Alston & Bird Consumer Finance Blog

From Uncertainty to Action: DOJ Rolls Out a New White-Collar Enforcement Playbook

On May 12, 2025, the head of the U.S. Department of Justice Criminal Division, Matthew Galeotti, announced a new white-collar enforcement plan rooted in three tenets: “focus, fairness, and efficiency.” The new plan includes updates to the Criminal
Division’s Corporate Enforcement Policy, independent compliance monitor selection policy, and whistleblower programs.

In announcing the new plan, Galeotti explained that the DOJ’s Criminal Division “is turning a new page on white-collar and
corporate enforcement,” and despite recent indications of a step back from corporate criminal enforcement by the DOJ, the
plan suggests that such enforcement is certain to continue in many ways that are familiar to companies and counsel. The
plan designates 10 areas of focus for white-collar enforcement: Some are longstanding enforcement priorities, such as health
care fraud, and some are newer initiatives that align with the Trump Administration’s priorities, such as trade and tariff-related enforcement.

Ten Corporate Criminal Enforcement Priorities
The Criminal Division’s plan is directed at “corporate crime in areas that will have the greatest impact in protecting American
citizens and companies and promoting U.S. interests,” and prioritizes 10 “high-impact areas” for investigative and
prosecutorial focus:
1. Fraud, waste, and abuse, including health care fraud and federal program and procurement fraud.
2. Trade and customs fraud, including tariff evasion.
3. Fraud perpetrated through special purpose vehicles or variable interest entities, including securities fraud and market
manipulation.
4. Fraud on U.S. investors, including through Ponzi schemes.
5. National security threats, including threats to the U.S. financial system.
6. Support to terrorist organizations, including designated cartels.
7. Complex money laundering.
8. Violations of the Controlled Substances Act and the Food, Drug, and Cosmetic Act, including illegal distribution of
fentanyl and other drugs.
9. Bribery and associated money laundering.
10. Certain crimes involving digital assets.

In investigating and prosecuting these types of conduct, the Criminal Division further commits to prioritize “schemes involving
senior-level personnel or other culpable actors, demonstrable loss, and efforts to obstruct justice,” and the identification and
seizure of “assets that are the proceeds of, or involved in” such conduct.

Corporate Enforcement Policy Changes
The CEP was introduced in 2016 as a pilot program for the Criminal Division’s Foreign Corrupt Practices Act unit. In 2018, the
policy was extended to “all other corporate matters” handled by the Criminal Division. In 2023, the CEP was revised again to
further incentivize self-disclosure through greater fine discounts. But at the same time, DOJ leadership announced that
non-prosecution agreements (NPAs) and deferred prosecution agreements would be “disfavored” without fast and full
cooperation. (Alston & Bird’s analysis of the CEP changes over time appears in advisories, available here, here, and here).

While this latest CEP update provides more certainty for companies who self-report and credit for “near misses,” it may also
result in the DOJ wielding a bigger stick against companies deemed to fall outside that scope. The revised CEP offers three
categories of potential benefits for companies:

  • To companies that (1) promptly and voluntarily self-disclose potential misconduct; (2) fully cooperate with the DOJ’s
    investigation; and (3) undertake timely and appropriate remediation, the Criminal Division promises a declination of
    enforcement action (provided no “aggravating circumstances” are present), rather than (as before) simply offering a
    presumption of a declination.
  • To companies in the “near miss” category that do not qualify for a declination (due to failure to self-report or the presence
    of aggravating circumstances), the Criminal Division promises an NPA with a term of three years or less (except in
    “exceedingly rare cases”), no monitor, and a 75% fine reduction (calculated from the low end of the applicable U.S.
    Sentencing Guideline range).
  • To companies that fail to satisfy any of the three key criteria – voluntary self-disclosure, full cooperation, and timely and
    appropriate remediation – the Criminal Division caps the available fine reduction at 50% (typically from the low end of the
    applicable guideline range) and does not rule out the possibility of imposing an independent compliance monitor.

In an effort to further clarify these policy changes, the Criminal Division has, for the first time, distilled the CEP into a
flowchart:

Corporate Enforcement Policy flowchart

Whistleblower Program Changes
To reinforce the changes to the CEP, Galeotti directed that the Criminal Division’s Corporate Whistleblower Awards Pilot
Program (covered in an earlier Alston & Bird advisory, available here) be amended to include six additional types of conduct
of interest. These new areas are:
1. Violations by corporations related to cartels and transnational criminal organizations, including money laundering.
2. Violations by corporations of federal immigration law.
3. Violations by corporations involving material support of terrorism.
4. Corporate sanctions offenses.
5. Corporate trade, tariff, and customs fraud.
6. Corporate procurement fraud.

Individuals reporting such conduct must still meet the Corporate Whistleblower Awards Pilot Program criteria. But the
program’s expansion increases corporate risk as companies continue to grapple with the significant implications of the
numerous whistleblower programs launched by the DOJ in 2024 (covered in an Alston & Bird advisory, available here).

Monitor Selection Policy Changes
In his Memorandum on the Selection of Monitors in Criminal Division Matters, Galeotti aims to “clarify[] the factors that
prosecutors must consider when determining whether a monitor is appropriate and how those factors should be applied” and
also emphasizes the need to “appropriately tailor and scope the monitor’s review and mandate.” To accomplish these goals,
the memo lists four criteria prosecutors are to consider when assessing the need for a monitor:
1. The risk of recurrence of criminal conduct that significantly impacts U.S. interests.
2. The availability and efficacy of other independent government oversight.
3. The efficacy of the company’s compliance program and culture of compliance at the time of the resolution.
4. The maturity of the company’s controls and its ability to independently test and update its compliance program.

Based on those criteria, if a prosecutor determines that a monitor is appropriate, then Galeotti’s memo requires prosecutors to
take three specific steps “to ensure [the monitorship] is carried out appropriately”:
1. Close scrutiny and management of costs associated with the monitorship, including a cap on hourly rates, a preliminary
budget, and periodically updated cost estimates.
2. Biannual (at least) “tri-partite” meetings of the government, the company, and the monitor to ensure alignment.
3. Ongoing collaboration among the government, the company, and the monitor, including “an open dialogue” among all
three parties.

This revised and restated DOJ approach to monitors largely mirrors that of the first Trump Administration, during which the
DOJ expressed greater hesitation to impose monitors as part of corporate criminal resolutions. In 2018, the DOJ issued a
memorandum from then Assistant Attorney General Brian Benczkowski (discussed in a prior Alston & Bird advisory, available
here), which instructed that monitors should only be imposed “where there is a demonstrated need for, and clear benefit to be
derived from, a monitorship relative to the projected costs and burdens.” Three years later, however, Biden Administration
Deputy Attorney General Lisa Monaco reversed course and signaled a greater DOJ appetite for the imposition of monitors
(see prior Alston & Bird analysis, available here). It appears the pendulum has now swung back again, with the Criminal
Division resuming something like its prior stance on monitorships and having already terminated certain existing monitorships
early.

Key Takeaways
White-collar enforcement remains a DOJ priority. Since President Trump’s reelection, speculation has swirled about
whether the DOJ would pull back from white-collar criminal enforcement. Various DOJ memoranda and Executive
Orders—most notably the President’s February 10, 2025 order purporting to “pause” DOJ enforcement of the Foreign
Corrupt Practices Act (discussed in a prior Alston & Bird advisory, available here)—have fueled such speculation and
uncertainty. But the Criminal Division’s new plan sends an unmistakable signal: DOJ white-collar enforcement will
continue, and may even expand, as clarified expectations and resource alignment take hold in the coming years.

Broad industry impact. The Criminal Division’s plan distills its white-collar enforcement focus into 10 “high-impact
areas,” which may at first seem to represent a narrowing of the Criminal Division’s focus. However, those areas span
multiple sectors, including health care and life sciences, financial services, investment management, industrials and
manufacturing, natural resources, defense, retail, and others.

The DOJ’s Criminal Division intends to flex its new muscles. Public reports indicate that DOJ leadership plans to
shift certain criminal enforcement responsibilities previously assigned to the Civil Division’s Consumer Protection Branch
to the Criminal Division, and the Criminal Division’s new plan appears to not only reflect that shift—by including as
priorities elder fraud, “fraud that threatens the health and safety of consumers,” and violations of the Food, Drug, and
Cosmetic Act—but to suggest that Criminal Division prosecutors will quickly put these reassigned authorities to use.

More opportunities for whistleblowers. The Criminal Division’s new plan indicates that any speculation that the DOJ
might scale back the Corporate Whistleblower Awards Pilot Program or otherwise express disinterest in whistleblowers is
unfounded. The new plan states that Criminal Division leadership has “reviewed the Criminal Division’s existing pilot
program” and made just one change: expanding the scope of conduct for which whistleblower reports will be
incentivized.

What does the DOJ’s commitment to “efficiency” mean in practice? Galeotti’s remarks in announcing the new
Criminal Division plan highlight potential concerns around DOJ white-collar enforcement: It can be costly, “unchecked,”
“unfocused,” and can drag on for years, unduly disrupting law-abiding businesses. The new plan commits the Criminal
Division to targeted, tailored white-collar enforcement and directs prosecutors to “move expeditiously to investigate
cases and make charging decisions.” But how this commitment will play out remains unclear—whether it will primarily
shape internal decision-making at the DOJ or lead to perceptible outward-facing changes such as more tailored DOJ
expectations and demands of cooperating companies.

A less patient DOJ? As welcome as this increased clarity and focus by the DOJ’s Criminal Division may be, the price of
it for companies likely will be some measure of diminished patience on the part of Criminal Division prosecutors and
supervisors regarding investigative or other delays by subjects and targets of investigations. This raises the stakes for
compliance improvements that will better ensure prompt detection of potentially illegal conduct, skilled and efficient
internal investigations of any such conduct, effective assessment of the all-important self-reporting decision, and adroit
engagement with the government.

Compliance ROI higher than ever. By returning to a more skeptical posture regarding the imposition of independent
compliance monitors, the Criminal Division is offering more of a potential reward than ever to companies that implement
robust compliance programs. Beyond preventing and detecting misconduct, such programs will position companies to
proactively engage with the DOJ and will better position companies to persuade a far more receptive DOJ that a monitor
is unnecessary.

_________________________________________

Originally published May 15, 2025.

Alston & Bird’s White Collar, Government & Internal Investigations team, which is composed of numerous former federal and
state prosecutors and agency staff (including several former DOJ Criminal Division prosecutors), will continue to monitor and
provide updates on the Criminal Division’s implementation of these new policies.


Wave Goodbye to the Waiver Debate: Court Holds Data Breach Investigation Report Not Work Product from the Start

Litigants in data breach class actions often fight over whether a data breach investigation report prepared in response to the breach is protected by the work-product doctrine. Common areas of dispute include whether the report was prepared in whole or in part for business—not legal—purposes, and whether the report relays facts that are not discernable from other sources. The fight becomes even more complicated, however, when the company that suffered the data breach is required to provide the report to regulators.

For example, in the mortgage industry, mortgagees regulated by the Multistate Mortgage Committee (MMC) are required to provide a “root cause report” following a data breach. Similarly, under Mortgagee Letter 2024-10, FHA-approved mortgagees must notify HUD of a cybersecurity incident and provide the cause of the incident. These reporting obligations involve production of information to regulators that typically overlaps with the content of data breach investigation reports.

Traditionally, one might think that disclosure of an investigation report (or its contents) to a regulator was a question of waiver. But recently, a federal district court in the Southern District of Florida bypassed the waiver analysis entirely by holding that reports provided to regulators weren’t protected by the work-product doctrine because they were primarily created for regulatory compliance rather than in anticipation of litigation, even though, factually, they weren’t originally created for the purpose of regulatory compliance.

What Happened?

In a recent decision in a data breach litigation against a national mortgage loan servicer, the court considered whether investigative reports prepared by cybersecurity firms were protected under the work-product doctrine. These reports were initially withheld from discovery on the familiar grounds that they were prepared in anticipation of litigation following a data breach. But the plaintiffs argued that because the reports were disclosed to mortgage industry regulators, any work-product protections were waived.

Rather than address the waiver issue, the court analyzed whether the documents were privileged in the first place under the dual-purpose doctrine, which assesses whether a document was prepared in anticipation of litigation or for other business purposes. Under this doctrine (adopted by the First, Second, Third, Fourth, Sixth, Seventh, Eighth, Ninth, and D.C. Circuits), a document is protected if it was created “because of” the anticipated litigation, even if it also serves an ordinary business purpose. Notably, the court found that the reports were primarily created to comply with regulatory obligations, specifically those imposed by the MMC, even though they’d initially been prepared in anticipation of litigation. In the court’s view, the unredacted submission of the reports to the MMC, when demanded, evidenced that the predominant purpose for their creation was regulatory compliance.

The court ended with the suggestion that the defendants could have avoided this issue by creating a separate document for regulatory compliance, omitting sensitive findings related to litigation. Aside from this suggestion, there does not appear to be a legal framework under which the disclosed reports would have been protected work product, at least in the court’s view.

Why Does it Matter?

The district court’s decision creates a new challenge for breach victims seeking to protect investigation reports from disclosure under the work-product doctrine. A key purpose of the doctrine is to allow parties to engage in pre-litigation investigations without the fear of disclosure. Data breach victims dealing with regulators have historically had to manage the risk that disclosing investigation reports (in whole or in part) to regulators could result in litigation over whether work-product protections were waived. But the decision appears to raise the stakes. The risk of disclosure is not limited to a waiver analysis, where parties can defend the disclosure based on the circumstances of the compelled disclosure and can rely on law requiring the narrow construction of privilege waivers. Now, parties must also consider whether using a report for a non-litigation purpose after the fact will lead to the conclusion that the report wasn’t prepared for litigation at all and therefore not privileged in the first place.

What Do I Need to Do?

Because this decision is by a federal district court, this is an area that should be monitored to determine whether a trend develops around the court’s rationale. And in the interim, the best option seems to be to follow the court’s suggestion: create separate documents for regulatory compliance and litigation purposes.

It is, of course, important to maintain a good relationship with regulators to try to circumvent these issues, but the two-report approach is a practical way to preempt the issue entirely. The reality is that many litigation-related items do not need to be submitted in a regulatory report. For example, an emerging issue in the cybersecurity space is whether following a data breach, the company that suffered the breach should bring claims against other related parties. Analyzing the merits of this type of litigation is plainly covered by the work-product doctrine but is not needed for regulatory reports. Thus, by following the two-report approach, sensitive findings related to that potential litigation can be omitted from the regulatory report, preserving the work-product protection for the litigation-related document. This approach could help companies navigate the complexities of dual-purpose documents and maintain the intended protections of the work-product doctrine.

The End of Disparate Impact Liability?

On April 23, 2025, President Trump signed an Executive Order entitled “Restoring Equality of Opportunity and Meritocracy,” which seeks to “eliminate the use of disparate-impact liability in all contexts to the maximum degree possible.”

This sweeping eradication of the disparate impact theory is not surprising. Indeed, the Consumer Financial Protection Bureau (CFPB) under the first Trump Administration (Trump I) strongly questioned the doctrine and ultimately brought no disparate impact enforcement actions. Further, the Trump I CFPB rescinded Bulletin 2013-02, in which the CFPB had previously asserted that indirect auto lenders may be held liable under the legal doctrines of both disparate treatment and disparate impact for disparities in their portfolio. What’s more, the Congressional resolution rescinding the Bulletin further prevented the CFPB “from ever reissuing a substantially similar rule unless specifically authorized to do so by law.” In addition, the CFPB under Trump I challenged the validity of the disparate impact theory under the Equal Credit Opportunity Act (ECOA) in light of the U.S. Supreme Court’s 2015 ruling in Texas Department of Housing v. Inclusive Communities Project Inc., which applied the disparate impact theory under different language found in the Fair Housing Act. And earlier this year, Attorney General Bondi ordered the U.S. Department of Justice (DOJ) to issue updated guidance that “narrow[s] the use of ‘disparate impact’ theories that effectively require use of race- or sex-based preference.”

Nonetheless, the language of the Executive Order is stark: “It is the policy of the United States to eliminate the use of disparate-impact liability in all contexts to the maximum degree possible to avoid violating the Constitution, Federal civil rights laws, and basic American ideals.” To that end, the Executive Order boldly demands that all agencies “deprioritize enforcement of all statutes and regulations to the extent they include disparate-impact liability.”

What is the Disparate Impact Theory?

Disparate impact is a theory of discrimination applied when a facially neutral practice has a statistically significant impact on a protected group. According to the Executive Order, “disparate-impact liability” creates “a near insurmountable presumption of unlawful discrimination … where there are any differences in outcomes in certain circumstances among different races, sexes, or similar groups, even if there is no facially discriminatory policy or practice or discriminatory intent involved, and even if everyone has an equal opportunity to succeed.”  The order criticizes disparate-impact liability as “all but requir[ing] individuals and businesses to consider race and engage in racial balancing to avoid potentially crippling legal liability.”  Thus, according to President Trump, disparate-impact liability prevents employers from “act[ing] in the best interests of the job applicant, the employer, and the American public” and undermines “meritocracy,” “a colorblind society,” and “the American Dream.”

Civil rights advocates, on the other hand, argue that the Trump Administration misstates the disparate impact legal theory and effectively instructs the government to stop enforcing key civil rights protections in the workplace, at schools, and throughout society – the latter of which includes the offering of loans and other consumer financial products and services. Does this Executive Order then mean that lenders can once again impose facially neutral policies that traditionally have been viewed as discriminatory under the disparate impact theory, such as increased minimum loan amount requirements (beyond investor and agency thresholds) or practices that exclude self-employment income?

What Does the Executive Order Mean for Financial Services Enforcement?

As stated previously, the Executive Order directs all federal agencies to deprioritize enforcement of all statutes and regulations to the extent they include disparate impact liability. Consequently, the Executive Order also instructs all heads of federal agencies, including the CFPB and the U.S. Department of Housing and Urban Development (HUD), to evaluate all pending proceedings relying on disparate impact theories and “take appropriate action” within 45 days.  Agencies must conduct a similar review of “consent judgments and permanent injunctions” within 90 days.

The above indicates that federal agencies may not pursue fair lending actions rooted in disparate impact – at least for a while. The Executive Order even attempts to curtail state actions by requiring the Attorney General, “in coordination with other agencies,” to determine whether state laws imposing disparate impact liability are preempted. Of course, private litigation is still a real tool for consumer complainants. And federal agencies may still look to the disparate treatment theory to pursue and remediate potential fair lending violations under ECOA, the Fair Housing Act, and other federal statutes. Further, certain federal claims, more recently characterized (or mischaracterized) as disparate impact, such as pricing discrimination, may continue to be brought, but as newly and perhaps more appropriately packaged disparate treatment claims.

What Does the Executive Order Mean for Financial Services Compliance?

Given the potential for private litigation and increased interest by the states in light of federal deprioritization – not to mention the fact that the statute of limitations for most federal fair lending violations can be up to five (5) years – lenders should continue to conduct their routine fair lending monitoring and testing, which seeks to detect disparities among statutorily protected groups. Frankly, this testing alone cannot identify whether any disparities are due to discrimination, much less whether the discrimination was of the disparate treatment or disparate impact variety (though the results are more likely to detect disparate impact discrimination than isolated instances of discriminatory treatment). Nevertheless, the results of monitoring and testing provide lenders with a starting point for assessing their policies, procedures, and practices for fair lending compliance. One question that remains, however, is whether lenders should add White as a racial category in their monitoring efforts.

Are You Ready for the Corporate Transparency Act’s Filing Deadline?

As the new year approaches, so does an important deadline: although January 1, 2025, is the date by which non-exempt companies formed prior to 2024 must file a Beneficial Ownership Information (BOI) Report with the Financial Crimes Enforcement Network (FinCEN) under the Corporate Transparency Act (CTA), we recommend that affected entities file BOI Reports no later than December 31, 2024.

Enacted in 2021, and effective January 1 of this year, the CTA aims to combat illicit financial activity by requiring certain businesses operating in or accessing U.S. markets to provide ownership information on associated individuals.

Looking forward from January 1, non-exempt companies must file BOI reports: (a) within 30 days of entity formation; and (b) within 30 calendar days of changes to any information provided in the initial or a subsequent BOI report.

Alston & Bird has previously reported on the CTA’s requirements, and is happy to assist clients who have questions regarding their initial and ongoing filing obligations under the CTA.

Shareholders Sharpen Focus on AI-Related Securities Disclosures

What Happened?

As Alston & Bird’s Securities Litigation Group reported, the number of securities class actions based on AI-related allegations is rising.  With six new filings in the first half of 2024 and at least five more identified by the authors since, a new trend of AI lawsuits has emerged. This trajectory is likely to continue alongside increased AI-related research and development spending in the coming years.

Why Is It Important?

A recent proposed rule and several enforcement actions indicate that the Securities and Exchange Commission (“SEC”) has a growing appetite for regulating AI-specific disclosures, and shareholders have a growing interest in claims. In this environment, it is imperative that companies remain cognizant of their public statements on AI.

Last year, the SEC proposed a rule that would govern AI use by broker dealers and investment advisers. Although the rule is not yet final, the agency has pursued several AI-related enforcement actions with its authority to regulate false or misleading public statements.

Thus far, the SEC’s enforcement actions have been limited to companies whose public statements on AI usage were at issue.  These companies allegedly claimed to use a specific AI model to elevate their customer offerings but could not provide any evidence of their AI implementation when questioned by the SEC.

Those previous actions do not necessarily mean that a company’s ability to prove it implemented AI technology in some form will be enough to avoid scrutiny or liability. Investor plaintiffs targeting companies’ AI disclosures represent a new frontier of potential risk for companies and their directors and officers.

What To Do Now?

Companies should consider whether the board’s audit or risk committees should be tasked with understanding the company’s AI use and considering associated disclosures in addition to any privacy and confidentiality concerns that arise. Companies can identify their AI experts to properly vet any proposed technical disclosures on AI to confirm the disclosures are accurate. The key is to make sure AI disclosures and company claims about AI prospects have a reasonable basis that’s adequately disclosed.

Companies should also aim to create and maintain appropriate risk disclosures. When disclosing material risks related to AI, risk factors become more meaningful when they are tailored to the company and the industry, not merely boilerplate.