One of the most significant recent corporate enforcement trends is the rise in voluntary self-disclosure (VSD) policies offered by a variety of regulatory agencies, including the Department of Justice, the Office of Foreign Asset Controls, and the Bureau of Industry and Security. Regulators are increasingly offering meaningful incentives to organizations that report misconduct before the government learns of it, often promising reduced penalties or even declinations, in exchange for timely disclosure, full cooperation and remediation. These programs change the calculus for organizations considering how to detect and address potential misconduct in their organizations.
This trend accelerated last week when DOJ announced a department-wide Corporate Enforcement and VSD Policy (CEP) applicable to all “criminal matters handled by the Department, except for violations of 15 U.S.C. §§ 1-38 [Antitrust laws].”[1] According to the Department, the CEP is meant to provide predictability for organizations and their counsel. Notably, the accompanying press release explicitly states that the CEP supersedes “all component-specific or US Attorney’s Office-specific corporate enforcement policies currently in effect.”[2] This is not merely a housekeeping point: it is a statement to US attorneys offices across the country that have developed VSD programs of their own, including the US Attorney’s Office for the Southern District of New York (SDNY), which recently unveiled its own VSD program for financial crimes. The expanded scope of the CEP across the entire DOJ is undoubtedly significant, but in substance it does not change the landscape drastically, as the CEP closely tracks the version published by DOJ’s Criminal Division in May 2025.
While US regulators ramp up their VSD programs, regulators across the pond have also increasingly emphasized voluntary self-reporting and corporate cooperation when determining whether organizations should face criminal prosecution or instead receive negotiated resolutions.
This alert discusses the key elements of the CEP, highlighting the few changes in this new Department-wide version, and explores the interaction of this approach with that of regulators abroad.
DOJ’s Corporate Enforcement Policy: The Federal Authority
Prior to the CEP, guidance regarding corporate enforcement existed in various DOJ documents, including the Justice Manual and memoranda such as the 2018 Benczkowski Memorandum that provided guidance regarding selection of monitors. Now, the CEP clarifies and standardizes how prosecutors evaluate VSDs and corporate cooperation across all criminal matters. It “takes the principles the [Criminal] Division has long promoted — disclosure, cooperation, and remediation — and applies them uniformly across the Department.”[3] The CEP establishes six goals for the policy:
- To drive early, voluntary self-disclosure of criminal conduct;
- To promote timely and effective enforcement of criminal laws, including holding culpable individuals accountable;
- To reduce harm;
- To facilitate prompt remedial action, including requiring organizations to compensate victims and address corporate deficiencies;
- To help ensure Department-wide consistency; and
- To clearly describe the Department’s policies and decision-making.
Fundamentally, the core requirements for receiving a CEP declination have not changed. The organizations seeking the full benefit of the CEP must generally (1) voluntarily self-disclose misconduct to the DOJ, before the misconduct becomes known to the government; (2) fully cooperate by, among other things, proactively disclosing relevant documents and information; and (3) timely remediate the misconduct, such as by implementing compliance and ethics programs and disciplining responsible employees. Even where these conditions are met, the CEP warns that certain “aggravating circumstances” may preclude a declination and instead lead to a criminal resolution.
As with the prior CEP issued by the Criminal Division, the new Department-wide policy incentivizes self-disclosure by including the definitive statement that upon meeting the established criteria, a self-disclosing company “will” receive a declination. The CEP also addresses the concept of “near miss” voluntary self-disclosures, providing that a company should receive a non-prosecution agreement (NPA) when the company acted in good faith by self-reporting but did not meet all of the requirements above, as well as when the matter involved aggravating circumstances.
In providing a single standard applicable to all jurisdictions, the CEP simultaneously provides the upside of consistency while removing the potentially helpful opportunity to make strategic forum decisions. Only time will tell how that shift in benefit impacts resolutions.
Tension With SDNY’s Corporate Enforcement Program
SDNY’s policy, announced on February 24, 2026, offers organizations an unusually concrete path to resolution. Under that program, a company could receive a conditional declination within a matter of weeks following a qualifying VSD, with a final declination — and no criminal charges — to follow, once the company satisfies resolution conditions, including cooperation and remediation, imposed by SDNY. Although other VSD programs offer the possibility of such a favorable resolution, SDNY’s promise of it is uniquely advantageous. In addition, organizations that satisfy their VSD obligations will receive (1) no prosecution of the company or its affiliates for the disclosed misconduct; (2) no criminal fine or forfeiture beyond restitution; and (3) no corporate monitor.
While this policy in several respects offers faster and more predictable benefits than the CEP, it may not matter given the statement that the CEP explicitly preempts “all component-specific or US Attorney’s Office-specific corporate enforcement policies currently in effect.” It remains to be seen how the SDNY will implement its broader policy and how the two policies will interact, but DOJ has affirmatively asserted that the SDNY approach is not binding on the Department, rather, quite the opposite.
UK Regulators Take Slightly Different Approach With Similar End Goal
While DOJ’s CEP establishes a nationwide framework for voluntary self-disclosure to US regulators, organizations operating internationally must also evaluate the decision of whether and how to self-report and cooperate under multiple enforcement regimes.
In the United Kingdom, regulators have a renewed and strong focus on corporate liability, incentivizing organizations with both a severe stick and a carrot that differs from the US VSD approach.
The Stick
On September 1, 2025, the UK began enforcing the failure to prevent fraud offense, which creates strict criminal liability for large organizations where an employee, agent, subsidiary or other “associated person” commits a fraud intending to benefit the organization.[4] This new offense has wide extraterritorial effect; in addition to acts which are part of the underlying fraud that take place in the UK, it also applies to instances in which the gain or loss resulting from the fraudulent activity occurs in the UK or the fraudulent act targets victims in the UK. This enforcement approach marks a shift from viewing organizations as victims of fraud to viewing them as vehicles for it that can be more easily held accountable. This, in turn, provides an incentive for organizations to place a greater emphasis on fostering an anti-fraud culture and early detection and internal reporting and, perhaps, ultimately self-report to regulators.
The Carrot
As with the CEP, voluntary self-disclosure to the Serious Fraud Office (SFO) can be beneficial to the organization and is a key consideration for securing a deferred prosecution agreement (DPA), under the SFO’s guidance on cooperation and enforcement in relation to corporate criminal offending (SFO Guidance), issued in April 2025.[5] While the disclosure process to the SFO shares some fundamental tenets with the CEP, it is also materially different in significant ways.
Similar to the core requirements under the CEP for an NPA, a company that provides (1) a prompt (2) self-report to, and (3) full cooperation with, the SFO will receive an invitation to DPA negotiations and avoid prosecution, absent exceptional circumstances. The SFO emphasizes that, although a prompt self-report is a strong factor indicating cooperation, having self-reported and being cooperative are not the same. Genuine cooperation involves going beyond what the law requires, such as proactive preservation and provision of evidence, identification of involved individuals, presentation of a detailed remediation plan and provision of transparent updates on a company’s internal investigation. A self-reporting company must provide genuine cooperation to be eligible for an invitation to DPA negotiations. On the other hand, a company that does not self-report can nevertheless provide exemplary cooperation with the SFO’s investigation to become eligible for an invitation to DPA negotiations. Resolutions with US regulators recognize this nuance as well.
The SFO has historically been criticized for delays in resolutions. Significantly, like the SDNY policy, the SFO Guidance commits to more proactive engagement in response to self-reporting, including contacting the reporting organization within 48 hours of receiving a self-report, deciding within six months of receiving the report whether to open an investigation and, where DPA negotiations are initiated, will generally plan to conclude commenced negotiations within six months. On the other hand, unlike the CEP’s pledge that a qualifying company will receive a declination, self-reporting to the SFO will only result in an invitation to DPA negotiation. And even if one is secured, DPAs will always involve a penalty. Thus, self-reporting to the SFO arguably remains higher risk and less reward.
Another significant difference between the UK and US federal approaches is the degree of judicial involvement in DPAs and similar resolutions. In the US, DPAs are negotiated between corporations and DOJ with little judicial involvement, but in the UK, courts are heavily involved in the DPA process. Before the DPA terms are finalized, the prosecutor must apply to the Crown Court for a private declaration and preliminary hearing that entering into a DPA is in the interests of justice and that the proposed terms are fair, reasonable and proportionate.[6] Following the preliminary hearing, if an agreement is reached on the terms of a DPA, the prosecutor must then apply to the Crown Court for a final declaration that the DPA is in the interests of justice and that the terms are fair, reasonable and proportionate.[7]
Conclusion
Given the increasing exposure and increasing stakes of conducting worldwide operations, organizations facing potential exposure must evaluate self-reporting decisions not only through the lens of a single regulator, but also across an increasingly interconnected enforcement landscape. On a practical level, the components of the UK and US VSD programs are not vastly dissimilar, both emphasizing promptness and cooperation. At the same time, their meaningful differences mean organizations need to carefully consider the best way to navigate these pathways. As information sharing between US and UK authorities continues to deepen, a disclosure in one jurisdiction may quickly trigger scrutiny in another. Organizations must not only seek to prevent misconduct through robust compliance trainings and frameworks, they must also be prepared to quickly conduct internal investigations with an eye toward multiple jurisdictions and craft carefully coordinated cross-border disclosure strategies.
For tailored guidance on compliance frameworks, carrying out internal investigations or disclosure strategies in relation to relevant regulators, contact Bracewell’s government enforcement and investigations team.
[1] Department of Justice, Corporate Enforcement and Voluntary Self-Disclosure Policy (Mar. 10, 2026), https://www.justice.gov/dag/media/1430731/dl?inline.
[2] Press Release, Department of Justice Releases First-Ever Corporate Enforcement Policy for All Criminal Cases (Mar. 10, 2026, https://www.justice.gov/opa/pr/department-justice-releases-first-ever-corporate-enforcement-policy-all-criminal-cases.
[3] Id.
[4] Section 199, Economic Crime and Corporate Transparency Act 2023.
[5] Serious Fraud Office, “SFO External Guidance on Corporate Cooperation and Enforcement in relation to Corporate Criminal Offending” (Apr. 24, 2025), https://www.gov.uk/government/publications/sfo-corporate-guidance/sfo-corporate-guidance.
