Race to Report—DOJ and FinCEN Expand Incentives for Corporate and Individual Reporting of Anti-Money Laundering and National Security Violations

On March 30, 2026, the Department of the Treasury’s Financial Crimes Enforcement Network (“FinCEN”) published a Notice of Proposed Rulemaking (“NPRM”) to fully implement a whistleblower program[1] offering financial incentives and protections to individuals who report violations of the Bank Secrecy Act (“BSA”), U.S. sanctions administered by the Office of Foreign Assets Control (“OFAC”), and other violations of the International Emergency Economic Powers Act (“IEEPA”), the Trading with the Enemy Act (“TWEA”), and the Foreign Narcotics Kingpin Designation Act (“Kingpin Act”).[2]  Although certain elements of the whistleblower program have been operational since May 2021—FinCEN established an Office of the Whistleblower and has already been the source of many useful tips[3]—the NPRM proposes a comprehensive regulatory framework to fully structure and operationalize the program.  The NPRM significantly increases the incentives for companies to voluntarily disclose potential wrongdoing to the Department of Justice (“DOJ”) under DOJ’s first-ever Department-wide Corporate Enforcement and Voluntary Self-Disclosure Policy (the “2026 CEP”), released on March 10, 2026,[4] by magnifying the risks that misconduct will be reported to the DOJ through the whistleblower mechanism even if the company does not disclose on its own.

Taken together, these two initiatives represent complementary mechanisms designed to dramatically expand the U.S. government’s visibility into potential violations of anti-money laundering (“AML”) and national security-related laws.  They build on a series of earlier regulatory developments, including DOJ’s Corporate Whistleblower Awards Pilot Program, launched in 2024 and expanded in 2025 to cover six new subject areas including corporate sanctions offenses, which expressly included violations involving financial institutions as a designated subject area, while FinCEN worked to operationalize its own whistleblower program.[5]  They also signal an increasingly coordinated and sophisticated strategy to enhance the flow of actionable information to the U.S. government (“USG”) for the enforcement of national security-related laws.  The FinCEN whistleblower rule targets the individual channel, offering monetary awards of 10 to 30 percent of collected penalties to individuals who provide original information leading to successful enforcement actions.  The 2026 CEP targets the corporate channel, offering companies the possibility of a declination of prosecution in exchange for voluntary self-disclosure, full cooperation, and timely remediation.  The initiatives are calibrated to work in tandem, as the 2026 CEP expressly incorporates a whistleblower safe harbor that permits companies to retain eligibility for favorable treatment even after an employee has reported to the government, provided the company self-discloses within 120 days of the whistleblower report.[6]  (In practice, such post-whistleblower disclosure may be challenging as the existence and timing of such a whistleblower report may not be known to the company.)

Key Takeaways

• A Two-Pronged Strategy to Maximize Information Flow to the USG. The DOJ’s 2026 CEP and FinCEN’s proposed whistleblower rule create parallel and mutually reinforcing incentives for both companies and individuals to bring information about potential national security violations to the attention of the USG. Companies are incentivized to self-disclose because failure to do so may result in a criminal resolution, while individuals are incentivized to report because they may receive significant financial awards.  The combined effect is a regulatory ecosystem in which there is an increasingly strong incentive for someone—whether company or employee—to bring violations to the government’s attention.[7]

• Broad and Overlapping Coverage. The FinCEN whistleblower program’s coverage of IEEPA-based violations extends not only to traditional sanctions enforcement but also to Treasury’s Outbound Investment Security Program (“OISP”) and DOJ’s Data Security Program—both of which are implemented pursuant to IEEPA.[8] The 2026 CEP applies to “all corporate criminal matters handled by the Department,” excepting only antitrust.[9]  This breadth means that the same underlying conduct could trigger obligations and incentives under multiple overlapping programs.

• The 120-Day Clock Creates Urgency. The 2026 CEP’s whistleblower safe harbor[10] and the FinCEN NPRM’s 120-day waiting period[11] are designed to give companies with strong internal compliance programs the opportunity to identify, assess, and potentially self-disclose violations before an employee goes directly to the government. However, because whistleblower reports submitted to the government are subject to confidentiality protections and are not necessarily shared with the company, the 120-day safe harbor window may be of limited practical utility for companies that are unaware a whistleblower report has been filed—the clock may begin running, and potentially expire, without the company’s knowledge unless the whistleblower also reports the issue internally.

DOJ’s Department-Wide Corporate Enforcement Policy (2026 CEP)

As we discussed in a prior client alert, on March 10, 2026, DOJ released the 2026 CEP, which it described as the “first-ever” Department-wide corporate enforcement policy for criminal matters.[12]  The 2026 CEP superseded all component-specific and U.S. Attorney’s Office-specific enforcement policies.[13]  The 2026 CEP was developed in part based on the Criminal Division’s Corporate Enforcement and Voluntary Self-Disclosure Policy, initially rolled out in 2016 and most recently updated in May 2025 (the “2025 CEP”).[14]  The 2026 CEP establishes a three-tiered framework of benefits based on the quality of a company’s engagement with the government, ranging from a full declination of prosecution for companies that voluntarily self-disclose, fully cooperate, and timely remediate (absent aggravating circumstances), to reduced penalties through Non-Prosecution Agreements (“NPA”s) for near-misses, to discretionary reductions for other cases.  The first declination under the 2026 CEP was announced on March 19, 2026, when DOJ declined to prosecute Balt SAS, a French medical device company, for FCPA violations after the company voluntarily self-disclosed a bribery scheme, cooperated fully, and remediated the misconduct.[15]

The 2026 CEP extends to national security-related matters, superseding the prior Voluntary Self-Disclosure Policy for Business Organizations issued by DOJ’s National Security Division (“NSD”).  Although the NSD-specific policy is no longer in effect, an NSD press release issued on March 30, 2026, makes clear that NSD remains the DOJ component to which companies should direct voluntary self-disclosures of potential criminal violations of U.S. national security laws.[16]  Notably, certain types of offenses covered by the FinCEN NPRM—including violations of IEEPA and TWEA—are among the categories of national security-related offenses for which NSD encourages companies to self-disclose, further highlighting that the whistleblower program may generate reports to the government about the very types of conduct for which companies are incentivized to self-report to NSD.

FinCEN’s Proposed Whistleblower Rule

On March 30, 2026, FinCEN submitted to the Federal Register a proposed rule to fully implement the whistleblower program established by the AML Act and expanded by the AML Whistleblower Improvement Act.[17]  The NPRM—the culmination of a multi-year effort[18]—proposes a comprehensive framework for the submission, evaluation, and award of whistleblower tips that lead to a qualifying “successful action” by Treasury or DOJ under one of the covered statutes.[19]  Critically, the program is not limited to generating information for FinCEN’s own enforcement efforts.  FinCEN has stated that tips received under the whistleblower program may be shared with the components of Treasury—including OFAC—and DOJ that enforce the covered statutes, meaning that the whistleblower program serves as a conduit for information to reach enforcement by OFAC, DOJ, and FinCEN alike.[20]  In announcing the NPRM, Treasury Secretary Scott Bessent stated that: “Treasury will reward whistleblowers who provide timely, actionable information on fraud, sanctions violations, and other significant illicit finance activity.”[21] 

FinCEN has also launched a dedicated online portal through which whistleblowers may submit tips.[22]  Notably, although the rule has not yet been finalized, FinCEN has already been accepting tips and encourages whistleblowers to submit information “as soon as possible” with “detailed, specific documentation” to support their claims, underscoring that the program is already generating a pipeline of information to enforcement agencies.

• Covered Statutes. The whistleblower program applies to violations of four “covered statutes”: (1) the BSA; (2) IEEPA; (3) TWEA; and (4) the Kingpin Act.[23] Because IEEPA is the statutory authority underlying both OFAC-administered economic sanctions programs and Treasury’s Outbound Investment Security Program,[24] the FinCEN whistleblower program extends to potential violations of both of these regimes, as well as DOJ’s Data Security Program.[25]   

• Award Structure. The proposed rule provides for awards of 10 to 30 percent of collected monetary sanctions to eligible whistleblowers whose original information leads to a “successful enforcement action” by Treasury or DOJ. Awards are payable from a revolving fund that receives deposits from collected penalties, avoiding the need for additional appropriations.[26]

• Eligibility Requirements. To be eligible for an award, a whistleblower must: (i) voluntarily provide original information; (ii) be the original source of that information; (iii) demonstrate that the information led to the successful enforcement of a covered action or related action; and (iv) satisfy all procedural requirements, including initial submission through FinCEN’s Tip, Complaint, or Referral form. A “covered action” is an administrative or judicial action brought by Treasury or DOJ under a covered statute that results in monetary sanctions exceeding $1,000,000.  Whereas, a “related action” is a judicial or administrative action brought by an appropriate agency or authority and successfully enforced that is based upon the original information provided by a whistleblower pursuant to this section that led to the successful enforcement of a covered action.[27]

• 120-Day Waiting Period for Certain Insiders. The proposed rule imposes a 120-day waiting period before certain categories of individuals may submit tips to FinCEN—specifically: officers, directors, trustees, and partners of entities, individuals who learned information through the entity’s internal compliance processes, employees with principal compliance or audit duties, and persons employed by firms retained to perform compliance or audit functions. The stated purpose of this provision is to “provide entities that invest in strong internal audit and compliance programs the opportunity to benefit from such programs” by reviewing and potentially self-disclosing violations before an insider goes to the government.[28]  Importantly, this 120-day period is calibrated to the same 120-day window in the 2026 CEP’s whistleblower safe harbor (discussed below), creating a synchronized timeline that gives companies with effective compliance programs a window to act before insider tips reach enforcement agencies.

• Protections and Confidentiality. The proposed rule incorporates the anti-retaliation protections established by 31 U.S.C. § 5323(g)(1), which prohibit employers from retaliating against whistleblowers who report potential violations to Treasury, DOJ, or their employers. Aggrieved whistleblowers may seek relief through complaints to the Department of Labor or, in certain circumstances, through actions in federal district court.  The proposed rule also provides robust confidentiality protections, requiring FinCEN not to disclose information that could reasonably be expected to reveal a whistleblower’s identity, subject to enumerated exceptions.[29]

• No Amnesty. Importantly, the whistleblower program does not provide amnesty or immunity to whistleblowers who may have participated in the underlying misconduct. However, culpable whistleblowers are rendered ineligible for awards only if they are convicted of a criminal violation related to the covered action. 

• Government Priorities and Focus on Fraud. FinCEN has made clear that combatting fraud is a key priority for the whistleblower program. According to FinCEN, “fraud continues to be the largest source of illicit proceeds in the United States” and is “the largest and most significant proceed-generating crime for which funds are laundered in or through the United States.”  FinCEN further notes that it especially encourages tips about the violations of the BSA or sanctions laws “that may involve, enable, or arise out of suspected fraud scheme.” [30]

The Interplay Between the Two Initiatives

The synchronized release of the 2026 CEP and the FinCEN NPRM in March 2026 reflects a deliberate and coordinated USG strategy to maximize the flow of information about potential violations of national security-related laws.  The two initiatives are designed to operate as complementary “carrots”—one directed at companies and one at individuals—that together create a dynamic in which companies face a strong incentive to identify and self-report potential violations before an employee does so first.  As FinCEN itself noted in the NPRM’s preamble, DOJ’s Criminal Division has “further incentivized companies by revising the CEP and clarifying that additional benefits are available to companies that self-disclose and cooperate”—underscoring that the agencies view these programs as part of a unified enforcement ecosystem.  The architecture of this dynamic is evident in several interlocking features:

• The 2026 CEP’s Whistleblower Safe Harbor. Permits a company to retain declination eligibility even after an employee has reported to the government, provided the company self-reports within 120 days.[31] This creates a defined “race to report” in which companies and employees are each incentivized to be the first to bring information to the government.  As the DOJ has stated—upon announcing their own whistleblower program—the intention is to create a “multiplier effect” in which both companies and individuals are incentivized to report.[32]

• The breadth of the FinCEN whistleblower program. Covering BSA, IEEPA, TWEA, and Kingpin Act violations, means that it captures not only traditional sanctions and anti-money laundering offenses, but also conduct potentially subject to the Outbound Investment Security Program and the Data Security Program.[33] These are areas of rapidly expanding enforcement focus, particularly with respect to China.[34]

• DOJ’s Corporate Whistleblower Awards Pilot Program. Launched in August 2024 and expanded in May 2025, the Pilot Program covers six categories of corporate criminal conduct—including corporate sanctions offenses—further reinforcing this ecosystem.[35] While the DOJ pilot program and the FinCEN whistleblower program are distinct, they share a common objective: incentivizing individuals to bring information about corporate misconduct to the government’s attention.  Notably, the basis for calculating monetary awards differs: DOJ bases its awards solely on forfeited amounts, while FinCEN would exclude forfeited funds from its calculation and base the award amount solely on other collected monetary sanctions (primarily penalties).

Conclusion

The coordinated release of the 2026 CEP and the FinCEN whistleblower NPRM marks a significant shift in the AML and national security enforcement landscape that has direct and immediate implications for companies and individuals.  Rather than relying primarily on traditional investigative tools, the government has deliberately created a disclosure/self-reporting architecture that is designed to ensure information about potential violations reaches enforcement agencies regardless of whether internal compliance mechanisms function as intended.  The 2026 CEP offers substantial benefits to companies that decide to voluntarily disclose potentially criminal compliance issues to the DOJ, including the possibility of a full declination.  At the same time, because employees and other insiders now have significant financial motivation to report potential violations directly to the USG—and because confidentiality provisions may prevent companies from learning that such a report has been made—companies face a heightened incentive to invest in robust internal compliance monitoring, to proactively identify potential issues, and to move quickly to assess and disclose violations before an insider acts independently.  The uncertainty of not knowing whether or when a whistleblower may have submitted a report to the government underscores the importance of maintaining rigorous compliance programs and establishing clear internal escalation protocols, so that companies are positioned to act within the 120-day safe harbor window should the need arise.  Companies should also bear in mind that OFAC and FinCEN maintain their own civil voluntary self-disclosure policies, which provide mitigation credit for companies that report potential violations of sanctions laws and BSA requirements, respectively.  Whether to also disclose to DOJ is a separate and consequential judgment. 

Financial institutions subject to the BSA as well as companies subject to national security-related regulatory regimes may benefit from reviewing their internal compliance reporting mechanisms, considering the effectiveness of their whistleblower channels, and consulting with counsel when developing a disclosure strategy that aligns with this dual-channel enforcement structure.

                                                                                                                              * * *

[1] As first established by the Anti-Money Laundering Act of 2020 (“AML Act”) 31 U.S.C. § 5323(b); and expanded by the Anti-Money Laundering Whistleblower Improvement Act of 2022 (“AML Whistleblower Improvement Act”); Congressional Budget Office, At a Glance: H.R. 7195, To provide for certain whistleblower incentives and protections (November 7, 2022), available here. See Paul, Weiss, Economic Sanctions and Anti-Money Laundering Developments: 2022 Year in Review (Mar. 1, 2023), available here; Paul, Weiss, Economic Sanctions and Anti-Money Laundering Developments: 2021 Year in Review (Feb. 10, 2022), available here.

[2] Financial Crimes Enforcement Network, Whistleblower Incentives and Protections, 91 Fed. Reg. 16,326 (proposed Apr. 1, 2026) (to be codified at 31 C.F.R. pt. 1010), available here.

[3] J Galt, Bessent: Treasury Has Topped 700 Fraud Tips—‘We Are Coming For Them’, Yahoo! News (Apr. 10, 2026), available here.

[4] U.S. Dep’t of Just., Corporate Enforcement and Voluntary Self-Disclosure Policy (Mar. 10, 2026), available here.

[5] See Paul, Weiss, DOJ Launches New Whistleblower Program Focused on Corporate Misconduct (Aug. 07, 2024), available here; see also Paul, Weiss, Economic Sanctions and Anti-Money Laundering Developments - 2025 Year in Review (Jan. 21, 2026), available here.

[6] U.S. Dep’t of Just., Corporate Enforcement and Voluntary Self-Disclosure Policy, Appendix B (Mar. 10, 2026).

[7] As we discussed in a prior memorandum, companies should be aware that under the DOJ’s framework, “to be eligible for the most significant benefits under these disclosure programs—both our corporate voluntary self-disclosure programs and the whistleblower initiative—you have to tell us something we didn't already know.” See Paul, Weiss, DOJ Launches New Whistleblower Program Focused on Corporate Misconduct (Aug. 7, 2024), available here.

[8] Whistleblower Incentives and Protections, 91 Fed. Reg. at 16,330.

[9] U.S. Dep’t of Just., Department of Justice Releases First-Ever Corporate Enforcement Policy for All Criminal Cases (Mar. 10, 2026).

[10] See Corporate Enforcement and Voluntary Self-Disclosure Policy, Appendix B (Mar. 10, 2026).

[11] 91 Fed. Reg. at 16,336.

[12] See Paul, Weiss, DOJ Releases “First Ever” Department-Wide Corporate Enforcement Policy (March 12, 2026), available here; U.S. Dep’t of Just., Department of Justice Releases First-Ever Corporate Enforcement Policy for All Criminal Cases (March 10, 2026), available here.

[13] See Paul, Weiss, SDNY Announces Updated Corporate Enforcement and Voluntary Self-Disclosure Program for Financial Crimes (Mar. 6, 2026), available here.

[14] See Paul, Weiss, DOJ Announces New Corporate and White-Collar Enforcement Policies and Priorities (May 14, 2025), available here.

[15] See Letter from Lorinda I. Laryea, Chief, Fraud Section, Crim. Div., U.S. Dep’t of Just., to David A. Last, Esq. & Lisa Vicens, Esq. (Mar. 17, 2026), available here.

[16] All voluntary self-disclosures concerning potential criminal violations of U.S. national security laws should be sent, with the company name in the subject line, to NSD’s email inbox for voluntary self‑disclosures: NSD.VSD@usdoj.gov. U.S. Dep’t of Just., Reporting Voluntary Self-Disclosures of Violations of National Security Laws Under the Department-wide Corporate Enforcement Policy (Mar. 30, 2026), available here.

[17] 91 Fed. Reg. at 16,326.

[18] Addressing the gap identified and addressed by the DOJ’s Corporate Whistleblower Awards Pilot Program, for the past couple of years, which expressly included violations involving financial institutions as a designated subject area, while FinCEN worked to operationalize its own whistleblower program. See Paul, Weiss, DOJ Launches New Whistleblower Program Focused on Corporate Misconduct (Aug. 07, 2024), available here; see also Paul, Weiss, Economic Sanctions and Anti-Money Laundering Developments - 2025 Year in Review (Jan. 21, 2026), available here.

[19] Comments on the NPRM must be submitted within 60 days of the NPRM’s publication in the Federal Register (by June 2, 2026).

[20] 91 Fed. Reg. at 16,352-53.

[21] See U.S. Dep’t of the Treasury, Press Release, FinCEN Proposes Rule to Pay Whistleblowers (Mar. 30, 2026), available here.

[22] Fin. Crimes Enf’t Network, U.S. Dep’t of the Treasury, Whistleblower Program, https://www.fincen.gov/whistleblower-program (last visited Apr. 21, 2026). 

[23] Notably, the FinCEN whistleblower program does not extend to violations of the Export Control Reform Act of 2018 (“ECRA”) or the Arms Export Control Act (“AECA”), which are the primary statutory authorities governing U.S. export controls on dual-use and defense articles, respectively.  There are, however, active legislative proposals to establish whistleblower incentive programs for export control violations. See, e.g., H.R. 6322, Stop Stealing our Chips Act, 119th Cong. (2025) (proposing to amend ECRA to create a whistleblower incentive program offering awards of 10 to 30 percent of collected fines exceeding $1,000,000 for export control violations).  On April 22, 2026, H.R. 6322 was voted by the House Foreign Affairs Committee to be reported for a full House vote.

[24] The Outbound Investment Security Program is now codified and expanded by the Comprehensive Outbound Investment National Security Act of 2025 (the “COINS Act”).

[25] IEEPA also serves as the statutory basis for other regulatory regimes—including the rules governing information and communications technology and services (“ICTS”) supply chain transactions—which may similarly fall within the scope of the whistleblower program’s coverage.  See 91 Fed. Reg. at 16,329-30.

[26] 91 Fed. Reg. at 16,326-29.

[27] 91 Fed. Reg. at 16,331-33.

[28] 91 Fed. Reg. at 16,336.

[29] 91 Fed. Reg. at 16,341-42.

[30] Fin. Crimes Enf’t Network, U.S. Dep’t of the Treasury, FinCEN Whistleblower Bulletin: Blow the Whistle on Fraud-Related AML and Sanctions Violations (Feb. 13, 2026), available here (Citing Executive Order 14249, Protecting America’s Bank Account Against Fraud, Waste, and Abuse (Mar. 25, 2025)).

[31] Corporate Enforcement and Voluntary Self-Disclosure Policy, Appendix B (Mar. 10, 2026).

[32] See Paul, Weiss, DOJ Announces New Whistleblower Program Aimed at Increasing Corporate Enforcement (Mar. 18, 2024), available here.

[33] 91 Fed. Reg. at 16,330.

[34] See Paul, Weiss, Treasury Department Issues Final Rule Regulating Outbound Investment to Protect National Security (Dec. 06, 2024), available here; Paul, Weiss, White House “America First Investment Policy” Directs Changes to CFIUS and Outbound Investment Programs (Mar. 10, 2025), available here;

[35] See Paul, Weiss, DOJ Announces New Corporate and White-Collar Enforcement Policies and Priorities (May 15, 2025), available here.