How and to Whom Should I Report Compliance Violations?
- Dennis Sapien-Pangindian
- Jul 8
- 3 min read
Updated: Jul 28
Discovering potential misconduct in your organization is never easy—but knowing what to do next can make all the difference. Whether you’re an executive, compliance officer, or legal counsel, a critical question follows: How—and to whom—should we report compliance violations?
With regulatory enforcement intensifying and self-disclosure programs evolving, companies now face both greater expectations and stronger incentives to report violations proactively. Failing to do so can result in steep penalties, while proper disclosure can earn reduced fines—or even avoid prosecution altogether.
In this post, we’ll walk through:
How to evaluate whether self-disclosure is appropriate
Which agencies to report to (and when)
What recent DOJ and regulatory updates mean for your decision
How to structure disclosures to maximize legal protections and cooperation credit
Step 1: Evaluate the Scope and Seriousness of the Violation
Not every compliance lapse requires external reporting. But certain factors make disclosure more likely or more beneficial:
Possible criminal conduct
Involvement of senior leadership
Regulatory exposure
Substantial financial harm
Known whistleblower reports or likelihood of external discovery
If the violation involves any of the above, consulting with internal or external counsel is essential.
Step 2: Understand the Incentives for Voluntary Disclosure
Many enforcement agencies now offer clear benefits for companies that self-report misconduct, particularly when done early, thoroughly, and in good faith.
DOJ: Revised Corporate Enforcement and Voluntary Self-Disclosure Policy
The DOJ’s updated Corporate Enforcement Policy offers:
Presumption of declination for early self-disclosure with full cooperation and remediation
Up to 75% fine reduction even when aggravating factors are present
Emphasis on individual accountability and transparency
These changes significantly enhance the strategic value of self-disclosure.
SEC: Cooperation Program
The SEC's Cooperation Program offers credit for:
Self-reporting securities violations
Remediation and internal investigations
Full cooperation in enforcement efforts
Benefits can include reduced penalties or even non-enforcement outcomes.
HHS-OIG: Self-Disclosure Protocol
The HHS-OIG Self-Disclosure Protocol allows healthcare providers and other actors who received funds from Federal healthcare programs to report violations such as kickbacks or improper billing, grant fraud, and contract fraud. Self-disclosing fraudulent conduct to HHS-OIG is encouraged as a proactive, cooperative step and incentivized by the potential for lower civil monetary penalties when resolving such matters.
Step 3: Choose the Right Agency—or Agencies
The correct agency depends on the nature of the violation. Here are some non-exhaustive examples of possible agencies to which you can report certain violations:
Conduct to be disclosed | Which agenc(ies) to disclose to |
Bribery, fraud, criminal conduct | The Department of Justice / U.S. Attorney's Offices |
Securities violations | U.S. Securities and Exchange Commission |
Fraud Relating to Federal Healthcare Programs | U.S. Department of Health and Human Services, Office of Inspector General |
Data / Privacy Issues | Federal Trade Commission / State Attorneys General |
Workplace Safety | Occupational Safety and Health Administration |
Environmental Harm | Environmental Protection Agency |
Institutional Financial Misconduct | Consumer Finance Protection Bureau / Financial Crimes Enforcement Network |
Sometimes, coordinated disclosures to multiple agencies are necessary.
Step 4: Structure Your Disclosure Carefully
Effective disclosures should be:
Timely
Substantiated with documentation
Directed through legal counsel
Paired with clear remediation and disciplinary measures
Pro tip: Prepare both a privileged internal memo and a separate disclosure summary for regulators.
Step 5: Protect the Organization Internally
While preparing a disclosure:
Investigate thoroughly
Document actions taken
Reinforce your speak-up culture and non-retaliation policies
Notify your board or compliance committee
Transparent internal handling builds credibility externally.
Final Thoughts
Voluntary disclosure is not just about avoiding enforcement—it’s about showing your company values compliance. With updated DOJ guidance and long-standing SEC and HHS-OIG self-disclosure programs, early reporting and full cooperation are more valuable than ever. If serious misconduct is suspected, act quickly. The sooner you disclose, the more flexibility you retain to protect your company and its reputation.
Comments