Monday, January 26, 2026

DOJ FCPA priorities in 2025: what to expect in 2026

Written by
Iratxe Gurpegui

If you support a France- or Spain-headquartered group with any US touchpoints (US investors, US subsidiaries, USD payments, US-listed securities, or business routed through the US financial system), the US Department of Justice (DOJ) still matters for your anti-corruption program, even when the underlying conduct happens elsewhere.

What shifted in 2025 was not a rewrite of the Foreign Corrupt Practices Act (FCPA) itself, but a different enforcement posture: prosecutors increasingly frame foreign bribery as a threat to US interests (fair markets, national security, sanctions integrity, and supply chains), and they expect faster, more data-driven cooperation and remediation.

This article translates those 2025 signals into practical 2026 work for compliance officers and in-house legal teams, with an emphasis on audit-ready evidence and cross-border alignment (Sapin II, ISO 37001, UNE 19601).

What changed in 2025 (in practice, not in theory)

If you read DOJ’s public materials, the direction has been consistent: reward early, credible self-disclosure and cooperation, and penalize weak controls, slow remediation, and repeat misconduct.

In 2025, the day-to-day impact for companies was mainly visible in how matters were investigated and negotiated:

  • More scrutiny of foreign companies whose conduct harms US interests (even if the “center of gravity” is outside the US), especially when there is a plausible US nexus.
  • Higher expectations on speed and completeness of cooperation, including access to communications data and the ability to explain decisions with evidence.
  • A stronger “effectiveness” lens: not just whether you have policies, but whether controls are owned, tested, and enforced.

Helpful primary sources to anchor this:

  • DOJ’s FCPA resource guide (second edition) (DOJ/SEC)
  • DOJ Criminal Division’s evaluation of corporate compliance programs (ECCP)
  • DOJ Criminal Division’s corporate enforcement and voluntary self-disclosure policy (CEP)

The 2025 priority signals that will show up in 2026

Think of 2026 as the year your “paper posture” will be stress-tested: can you produce reliable, time-stamped evidence that your program works, across countries, in the systems people actually use?

Priority 1: A broader “US interest” framing and more aggressive jurisdiction theories

For non-US companies, the practical question is rarely “do we operate in the US?” It is “do we have any US hook that prosecutors can use?”

Common hooks include:

  • US issuers (including ADRs) and related SEC reporting obligations
  • US subsidiaries or employees involved in the business process
  • USD payments cleared through US correspondent banking
  • Meetings, calls, emails, or approvals routed through US-based systems or personnel

Why this matters in 2026: when DOJ views the impact as touching US interests, it becomes easier to justify prioritization and cross-border coordination.

What to do now: create a simple “US nexus map” tied to your high-risk processes (sales agents, distributors, tenders, customs, licensing, donations, and sponsorships). This should not be a legal memo only. It should be operational and maintained.

Priority 2: Individuals first, and cooperation that identifies who did what

DOJ has long emphasized individual accountability. In 2025, companies felt this in the form of detailed requests for decision trails: who approved the third party, who signed off on exceptions, who overrode controls, who reviewed red flags.

What to do now: ensure your controls produce evidence of human decisions, not just final outcomes.

Good evidence patterns include:

  • approvals with recorded rationale
  • documented red-flag review notes
  • exception logs with time stamps and ownership
  • clear escalation trails

This also aligns well with ISO 37001’s focus on documented procedures and control ownership.

Priority 3: Communications data, personal devices, and ephemeral messaging

The ECCP explicitly asks whether companies have effective policies and controls around business communications, including messaging apps and personal devices, and whether companies can preserve and provide data when needed.

In 2026, expect this to remain a friction point for EU companies because Europe imposes privacy, labor, and works council constraints.

What to do now (practical and defensible):

  • Define which channels are approved for business
  • Prohibit (or tightly control) ephemeral messaging for business discussions
  • Implement retention rules that match risk (not “retain nothing”)
  • Test, at least annually, whether you can retrieve relevant messages from key roles
  • Document the legal basis and governance for data access (work rules, BYOD policies, information notices)

The goal is not “surveillance.” It is auditability and the ability to investigate credibly.

Priority 4: Third parties remain the fastest path to an FCPA problem

If you operate internationally, your risk is often concentrated in third parties: agents, distributors, customs brokers, lobbyists, local consultants, and subcontractors.

In 2026, the expectation is not just onboarding due diligence, but continuous ownership:

  • Are third parties still active?
  • Are they paid in line with contract and services?
  • Are red flags re-assessed when facts change (country, scope, beneficial ownership, use of sub-agents)?

For European companies, this matches similar third-party due diligence required by local frameworks (e.g. Loi Sapin II or Art. 31 bis of the Spanish Criminal Code).

Priority 5: M&A integration and “safe harbor” thinking

DOJ has encouraged timely post-acquisition remediation and disclosed a formal “safe harbor” approach for certain voluntary self-disclosures in the M&A context (announced publicly in 2023 and operationalized thereafter).

In 2025, this translated into a clearer market expectation: you need a repeatable playbook for pre-close diligence and post-close integration, with milestones and proof.

What to do now: set a 100-day post-close compliance integration plan for higher-risk acquisitions (training, third-party resets, payments controls, hotline rollout, gifts and hospitality rules, and transaction testing).

Priority 6: Effectiveness over existence, with measurable incentives and discipline

DOJ materials increasingly emphasize whether compliance is resourced, empowered, and able to drive consequences.

In 2026, be ready to show:

  • How you test control effectiveness (not just design)
  • How you remediate and track to closure
  • What KPIs you report to leadership and how leadership reacts

This is exactly where “audit-ready evidence” becomes your strongest defense.

A one-page view: 2025 signals to 2026 actions

| 2025 priority signal | What it likely means for 2026 | Evidence to have ready |
| --- | --- | --- |
| Foreign bribery framed as harming US interests | More cases with cross-border facts and aggressive nexus arguments | US nexus map, entity charts, payment flows, key systems list |
| Faster cooperation expectations | Shorter timelines to produce structured evidence | Investigation playbook, legal hold process, evidence library, retrieval tests |
| Focus on individuals | Deeper requests on approvals and decision trails | Approval logs, exception register, red-flag review notes, delegation matrices |
| Messaging and personal device scrutiny | Questions on retention, access, and policy enforcement | Communications policy, retention settings, sampling results, governance docs |
| Third-party risk as a core driver | More scrutiny on ongoing monitoring and payments | Due diligence files, contract clauses, invoice substantiation, monitoring alerts |
| M&A integration emphasis | Pressure to remediate acquired risks quickly | 100-day plan, integration tracker, training records, transaction testing |
| Effectiveness and incentives | “Show me it works” interviews and data requests | Control testing reports, remediation SLAs, disciplinary evidence, KPI packs |

A practical decision tree: should we consider voluntary self-disclosure?

This is a simplified triage tool for compliance and legal teams. It does not replace external counsel, but it helps you structure the first 72 hours.

Step 1: Confirm the potential US hook

If there is no plausible US nexus, DOJ risk may be lower, but consider other regimes (France: Sapin II, PNF; Spain: Penal Code/UNE 19601; UK Bribery Act; multilateral development banks).

If there is a plausible US hook, continue.

Step 2: Confirm what you actually know

  • Do we have credible indicators of improper payments or intent?
  • Do we have books and records issues (false descriptions, unsupported invoices, off-book arrangements)?
  • Do we have senior involvement or control override?

If facts are unclear, prioritize preservation and scoped fact-finding.

Step 3: Assess immediacy and containment

  • Is there an ongoing payment stream that must be stopped?
  • Are documents or messages at risk of deletion?
  • Is the third party still interacting with public officials?

If yes, implement immediate containment actions and document them.

Step 4: Evaluate the disclosure pathway

  • Is there a realistic risk the issue will surface externally (whistleblowing, counterparties, auditors, M&A, press, regulator)?
  • Can we investigate quickly enough to make a credible disclosure?

If yes, voluntary self-disclosure may be a strategic option, and timing becomes critical.

For the underlying policy framework, start with DOJ’s corporate enforcement policy and align your decision record to its criteria.

The 2026 evidence pack: what to prepare before anyone asks

Many compliance teams in mid-caps and large groups struggle not with controls, but with retrieving proof quickly and consistently across countries.

A practical “FCPA readiness evidence pack” (also useful for other jurisdictions) typically includes:

  • Risk assessment and risk map, including methodology, workshops, and updates
  • Third-party due diligence files for the top risk tiers
  • Gifts, hospitality, travel, and sponsorship controls, including registers and approvals
  • Accounting controls and sample-based testing evidence
  • Training coverage for high-risk roles, plus effectiveness checks (scenario tests, manager attestations)
  • Hotline metrics and case management governance (triage rules, investigation SLAs, remediation closure)
  • M&A integration tracker for recent acquisitions
  • Communications and retention policy, plus proof it is enforced

[Figure: a four-step diagram showing “risk scenarios” feeding into “controls”, then into “evidence”, and finally into “board reporting”, with arrows indicating a continuous loop for monitoring and improvement.]

Avoid running parallel programs

A recurring operational problem is running “US-style FCPA controls” on one side and “local compliance” (e.g. Sapin II, UNE 19601) on the other.

A more efficient approach is to use one control framework and show equivalence through mapping.

How Naltilia can help

If your main pain is operational proof, Naltilia can support 2026 readiness by automating parts of risk mapping workflows, tracking remediation actions, and centralizing evidence for key controls (third parties, gifts and hospitality, training, and monitoring). This can reduce time spent chasing documents across countries and help you produce consistent KPI packs for leadership and audits.

If you want to sanity-check your current evidence trail against 2026 expectations, you can start with a scoped pilot on one high-risk process.

Frequently asked questions

Are DOJ FCPA priorities relevant if we are headquartered in France or Spain?
Yes, if there is a plausible US nexus (issuer status, US subsidiary involvement, USD payment flows, or US-based approvals/communications). Even without a DOJ case, these expectations often influence auditors, banks, and counterparties.

What is the biggest “new” operational expectation going into 2026?
The ability to produce credible evidence quickly: decision trails, communications preservation readiness, and control effectiveness testing, not just policy libraries.

How do we reconcile GDPR and labor constraints with DOJ requests for communications data?
Typically by building a governed, transparent framework in advance: approved channels, retention rules, Bring-Your-Own-Device (BYOD) guidance, works council engagement where required, and tested retrieval procedures. Involve privacy and labor counsel early.

What should we prioritize if we have limited resources?
Third parties, payments and books-and-records controls, and a small set of high-value effectiveness tests with documented remediation. These areas tend to move both DOJ and AFA/ISO conversations.

Does ISO 37001 help with FCPA risk?
Generally yes, because it structures an anti-bribery management system with risk assessment, controls, training, reporting, and monitoring. You still need to tailor for US nexus topics (communications data readiness, faster disclosure decisioning).

This article is general information, not legal advice.

About the Author

Iratxe Gurpegui

I've spent 20 years as a compliance and competition lawyer across Europe and Latin America, and throughout my career, I've seen firsthand how complex and costly regulations can hold companies back. But I've also learned that compliance doesn't have to be a burden; it can be a strategic advantage. My mission is to help companies harness the power of AI, transforming compliance into something faster, simpler, and most importantly, a real driver of growth for businesses.