On July 26, 2023, the US Department of Commerce’s Bureau of Industry and Security (BIS), the US Department of the Treasury’s Office of Foreign Assets Control (OFAC), and the US Department of Justice (DOJ) issued a joint compliance note (the Note) focusing on the voluntary self-disclosure (VSD) policies that apply to US sanctions, export controls, and other national security laws. The Note is the second collective effort by the three agencies to inform the private sector about civil and criminal enforcement trends, as well as to provide guidance to the business community and all persons regarding compliance with US sanctions and export laws. The first joint note, which focused on combatting third-party intermediaries used to evade Russia-related US sanctions and divert export-controlled items that are contributing to Russia’s foreign harmful activities, was issued on March 2, 2023.

The Note does not change the existing VSD policies of the three agencies, but highlights the benefits of their existing VSD policies to incentivize companies to promptly disclose and remediate.  Likewise, the Note highlights the risks companies face, in at least some instances, should they choose not to disclose.

The Note also encourages whistleblowers to report suspected violations of sanctions and anti-money laundering laws to the US Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN), for which persons that submit whistleblower tips may be awarded up to 10% to 30% of the monetary penalty collected for successful US government enforcement actions.

DOJ’s VSD Policy

The Note reiterates the updated VSD policy covering potential criminal violations of export control and sanctions laws published by DOJ’s National Security Division (NSD) on March 1, 2023 (the March 2023 VSD Policy). NSD’s VSD policy is designed to incentivize companies and other organizations to come forward promptly when they identify or otherwise become aware of potential criminal violations of US sanctions and export control laws.

NSD indicates in the Note that “[m]oving forward, where a company voluntarily self-discloses potentially criminal violations, fully cooperates, and timely and appropriately remediates the violations, NSD generally will not seek a guilty plea, and there will be a presumption that the company will receive a non-prosecution agreement and will not pay a fine.” As stated in the March 2023 VSD Policy, to be eligible for VSD benefits, a person should:

  • Voluntarily self-disclose potential criminal (i.e., willful) violations to NSD accurately and completely;
  • Fully cooperate;
  • Timely and appropriately remediate; and
  • Avoid aggravating factors.

In practice, there are a few important aspects of the NSD VSD policy that companies should be aware of in their assessment regarding disclosure.

First, to receive the VSD benefit from NSD, there has to be a disclosure to NSD. On that, NSD has made clear that disclosures made only to regulatory agencies such as OFAC or BIS do not qualify under NSD’s policy.

Second, to avail itself of NSD’s policy, a company must disclose to NSD within a “reasonably prompt” time after becoming aware of the potential violation, and in any event, “prior to an imminent threat of disclosure or government investigation.” The NSD’s VSD policy does not provide clear guidance on what would be considered “reasonably prompt;” instead, the burden to show timeliness is on the company.  

Third, the “prompt” disclosure includes a requirement that the company must disclose all relevant non-privileged facts known to it at the time of the disclosure, including all relevant facts and evidence about all individuals involved in or responsible for the misconduct at issue (including individuals inside and outside of the company).

Fourth, the disclosure assessment may need to consider other US and non-US statutes and regulations. For example, under the NSD’s VSD policy, disclosures must be made absent any other legal obligation to disclose, so a company may need to assess if it has a preexisting obligation to disclose to any US or non-US regulatory or law enforcement bodies. Also, if the disclosure involves overseas documents and the company claims that the disclosure of overseas documents is prohibited by a non-US law, the burden is on the company to establish the existence of such a restriction, to demonstrate that the relevant data are not on US servers or systems, and to identify reasonable and legal alternatives to help NSD preserve and obtain the necessary facts, documents, and evidence for its investigations and prosecutions.    

Fifth, NSD’s policy of “a presumption in favor of a non-prosecution agreement” does not apply where there are aggravating factors. The Note lists a broad set of aggravating factors and this carve-out adds to the uncertainty of whether a company can actually avail itself of the benefit of a VSD. A VSD to NSD does not bar the US government from seeking to impose civil or criminal penalties, depending on the facts and circumstances. Taken together with the requirement for “prompt” disclosure, companies will need to carefully consider whether there are any benefits to submitting a VSD to DOJ as part of its VSD assessment.

BIS’s VSD Policy

The Note states that BIS strongly encourages disclosures by companies and other entities who believe that they may have violated the Export Administration Regulations (EAR), or any order, license, or authorization issued thereunder. As stated in Supplement No. 1 to Part 766 of the EAR, disclosure that is timely and comprehensive and involves full cooperation of the disclosing party substantially reduces the applicable civil penalty under the BIS settlement guidelines.

The Note highlights two recent updates related to BIS’s VSD policy:

  1. On June 30, 2022, the Office of Export Enforcement (OEE) implemented a dual-track system to handle VSDs. VSDs involving minor or technical infractions are now resolved on a fast-track basis, with the issuance of a warning or no-action letter within 60 days of final submission. For those VSDs that indicate potential violation(s) of more serious harm to US national security, OEE will apply more scrutiny to determine whether enforcement action may be warranted, while at the same time adhering to the principle that persons will receive significant mitigation credit for voluntarily reporting and cooperating.
  2. On April 18, 2023, the Assistant Secretary of Commerce for Export Enforcement issued a memorandum regarding the BIS policy on VSDs and reports concerning alleged conduct by other persons. In this memo, BIS announced that (1) the deliberate non-disclosure of a significant potential violation will now be treated as an aggravating factor in civil enforcement cases, and (2) whistleblowing of significant potential violations by another party that ultimately results in a BIS enforcement action will be considered a mitigating factor in any future enforcement action involving the whistleblower, even for unrelated conduct. As discussed in our previous blog post, BIS’s shift in policy to adopt a dual carrot and stick approach marks a potential sea change in the voluntary self-disclosure risk calculus for companies.

OFAC’s VSD Policy

In the Note, OFAC referred to its Enforcement Guidelines, under which a VSD is a mitigating factor when OFAC is determining the appropriate enforcement response in a particular case. In cases where a civil monetary penalty is warranted, a qualifying VSD can result in a 50 percent reduction in the base amount of a proposed civil penalty.

OFAC has significant discretion in determining whether a disclosure qualifies as VSD, which may impact a company’s decision regarding when and to whom to disclose. The Note explains that under the Enforcement Guidelines, OFAC considers the totality of the circumstances surrounding the apparent violation, including, among other factors, the existence, nature, and adequacy of the subject’s compliance program at the time of the apparent violation and the corrective actions taken in response to an apparent violation. Qualifying VSDs must occur prior to, or simultaneous with, the discovery by OFAC or another government agency of the apparent violation or a substantially similar apparent violation.

Disclosures to OFAC will not qualify for full mitigation credit as VSDs under certain circumstances, including situations in which:

  • a third party is required to and does notify OFAC of the apparent violation because the transaction was blocked or rejected by that third party (regardless of when OFAC receives such notice or whether the subject person was aware of the third party’s disclosure);
  • the disclosure includes false or misleading information;
  • the disclosure is not self-initiated (including when the disclosure results from a suggestion or order of a federal or state agency or official; or, when the subject person is an entity, the disclosure is made by an individual in a subject person entity without the authorization of the entity’s senior management. Responding to an administrative subpoena or other inquiry from, or filing a license application with, OFAC is not a VSD.); or
  • the disclosure (when considered alongside supplemental information) is materially incomplete.


There is a policy reason for the US government to encourage disclosures. In the Note, the three agencies encourage businesses and other persons to timely and appropriately file VSDs, and point out that such disclosures can help the US government in advancing US national security and foreign policy interests. As stated in the Note, “[n]ot only does such reporting make the disclosing company potentially eligible for significant mitigation, but it also alerts national security agencies to activities that may pose a threat to the national security and foreign policy objectives of the US Government.”

Companies should continue to assess the pros and cons of voluntary disclosure in each particular case. The Note at times implies that there is an obligation to disclose, principally by seeking to emphasize the downsides of non-disclosure, but generally speaking, there is no US legal obligation to submit a VSD under OFAC regulations or the EAR (although mandatory reporting of blocked or rejected transactions under OFAC’s regulations may reveal an apparent violation in some instances). Disclosure may also be required where an approval from BIS is needed to remove a General Prohibition to the EAR.

The assessment involves a careful balancing of various factors, including whether the DOJ or another US government agency has been informed or would learn of the potential infraction and consider it serious, and an assessment of potential penalties and the value of mitigation credit. In this regard, third parties may be more motivated to disclose violations of others, particularly in the context of the EAR (since BIS has incentivized such whistleblowing) and US trade and economic sanctions that the US government is trying to incentivize to be reported to FinCEN. Companies must carefully assess and plan the sequence of any VSD, especially where separate disclosures to multiple US government agencies may be needed.

The increasing cooperation between US government agencies, as reflected in the release of the two “tri-seal” notes, requires a proper strategy. That includes a compliance strategy with respect to applicable statutes and regulations to mitigate potential serious criminal or civil penalty and liability exposure. In this regard, companies continue to be well-advised to ensure that their export control and sanctions compliance policies are up to date, effective, and robust. Where a company’s potential violation implicates US national security interests, the company should carefully analyze the specific facts and circumstances and relevant enforcement considerations to form a proper cooperation/defense strategy, including whether to use anonymous means to alert US national security agencies to the risk, without necessarily exposing itself to criminal or civil penalties.

For additional information on this Note, please contact one of the authors.