The Federal Reserve announced on August 3, 2016, that it would fine Goldman Sachs $36.3 million in connection with a leak of confidential information from its New York branch. The leak was discovered and reported by Goldman Sachs in 2014 after Goldman learned that a junior executive had received information from a contact at the New York Fed. Both the junior executive and one of his supervisors were fired as a result.

The fine once again brings to bear the importance of maintaining and enforcing compliance programs. In addition to the clear benefits of having infrastructure in place to detect and prevent issues such as the ones experienced at Goldman Sachs, to the extent a criminal (or other governmental) investigation is ever initiated, the law looks much more favorably on organizations with active and meaningful compliance programs than it does on organizations that merely give lip service to such efforts. In fact, the Federal Sentencing Guidelines provide substantial reductions in criminal fines for organizations with effective compliance programs, and, although those Guidelines are not mandatory, a well-maintained compliance program is one of the best tools for minimizing a company’s potential criminal (and even civil) exposure.

As a result, the recent Fed action provides a useful reminder of the need for all companies to engage in meaningful third-party audits of any existing compliance programs, or, if no such program exists, to do an initial audit and establish a program that is tailored to the particular areas of the organization’s need. Beyond that, the action emphasizes the need for retribution-free reporting channels, an established corporate-compliance hierarchy, and a clear policy in favor of complying with all laws.

But the Fed action raises a very serious predicament: what is enough to avoid a hefty fine? As the New York Times pointed out in its article on the Fed’s action, Goldman Sachs identified the leak—not the Fed. And Goldman Sachs terminated the two individuals believed to have been involved in the leak. (As an important aside, the junior executive’s supervisor is contesting the charges against him.) The uncertainty occasioned by these enforcement actions—especially considering that the Fed failed to detect the leak quicker than Goldman—raises significant concerns for companies trying to avoid substantial fines. Indeed, if Goldman can be fined such a large amount after self-reporting an offense that the Fed had an equal opportunity to uncover, how does that bode for other entities?

Again, the best bet is to ensure thorough and frequent audits of the compliance processes in place. The more an organization self-polices and establishes a culture of compliance, the more likely it is that such a breach will not occur or would be caught before any substantial damage could be incurred. While the exact extent of Goldman’s culpability is not entirely clear (in fact, the New York Times writes that the fine reflects partial punishment for several years of policies considered to be overly lax), something could likely have been done to help prevent or further limit the leak in this case. Only well-articulated and earnestly enforced policies and procedures can demonstrate a company’s good faith in such situations.