Key Details: On March 10, 2026, the U.S. Department of Justice released its first-ever department-wide Corporate Enforcement Policy, consolidating decades of evolving guidance into a single, unified framework governing voluntary self-disclosure, cooperation, remediation, and individual accountability in corporate criminal matters. The policy provides clearer, more predictable outcomes for organizations that proactively address misconduct, while signaling heightened expectations for boards, audit committees, and compliance programs. As an independent member of the BDO Alliance USA, Ryan & Wetmore shares this BDO analysis to help organizations understand how enforcement expectations are changing and what governance leaders should be considering now. If you have questions about how this policy may affect your organization’s compliance posture, internal investigations, or board oversight responsibilities, contact Ryan & Wetmore to discuss your specific circumstances.
On March 10, 2026, the U.S. Department of Justice (DOJ) released what it described as the first-ever department-wide Corporate Enforcement Policy (CEP) for criminal matters. The news did not come as a surprise to those of us who had been paying close attention. In December 2025, following Deputy Attorney General Todd Blanche’s keynote address at the American Conference Institute’s annual FCPA and Global Anti-Corruption Conference, we wrote about the principles shaping this administration’s approach to corporate enforcement. We noted that a unified policy was coming. It has now arrived.
In the world of white-collar enforcement, that arrival is significant. Not because everything changed overnight. It did not. But it is significant because of what the policy signals about the pragmatic, unified direction of enforcement going forward, and what it means for those of us, along with external counsel and compliance professionals, who take our obligations seriously.
To appreciate why it matters, you need to understand its origins.
The corporate enforcement landscape did not emerge in a vacuum. For well over a century, the Criminal Division of the Department of Justice has developed, enforced, and supervised the application of federal criminal law. What has evolved dramatically over the past three decades is the framework governing how the government decides whether to prosecute corporations and how companies can earn meaningful credit when misconduct surfaces.
It started with the Holder Memorandum in 1999. Deputy Attorney General Eric Holder articulated, for the first time in any systematic way, how federal prosecutors should approach charging decisions against corporate entities. That memo introduced concepts we now treat as standard: voluntary disclosure, cooperation, and remediation, but framed them as factors rather than a structured policy. Practitioners at the time understood that the memo was a starting point, not an ending point.
The Thompson Memorandum followed in 2003, tightening the framework and sparking significant controversy over practices such as waiving the attorney-client privilege as a condition of cooperation. The McNulty Memorandum in 2006 walked back some of those excesses. The Filip Memorandum in 2008 codified the principle that companies should not be penalized for protecting legitimate privileges while still cooperating fully.
Then came the Yates Memorandum in 2015. Sally Yates, then deputy attorney general, articulated a principle that shaped enforcement thinking for years afterward: to receive credit for cooperation, companies needed to identify the individuals responsible for the misconduct affirmatively, not just cooperate in the abstract. That shift mattered because it changed how companies structured their internal investigations and how they interacted with the government.
Starting in 2017, the DOJ formalized the process of assessing a company’s compliance program when determining enforcement actions. The Evaluation of Corporate Compliance Programs (ECCP) was first introduced in February 2017 by the DOJ’s Fraud Section within the Criminal Division, marking a significant step in providing prosecutors with structured guidance on assessing the adequacy of corporate compliance efforts during investigations and resolutions. This initial framework outlined key topics and sample questions for evaluating whether a compliance program was effective at the time of the offense and at the time of charging, emphasizing design, implementation, and functionality rather than a one-size-fits-all approach. The June 2020 updates to the ECCP refined the DOJ’s framework, emphasizing a more individualized, context-based evaluation of the compliance program based on factors such as a company’s size, industry, and external circumstances. Those updates introduced a “lessons learned” approach that required companies to incorporate insights from prior misconduct, both internal and industry-wide, into ongoing risk assessments, while promoting data-driven reviews and continuous access to operational metrics for program evolution.
Under the Biden administration, the Monaco Memorandum and its revisions pushed further still, expanding what cooperation meant, elevating the use of compliance monitors, and treating recidivist conduct as an aggravating factor that both courts and prosecutors would weigh heavily.
That is the line of development that brings us to today.
It is worth pausing here because today’s policy did not emerge without warning. In our December 2025 analysis of Blanche’s ACI keynote, we covered the five enforcement principles he articulated. As of today, those principles are codified in a single department-wide policy.
We have long held that books, records, and systems do not commit offenses. People do. People whose decisions are shaped by culture, incentives, pressures, and the quality of oversight around them. Blanche’s remarks at the ACI Conference reinforced that view directly, and that premise is now embedded in the new CEP’s foundation.
Beyond that core premise, Blanche laid out five specific guideposts that now underpin the released policy. First, individual accountability is the department’s primary goal in any corporate criminal investigation. Second, the department will not pursue corporate criminal resolutions without admissible evidence sufficient to prove a case beyond a reasonable doubt; prosecutors will not use the threat of indictment to force a resolution they cannot support in court. Third, cooperation matters and must be substantive; companies that go the extra mile, including producing information located abroad and otherwise difficult to obtain, will receive meaningful credit, while surface-level assistance will not. Fourth, investigations must be efficient and disciplined; matters will not be allowed to drift, and delays attributable to a company’s own conduct will not later be characterized as government delay. Fifth, significant decisions require a fair and orderly process, with clearly defined roles for prosecutors and component heads, and only the most consequential questions are escalated to senior leadership.
Blanche also addressed monitorships directly, acknowledging that past engagements had sometimes expanded beyond their intended scope and imposed unnecessary costs. The revised approach is more disciplined: monitorships will be imposed only when needed, will carry explicit scopes and budgets, and will not persist beyond the point at which a company’s own remedial efforts can sustain the outcome. The goal, as Blanche made clear, is a compliance program that functions without external oversight, not the monitor itself.
All of that was the preview. What was released on March 10 is the policy itself.
The Criminal Division’s corporate enforcement policy dates back to 2016, when it was first formalized. Each subsequent iteration refined the approach, culminating in the revisions announced in May 2025 and now extended, for the first time, across the entire department in a single, unified policy.
The new Corporate Enforcement Policy does something structurally important: it supersedes all component-specific and U.S. Attorney’s Office-specific corporate enforcement policies currently in effect. Every one of the 93 U.S. attorneys’ offices has operated under its own voluntary self-disclosure framework, creating real uncertainty for companies and their counsel and inconsistent enforcement. Depending on who was investigating and where the case was filed, the incentives for self-disclosure could look quite different. The new policy addresses that directly.
The framework rests on three core behaviors:
For companies that satisfy all three, absent certain limited aggravating circumstances, the Department will decline to prosecute. Not a presumptive declination. A guaranteed one. That distinction is worth understanding clearly. In the May 2025 revisions to the Criminal Division’s CEP, the policy moved from presumptive to guaranteed. Today’s announcement extends that commitment across the entire department and provides a clear path from full declination to Department-approved alternative agreements.
More specifically, the Department also has a framework for addressing “Near Miss” scenarios: situations that do not qualify for voluntary self-disclosure, or that involve aggravating circumstances warranting a criminal resolution. If either of these circumstances arises, the Department spells out additional available outcomes:
The other pillar is individual accountability. The primary goal of corporate enforcement is to identify and prosecute the individuals whose decisions caused the harm, not to extract institutional penalties that get absorbed as a cost of doing business and can be recouped in the near term. This echoes what Yates said in 2015 and what enforcement practitioners have long understood. But it is now embedded in a uniform framework that applies everywhere to every type of white-collar criminal matter the department pursues, except antitrust, which maintains its own separate enforcement structure.
We have decades of experience in forensic accounting and investigations, fraud risk management, and governance advisory work. Over that time, we have seen corporate leadership treat enforcement policy primarily as a legal department concern. It is an understandable instinct. It is also a mistake.
What the Department is articulating through this policy is not only a governance standard but also an expectation that companies can reach an informed preliminary decision on voluntary self-disclosure relatively quickly. The Department has also made clear that companies uncertain about their obligations can contact the relevant component to discuss the situation before committing to a course of action. When misconduct occurs, the questions prosecutors will ask are the same questions a well-functioning board should have been asking all along. Was there a compliance program that actually worked? Did leadership respond when red flags appeared? Were the people responsible for the misconduct held accountable internally? Did the organization come forward honestly, or did it wait to see whether the government would find out on its own? Reaching that conclusion is never easy. It requires careful consideration of the many stakeholders to whom the organization is accountable, as well as the full range of ramifications that flow from committing to voluntary self-disclosure.
For boards and audit committees, the implications are direct. Governance is not a compliance exercise you complete and set aside. It is an ongoing discipline. The companies that will benefit from this policy are the ones that have built cultures where misconduct is surfaced, not suppressed, where internal reporting channels are trusted, where the audit committee receives candid information rather than narratives filtered through management, and where leadership understands that a problem discovered internally and disclosed voluntarily is categorically different, under the law, from a problem the government discovers on its own. Irrespective of the internal decision on self-disclosure, the board, through its audit committee, must ensure that the company has the appropriate mechanisms and organizational capacity to make an informed decision, whatever the outcome, that will withstand scrutiny, whether through voluntary self-disclosure or in response to a whistleblower submission to the Department.
That cultural and structural work does not happen after misconduct occurs. It has to be in place before, and it has to be genuine.
By mandating a disciplined approach to investigations and monitorships, the policy demands that boards invest in proactive oversight mechanisms that align with the Department’s expectations for efficiency and fairness, ensuring that cultural commitments to ethics translate into operational realities that withstand scrutiny.
The release of this policy sends a clear and consistent signal: timely voluntary self-disclosure to the appropriate authorities will ensure uniform credit, even where aggravating circumstances are present and must be factored into the analysis. For any organization that takes corporate governance seriously, there are concrete steps that deserve immediate attention.
Written by Jonathan T. Marks, Didier Lavion and Paul Peterson. Copyright © 2026 BDO USA, P.C. All rights reserved. www.bdo.com