On March 10, 2026, DOJ announced its first ever Department-wide Corporate Enforcement Policy (CEP). The CEP closely tracks the Criminal Division’s revised CEP announced in May 2025, by placing continued emphasis on voluntary self-disclosure and individual accountability and making clear that companies choosing not to self-disclose should expect aggressive enforcement. 

The CEP provides that companies will receive a declination if they voluntarily self-disclose, fully cooperate, and timely and appropriately remediate misconduct for which there are no aggravating factors. Notably, prosecutors retain discretion to recommend a declination even where aggravating factors are present, and the policy does not excuse a company receiving a declination from having to pay disgorgement, forfeiture, restitution, or victim compensation.

For companies that have aggravating circumstances or do not meet DOJ’s definition of voluntary self-disclosure, the CEP provides a “Near Miss” category imposing reduced consequences, including a non-prosecution agreement with a term of less than three years, no independent compliance monitor, and a fine reduction of at least 50% and up to 75% off the low end of the U.S. Sentencing Guidelines.

Unlike the Criminal Division’s CEP, the Department-wide CEP requires that a company disclose to the “appropriate [DOJ] criminal component” but clarifies that a good-faith disclosure to one component will still qualify so long as it is within the DOJ. On March 30, 2026, DOJ’s National Security Division (NSD) issued a press release confirming that voluntary self-disclosures involving potential criminal violations of U.S. national security laws should be submitted to NSD and providing instructions for companies seeking to disclose. The CEP “Near Miss” category also provides for a reduction of at least 50% but not more than 75% off the low end of the Sentencing Guidelines’ fine range, whereas the Criminal Division’s CEP provided for a 75% reduction off the low end. As a result, companies may have less certainty regarding potential outcomes and fines after a self-disclosure because they may be required to pay more in fines under the CEP.

On March 19, 2026, DOJ issued its first declination under the new CEP to Balt SAS, a France-based medical device company, and its subsidiary Balt USA LLC (together, “Balt”), in connection with an alleged foreign bribery scheme involving a physician at a state-owned hospital in France. DOJ credited Balt’s timely and voluntary self-disclosure to the Fraud Section, full and proactive cooperation with the government’s investigation, timely and appropriate remediation, and lack of aggravating circumstances, and highlighted Balt’s remediation efforts, including disciplining the individuals involved, terminating the business relationships that gave rise to the misconduct, providing compliance training for senior management, and strengthening its compliance program and internal controls. As part of the resolution, Balt agreed to disgorge approximately $1.2 million in profits tied to the misconduct. Notably, David Ferrera, a senior executive of Balt USA LLC, and Marc Tilman, a Belgium-based consultant, were recently indicted in connection with the bribery scheme at issue, demonstrating DOJ’s prioritization of individual accountability.

The new Department-wide CEP follows the Southern District of New York’s (SDNY) February 24, 2026 announcement of its own self-disclosure program for financial crimes. Despite DOJ explicitly stating that the CEP supersedes “all component-specific or U.S. Attorney’s Office-specific corporate enforcement policies currently in effect,” except those of the Antitrust Division, Jay Clayton, SDNY’s U.S. Attorney, made clear in remarks at NYU’s Corporate Compliance and Enforcement Spring Compliance Conference on April 14, 2026 that SDNY’s program remains in full force.

Clayton described SDNY’s program as providing certainty and speed to qualifying companies. For example, the SDNY program provides that shortly after receiving a qualifying self-report, SDNY will issue a conditional declination letter, and once the company fulfills its obligations, it will issue a final declination notice and close the matter without criminal charges, fines, forfeiture, or a monitor. According to Clayton, between 6 and 12 companies have already made disclosures to date, for which conditional declinations are in progress.

Clayton further described SDNY’s program as a means to distinguish companies with effective compliance programs, suggesting those companies will voluntary self-disclose. As for companies choosing not to self-disclose, Clayton emphasized SDNY’s willingness to pursue aggressive prosecution, reiterating the program’s strong presumption against a declination and a presumption in favor of a resolution with a monetary penalty. 

In January 2026, DOJ reported a record-breaking 2025 fiscal year for False Claims Act (FCA) enforcement, with $6.8 billion in FCA recoveries, 1,297 qui tam filings, and 401 government-initiated investigations. In remarks at the ACI’s 13th annual Advanced Forum on False Claims and Qui Tam Enforcement, Deputy Assistant Attorney General Brenna Jenny signaled DOJ’s continued focus on FCA enforcement with continued prioritization in the healthcare, trade, cybersecurity, and government contracting industries. Jenny further emphasized DOJ’s use of data analytics and collaboration with the Department of Health and Human Services to identify potential fraud on the government.

FCA enforcement throughout the first quarter remained largely consistent with DOJ’s stated priorities, including several cases in the healthcare industry. In January, DOJ filed a complaint against Louisiana-based hospital management company, Priority Hospital Group (PHG), three PHG-managed long-term care hospitals, and a physician, alleging that they violated the FCA by holding patients in the hospital longer than medically necessary to increase their Medicare reimbursements. The complaint further alleged one hospital-defendant violated the FCA by entering into a medical directorship with a physician to induce referrals in violation of the Anti-Kickback statute. Also in January, DOJ announced a $34 million settlement with Traditions Health, resolving allegations that it violated the FCA by providing medically unnecessary home health services and impermissible referral payments to physicians.

On March 12, DOJ announced a $4.75 million settlement with Tri-City Cardiology, P.C. (an Arizona cardiology group) resolving allegations that the group violated the FCA by performing medically unnecessary vein ablations. On March 11, DOJ announced a $117.7 million settlement with insurance provider Aetna Inc. to resolve allegations that Aetna submitted or failed to delete inaccurate diagnosis codes for enrollees in its Medicare Advantage plan to increase its Medicare payments.

On January 8, 2026, the President unveiled a new DOJ division focused on national fraud enforcement. The newly-minted National Fraud Enforcement Division (the Fraud Division) will serve to enforce federal criminal and civil laws prohibiting fraud that targets federal government programs, federally funded benefits, businesses, nonprofits, and private citizens nationwide. This announcement follows the Administration’s stated priority to combat fraud on the government and ongoing federal investigations into certain state-administered health and welfare programs. On April 1, Colin McDonald was sworn in as the Assistant Attorney General (AAG) for the Fraud Division. AAG McDonald is tasked with (i) overseeing multi-district and multi-agency fraud investigations; (ii) providing advice, assistance, and direction to the U.S. Attorneys’ Offices on fraud-related issues; and (iii) working closely with other federal agencies and DOJ divisions to identify, disrupt, and dismantle organized and sophisticated fraud schemes across jurisdictions.

On April 7, 2026, Acting Attorney General Todd Blanche released a memo detailing plans to consolidate and realign resources to staff the newly formed Fraud Division. The memo instructs DOJ Criminal Division’s Tax Section, the Health Care Fraud Unit, and the Market, Government, and Consumer Fraud Unit be transferred under AAG McDonald’s operational control effective immediately for an interim period of up to 30 days, at which point a permanent decision on the realignment will be made by the Deputy Attorney General. The memo further directs (1) the Civil Division to designate a Fraud Division liaison to leverage fraud enforcement; (2) each U.S. Attorney’s Office to designate an experienced prosecutor to carry out the Fraud Division’s mission in each district; and (3) the Fraud Division to establish a National Fraud Detection Center, aimed at identifying potential fraudulent schemes for prosecutors.

Separately, on February 23, 2026, Cody Matthew Herche, the head of the Trade Fraud Task Force created in 2025, provided an update on the Task Force’s partnerships and objectives. Herche announced that the Task Force is ramping up efforts to combat abuse by partnering with multiple agencies responsible for product safety and national security, including the FDA, EPA, CPSC, HSI, DHS, and DOJ. The U.S. Attorney’s Office in Chicago will serve as a lead prosecutorial partner on the Task Force. Herche also stated that investigations are proceeding at a faster pace and the size of settlements have increased precipitously. Herche’s comments signal an aggressive shift in the government’s approach to trade fraud enforcement. Pointing to economic and national security, Herche noted that the Task Force aims to move trade compliance away from administrative decisions and into increased criminal investigations and prosecutions, focused more on individual accountability.

On February 18, 2026, a Pennsylvania federal jury convicted Charles Hobson, a former Vice President at Corsa Coal Corp., of two counts of violating the FCPA and conspiracy to violate the FCPA. Hobson’s convictions stem from a scheme to bribe Egyptian government officials to obtain lucrative coal supply contracts to an Egyptian state-owned coal company. Corsa Coal received a declination under the Criminal Division’s then-existing CEP in 2023.

Hobson’s conviction follows a temporary pause in FCPA enforcement, which culminated in Deputy Attorney General Blanche’s memo detailing Guidelines for Investigations and Enforcement of the FCPA (FCPA Guidelines). Despite not fitting squarely within the FCPA Guidelines, Hobson’s conviction highlights DOJ’s commitment to prosecuting and holding individual executives accountable.

On February 24, 2026, the SEC’s Enforcement Division announced significant updates to its Enforcement Manual (Manual), including revisions to the Wells process, corporate cooperation credit, consideration of collateral waivers, and criteria for criminal referrals.

The revised Manual provides that SEC enforcement staff (Staff) are now expected, where feasible, to provide advance oral notice before issuing a Wells notice and to be more forthcoming about the key evidence gathered during the investigation. Wells recipients will now generally have four weeks to submit a response, and requests for post-Wells meetings, with senior leadership present, will typically be granted within four weeks of a Wells submission. Additionally, the revised Manual provides specific substantive guidance as to how to make a Wells submission most effective, delineating eight key elements of a successful Wells submission. Taken together, these changes reflect a more structured and transparent Wells process, with greater senior-level oversight, while also providing respondents with clear expectations and a more meaningful opportunity to present their position before recommendations are finalized.

The revised Manual also provides detailed guidance on how the Enforcement Division will evaluate cooperation, provides specific examples of “effective remediation” and “exemplary cooperation,” and expressly recognizes the possibility of a “zero-penalty settlement” in appropriate cases. Under the revised Manual, cooperation credit will generally be available when a company comes forward before (i) the Staff learns of the misconduct from another source; (ii) there is an imminent threat of disclosure or investigation; (iii) any media attention; and (iv) another regulator opens an investigation. Effective remediation includes disciplining or terminating responsible employees, making prompt corrective disclosures, and strengthening internal controls. Exemplary cooperation includes summarizing investigative findings, identifying key documents and witnesses, and, generally, taking affirmative steps that assist with the SEC’s investigation.

The revised Manual further memorializes the SEC’s restoration of its pre-2021 practice of allowing a settling party to ask that the Commission consider an offer of settlement and, at the same time, request waivers from automatic disqualifications and other consequences triggered by the underlying enforcement action. 

Finally, the revised Manual provides that Staff should consider six factors when deciding whether to refer possible violations to criminal law enforcement authorities, including (i) the harm or risk of harm; (ii) the potential gain to the defendant; (iii) whether the defendant had specialized knowledge; (iv) whether the defendant knew the conduct was harmful or illegal; (v) whether the defendant is a recidivist; and (vi) whether the referral would provide additional investor protection.

Despite revisions to the Manual, SEC enforcement remains slow. On February 11, 2026, Stryker disclosed in its 10-K annual report that the SEC had closed its investigation into potential violations of the FCPA without taking any enforcement action. The disclosure follows Stryker’s May 2025 securities filing disclosure that DOJ had closed an FCPA inquiry without further action. On March 16, 2026, Judge Margaret Ryan resigned from her post as Director of the Enforcement Division. Principal Deputy Director Sam Waldon has been named Acting Director of the Division with a permanent successor expected to be announced in the coming weeks.

On March 30, 2026, the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) submitted to the Federal Register a Notice of Proposed Rulemaking (NPRM) to implement a formal whistleblower program as mandated by the 2020 Anti-Money Laundering Act and the 2022 Anti-Money Laundering Whistleblower Improvement Act. FinCEN announced that the program is intended to help safeguard the financial system from illicit use, promote national security, and combat money laundering, sanctions evasion, terrorist financing, proliferation financing, and related crimes.

If finalized, the proposed rule would establish formal procedures for submitting tips, set out eligibility requirements, and standardize confidentiality, anonymity and anti-retaliation protections for whistleblowers. Importantly, the program would not be limited to Bank Secrecy Act (BSA) violations. It would also apply to violations under key U.S. sanctions authorities including the International Emergency Economic Powers Act (IEEPA), the Trading With the Enemy Act (TWEA), and the Foreign Narcotics Kingpin Designation Act. The program would also reach violations of sanctions programs administered by the Office of Foreign Assets Control (OFAC) and any programs implemented pursuant to IEEPA, including any tariffs programs and DOJ’s Data Security Program. As a result of this broad reach, non-financial institutions (such as casinos, precious metals dealers, art dealers and galleries, or third parties that provide business services to financial institutions) could be subject to new enforcement risk. Non-financial institutions and sanctioned entities, as well as entities that do business with sanctioned entities or fail to have an effective compliance program, could all be impacted.

Under the proposed rule, eligible whistleblowers include U.S. and non-U.S. natural persons. To qualify for an award, FinCEN specifies that the individual must (i) voluntarily provide original information; (ii) be the original source of that information; (iii) provide information that leads to the successful enforcement of a covered action involving monetary sanctions exceeding $1 million, or a related action involving a successfully enforced judicial or administrative action that is based on the original information that led to the successful covered action; and (iv) provide DOJ and Treasury with any additional requested information. A submission is considered “voluntary” only if it is made before any contact from a government agency, and “original” only if the government was not already aware of the information.

The proposal provides that, if an individual meets these requirements, the whistleblower may receive an award of 10 to 30 percent of collected monetary sanctions. FinCEN would determine the exact percentage based on factors including the significance of the information, the assistance the whistleblower provides, and the whistleblower’s culpability in the matter. The proposal also includes a presumption in favor of a 30 percent award where the collected amount is $15 million or less.

FinCEN is accepting public comments until May 31, 2026. If adopted, the rule is expected to meaningfully expand the flow of tips and enforcement actions in response to both anti-money laundering and sanctions-related misconduct. The new whistleblower program would increase incentives for employees and others to report concerns directly to the government, making the need for companies’ strong internal reporting systems, investigation procedures, and escalation channels even more critical.

In a February ruling in United States v. Heppner, Judge Jed S. Rakoff of the U.S. District Court for the Southern District of New York held that documents generated through a third-party generative AI tool and later shared with counsel were not protected by the attorney-client privilege or the work-product doctrine. The ruling underscores the potential discovery risks that can arise when individuals input confidential information into AI tools, including in the context of a potential or pending investigation or litigation.

The underlying criminal matter involves allegations of fraud arising from investments made by GWG Holdings, Inc. (GWG) into Beneficient to satisfy sham debts owed to a shell company, Highland Consolidated Limited Partnership (HCLP). Bradley Heppner—the founder of Beneficient, chairman of the GWG board, and controlling party of HCLP—was arrested in November 2025 on charges of securities fraud, wire fraud, conspiracy to commit securities and wire fraud, false statements to auditors, and falsification of records. In connection with their investigation, federal agents seized devices that contained thirty-one AI-generated documents that Heppner allegedly created using Anthropic’s AI tool, Claude, to organize his thinking about the investigation, including potential defenses and legal arguments.

Heppner’s counsel logged the documents as privileged, asserting that Heppner prepared them to synthesize his thoughts for communication with counsel. His counsel acknowledged, however, that Heppner created the documents on his own initiative, not at the direction of counsel. The government moved for a ruling that the AI-generated materials were not protected by the attorney-client privilege or the work-product doctrine.

The district court agreed with the government. First, the court held that the communications were not protected by the attorney-client privilege for three discrete reasons: (i) Claude is not an attorney, so there was no privileged communication between a client and counsel to generate the documents; (ii) Heppner’s use of the consumer version of Claude undermined any claim of privilege because its policies put users on notice that the data could be disclosed to third parties without any confidentiality protections; and (iii) Heppner did not use Claude for the purpose of obtaining legal advice because he did not do so at the suggestion or direction of counsel. Second, the court rejected work-product protection claims because the documents were neither prepared by counsel nor prepared at counsel’s direction, and did not reflect counsel’s strategy.

The ruling is a clear caution for organizations and individuals using publicly available AI tools in connection with disputes, investigations, or other sensitive matters. Moving forward, clients should consider involving counsel before using generative AI for sensitive matters so that counsel can evaluate the specific tool and use, the applicable terms and policies, and any available safeguards to ensure documents and information remains privileged. Where AI use is appropriate, clients should consider using platforms designed to maintain confidentiality and should use those tools in a counsel-directed manner, recognizing that resolutions of disputes regarding privilege and disclosure may not be easily determinable and will likely remain highly fact-specific.

OFAC continued active enforcement in the first quarter of 2026. OFAC’s Q1 enforcement actions involved a range of industries, underscoring the continued importance of effective policies, controls, screening, and testing. We highlight one of OFAC’s three Q1 enforcement actions below.

TradeStation Securities: On March 17, OFAC announced a $1.11 million settlement with TradeStation Securities, a Florida-based brokerage firm, to resolve 481 apparent violations of the Iran, Syria, and Ukraine-/Russia-related sanctions programs. According to OFAC, between June 2021 and June 2022, TradeStation’s mobile platform processed 481 trades worth approximately $4.4 million for users located in Iran, Syria, and Crimea. Notably, the violations were not the result of an absence of sanctions controls altogether. OFAC found that TradeStation had a sanctions compliance program, but that failures in TradeStation’s IP address detection and geo-blocking controls, as well as inadequate testing of those controls, allowed users in sanctioned jurisdictions to continue accessing TradeStation’s mobile platform and executing trades. OFAC determined that the matter was non-egregious. TradeStation also voluntarily self-disclosed the conduct and took significant remedial measures after it discovered the issues. The action is a reminder that even firms with carefully designed compliance systems in place can face exposure where controls are not adequately tested and maintained.