[Kartikey Mahajan is a Partner, Prerna Jain and Bhavya Chengappa are Principal Associates, all part of the Dispute Resolution practice group of Khaitan and Co.]
On 10 March 2026, the US Department of Justice (DOJ) issued its first-ever department-wide Corporate Enforcement and Voluntary Self-Disclosure Policy (CEP), which is a critical risk-management framework for companies, including Indian ones, operating globally. CEP offers a clear bargain: a company that voluntarily self-discloses misconduct, fully cooperates, and timely remediates may receive a declination. Even with aggravating factors, companies can secure significant benefits, including a 50% to 75% penalty reduction and no independent compliance monitor. Conversely, inaction leaves companies exposed to full prosecutorial discretion.
But, why should Indian companies take note of this US regulatory development? Indian companies often mistakenly assume US enforcement only applies to US-listed entities or those with American subsidiaries. However, that is not the case. A US nexus can easily arise through dollar clearing, US investors, American Depositary Receipts (ADRs), US-based servers or employees, American customers, overseas subsidiaries, or global tenders.
This risk is acute in globally expanding sectors like pharmaceuticals, healthcare, defence, energy, infrastructure, logistics, mining, and technology. These industries frequently rely on agents, public officials, and cross-border supply chains, making them prone to US regulatory scrutiny.
The Practical Shift and Stepwise Guide
The key takeaway of CEP is operational in nature. Operationally, the first 30 to 90 days after discovering misconduct are critical because delays, informal clean-ups, or inconsistent narratives can severely damage a company’s ability to claim cooperation credit.
In India, internal complaints are often first handled as human resources, vigilance, audit, or business issues. That approach may be inadequate where the facts suggest a possible US nexus. A whistleblower complaint about payments to a foreign government official, suspicious distributor margins, customs irregularities, sanctions exposure, false invoices, or improper tender conduct should not be allowed to drift, and Indian companies need a structured process from the outset.
Step 1: Identify US Touchpoints
As a first step, Indian companies must assess if the DOJ has a plausible jurisdictional hook, i.e., look for US-listed securities, dollar-denominated transactions, US-routed data, American customers, or US-connected intermediaries. While a single US touchpoint does not mandate automatic disclosure, it necessitates handling the matter with cross-border sensitivity.
Step 2: Preserve Evidence Immediately
Evidence preservation is crucial for cooperation credit. Relevant data often resides in emails, WhatsApp chats, personal devices, ERP records, invoices, and informal spreadsheets. Companies must immediately issue legal holds, secure devices lawfully, identify third-party records, and prevent data deletion. A company unable to demonstrate what it preserved, when it did so, and why certain material is unavailable will be at a severe disadvantage.
Step 3: Investigate Promptly
The DOJ expects speed, good faith, and candour, not immediate perfection. Companies must conduct a focused preliminary investigation to answer several threshold questions. What is the allegation? Is it credible? Who is involved? Is there a US nexus? Is the misconduct ongoing? Are regulators or auditors already aware?
Companies must brief the board or audit committee early. Moreover, Indian and US counsel should collaborate to navigate privilege, data transfer, employment law, and regulatory reporting obligations before making any disclosure.
Step 4: Remediate Effectively
Superficial actions, such as terminating a junior employee or revising a code of conduct, are insufficient. The DOJ expects effective remediation, which includes root-cause analysis, disciplining responsible personnel, and strengthening payment and messaging controls.
For Indian companies, third-party risk is also key. Agents, distributors, customs brokers, and joint venture partners must be rigorously vetted not just for basic KYC, but for beneficial ownership, political exposure, sanctions links, and unusual success-fee arrangements.
Step 5: Coordinate Legal Obligations
A US disclosure strategy cannot exist in a vacuum. The same facts may trigger Indian obligations under SEBI regulations, the Companies Act, the Prevention of Money Laundering Act (PMLA), the Foreign Exchange Management Act (FEMA), sectoral rules, lender covenants or contractual arrangements. Hence, communications must be carefully sequenced to avoid inconsistent narratives across jurisdictions, which can create serious legal risks.
Conclusion
For Indian companies operating globally, mishandling the response is often a larger and more avoidable mistake than the initial misconduct. The new policy should not be read to mean that every company should rush to the DOJ. Self-disclosure carries collateral consequences, including potential criminal exposure under Indian law, SEBI disclosures, PMLA and FEMA risks, and contractual or arbitration claims.
Rather, decisions must be made at the right level and expeditiously. For serious matters, the board or audit committee should receive a structured note detailing the known facts, US nexus, Indian legal implications, disclosure options, remediation steps, and litigation risks. A documented, good-faith decision is invaluable, proving the company’s approach was reasoned, informed, and continuously revisited, even if it chooses not to self-disclose immediately.
– Kartikey Mahajan, Prerna Jain & Bhavya Chengappa