Organisations that treated reduced enforcement pressure as a signal of reduced exposure pay significantly more when scrutiny arrives, in some cases multiples of what earlier remediation would have cost. The enforcement record of the past several years is consistent on this.
Liability builds during the period when the programme is not looking for it. For any compliance leader, the relevant question is how much liability has accumulated while the programme was not built to find it.
Six Years of Conduct: The Cadence Case
The Cadence Design Systems resolution, concluded in July 2025, shows the scale. The company paid combined net penalties of more than $140 million: a $95 million civil penalty to the Bureau of Industry and Security, and criminal penalties to the Department of Justice of nearly $118 million (comprising a criminal fine and forfeiture), coordinated between the two agencies so that cross-credited payments brought the aggregate net figure above $140 million.
Export controls had attracted less enforcement attention than FCPA violations or financial fraud for much of that period, and the liability accumulated throughout. Statutes of limitations are long enough that conduct from a period of reduced enforcement activity remains fully actionable when attention returns. A company’s exposure is built in the years before a regulator looks.
What the DOJ’s March 2026 Framework Requires
In March 2026, the Department of Justice published its first department-wide Corporate Enforcement and Voluntary Self-Disclosure Policy. Organisations that voluntarily disclose and cooperate through full remediation may qualify for substantially reduced penalties and in some cases, a full declination.
The Balt SAS resolution from the same month provides a comparison. The French medical device company disclosed FCPA violations while its internal investigation was still ongoing, cooperated fully, and remediated; the Department of Justice declined to prosecute, and Balt SAS disgorged approximately $1.2 million in profits from the underlying conduct.
The monetary differences between the Balt SAS resolution and the Cadence case shows that when a company surfaces its own problem, they are penalized differently: $1.2 million disgorgement is a completely different scale from the $140 million that Cadence was on the hook for. The gap between those two outcomes reflects what each organisation’s programme was built to do.
The DOJ framework makes the evaluation criteria explicit: prosecutors assess whether a compliance programme was well-designed and implemented in good faith. That assessment directly affects how outcomes are calculated.
The same principle runs through Article 16 of the EU Anti-Corruption Directive. Where a legal person has implemented effective internal controls, ethics awareness and compliance programmes, that is treated as a mitigating circumstance in sentencing. Demonstrable programme maturity, built and documented before any incident arises, changes outcomes across enforcement regimes.
Employees as Risk Intelligence
The enforcement record quantifies fines and settlements but does not capture whether employees inside the organisation have a credible internal channel to use when they notice a problem. Compliance leaders tend to overestimate how credible their internal channels actually are.
The financial incentives for external reporting have expanded. The DOJ launched its Corporate Whistleblower Awards Pilot Program in August 2024 and extended its scope in May 2025 to include sanctions violations, trade and tariff fraud, procurement fraud, and cartel activity. The SEC received approximately 27,000 tips in fiscal year 2025, an 8% increase over the prior year, and has paid more than $2.2 billion in awards to 444 individuals since its programme launched in 2011.
Mary Inman, partner at Whistleblower Partners, has represented whistleblowers in US enforcement proceedings for three decades. Her observation on where this leaves organisations: ‘Every day there seems to be a new government program incentivizing whistleblowers. If you’re taking a reactive, wait-and-see approach, waiting for the SEC and DOJ to act, what you may not have considered is the fact that there’s a wild card out there called incentivized whistleblowers who may be sitting inside your very organization and poised to report externally if their concerns aren’t heeded.’
But organisations should know that an increase in internal reporting does not necessarily lead to an increase in penalties. In fact, it’s often the opposite. Research by Stubben and Welch, published in the Journal of Accounting Research and based on nearly two million internal reports from more than 1,000 publicly traded companies, found that a 10% increase in internal whistleblower report volume was associated with a 2% decrease in government fines and a 1% decrease in legal settlement costs in subsequent years. Employees rarely choose external reporting first; external channels become the default when internal ones are not credible enough to use.
Mary Inman frames the cultural dimension. The companies that fare best, she said, are those that have made it possible for employees to surface concerns before they find another outlet. ‘Allow whistleblowers to be a risk management tool for you,’ she said. ‘They are often a company’s most loyal employees — the ones with the temerity to speak out when others are drinking the Kool-Aid.’
Hear It From a Whistleblower Attorney:
Oversight Before Guidance: SEC, DOJ, and the Cost of Waiting
Ver el seminario webOrganisations with well-used internal channels intercept concerns before employees find other outlets. Inman’s observation holds across jurisdictions: an employee raising a concern internally is often the organisation’s most useful risk signal. Whether that signal reaches the programme depends on whether the channel is worth using.
The 120-Day Window and What Opens It
Under the DOJ’s March 2026 policy, a company can qualify for a full declination even if a whistleblower has already reported both internally and to the DOJ, provided the company self-discloses within 120 days of receiving the internal report.
That 120-day window means that the DOJ anticipates and supports internal reporting. When companies treat their whistleblowers as part of their internal compliance program, they are able to work alongside the DOJ. Without a structure for internal reporting, the window closes before the organisation knows it has a problem.
What Proactive Compliance Programmes Establish
Most organisations approaching this question ask: are we compliant? The more useful question, and the one prosecutors and supervisors are increasingly asking alongside them, is whether the programme can be evidenced to an examiner today. Policy documentation tells compliance leaders what the programme is supposed to do. Examiners want evidence of what it actually does.
The cost of non-compliance extends beyond the headline fine. The Cadence resolution at $140 million already exceeded any profits the underlying conduct generated; enforcement resolutions routinely carry remediation requirements and compliance monitoring obligations that compound that figure over years.
Building the programme before pressure arrives is the only way to keep the full range of outcomes available. The Cadence and Balt SAS cases are a direct comparison: one organisation surfaced its own problem; the other did not. The difference in outcome is what programme maturity is worth.
The Business Case for Compliance Culture is Clear
Programe una demostraciónPreguntas frecuentes
What is the financial cost of non-compliance for organisations?
Non-compliance costs consistently exceed the value of the underlying conduct. Cadence Design Systems paid $140 million in combined criminal and civil penalties for export control violations spanning 2015 to 2021. Beyond the headline penalty, enforcement resolutions typically carry remediation and compliance monitoring obligations that compound the total cost over subsequent years.
Does a proactive compliance programme reduce legal and financial exposure?
Research by Stubben and Welch, published in the Journal of Accounting Research and based on nearly two million internal reports from more than 1,100 publicly traded companies, found that a 10% increase in internal whistleblower report volume was associated with a 2% decrease in government fines and a 1% decrease in legal settlement costs in subsequent years. The relationship is directional rather than causal, but consistent: organisations with more active internal reporting have better legal outcomes than those with underused systems.
Can an organisation still qualify for a declination if an employee has already reported to the DOJ?
Yes, under specific conditions. The DOJ’s current framework allows an organisation to qualify for a full declination even if a whistleblower has reported both internally and to the DOJ, provided the organisation self-discloses within 120 days of receiving the internal whistleblower report. A functioning internal reporting system is the operational prerequisite for that window to exist.
What should compliance leaders do when formal regulatory guidance has not been issued for a specific risk area?
The absence of formal guidance does not reduce legal exposure. Conduct that violates existing law can be prosecuted under future administrations with different enforcement priorities, and statutes of limitations are long enough that violations from years prior remain actionable. The most defensible compliance strategy is one built around internal detection capacity: surfacing problems before they reach regulators, regardless of current enforcement priorities.
