What the Enforcement Record Says About ‘Timely’ Disclosure

“Voluntary and timely.” Those three words, or variations of them, do some serious heavy lifting in corporate resolutions with government authorities and guidance for corporate compliance programs. Corporate leaders might wish for specifics like “within hours” or “weeks later,” which is understandable, especially when considering the self-disclosure record. CCI’s analysis of nearly two dozen actions over the past decade reveals a messy reality: What the DOJ today pitches as “guaranteed” credit may still be more of a gamble than advertised if history is a guide.

There can be little doubt that timely disclosure (along with remediation and full cooperation) can pay dividends. In the cases CCI analyzed where companies missed the timeliness window, they faced criminal penalties and disgorgement averaging in the range of $140 million to $170 million. 

Indeed, speed is of central importance to many modern corporate compliance and internal audit programs. But enforcement patterns reveal that timeliness is a Venn diagram rather than a perfect circle — what companies think is timely disclosure may not meet a standard the government hasn’t clearly defined.

That means finding out someone in your organization may have broken the law, investigating the situation, fixing what needs to be fixed and reporting all of that to the government — probably long before you’ve even closed the book on your internal investigation.

Practitioners who navigate these decisions regularly say the tension is real. 

“[The DOJ wants] you to disclose all relevant facts, but they also want you to disclose very, very early,” Taryn McDonald, a partner at Haynes Boone, told CCI. “That’s really hard to do. … If you make a decision to disclose, you’re not waiting till it’s all tied up with a bow. It’s just not going to be possible.”

Compliance

One CEP to Rule Them All?

by Jennifer L. Gaskin

March 18, 2026

The DOJ released its first-ever department-wide corporate enforcement policy ostensibly to bring fairness and transparency to the government’s decisions on charges against companies accused of criminal conduct.

Read moreDetails

What does timely mean? Only the DOJ knows

The enforcement record, like DOJ’s guidance, is scant on details, even when companies have gotten credit for timely reporting. Of the nine cases CCI examined where companies received credit for timely disclosure, only two included any measurable time window. In one, a company disclosed within three months of identifying potential misconduct and within hours of internal confirmation. In another, the board learned of the issue and notified the government within two weeks.

The remaining credited disclosures were described in language likely to frustrate any compliance officer looking for a benchmark. “Voluntarily and timely.” “Promptly.” “Prompt, voluntary self-disclosure.” No clock. No threshold. In one of those five cases, the company disclosed while its internal investigation was still underway, a fact the declination letter noted approvingly, without explaining what it might have meant to wait.

What the credited letters share is notable for what they omit. None of them define the starting point of the timeliness clock or a tipping point — whether that is the date of an initial allegation, the conclusion of a preliminary inquiry or the moment internal confirmation is reached. None explains what delay, if any, would have disqualified the company. The government’s message to companies that got it right amounts to: you were timely. The message to everyone else is more instructive.

When companies missed the window — or never opened it — the language in enforcement documents is more specific. A deferred prosecution agreement with one major company noted that it “did not voluntarily and timely disclose” the conduct at issue. Another stated the company “did not receive voluntary disclosure credit” because its disclosures came “only after the [SEC] requested documents” and years after the company became aware of bribery allegations through a whistleblower complaint and a civil lawsuit — allegations it investigated internally but chose not to report. 

In several cases, the record makes plain that the clock wasn’t stopped by anything the company did but by someone else getting there first. A former employee copied American and Indian government authorities in an email before the company came forward. Press reports made public allegations of misconduct before a company began cooperating. In each instance, the DOJ’s letter explained the denial in terms of sequencing — who knew what, and when — rather than in terms of what the company found or how long its investigation had run. The timeliness question, in those cases, had already been answered before the company picked up the phone.

When someone beats you to it

The external-trigger pattern — where the timeliness clock effectively runs out before a company acts — appears in several of the enforcement actions CCI reviewed, and the government’s language in those cases is precise about what happened.

In one case involving a global spirits company, a former employee copied American and Indian government authorities on correspondence related to the alleged misconduct before the company came forward. The company did not receive voluntary disclosure credit. Its penalty: $19.6 million.

The pattern is similar in a 2024 deferred prosecution agreement (DPA) with SAP SE, the German software giant. The DPA states the company “did not voluntarily and timely disclose” the conduct at issue — because it didn’t need to. South African investigative reports had already made the allegations public. SAP began cooperating immediately after the press reports appeared, earning substantial cooperation credit, but VSD credit was off the table. The company paid $119 million in criminal penalties and $103 million in disgorgement. 

In both cases, the decision about timeliness wasn’t really a decision at all because it had been made by someone else.

The cases involving Panasonic Avionics and Albemarle are different in kind, and in some ways more instructive. There, companies had the information. They had conducted internal investigations. The question of whether to disclose was squarely in front of them and the record reflects what they chose.

Panasonic Avionics learned of bribery allegations through a whistleblower complaint and a civil lawsuit. It investigated. Its DPA states the company “chose not to voluntarily report to the relevant authorities.” Disclosure came only after the SEC requested documents. The company paid $137.4 million and was required to retain a monitor for two years.

Albemarle, a specialty chemicals company, confirmed misconduct in one geography and waited more than nine months before disclosing, simultaneously reporting related conduct in three additional countries. The disclosure of the original conduct was deemed untimely; the additional countries received partial credit. Total penalties came to roughly $196 million. 

Walmart’s experience adds a further wrinkle. The company proactively disclosed misconduct in Brazil, China and India before the government had independently learned of it, conduct that would ordinarily qualify for voluntary disclosure credit. It didn’t, because the government was already investigating related conduct in Mexico. The disclosure of one matter, it turned out, had contaminated the credit available for all the others. 

Risk analysis, not a math problem

For companies weighing whether to disclose, the enforcement record suggests the decision rarely turns on the investigation findings themselves but on a balance of many factors, including the nature of the conduct itself.

“Part of that calculation is also what is the conduct, what does it look like, who was involved, how prevalent is it and all of those things kind of weigh more in favor of a potential self-disclosure than not,” McDonald said.

Establishing and reinforcing compliance culture is the first of many steps toward self-disclosure, McDonald said.

“Having a real compliance program, a real compliance culture where folks at the company are encouraged to report any issues … if you have no way to identify a potential issue, it really handicaps you as a company in terms of self-disclosure.”