Foro Compliance Latam

DOJ Criminal Division Announces New Plan for White Collar Enforcement and Revised Policies on Corporate Prosecutions

13-06-2025 | Miller & Chevalier US

n a significant step designed to implement further the Trump administration’s re-focusing of priorities for corporate enforcement by the Department of Justice (DOJ), on May 12, 2025, Matthew R. Galeotti, Head of the DOJ Criminal Division, announced in a speech at the Securities Industry and Financial Markets Association’s annual Anti-Money Laundering and Financial Crimes Conference several important policy updates, including revisions to the DOJ’s Criminal Division Corporate Enforcement and Voluntary Self-Disclosure Policy (CEP). These changes are also discussed in a May 12, 2025, memorandum from Galeotti to DOJ Criminal Division personnel titled “Focus, Fairness, and Efficiency in the Fight Against White-Collar Crime,” which “outline[s] the Criminal Division’s enforcement priorities and policies for prosecuting corporate and white-collar crimes in the new Administration.”

In addition to a revised CEP, the Criminal Division has issued a revised version of the DOJ’s Corporate Whistleblower Awards Pilot Program, as well as a new Memorandum on Selection of Monitors in Criminal Division Matters that supersedes past policy documents regarding monitorships. This alert will summarize salient points related to each of these revised policy documents in turn.

The enforcement priorities that inform these new policy documents are consistent with earlier presidential and DOJ orders and memoranda. For example, the enforcement plan and revisions to the whistleblower pilot program coverage align with Attorney General Bondi’s February 5, 2025 memorandum “Total Elimination of Cartels and Transnational Criminal Organizations,” which we discussed in this alert, and the president’s February 10, 2025 executive order (E.O.) “Pausing Foreign Corrupt Practices Act Enforcement to Further American Economic and National Security,” which we discussed in this alert. The updated policies, especially the CEP’s focus on declinations and other potential benefits for “law-abiding companies and companies that are ready to acknowledge and learn from their mistakes,” represent further and more formal clarification of the DOJ’s long-running efforts to encourage companies to self-disclose, cooperate, and remediate potentially illegal behavior by their employees or agents. That said, the revised CEP largely retains the eligibility criteria for such benefits previously developed by the DOJ.

The DOJ’s White Collar Enforcement Plan

Galeotti’s enforcement plan memorandum opens by affirming, among other issues, the Criminal Division’s commitment to pursuing the “Total Elimination of Cartels and Transnational Criminal Organizations” and white collar crime that threatens “U.S. interests” and national security, such as fraud, sanctions violations, tariff evasion, and international money laundering. However, the memorandum also asserts that “overbroad and unchecked corporate and white-collar enforcement burdens U.S. businesses and harms U.S. interests.” Thus, the DOJ “must strike an appropriate balance between the need to effectively identify, investigate, and prosecute corporate and individuals’ criminal wrongdoing while minimizing unnecessary burdens on American enterprise.” The memorandum then proceeds to outline the Criminal Division’s priorities for white-collar enforcement and the policy revisions that align with those priorities, guided by what the memorandum characterizes as the “core tenets” of “focus, fairness, and efficiency.”

Priority Enforcement Areas. The memorandum establishes several areas of prosecutorial focus as to white collar crime, with overarching themes of targeting exploitation of the U.S. financial system or the “public fisc,” countering threats to national security, and “protecting American citizens.” The memorandum particularly notes risks posed by Chinese-affiliated companies and money laundering organizations, as well as cartels and Foreign Terrorist Organizations (FTOs).    The memorandum then outlines the following ten prioritized areas of enforcement, noting that prosecutors should “prioritize efforts to identify and seize assets that are the proceeds of, or involved in, such offenses”:

  • “Waste, fraud, and abuse, including health care and federal program and procurement fraud that harm the public fisc”
  • “Trade and customs fraud, including tariff evasion” (a trend we have identified and discussed previously)
  • “Fraud perpetrated through” foreign-affiliated “variable interest entities” (VIEs), which have been identified as harmful actors in President Trump’s February 21, 2025 “America First Investment Policy” (NSPM-3)
  • “Fraud that victimizes U.S. investors…and markets,” such as “Ponzi schemes, investment fraud, elder fraud, [and] servicemember fraud”
  • National security threats, including by “gatekeepers” such as financial institutions that violate sanctions or “enable” transactions by FTOs, transnational criminal organizations (TCOs), cartels, or “hostile nation-states”
  • “Material support by corporations to” FTOs, “including recently designated Cartels and TCOs” (risk we have discussed hereherehere, and here)
  • “Complex money laundering” (including specifically by “Chinese Money Laundering Organizations”) affiliated with “the manufacturing of illegal drugs”
  • “Violations of the Controlled Substances Act and the Federal Food, Drug, and Cosmetic Act” (such as via illegal drug manufacture and distribution)
  • “Bribery and associated money laundering that impact U.S. national interests, undermine U.S. national security, harm the competitiveness of U.S. businesses, and enrich foreign corrupt officials”
  • Crimes involving digital assets, as outlined in the April 7, 2025 Digital Assets DAG Memorandum, with particular emphasis on cases “involving cartels, TCOs, or terrorist groups, or facilitating drug money laundering or sanctions evasion”

Continuing Focus on Prosecuting Culpable Individuals. Consistent with longstanding DOJ policy, the enforcement memorandum states that the DOJ’s “first priority is to prosecute individual criminals,” as “[i]t is individuals—whether executives, officers, or employees of companies—who commit these crimes, often at the expense of shareholders, workers, and American investors and consumers.” For all of the areas of focus discussed above, the memorandum directs that “prosecutors should prioritize schemes involving senior-level personnel or other culpable actors, demonstrable loss, and efforts to obstruct justice.”

“Streamlining Corporate Investigations.” In contrast to the “relentless” pursuit of individual wrongdoers, the enforcement memorandum contains a section directing prosecutors to “maximize efficiency in all corporate investigations,” since “federal investigations into corporate wrongdoing can be costly and intrusive for businesses, investors, and other stakeholders, many of whom have no knowledge of, or involvement in, the misconduct at issue” and can “significantly interfere with day-to-day business operations and cause reputational harm that may at times be unwarranted.” This language recognizes concerns raised by corporate defendants and advisers for many years.

The memorandum requires prosecutors to “move expeditiously to investigate cases and make charging decisions” and to “take all reasonable steps to minimize the length and collateral impact of their investigations.” Prosecutors will be required to coordinate regularly with the Head of the Criminal Division’s  office on the state of investigations, but this is the only tool that specifically addresses the issues identified and is a requirement that has existed informally for years at the DOJ. Further, the memorandum recognizes the reality that “complex,” “cross-border” “schemes” can “take substantial time and effort to unravel” and may “require an investigation that spans multiple years.” Thus, it remains to be seen whether these policies will have a significant practical effect on future corporate investigations.

The bulk of the remaining sections of the memorandum discusses revisions to the Corporate Whistleblower Awards Pilot Program, the CEP (in stated pursuit of the Criminal Division’s focus on fairness), and policies regarding independent compliance monitors, all of which are discussed in detail below.

Revised Corporate Enforcement Policy

The enforcement memorandum asserts that “[t]o ensure fairness and individualized assessments” of corporate cases, the CEP has been revised to “clarify that additional benefits are available to companies that self-disclose and cooperate, including potential shorter terms.” The DOJ has modified the CEP to attempt to clarify “its core components—the paths for potential declination, the available fine reductions for a company’s cooperation and remediation, and relevant factors that determine the contours of a corporate resolution.” Some of these changes provide significant potential new benefits for companies under investigation, but the revised CEP’s core requirements for such benefits – self-disclosure, cooperation, and remediation – are largely unchanged.

CEP Declination – More Leeway When Aggravating Circumstances Exist. The CEP states that the DOJ “will decline to prosecute a company for criminal conduct when” a company:

  • “voluntarily self-disclosed the misconduct to the Criminal Division”
  • “fully cooperated with the Criminal Division’s investigation”
  • “timely and appropriately remediated the misconduct”
  • “[t]here are no aggravating circumstances” related to certain issues

In his speech, Galeotti contrasted this language to the earlier version’s “presumption of declination,” asserting that the new formulation provides greater certainty of result. Even so, as discussed further below, the CEP’s requirements for company eligibility for such treatment fundamentally remain the same.

The updated CEP does give prosecutors more “discretion to nonetheless recommend a CEP declination” where aggravating circumstances are present, “based on weighing the severity of those circumstances and the company’s cooperation and remediation.”  The older CEP also allowed for such discretion, though it required companies in such circumstances to have engaged in “immediate” self-disclosure, an effective compliance program, and internal accounting controls that resulted in awareness of the misconduct and self-disclosure, and “extraordinary” cooperation and remediation. The new language dispenses with these heightened requirements, which may have the effect of more CEP declinations.

“Near-Miss” Voluntary Disclosures “or Aggravating Factors Warranting Resolutions.” The revised CEP’s next section discusses two circumstances in which a company does not qualify for an automatic declination:  “(1) it acted in good faith by self-reporting the misconduct but that self-report did not qualify as a voluntary self-disclosure… [a so-called “near-miss” self-disclosure] or (2) it had aggravating factors that warrant a criminal resolution.”  In such cases, as long as a company fulfills obligations regarding full cooperation and timely remediation, the CEP now states that the DOJ “shall”:

  • “Provide an [non-prosecution agreement (NPA)]—absent particularly egregious or multiple aggravating circumstances”
  • “Allow a term length of fewer than three years”
  • “Not require an independent compliance monitor”
  • “Provide a reduction of 75% off the low end of the U.S. Sentencing Guidelines (U.S.S.G.) fine range”

These requirements represent a significant benefit for eligible companies when compared to the CEP’s prior policies. The use of “shall” limits prosecutors’ discretion in individual cases that do not feature “egregious” or “multiple” aggravating circumstances – in favor of the companies. An NPA is traditionally the least burdensome non-trial resolution available; in the past, for areas such as the Foreign Corrupt Practices Act (FCPA), the DOJ has often employed deferred prosecution agreements (DPAs). Indeed, the previous administration had focused on requiring guilty pleas for corporate cases involving certain types of “egregious” conduct (though the new language does not completely forego such an option). In addition, most past dispositions have involved standard three-year terms; the new policy virtually guarantees that many companies will face shorter terms.

Finally, the 75 percent reduction from the low end of the USSG range is more favorable to companies than language in the prior CEP version, which stated that companies in such situations were eligible for “at least 50% and up to a 75% reduction off of the low end of the [USSG] fine range, except in the case of a criminal recidivist.” The superseded policy language stated that recidivists could obtain “a reduction of at least 50% and up to 75%” but that such a reduction would “generally not be from the low end of the U.S.S.G. fine range.”

Other Cases. The updated CEP states that in cases where companies are not eligible for declinations or “near-miss” resolutions, prosecutors “maintain discretion to determine the appropriate resolution including form, term length, compliance obligations, and monetary penalty.” The policy instructs that in such cases companies will not receive more than a 50 percent reduction in monetary penalties, although there is “presumption” that “companies that fully cooperate and timely and appropriately remediate” will have that discount start from the low end of the applicable USSG range. The policy also specifically notes that recidivism will be a key factor in the exercise of discretion under this section. This approach is generally in line with the older version of the CEP, though it dispenses with definitions of “extraordinary” cooperation, in line with the policy updates in other sections.

Scope of Aggravating Factors. The updated CEP takes a somewhat different approach to identifying aggravating factors that can affect a company’s disposition. Both the current and former CEP versions note that the egregiousness or pervasiveness of misconduct can be an aggravating factor, and both discuss “the nature and seriousness of the offense.” However, the prior CEP explicitly stated that involvement by executive management in misconduct and “criminal recidivism” (which was broadly defined by the previous administration) might warrant a criminal resolution. The prior version also contained language that the stated factors were examples and that other factors could affect specific cases.

The new CEP, in contrast, appears to contain an exclusive list of aggravating factors that could preclude a CEP declination. Those factors do not include specific executive involvement, instead noting “severity of the harm caused” as an aggravating factor. Rather than broadly defined recidivism, the updated CEP language focuses only on the existence of “criminal adjudication or resolution within the last five years based on similar misconduct.”

Minimal Changes to Eligibility Requirements of Self-Disclosure, Cooperation, and Remediation. In the interest of simplicity, the revised CEP moves the key definitions and requirements for eligibility from the main text to a new Appendix B (Appendix A is a flowchart that summarizes the main CEP benefits – one that likely will appear on many Board presentations in the future). While there are changes to the text that shorten, move, or combine certain sections, the language regarding the eligibility requirements remains fundamentally the same.

For example, the revisions incorporate what had been a “temporary amendment” to the prior CEP regarding self-disclosures in light of the whistleblower awards pilot program into the main CEP discussion of voluntary disclosures, though the requirements have not changed. The updated CEP’s section on remediation retains key elements such as a root cause analysis of the conduct at issue and required compliance program elements.

There are a few changes to the discussions on cooperation. Language related to cooperation that was previously spread over multiple pages is consolidated within one section, though some commentary on “providing cooperation credit” remains in a separate section. That commentary drops discussion of “extraordinary” cooperation but retains the concept that “[a] cooperating company must earn credit for cooperation…start[ing] at zero cooperation credit and then earn[ing] credit for specific cooperative actions”). The updated CEP also drops a discussion regarding less than full cooperation by companies under certain circumstances and the resulting considerations for partial credit; it is unclear what this omission will mean in practice.

DOJ-Wide M&A Policy Still in Force. The updated CEP notes in its footnote 3 that “[t]he Department-wide Merger & Acquisition (M&A) Policy [in] Justice Manual 9-28.600 and 9-28.900 [still] applies to misconduct uncovered in the context of M&A pre- or post-acquisition due diligence,” while dropping the former version’s language that summarized the DOJ’s special approach to self-disclosures arising from M&A due diligence.

Revised Corporate Whistleblower Awards Pilot Program

The primary revisions to the Corporate Whistleblower Awards Pilot Program reflect the addition of coverage for the areas of focus outlined in the white collar enforcement memorandum. The new “subject areas” for which whistleblowers may be eligible for awards include corporate violations related to cartels/TCOs, federal immigration law, and material support of terrorism, as well as trade-related offenses including violations of sanctions, trade, tariff and customs fraud, and corporate procurement fraud. The program’s requirements for eligibility and other mandates are unchanged from the documentation as initially rolled out in August 2024.

Memorandum on Selection of Monitors in Criminal Division Matters

Finally, the white collar enforcement plan notes that the DOJ is taking action to “narrowly tailor” the “use of [independent compliance] monitors” in DOJ dispositions, “to achieve the necessary [compliance remediation] goals while minimizing expense, burden, and interference with the business.” As a result, the DOJ issued a new memorandum on monitors.

The overall focus of the memorandum is that monitorships should be sparingly used —imposed on companies only after careful consideration of factors including the risk  of recurrence (at the time of resolution) of criminal conduct “that significantly impacts U.S. interests,” “availability and efficacy of other independent [e.g., regulatory] oversight,” and how effective, mature, and tested the company’s compliance program, compliance culture, and related internal accounting controls are at the time of the resolution. These factors largely echo prior monitorship guidance, though are closer to the monitor guidance issued under the first Trump administration in 2018 than subsequent revisions under the Biden administration.

The new monitor memorandum also outlines various efforts the Criminal Division will undertake to ensure that monitorships that are assigned are narrowly tailored, proportionate to the conduct being remediated, and cost-effective. Among other steps that signal more active formal DOJ involvement, the memorandum states that the DOJ will attempt to control costs and scope of action “by requiring a fee cap, approving budgets for all workplans, and requiring biannual tripartite meetings between the Department, the monitor, and the company.” Consistent with the administration’s actions regarding Diversity, Equity, and Inclusion (DEI), the memorandum also removes DEI provisions that the superseded policy had included.

Overall, the changes in the various Criminal Division policies announced on May 12 in many ways create a more company-friendly corporate enforcement environment.  The changes outlined in the CEP build on several initiatives from the previous administration, while reflecting the current administration’s priorities related to such issues as health care fraud, operating in cartel-influenced areas, trade fraud and tariff evasion, and changing sanctions environments. Overall, the fundamental requirements for potential increased benefits and certainty of enforcement outcomes for companies remain unchanged – companies must continue to self-disclose promptly, fully cooperate with the DOJ’s investigation, and effectively remediate any questionable conduct, including through the maintenance of effective compliance programs.

Opinion | Recommendations for implementing a compliance program in large companies

Opinion | Recommendations for implementing a compliance program in large companies

27-12-2024 | Noticias-en, Opinions

Starting from the premise that a compliance program must be implemented according to the size and characteristics of the organization, we will now make some recommendations for its implementation in a large company, which, due to its focus and complexity, varies significantly from that of a small company.

Firstly, and considering that large companies usually have greater resources available, we recommend that, in addition to dedicating financial, technological and human resources, through the participation of specialized teams during its implementation, the governing body and senior management demonstrate a commitment to the culture of compliance, sufficiently visible to generate awareness at all levels of the organization, through awareness-raising, sensitization and training programs.

Likewise, considering that a large company could have a higher degree of exposure to risk, as a consequence of the volume or complexity of its operations, it is recommended that, as a starting point, and prior to the identification of the activities, operations and/or processes exposed to risk, the following methodologies be developed ad hoc for the organization:

  • Risk assessment: which takes into account the risks inherent to the organization’s activities, and the criteria for determining the level of impact and probability consider the nature of the business, its economic environment and the influence on the fulfillment of strategic objectives.
  • Control evaluation: which measures the level of control strength, considering, for example, the degree of automation (manual or automatic), the nature of the control (preventive or detective), the ability to circumvent the control (vulnerability) and the frequency of execution of the control.
  • Review of controls: to ensure an adequate control environment, through guidelines that allow the development of control monitoring plans that contain specific actions and lines of defense aimed at properly managing the supervision of previously identified controls.

As you can see, large companies will not only have a higher degree of sophistication during the implementation stage of a compliance program , but also during its operation, since, compared to a small company:

  • The frequency of review of risks and controls will be less spaced.
  • Higher levels of reporting of the results of the different model reviews will be established.
  • More frequent and more specialized communication programs will be required.
  • Codes, policies, procedures, action guides, manuals, protocols and/or instructions will be developed for specific risk areas.
  • Increased internal controls will be implemented.
  • The use of technologies for monitoring the program and access to the reporting channel will be assessed.
  • Compliance programs will be integrated into the organization’s various processes.
  • The model will be flexible enough to grow with the organization (scalable).
  • The appointment of an internal auditor will be evaluated.
  • The governing body or senior management, as appropriate, will need to appoint a compliance program officer with autonomy, authority and independence .

In conclusion, the implementation of a compliance program in large companies must be adapted to the specific characteristics and dimensions of the organization, considering aspects such as operational volume, exposure to risks and complexity of its structure.

For this, the involvement of corporate governance is key, since it must lead and promote the implementation and supervision of the compliance program, in addition to ensuring compliance by acting in an ethical and responsible manner.

In addition, it is essential to create customized methodologies to evaluate risks, controls and their constant review, thus ensuring a solid control environment.

 

 

 

By Jorge Luis Hurtado, Deputy Manager of Legal and Regulatory Management at Redinter.

Colombia | Artificial Intelligence Governance

Colombia | Artificial Intelligence Governance

17-12-2024 | media-en, Noticias-en

AI governance   transcends regulatory frameworks and enters into business strategies. It covers a wide spectrum of elements ranging from financial planning to risk management. Responsible AI governance  can  strengthen a company’s reputation and attract customers and talent.  AI governance  can foster an environment of responsible innovation, enabling companies to develop AI solutions that create a positive impact on society. Companies that adopt  strong AI governance  will be better positioned to compete in an increasingly digitalized market.

In this regard, ethical principles will always be key when considering the development and implementation of AI systems. The importance of transparency in  AI algorithms  and the need to explain the decisions made by these systems, as well as the need to train employees in the responsible use of AI, are fundamental aspects.

Peru | New regulations of the Personal Data Protection Act are published

Peru | New regulations of the Personal Data Protection Act are published

16-12-2024 | Noticias-en

Supreme Decree No. 016-2024-JUS was published in the Official Gazette El Peruano, approving a new Regulation of Law No. 29733 – Personal Data Protection Law (hereinafter, the “Regulation”). Through this regulation, new obligations are imposed on the holders of personal data banks and/or those responsible for their processing, such as:

  • Notify the National Authority for Personal Data Protection within 48 hours of becoming aware of a security incident that causes the exposure of large volumes of personal data or serious harm to its owners. This must also be notified to the affected owners within the same period, unless the incident has been resolved or such damage has not occurred. Likewise, any security incident that occurs must be duly documented and a record kept.
  • Appoint a Personal Data Protection Officer when large volumes of personal data or sensitive data are processed, who will be responsible for supervising compliance with the obligations and being the point of contact with the Authority. In the case of business groups, only one officer may be appointed per group.
  • Have a security document, which must be formally approved and must be complied with by personnel with access to information systems. It must be up to date and contain at least the access management procedures, privilege management and periodic verification of assigned privileges regarding information systems.

Likewise, proactive responsibility mechanisms are established, of an optional nature, which represent the commitment of the person responsible to comply with the regulations and may be considered mitigating circumstances of liability in a possible administrative sanctioning procedure, such as:

  • Conducting Personal Data Protection Impact Assessments, especially when it involves sensitive data, data for the purpose of creating personal profiles, data of people in particularly vulnerable situations, among others.
  • The implementation of Codes of Conduct, which establish specific rules for compliance with regulations within the entity or business group, such as procedures that facilitate the exercise of rights, supervisory mechanisms, clauses for obtaining consent, among others.

On the other hand, the new Regulation establishes new features such as the recognition of portability as a manifestation of the right of access to the personal data of its owners, which implies the transfer of the data to another controller or owner of personal data banks, when requested and technological possibilities allow it, as well as the possibility of establishing a first contact to obtain the express consent of the owner for advertising and commercial prospecting purposes (if this is not obtained, a new contact cannot be made).

Finally, the registration of personal data banks is established free of charge and the creation of the platform “I take care of my personal data” for citizen attention.

The new Regulation will come into force 120 calendar days after its publication in the Official Journal. Specifically, the obligations regarding the appointment of a Compliance Officer will come into force progressively over a 4-year timeframe, depending on the sales volume of the responsible companies. Regarding the right to Portability, this will take effect 6 months after the Regulation comes into force.

For more information or in case of any questions on the subject, contact us at the following email:  innovacion@cpb-abogados.com.pe