Abstract:The U.S. Department of Justice (DOJ) has issued the first department-wide Corporate Enforcement and Voluntary Self-Disclosure Policy (CEP) applicable to all corporate criminal cases except antitrust violations, replacing the previous fragmented rules across various DOJ components and U.S. Attorney’s Offices. The policy directly links voluntary self-disclosure, full cooperation, and timely remediation to tiered outcomes including declination of prosecution and substantial penalty reductions, thereby providing a transparent and predictable compliance incentive framework. This policy has far-reaching implications for Chinese and other cross-border enterprises with U.S. operations, listings, financings, U.S. dollar settlements, or transactions involving U.S. financial institutions, as it clarifies the decision-making basis for enterprises facing criminal risks such as violations of the Foreign Corrupt Practices Act (FCPA), money laundering, and sanctions non-compliance. This article analyzes the core changes of the policy, its relevance to Chinese enterprises, the three-tier outcome framework (declination of prosecution, Non-Prosecution Agreements (NPAs), and limited leniency), the standards for qualifying self-disclosure, cooperation and remediation, as well as typical application scenarios. It also proposes implementation measures including internal communication, crisis response, compliance mechanism optimization, cross-border legal conflict preparedness, and M&A clause adjustments, helping enterprises balance risks and opportunities and make sound compliance decisions under the new policy framework.
Keywords:CEP; Cross-border Compliance; Corporate Criminal Enforcement; Compliance Disclosure and Remediation
I. What is the Relevance of the DOJ’s New Policy to Enterprises?
On March 10, 2026, the U.S. Department of Justice issued the first department-wide Corporate Enforcement and Voluntary Self-Disclosure Policy (CEP). This marks the first time the DOJ has established a unified document that stipulates the extent to which companies can seek declination of prosecution or substantial penalty reductions by voluntarily disclosing, cooperating with investigations, and remediating in a timely manner when facing criminal risks in the U.S., with the exception of antitrust cases.
In recent years, the DOJ Criminal Division has had its own Corporate Enforcement Policy, and several U.S. Attorney’s Offices have successively introduced local self-disclosure policies, resulting in a landscape of "multiple sets of rules coexisting" in practice.
A key change of this new policy is its explicit stipulation that it applies to all criminal components of the DOJ and U.S. Attorney’s Offices nationwide – superseding all prior component-specific and U.S. Attorney’s Office-specific corporate enforcement policies, except for antitrust cases. For enterprises with U.S. operations, listings, financings, U.S. dollar settlements, or regular transactions with U.S. financial institutions and clients, this means that in the event of alleged violations such as FCPA breaches, money laundering, sanctions non-compliance, and securities/accounting fraud, they can evaluate based on a relatively unified set of rules: whether to self-disclose, when to self-disclose, and the approximate difference in outcomes between self-disclosure and non-disclosure.
II. Three Core Initiatives of the New Policy
From the perspective of corporate management, the new policy can be summarized into three core initiatives:
1.Consolidating the previous fragmented leniency policies into a single department-wide rule
According to the DOJ’s press release, the new policy applies to all corporate criminal cases handled by the DOJ, with only antitrust cases continuing to be governed by the Antitrust Division’s separate leniency program. It also explicitly stipulates that the original component-specific and U.S. Attorney’s Office-specific corporate enforcement/voluntary self-disclosure policies are in principle superseded by this unified new policy. This means enterprises no longer face vastly different prosecution thresholds due to different jurisdictional authorities.
2.Institutionalizing the principle that "voluntary disclosure-cooperation-remediation entitles to declination of prosecution/substantial penalty reductions"
The new policy continues and strengthens the core approach of corporate criminal justice in 2025: enterprises that self-disclose, cooperate, and remediate in compliance with certain conditions will receive significantly more favorable treatment in terms of declination of prosecution, types of resolution agreements, penalty ranges, and the appointment of an independent compliance monitor.
3.Refining the standards for "voluntary self-disclosure, full cooperation, and timely remediation"
For example, the new policy requires that self-disclosure must be a good-faith disclosure made when the DOJ is not yet aware of the misconduct and there is no imminent threat of exposure, and it emphasizes that the disclosure must be made "reasonably promptly". For cooperation, it is defined as the "timely, truthful, and accurate disclosure of all facts and non-privileged evidence related to the conduct at issue". For remediation, it continues to emphasize individual accountability, institutional remediation, and resource matching.
Overall, the key words the DOJ highlights to the public are "transparency, uniformity, and predictability". It aims to encourage more companies to come forward and communicate promptly upon discovering misconduct, rather than delaying or resisting, by clearly setting out incentive mechanisms.
III. From "Declination of Prosecution" to "Mitigated Penalties"
The most notable aspect of this policy is that it directly links "self-disclosure-cooperation-remediation" to three typical tiered outcomes, which can be simply understood as three "outcome ranges" from an enterprise’s perspective.
Tier 1: The DOJ commits to "declining prosecution" when conditions are met
Pursuant to the new policy, the DOJ commits to declining prosecution under the unified department-wide framework if an enterprise meets the following conditions:
1.Voluntarily discloses the misconduct to the appropriate DOJ criminal component;
2.Completes the disclosure before the DOJ or other agencies become aware of the conduct and in the absence of an imminent threat of exposure;
3.Has no pre-existing legal or contractual obligation to disclose the conduct to the DOJ;
4.Fully cooperates with the DOJ’s investigation;
5.Implements "timely and appropriate" remediation, including holding involved personnel accountable and strengthening compliance systems;
6.The case involves no serious aggravating circumstances, such as extreme egregiousness, widespread senior management involvement, substantial harm, or serious recidivism.
This means that under ideal circumstances, a company facing potential criminal prosecution in the U.S. can seek a resolution where the case is not filed for prosecution and is concluded by disgorgement of ill-gotten gains, etc., by choosing to self-disclose and cooperate in a timely manner. For listed companies or those in the process of financing, this outcome has a fundamentally different impact on stock prices, reputation, and transaction progress compared to being formally prosecuted.
Tier 2: Substantial leniency still available for self-disclosure + cooperation + remediation despite aggravating circumstances
The new policy still encourages enterprises to self-disclose in cases involving certain aggravating circumstances (e.g., large amounts in question, involvement of some management personnel). According to the policy’s provisions and practical interpretations, in such cases, enterprises generally meet the requirements for self-disclosure, cooperation, and remediation, but the seriousness of the case leads the DOJ to determine that some form of criminal resolution is still necessary. In such situations, the DOJ tends to use Non-Prosecution Agreements (NPAs) or Deferred Prosecution Agreements (DPAs) instead of formal prosecution and a guilty plea. Under the new policy, enterprises that make a "near miss" self-disclosure are eligible for a penalty reduction of 50%-75% off the low end of the U.S. Sentencing Guidelines range, with the specific percentage at the prosecutor’s discretion, and an independent monitor is generally not required.
Compared with the previous Criminal Division policy, the new policy adjusts the "automatic 75%" penalty reduction for this tier to a "discretionary range of 50%-75%", but it still maintains the favorable expectation of "resolution typically through an NPA".
Tier 3: Limited leniency available for active post-hoc cooperation and remediation without prior self-disclosure
The new policy also provides for leniency for companies that do not make a voluntary self-disclosure but begin to cooperate following a whistleblower report, media exposure, or regulatory investigation, though such leniency is significantly less favorable than the first two tiers. In such cases:
1. Declination of prosecution is generally difficult to obtain, with resolutions more likely through DPAs or guilty pleas;
2. The extent of penalty reduction is typically significantly lower than in cases of self-disclosure;
3. The DOJ is more likely to require the appointment of an independent monitor to conduct external oversight of the company’s compliance system for several years.
IV. What Constitutes "Qualifying" Self-Disclosure, Cooperation and Remediation?
For corporate management and legal/compliance teams, another key question is: what conduct is sufficient to qualify for the above incentives under the new policy framework?
(1)Voluntary Self-Disclosure: Timing and Method are Critical
The new policy sets relatively clear standards for "voluntary self-disclosure":
1. Truly Voluntary: Disclosure must occur before the DOJ or other law enforcement agencies obtain substantive clues, and not passively after the misconduct is almost certain to be exposed via media or whistleblower reports;
2. No Pre-Existing Obligation: Merely fulfilling an existing statutory or regulatory reporting obligation is not sufficient to automatically constitute a "voluntary self-disclosure" under the new policy;
3. Reasonably Prompt: The DOJ emphasizes that enterprises are expected to disclose "within a reasonably prompt time", and a preliminary disclosure may be made even if the internal investigation is not yet complete, with additional details supplemented as the investigation progresses;
4. Appropriate Recipient: Disclosure must be submitted to the appropriate DOJ criminal component, rather than merely reported to other government agencies or regulatory bodies.
This means that when an enterprise discovers potential FCPA, sanctions, or money laundering issues through internal audits, the decision of whether and when to disclose to the DOJ will directly impact its eligibility for the truly favorable Tier 1 or Tier 2 outcomes if U.S. judicial risks are anticipated.
(2) Full Cooperation: Not Merely "Non-Obstruction", but "Assisting in Holding Individuals Accountable"
Contrary to the intuitive understanding of some enterprises, the DOJ’s requirements for "cooperation" under the new policy go beyond mere compliance with investigations and include assisting the DOJ in identifying and holding individual wrongdoers accountable to a reasonable extent.
In practice, the DOJ expects companies to take proactive actions in the following aspects:
1. Timely, truthful, and complete disclosure of all non-privileged facts and evidence related to the conduct at issue;
2. Facilitating interviews or testimony of key employees in court to the extent permitted by law;
3. Cooperating with the collection of cross-border data and evidence from overseas servers, and providing implementable solutions within the framework of domestic law, rather than simply refusing on the grounds of "data export restrictions";
4. Presenting the results of internal investigations in a form easily usable by the DOJ, including a clear analysis of the factual timeline, the extent of individual involvement, and internal control deficiencies.
For cross-border enterprises with Chinese background, additional consideration must be given to Sino-U.S. legal conflicts, such as data export, state secrets, and personal information protection. Such issues should be pre-planned by legal, compliance teams and external counsel before a case arises, rather than being addressed ad hoc after a DOJ investigation has commenced.
(3) Timely Remediation: From Accountability to "Sufficient Compliance Investment"
In terms of remediation, the new policy continues the DOJ’s basic approach in recent years, with a greater focus on actual effectiveness rather than merely formal institutional frameworks. Key requirements include:
1. Individual Accountability: Whether involved employees and management personnel have been investigated, disciplined or even terminated, and whether measures such as clawing back bonuses and revoking incentives have been adopted;
2. Institutional Remediation: Whether targeted institutional updates and process optimizations have been implemented to address specific vulnerabilities exposed by the case (e.g., third-party management, approval processes for high-risk regions, financial controls);
3. Resource Matching: Whether the human resources, budget, and authority of the company’s compliance department are matched to the enterprise’s business scale and risk level, rather than engaging in "paper compliance".
For enterprises, these remediation measures not only impact whether the DOJ requires the appointment of a compliance monitor but also the extent of penalty reduction and the form of the overall resolution.
V. Practical Implications for Cross-Border Enterprises
From the perspective of cross-border enterprises, the new policy brings more changes to the "decision-making framework" rather than a simple "increase or decrease in risks". The following typical scenarios illustrate these implications:
Scenario 1: Misconduct Discovered Internally but Not Yet Known to the Public
Typical situations include: internal audits uncovering abnormal payments by an overseas subsidiary, third-party commissions lacking a legitimate business purpose, or compliance whistleblower reports indicating potential bribery, money laundering, or sanctions evasion. In such cases, management typically faces several key questions:
1. Whether the conduct may trigger U.S. judicial jurisdiction (e.g., connection to U.S. issuers, U.S. dollar settlements, U.S. listing, or use of the U.S. financial system);
2. If there are risks, whether to self-disclose to the DOJ, and if so, what the optimal timing and method are;
3. If self-disclosure is delayed for the time being, to what extent should internal investigations and remediation be conducted to maximize leniency under Tier 3 if the issue is exposed in the future.
The value of the new policy here is that it allows management to compare the consequences of self-disclosure and non-disclosure in a more predictable manner, rather than merely having an abstract fear of "potentially inviting greater trouble".
Scenario 2: Already Subject to Inquiries, Whistleblower Reports or Media Attention
If the issue is already under civil investigation by the U.S. Securities and Exchange Commission (SEC), KYC/AML inquiries by banks, or media investigative reports, it becomes more complex to qualify for a "voluntary self-disclosure" under the new policy.
According to public interpretations, an enterprise may still have a limited opportunity to be deemed to have made a "de facto self-disclosure" under the new policy if the DOJ is not yet aware of the conduct and there is no imminent threat of the DOJ discovering it, but the scope for leniency is far narrower than in cases where the company proactively discovers and self-discloses the misconduct entirely on its own initiative.
In such "gray area scenarios", the ability to clearly explain the timeline, the company’s initiative, and internal governance to the DOJ often directly impacts whether the case can be categorized into Tier 1 or Tier 2.
Scenario 3: Historical Legacy Issues in M&A, Investment and Exit
In cross-border M&A or investments, acquirers often discover potential historical FCPA, sanctions, or money laundering issues of the target company during due diligence or after closing. For such U.S.-related transactions, the new policy provides a relatively clear toolkit:
1. If the acquirer proactively self-discloses, cooperates, and remediates in accordance with the new policy after closing, it has the opportunity to control "successor liability" within a manageable range, and even seek declination of prosecution if conditions are met;
2. In transaction documents, the rights and obligations of all parties regarding self-disclosure and cooperation can be pre-locked by stipulating clauses such as the "decision-making mechanism for self-disclosure upon discovery of material compliance issues" and the "division of responsibilities for communication with the DOJ".
3. In terms of investment and valuation, investors can make more informed judgments on the target’s valuation and transaction structure by combining the expectations provided by the new policy: for targets already in the DOJ’s sight, the likely resolution method, the potential extent of penalty reduction, and whether a long-term monitor will be required.
VI. Essential Strategies for Compliance Risk Focus
To effectively implement the changes brought by the new policy in a pragmatic and neutral manner, enterprises can advance the work systematically from several levels:
1. Internal Communication: Conduct a special briefing for the board of directors and management in non-technical language, clarifying the DOJ’s current unified corporate criminal enforcement policy and the tiered impact of different choices (self-disclosure, cooperation, remediation) on case outcomes when misconduct occurs;
2. Crisis Response: Add a fixed procedure to the existing cross-border compliance and crisis response manual, specifying that in the event of a material U.S.-related compliance issue, a special task force shall complete a preliminary factual investigation as soon as practicable and assess whether to initiate voluntary self-disclosure in accordance with the new policy;
3. Compliance Systems and Investigation Mechanisms: Review whether the existing compliance system has the ability to early identify high-risk transactions and payments, clear internal escalation paths and cross-departmental working mechanisms, and the capacity to promptly launch internal investigations and form fact-based evidence usable for external communication;
4. Cross-Border Legal Conflict Preparedness: Collaborate with external counsel or advisors in advance to assess the feasible boundaries of corporate cooperation when the DOJ requests it in relation to cross-border data, confidentiality obligations, and Sino-foreign legal conflicts, and form an internal principled position to avoid coordination only after the case enters the substantive investigation stage;
5. M&A and Investment: Explicitly stipulate in the terms of U.S.-related M&A and investment transactions how all parties will jointly assess self-disclosure if potential criminal risks are discovered during due diligence or after closing, and how the additional costs and penalties arising from self-disclosure will be allocated in price adjustment and compensation arrangements.
For business lines with U.S. operations, U.S. listings, financing from U.S. financial institutions, or U.S. dollar clearing, special training should be planned, focusing not on interpreting provisions but on clarifying the respective outcome ranges of "early disclosure, delayed disclosure, and non-disclosure" under the new policy through simple scenarios.
In most cases, the decision of whether and when to make a voluntary self-disclosure to the DOJ is rarely a purely legal issue, but rather a board-level decision that requires a comprehensive weighing of commercial, reputational, regulatory, and multi-jurisdictional legal consequences. The value of the new policy is that it makes this decision-making process more "calibrated" than before, allowing enterprises to make choices within a more predictable framework. From a compliance and legal practice perspective, the DOJ’s unified policy further clarifies the correlation between voluntary self-disclosure, full cooperation, timely remediation and lenient treatment, enhancing the predictability of cross-border enterprises’ response to U.S.-related criminal risks. This rule not only strengthens the incentives for enterprises to proactively comply but also raises higher requirements for internal investigations, cross-border data collaboration, crisis management, and M&A risk control. For Chinese cross-border enterprises, the key is to integrate the new policy into the normalized compliance system, advance risk assessment and contingency planning, and establish a clear decision-making mechanism within the boundaries of legal conflicts to achieve risk control and maximize compliance value.
Source: ALL BRIGHT LAW OFFICES
Authors:
- Ekin Zeng (曾峥),Senior Partner,ekinzeng@allbrightlaw.com
- Chen Yitao(陈伊韬),lawyer,chenyitao@allbrightlaw.com