Turning Whistleblower Risk into Compliance Readiness

Whistleblowers have become a highly effective trigger for regulatory scrutiny, and their role is growing. In 2024, the Securities and Exchange Commission received approximately 25,000 tips, with international submissions on the rise. For general counsel and chief compliance officers, there is a clear signal: speak-up programs are no longer back-end safeguards.  They are front-line legal infrastructure that must be prioritized.

Recent changes made by the Department of Justice are notable as well. In May 2025 , the Criminal Division head Matthew Galeotti reissued the Corporate Enforcement & Voluntary Self‑Disclosure Policy (CEP) with an updated public flowchart, providing clarity on how timing and cooperation impact enforcement decisions. The agency previously expanded its incentives for companies that self-disclose misconduct before a tip or investigation surfaces.

In early 2025, DOJ also expanded its Corporate Whistleblower Awards Pilot Program to cover a broader set of violations, including customs and tariff fraud, immigration breaches, sanctions and export control offenses, and financial flows linked to cartels or terrorism. These tips often fall outside the False Claims Act and may originate from vendors, contractors or foreign affiliates.

Among the fastest-growing sources of whistleblower activity are healthcare and financial services. In healthcare, the DOJ guidance emphasized tips about private-payer fraud, patient safety violations, and investor schemes – areas not covered by the FCA. In financial services, whistleblowers are increasingly turning up in sectors such as banking, cryptocurrency, and investment firms.

The broader scope of violations is reinforced by DOJ’s increasing cross-border cooperation with overseas regulators, such as the UK Financial Conduct Authority (FCA). A report filed in another jurisdiction can be shared with DOJ within hours, triggering parallel investigations. This means multinational companies must ensure that their compliance systems are equipped to respond effectively to tips coming from anywhere in the world – domestic channels or foreign partner’s whistleblower programs. Both DOJ and SEC acknowledge that tips increasingly come from vendors, contractors, and third parties, not just direct employees.

The enforcement math

The updated DOJ’s Corporate Enforcement Policy offers companies that self-report:

• A full declination of prosecution when there are no aggravating factors with company’s full cooperation and timely remediation.
• Up to a 75% fine reduction, no monitorship and a short non-prosecution agreement, even when those factors exist, if they still meet the criteria.
• Up to 50% reduction if misconduct is disclosed after DOJ already knows about it.

These outcomes are illustrated in DOJ’s public flowchart embedded in the May 2025 CEP.

A declination  decision from June of this year underscores this in practice. After uncovering historical sanctions violations committed by a newly acquired company, the acquiring firm voluntarily self-disclosed to the DOJ’s National Security Division, cooperated fully and implemented remedial controls. Despite discovering the issue nearly a year post-acquisition, the DOJ found the disclosure timely and issued a declination. The acquired entity entered into a non-prosecution agreement. This case demonstrates that self-reporting, when done with urgency and transparency, can materially change enforcement outcomes.

Building programs that prevent liability

For many organizations, speak-up programs are still measured by report volume. However, volume alone tells boards and regulators very little. What matters is whether the system leads to meaningful outcomes and whether the company is prepared to act on concerns before they escalate externally. Effective programs are not defined by “checking a box.” They are designed to support early detection, enable self-disclosure and build cultural resilience – factors that influence DOJ cooperation credit under reissued CEP.

The technology behind a speak-up program often determines whether employees will use it and whether leadership will act on it in time. Programs that operate effectively across jurisdictions invest in multilingual platforms, mobile-friendly interfaces, anonymous two-way communication and analytics dashboards that flag systemic issues early, detect outliers and report meaningful insights. These capabilities enhance trust and usability, while also creating audit-ready visibility to support DOJ cooperation credit.

Investing in technology improvement means:

• Training managers to respond appropriately and recognize early red flags.
• Ensuring multi-channel accessibility, including for vendors, contractors and former employees.
• Escalating concerns beyond closing cases to address root-causes.
• Using data and analytics to identify patterns, determine outliers and surface blind spots.
• Aligning internal triage timelines with the DOJ’s enforcement thresholds to preserve cooperation credit.

These capabilities meaningfully impact legal exposure. A program that detects risk too late or mishandles an internal report may disqualify the company from full credit under DOJ policy.

Boards and regulators are focused on program metrics that reflect whether the program drives cultural and behavioral change, rather than merely enabling reporting and investigative activity.

Risk surfaces are expanding

Tips no longer come just employees alone. Vendors, contractors and former employees increasingly submit reports, many through international channels. At the same time, state attorneys general in jurisdictions like California and New York are ramping up False Claims Act enforcement, even as some federal enforcement slows.

International regulators such as the U.K. Financial Conduct Authority evaluate whistleblower programs based on outcomes, not just reports. Similarly, U.S. agencies assess the root-cause analysis and remedial program improvements when evaluating corporate compliance programs. 

If systems miss a warning and a whistleblower reaches regulators first, cooperation credit may be off the table.

Bottom line

A speak-up program is now a legal and reputational risk valve,  designed to release pressure early, redirect risk and prevent catastrophic buildup. The organizations that create visibility and act early stand a better chance of protecting their outcomes and their integrity.

For more on how compliance leaders can strengthen the speak-up and governance strategy,  FTI Technology offers guidance tailored to CCOs, here  ftitechnology.com/roles/chief-compliance-officer.

Related topics:

The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.