In May 2025, the U.S. Department of Justice announced sweeping changes to its white-collar enforcement approach—introducing incentives for self-disclosure and narrowing the use of compliance monitors. Yet amid this pivot, one expectation remains firmly in place: timely and appropriate remediation.
“[T]urning a new page on white-collar and corporate enforcement,” the U.S. Department of Justice recently announced notable changes to its white-collar enforcement policy. Under the new policy, the DOJ has shifted investigative priorities,[1] overhauled key policies to guarantee declinations for qualified self-disclosures and NPAs for “near miss” reports,[2] and imposed a tight leash on monitors.[3] In a speech on May 12, DOJ Criminal Division head Matthew Galeotti noted that this update is a “turning point on white collar and corporate enforcement.”[4]
DOJ’s messages and policies take on a new tone. While acknowledging that corporate crime “poses a significant threat to U.S. interests,” the DOJ warns that “overbroad and unchecked corporate and white-collar enforcement burdens U.S. businesses” and directs prosecutors to “avoid overreach that punishes risk-taking and hinders innovation.”[5]
But one thing remains constant—remediation. Every speech and every policy makes it clear: no deal comes without “timely and appropriate” remediation. That expectation hasn’t budged.
Government Expectations
The revised DOJ Criminal Division Corporate Enforcement and Voluntary Self-Disclosure Policy (CEP) defines DOJ expectations of “timely and appropriate remediation.” To qualify, the organization must have:
- Conducted a thorough root cause analysis (RCA) and corrected the root causes “where appropriate”;
- “Implemented an effective compliance and ethics program,” which may vary given the organization’s size and resources;
- Disciplined directly and indirectly responsible employees;
- Ensured proper business record and communication retention that includes implementing guidance and controls on personal communications and messaging applications; and
- Taken additional steps to acknowledge the misconduct, accept responsibility, and implement safeguards to prevent recurrence and detect future risks.[6]
When it comes to timely and appropriate remediation, time is of the essence. Companies must start early, as many of the elements critical to success require sustained effort and cannot be rushed.
“Demonstrated Thorough Analysis of the Causes of Underlying Conduct”
Just as risk assessment is the bedrock for an effective compliance program, RCA underpins the remediation of compliance violations.[7] Risk assessments employ structured frameworks to anticipate and respond to risks before they occur. RCAs respond to risks after they occur, using the same frameworks as risk assessments.
Objective & Impartial
Building the right RCA team takes care. The team must understand the company’s operations and the case details. But to gain the DOJ’s trust, it must also be objective, impartial, experienced in root cause analysis, and without conflicts (e.g., analyzing the causes of a superior’s misconduct). Law firms can achieve this balance by establishing a separate, attorney-client-privileged, and protected remediation workstream.
Thorough Analysis
The CEP requires a “thorough analysis,” which means digging below surface-level issues.[8] The RCA team should apply a recognized process, such as the Committee of Sponsoring Organizations’ Internal Control—Integrated Framework,[9] Cressey’s Fraud Triangle,[10] or the Five Whys Technique.[11] Key problem areas include culture, risk assessment, entity and transaction-level controls assessment, and monitoring.
Root Cause Findings
Develop a consistent format for describing the root cause analysis findings, e.g., a format that (1) begins with the root cause; (2) describes the risk scenario; (3) explains the impact; and (4) notes the risk response. This format establishes a direct connection between the root cause and the remedial steps, demonstrating that the corrective action plan effectively encompasses all significant root causes.
Timely and Appropriate Remediation
The DOJ definition of “timely and appropriate remediation” expects that the organization, “where appropriate, remediated to address those root causes.”[12] Identifying and assessing risks arising from root causes informs the need for and scope of the remediation.[13] The CEP and other DOJ guidance make clear the value to companies that come to the table with remediation being complete and independently tested.[14]
“Implemented an Effective Ethics and Compliance Program”
The CEP’s second requirement is that the company must have “[i]mplemented an effective compliance and ethics program.”[15] The operative word is ‘implemented’; the enhanced compliance program is already in place and has been tested. Start early or face losing CEP benefits or, worse, a government-imposed monitor.[16]
Elements
The CEP lists eight areas from the DOJ’s Evaluation of Corporate Compliance Program guidance. These include (1) instilling a culture of integrity; (2) adequate compliance resources; (3) quality and competency of compliance personnel; (4) compliance function authority and independence; (5) an effective compliance risk assessment process; (6) the reporting structure; (7) compensation of compliance personnel; and (8) testing to assure the effectiveness of the program.[17]
Independent Testing
Demonstrating the effectiveness of a compliance and ethics program requires the organization and its counsel to develop assessment criteria and collect evidence that the organization meets the criteria.[18] The DOJ 2025 Selection of Monitors Memo requires prosecutors to consider an organization’s “ability to independently test” the compliance program[19] and directs them to consider “whether a company’s voluntary engagement of third-party consultants, auditors, and other experts obviates the need for a monitor.”[20]
The testing team must be independent, which means that they cannot audit their own work nor act as an advocate.[21] After testing, consider having the CEO or Chief Compliance Officer certify the effectiveness of the compliance program, just as they do for post-settlement obligations.[22]
“Appropriately Disciplined Employees”
Timely and appropriate remediation requires disciplining the perpetrators and those indirectly responsible for the misconduct (e.g., failure in oversight or supervisory authority).[23] Some organizations develop criteria and frameworks similar to the federal sentencing guidelines to demonstrate consistency in their disciplinary process.
“Appropriately Retained Business Records”
The CEP definition requires that the organization retain business records, including implementing controls over personal communications and messaging applications. This requirement derives from the DOJ 2024 ECCP[24] evaluation of corporate compliance programs and the SEC 2022-2025 enforcement sweep on preserving business-related text messages,[25] which, from an investigative perspective, are a powerful source of evidence.
“Additional Steps”
This final element serves more as an option than a requirement, as it offers organizations the opportunity to present additional steps they have taken to demonstrate their acceptance of responsibility and implementation of corrective measures to prevent and timely detect recurrence. For example, we recommend that organizations maintain a “good deeds” scrapbook to document their efforts to instill a culture of integrity, such as detailed records of board engagement in compliance oversight, leadership’s proactive involvement in ethics training, or company-wide communications that acknowledge responsibility and outline corrective actions.[26]
The Bottom Line
Despite a softer tone acknowledging the risks of overregulation, the DOJ has not softened its expectations of compliance and remediation. “Timely and appropriate” remediation isn’t a slogan; it’s the price of admission to the DOJ’s more favorable resolutions. The takeaway is simple: at the first sign of trouble, perform a comprehensive analysis of the causes of the misconduct, remediate root causes, and independently test the enhanced programs and controls to demonstrate their effectiveness.
Nathan Gibson, Manager at StoneTurn, contributed to this article.
Jonny Frank, Michele Edwards, and Christopher Hoyle help organizations and counsel remediate misconduct and address regulatory findings. If you have any questions or would like to discuss this topic, please reach out to them directly.
This article originally appeared in Law360.
[1] DOJ, Focus, Fairness, and Efficiency in the Fight Against White-Collar Crime (2025) https://www.justice.gov/criminal/media/1400046/dl?inline [hereinafter DOJ 2025 White Collar Enforcement Plan].
[2] DOJ, Criminal Division Corporate Enforcement and Voluntary Self-Disclosure Policy (2025) www.justice.gov/criminal/media/1400031/dl?inline [hereinafter DOJ 2025 CEP].
[3] DOJ, Memorandum on Selection of Monitors in Criminal Division Matters (May 2025) www.justice.gov/criminal/media/1400036/dl?inline [hereinafter DOJ 2025 Selection of Monitors Memo].
[4] DOJ, Head of the Criminal Division, Matthew R. Galeotti Delivers Remarks at SIFMA’s Anti-Money Laundering and Financial Crimes Conference (May 2025) https://www.justice.gov/opa/speech/head-criminal-division-matthew-r-galeotti-delivers-remarks-sifmas-anti-money-laundering.
[5] Id. at 2.
[6] DOJ 2025 CEP, supra, at 6.
[7] See generally J. Frank et al., A Primer in Root Cause Analysis: A Critical Step in the Remediation of Compliance Violations, StoneTurn Insights (2024) https://stoneturn.com/insight/root-cause-analysis-compliance-remediation.
[8] DOJ 2025 CEP, supra, at 6 (emphasis added).
[9] The Committee of Sponsoring Organizations, Internal Control—Integrated Framework (2013) https://www.coso.org/internal-control [hereinafter COSO].
[10] Cressey’s Fraud Triangle refers to 1950s criminologist Donald Cressey’s theory that three conditions exist whenever misconduct occurs: (1) pressure or incentive; (2) rationalization; and (3) opportunity.
[11] The Five Whys Technique, developed by Toyota Industries founder Sakichi Toyoda, involves repeatedly asking “why” five times to uncover the root cause of a problem, rather than just addressing surface-level issues.
[12] CEP, supra, at 6.
[13] Risk assessing root cause findings begins with setting the risk appetite, followed by identifying potential risk scenarios, evaluating inherent risk, linking and assessing controls for inherent risks outside of risk appetite, assessing residual risk, and developing a risk response for residual risks outside of risk appetite.
[14] The DOJ 2025 CEP refers to “remediated,” not “being remediated” or “will be remediated,” which means that the remediation should be finished. At a minimum, remediation should be nearly complete, including independent testing.
[15] DOJ 2025 CEP, supra, at 6.
[16] See Selection of Monitors Memo, supra, at 3.
[17] DOJ 2025 CEP, supra, at 6.
[18] See generally J. Frank et al., Where’s the Beef? Demonstrating “Timely & Appropriate” Remediation, NYU Law School Program on Corporate Compliance and Enforcement (2024) https://wp.nyu.edu/compliance_enforcement/2024/08/27/wheres-the-beef-demonstrating-timely-appropriate-remediation/.
[19] DOJ 2025 Selection of Monitors Memo, supra, at 3 (emphasis added).
[20] DOJ 2025 Selection of Monitors Memo, supra, at 3 (emphasis added).
[21] Cf. SEC Office of the Chief Accountant, Audit Committees and Auditor Independence https://www.sec.gov/info/accountants/audit042707.pdf (prohibiting auditors from auditing their work or advocating for an audit client).
[22] See DOJ 2025 Selection of Monitors Memo, supra, at 2 (noting that DOJ corporate resolutions require company leaders to personally certify that the organization implemented an effective compliance program).
[23] DOJ 2025 CEP, supra, at 7.
[24] DOJ 2024 ECCP, supra, at 20 (directing prosecutors to consider mechanisms the organization has implemented to manage and preserve information in electronic communication channels).
[25] See, e.g., SEC, JPMorgan Admits to Widespread Recordkeeping Failures and Agrees to Pay $125 Million Penalty to Resolve SEC Charges (2021) https://www.sec.gov/newsroom/press-releases/2021-262; SEC, SEC Charges 16 Wall Street Firms with Widespread Recordkeeping Failures (2022) https://www.sec.gov/newsroom/press-releases/2022-174; SEC, Twelve Firms to Pay More Than $63 Million Combined to Settle SEC’s Charges for Recordkeeping Failures (2025) www.sec.gov/newsroom/press-releases/2025-6.
[26] See generally J. Frank et al., Meeting DOJ and SEC Post-Settlement Obligations: A Practical Guide, StoneTurn Insights (2023) https://stoneturn.com/insight/meeting-doj-and-sec-post-settlement-obligations-a-practical-guide/.