
Despite reduced enforcement, strong compliance programs remain essential
Despite the decline in corporate enforcement by US authorities since the Trump Administration assumed office, compliance programs remain central to how agencies assess whether to bring an action and determine penalties and post-settlement obligations.
US enforcement agencies, such as the Department of Justice (DoJ), the Securities and Exchange Commission (SEC), and others, continue to view compliance as a proactive, long-term requirement to reform corporate culture, ensure future adherence to laws and regulations, and remediate misconduct. Set out below are recent examples of how key agencies have considered corporate compliance programs:
US Department of Justice (DoJ)
On March 10, 2026, the DoJ issued its first-ever department-wide Corporate Enforcement and Voluntary Self-Disclosure Policy (CEP), with Deputy Attorney General Todd Blanche emphasising that the policy rewards companies, including a possible "declination" (non-prosecution), for voluntary self-disclosure, cooperation, and remediation.
The CEP provides that a key condition of receiving a declination is the demonstration of timely and appropriate remediation. To constitute timely and appropriate remediation, companies must:
- Conduct a root-cause analysis of the misconduct;
- Implement improvements to ethics and compliance programs, including internal controls;
- Discipline responsible personnel;
- Appropriately retain business records and communications (including ephemeral messaging platforms); and
- Undertake additional steps that “demonstrate the recognition of the seriousness of the company’s misconduct, acceptance of responsibility for it, and the implementation of measures to reduce the risk of repetition of such misconduct, including measures to identify future risks.”
Marnee Rand of the DoJ, speaking at a March 2026 conference in Washington DC, noted that compliance enhancements should begin as soon as facts emerge and the root cause is understood – not alongside settlement discussions – so they are well underway by the time of resolution.
The DoJ’s Criminal Division Evaluation of Corporate Compliance Programs, updated in September 2024, continues to guide assessments. This guidance outlines detailed elements of an effective compliance program but summarizes that the DoJ’s primary focus is answering three fundamental questions:
- Is the program well-designed?
- Is it applied earnestly and in good faith (adequately resourced)?
- Does it work in practice?
Securities & Exchange Commission (SEC)
Speaking at the Los Angeles County Bar Association’s 56th Annual Securities Regulation Seminar on February 11, 2026, the Director of the Enforcement Division, Meg Ryan (who recently announced her departure), outlined the Division’s priorities, enforcement philosophy, and procedural expectations, including its view on compliance programs.
Director Ryan explained that the SEC may pursue enforcement under what it refers to as its “middle ground” approach for non-fraud violations: situations where fraud is absent but compliance has failed in a way that poses risks to investors or to market integrity, or yields a benefit to the participant. Director Ryan indicated that such situations “present [an] opportunity” for resolutions that “recognize wrongdoing while rectifying the violation or charting a firmer path toward compliance.” She also noted that where other SEC divisions can “identify, educate, and help people and entities remediate the problem or deficiency,” that approach may be preferable to enforcement. It was clear that, like the DoJ, the SEC remains focused on reducing the risk of reoccurrence and enhancing a registrant’s overall ethics, compliance and controls environment.
US Department of Commerce’s Bureau of Industry & Security (BIS)
In 2024, BIS published its “final rule” on the voluntary self-disclosure process and penalty guidelines, emphasizing (in part) that, for lower-value violations with minimal aggravating factors, BIS prefers to impose non-monetary penalties that shore up a company’s compliance program rather than heavy fines.
During the past six months, it appears that BIS may have deviated slightly from this principle in certain instances by imposing monetary penalties rather than merely requiring compliance enhancements. However, other recent BIS settlements continue to include requirements for mandatory audits and certifications.
Examples include:
- Applied Materials agreed to pay $252 million and “conduct multiple audits of its export compliance program and make annual certifications to BIS in connection with those audits.”
- Exyte, a German engineering company, noted as part of the settlement agreement that the company’s compliance program was lacking in certain key areas that enabled the alleged misconduct. However, BIS gave credit that the company “has made investment in and improvement of its compliance program,” which may have been a mitigating factor in avoiding the need for annual certifications to BIS in relation to audits of the export compliance program.
US Department of the Treasury, Financial Crimes Enforcement Network (FinCEN)
Anti-Money Laundering (AML) compliance has continued to be a key element of FinCEN’s compliance program expectations. For example, on March 6, 2026, FinCEN announced an $80 million joint penalty with the SEC against Canaccord Genuity, a registered broker-dealer. This represented the largest ever penalty imposed on a broker-dealer under the Bank Secrecy Act. In the Consent Order, FinCEN outlined widespread compliance failures across several areas including weaknesses in its AML program, poor risk-based customer due diligence, and weak controls to monitor transactions for suspicious activity. The settlement requires a comprehensive "lookback" review of past transactions, reporting, and a mandatory overhaul of its compliance framework, with a portion of the monetary penalty suspended pending the satisfactory completion of the review.
FinCEN’s 2024 “final rule” requires certain financial institutions, including registered investment advisors, to implement more stringent AML / Countering the Financing of Terrorism (CFT) programs. While the implementation deadline was subsequently extended to January 1, 2028, the rule underscores FinCEN’s expectation that firms develop robust, effective compliance programs.
Given the volume of transactions flowing through financial institutions, a primary focus of FinCEN has been on how technology, including data analytics and AI, can be used by institutions to inform their risks and related compliance controls and reporting. FinCEN itself is utilizing “data driven enforcement operations,” such as the targeting of 100+ money services businesses operating in the south-west of the US and their potential involvement with international cartels or transnational criminal organizations. Financial institutions should constantly be looking at ways that technology, including AI, can be deployed within their compliance controls and processes.
Conclusion
While enforcement levels under the new Administration have decreased, companies cannot afford to reduce resources or their focus on key compliance risks and the controls and programs necessary to mitigate such risks. Strong compliance programs reduce exposure to regulatory breaches, reinforce a corporation’s ethical culture, and meaningfully strengthen a company’s position in enforcement negotiations.
As set out above, enforcement agencies clearly view compliance not merely as a form of punishment but as a mechanism to prevent future violations. The evaluation by, for example, the DoJ and SEC is detailed and focuses on the "design and good faith implementation" of compliance programs, assessing whether they address operational risks effectively. To successfully facilitate this evaluation, companies must demonstrate that their programs are operating effectively, which requires not only a well-designed program but also ongoing monitoring, testing and refinement to mitigate evolving risks.


