One of the critical questions when evaluating a potential FCPA violation is to decide whether to disclose the matter to the Justice Department and the SEC.

The SEC recently announced a requirement that companies to voluntarily disclose such conduct in order to qualify for a deferred prosecution agreement (“DPA”) or a non-prosecution agreement (“NPA”).  By explicitly naming self-reporting as the only path to get to a DPA or NPA, the SEC is adding one more advantage to list on the “Pros” side of a comparison.

The decision to self-report is complex. There are numerous factors, including: the pervasiveness of the conduct, any related investigations, the likelihood of a whistleblower reporting the activity, individual liability for self disclosure, impact of negative publicity, and role of the organization’s compliance program in relation to the potential violation’s discovery. The new policy will not make the decision easy.

Andrew Ceresney, the SEC Director, Division of Enforcement, gave a speech on November 17, 2015 in which he makes clear that the SEC is wielding both a “carrot” and a “stick” to encourage self-reporting. In the five years since the SEC launched its formal cooperation program we have seen the program provide some definition to the previously existing informal policy of providing credit for voluntary disclosure of a potential FCPA violation.

The advantages of a DPA or NPA are clear. As Mr. Ceresney said, “there are significant benefits available to companies who self-report violations and cooperate fully with our investigations.” Penalties reduced up to 90% and reduced charges lessen all negative ramifications of an enforcement action, reducing costs, reputational harm, and collateral consequences for an organization (for example: at the beginning of this year PBSJ self-reported and fully cooperated for a 90% reduction in the disgorgement level).

Organizations should think long and hard before giving up these potential outcomes that now accompanies a decision not to self-report, especially when compared to the severe consequences not self-reporting can have, such as in the Marubeni enforcement action of March, 2014, where the DOJ cited the company’s decision “not to cooperate with the department’s investigation when given the opportunity to do so, its lack of an effective compliance and ethics program at the time of the offense, its failure to properly remediate and its lack of voluntary disclosure of the conduct,” to support its unusually harsh penalty of an $88 million fine and 8 count guilty plea.

What remains is the question of “when.” An organization faces a difficult decision, but faces it under the pressure of knowing that making the decision too late or too early can result in its own negative consequences. A decision to self-report made too late risks the DOJ and/ or SEC discovering the circumstances on its own and making self-reporting impossible. On the other hand, a decision to self-report made too early can be made without all the necessary background information. Internal investigations can take a long time, and even longer to be done thoroughly. Often executives find themselves facing a decision about self-reporting with incomplete information as a result of the volume of information to be examined.

I anticipate that Mr. Ceresney’s speech will result in a slow shift away from looking at a “should we self-report” question to a “when should we self report” question. The good news is that if all companies begin to openly discuss potential FCPA-related violations discovered within their own ranks we might ultimately see a more insightful pool of knowledge on what FCPA risks are. By recognizing common trends and patterns, we may ultimately empower organizations to address bribery and corruption scheme’s before they begin within the organization’s own ranks through targeted training and internal control policies. In such an environment everyone wins except those seeking to profit from bribery.