laundering. Federal government contractors are required to self-disclose “credible evidence” of certain violations of federal law, including fraud, bribery, or violations of the False Claims Act, under the Federal Acquisition Regulations (FAR).
Companies should stay up to date with mandatory reporting requirements, as they change. For example, in April, the administration announced “a sweeping review and rewrite” of the FAR, which could impact its disclosure requirements. Failure to comply with legally mandated reporting requirements can have serious consequences, such as civil or criminal liability for companies and their senior executives in some instances, and in the case of public companies, such a failure could result in being disqualified from future capital raising, or being required to pay back investors. See, e.g., Consequences of Noncompliance, SEC.gov (Sept. 19, 2024).

What if Self-Disclosure Is Not Required by Law?

The more challenging cases arise when companies have no legal obligation to make a disclosure. While there are instances when a company may decide it is in its best interest to handle potential misconduct internally, that decision must be made with caution. The likelihood of the government initiating an investigation against the company or its senior management, even if it may seem lower under the government’s current priorities, is only one factor to consider. Indeed, an administration’s law enforcement priorities can and do change. Company auditors may press for disclosures or for management representation letters, regardless. Moreover, as discussed above, various whistleblower programs continue to incentivize employees to come forward when their companies do not, and companies may lose the opportunity for full cooperation credit if employees or third-parties report to the government before the company does.
Assessing the likelihood of the company’s exposure to liability is fact-intensive and requires the company to promptly and thoroughly investigate the misconduct. After the essential facts are identified, company counsel should consider the following factors, among others, in deciding whether to make a voluntary self-disclosure.

• Extent of the Misconduct. An important consideration is the scope and frequency of the misconduct. Does it reflect a systemic issue, or is it an isolated incident? For example, if the violation itself or the conduct leading to it was a one-time incident involving one or very few lower-level employees, this may lend itself to a decision to handle the violation internally. If instead the company uncovers a wide-spread scheme involving multiple employees engaging in a pattern of misconduct over time, it may be in the company’s best interest to self-report to the appropriate government agency. The extent to which senior management knew about or was involved in the misconduct also weighs heavily towards voluntary self-disclosure.
• Role of and/or Impact on Third Parties. Another important consideration is the role of third parties in the potential misconduct. For instance, if a third-party committed or aided the misconduct on a company’s behalf, it is more likely to be discovered and prosecuted by the government. If an innocent third-party was harmed as a result of the misconduct, such as if a material misstatement impacted investors or a client was defrauded, self-disclosure would more likely be warranted as well. Third-party harm, which cannot be internally remediated, increases the risk of attracting the government’s attention through civil litigation brought by private plaintiffs. Additionally, misconduct that resulted in false information being reported to a third-party, such as auditors, tax preparers, or lenders, could expose the company to serious accounting, tax, or bank fraud charges and counsel for voluntary disclosure.
• Potential for Reputational Harm. It is also important to consider the future harm that could result if the company declines to self-disclose. There are various ways that the issue may ultimately come to light, either through government enforcement, media coverage, civil litigation, or a whistleblower. Even if the relevant agency closes the matter or it results in a settlement, the appearance of having ignored or concealed malfeasance could prove detrimental to the company’s brand, operations, business relationships, and stakeholder trust.
• Culture of Compliance. Finally, the company should carefully consider how its decision could impact its culture of compliance. Choosing to self-disclose can send a strong message to employees, and potentially to the public, that the company is committed to transparency and ethical behavior and does not tolerate corporate misconduct at any level, which is essential for maintaining a robust culture of compliance. Conversely, a decision not to disclose risks indicating that the company does not prioritize compliance.

Conclusion

Deciding whether to voluntarily self-disclose misconduct to the government is challenging, particularly in the currently evolving regulatory landscape, but the potential consequences of a wrong decision could have lasting and costly effects. Companies should consult outside counsel to aid in evaluating these factors to determine whether self-disclosure is in the best interests of the company. Regardless of the decision, the company should reinforce its culture of compliance by immediately investigating all identified issues and taking all necessary corrective actions, including disciplining responsible employees, closing any gaps in internal controls, and targeted training.