Educational only; not legal advice. SPP explains diligence issue-spotting, evidence collection, risk triage, and the accountant and certified-fraud-examiner workflow. It does not give whistleblower filing advice, relator advice, voluntary self-disclosure advice, sanctions opinions, export classifications, CFIUS legal opinions, privilege advice, employment-retaliation advice, or award-eligibility opinions. Regulatory status is current as of drafting (2026-06-16); see the status note at the end.
A buyer can treat a national-security diligence issue as a compliance problem, a pricing problem, or a closing-condition problem. The government may see the same facts through another lens: somebody inside the target, the seller, a counterparty, a bank, a broker, a vendor, or an adviser may already have a financial incentive to report them.
That is the bridge between SPP’s False Claims Act work and this national-security diligence stack. The False Claims Act is the old qui tam model. A relator can sue in the name of the United States for certain false claims and share in the recovery. Dodd-Frank built SEC and CFTC award programs. Congress expanded the anti-money-laundering whistleblower statute. DOJ then launched a Corporate Whistleblower Awards Pilot Program that uses forfeiture proceeds as the award base for certain corporate-crime gaps.
The result is not one unified bounty regime. It is a routing problem.
If the diligence team finds sanctions evasion, Bank Secrecy Act failure, export-control evasion, trade fraud, procurement fraud, corruption, data-security exposure, false claims, or tainted proceeds, the first question is not “who gets paid?” The first question is “which program, if any, could this fact pattern touch, and what evidence must be preserved before counsel makes the filing, disclosure, privilege, and employment-law calls?”
That distinction matters because incentives can collide. A whistleblower may face a 120-day internal-report timing rule under the DOJ pilot. A company that receives an internal whistleblower report may face its own 120-day window under DOJ policy if it wants to preserve a potential declination presumption. FinCEN’s anti-money-laundering whistleblower statute is in force, but FinCEN’s implementing regulations were still proposed as of the April 1, 2026 Federal Register notice, with comments due June 1, 2026. The False Claims Act has a seal, intervention, public-disclosure, and original-source structure. SEC and CFTC have their own forms, covered-action notices, award applications, confidentiality rules, and related-action concepts.
The wrong way to write this article would be to say, “you cannot both self-disclose and collect,” or “every sanctions issue is now a bounty issue,” or “public-source diligence can decide award eligibility.” None of that is precise enough. The correct frame is narrower and more useful: five programs, different triggers, different award bases, different timing issues, one diligence preservation workflow.
For a CPA or certified fraud examiner working buy-side diligence, the skill is not legal routing. The skill is recognizing when the routing question exists. That means preserving the facts, keeping allegation separate from finding, identifying the source authority, marking the timing risk, and escalating before the deal team converts a possible whistleblower or disclosure conflict into an ordinary indemnity negotiation.
This article explains what problem the bounty bridge was built to solve, who runs the major programs, what changed from 2024 to 2026, what triggers the issue in a deal, what the government can do, what a buyer should ask for, what belongs in the risk memo, and when the issue must leave the diligence lane. It also ships a practitioner artifact, the bounty and disclosure decision map, plus an Applied DD Lab exercise that builds a public-authority matrix across the FCA, SEC, CFTC, AML/FinCEN, and DOJ pilot lanes.
What problem this bridge was built to solve
Whistleblower programs solve an information problem. Complex financial misconduct often sits inside private records, private conversations, internal controls, accounting systems, payments, contracts, data rooms, bank files, source-code repositories, customer ledgers, vendor emails, customs entries, sanctions-screening logs, compliance reviews, and legal or audit workstreams. The government cannot see all of that from the outside.
The False Claims Act solved one version of the problem by letting a private person bring a civil action for the person and for the United States when certain false claims or reverse false claims are alleged. That is qui tam. It is not a tip line. It is not a generic bounty. It is litigation, filed under seal, served on the government with a disclosure statement, and subject to intervention, dismissal, settlement, public-disclosure, original-source, and retaliation rules under 31 U.S.C. 3730.
The SEC and CFTC programs solved a different version after Dodd-Frank. They created agency-administered award programs for securities and commodities violations. The whistleblower does not file a qui tam case in the government’s name. The person submits information to the agency and may later apply for an award if the statutory and regulatory conditions are met.
Congress then expanded the anti-money-laundering whistleblower structure. Section 5323 of title 31 covers Bank Secrecy Act matters and, after later amendments, reaches important national-security statutes and related conspiracies, including the International Emergency Economic Powers Act, the Trading with the Enemy Act, and the Kingpin Act. That is why the AML whistleblower program belongs in this section. Sanctions, money laundering, and illicit finance are not side topics. They are core national-security diligence issues.
DOJ’s Corporate Whistleblower Awards Pilot Program fills another gap. The Criminal Division guidance says other programs do not cover the full scope of corporate crime DOJ investigates and prosecutes. The pilot uses a different award base: successful civil or criminal forfeiture. It may apply where original, truthful information in designated corporate-crime areas leads to forfeiture exceeding 1,000,000 dollars in net proceeds, subject to DOJ discretion and the pilot’s eligibility rules.
That architecture creates a practical problem for a buyer. Diligence may uncover facts that are not only risks to the target. They may also be facts someone else can monetize through a reporting program. The target’s compliance officer may have internal knowledge. A former finance employee may know the payment route. A logistics manager may know the export workaround. A vendor may know the sanctioned end user. A bank may have filed a suspicious activity report that the buyer cannot see. A seller may have already received internal complaints. A buyer may find evidence that changes the company’s voluntary self-disclosure posture before closing.
The problem is not that every deal now needs a whistleblower strategy. The problem is that certain diligence findings are timing-sensitive and incentive-sensitive. If the buyer treats them as ordinary diligence exceptions, the deal team can miss a filing deadline, lose a disclosure posture, mishandle privileged material, trigger retaliation exposure, or misstate the risk to the investment committee.
The solution is not to make accountants into whistleblower lawyers. The solution is to build a clean issue-spotting and preservation workflow. The diligence team records what was found, how it was found, which authority class it could implicate, what source backs it, what evidence is missing, what timing issue may exist, and which counsel needs to own the next call.
Who runs, investigates, and enforces the programs
The first institutional distinction is the False Claims Act. FCA cases run through federal courts and DOJ. A relator files a sealed complaint. The government investigates while the case remains under seal and decides whether to intervene. The relator’s share depends on posture. If the government proceeds, 31 U.S.C. 3730 generally sets a 15 to 25 percent range. If the government declines and the relator proceeds, the range is generally 25 to 30 percent. The FCA also carries its own public-disclosure and original-source rules. That is the sibling vertical SPP already built.
The second distinction is the SEC. The SEC Office of the Whistleblower administers the securities whistleblower program. The SEC page states that eligible individuals can receive awards from 10 to 30 percent of money collected when high-quality original information leads to an SEC enforcement action in which more than 1,000,000 dollars in sanctions is ordered. For national-security diligence, the SEC lane can matter when the target or counterparty is an issuer, broker, dealer, investment adviser, fund adviser, securities-market actor, or public-company reporting subject, and the misconduct is really a securities-law issue.
The third distinction is the CFTC. The CFTC whistleblower program handles Commodity Exchange Act matters, including commodities, futures, swaps, derivatives, and related market conduct. The CFTC public page says a whistleblower may be eligible for a percentage of monetary sanctions collected in successful CFTC enforcement actions if the person voluntarily provided original information that led to the action. It also says notices of covered actions are posted for final judgments or settlements above 1,000,000 dollars in monetary sanctions, and that tipsters have 90 days to apply after a notice of covered action. That is a different timing surface from the FCA and DOJ pilot.
The fourth distinction is FinCEN and Treasury, working with DOJ. The anti-money-laundering whistleblower statute sits at 31 U.S.C. 5323. It covers BSA, IEEPA, TWEA, Kingpin Act, and covered-conspiracy matters. The statute sets a 10 to 30 percent award range for collected monetary sanctions in covered or related actions. It also defines monetary sanctions in a way that matters for this series: penalties, disgorgement, and interest are included, but forfeiture, restitution, and victim compensation are excluded. That means the AML/FinCEN lane and the DOJ forfeiture-based pilot can sit next to each other without using the same award base.
The fifth distinction is DOJ’s Criminal Division. The Corporate Whistleblower Awards Pilot Program is managed by the Criminal Division’s Money Laundering and Asset Recovery Section. The DOJ guidance says the pilot is a three-year initiative effective since August 1, 2024, revised May 12, 2025, and subject to extension or modification after the pilot period. DOJ states that awards are discretionary. The public pilot page says a qualifying whistleblower may be eligible where original and truthful information results in a successful prosecution that includes criminal or civil forfeiture.
Those institutional differences are why a diligence memo should not use the generic phrase “bounty exposure” without a routing table. “Bounty” is a shorthand. It is not an authority.
The enforcement agencies also see the evidence differently. DOJ may see forfeitable proceeds or a corporate criminal case. FinCEN may see a covered BSA or sanctions matter. SEC may see issuer disclosure or securities fraud. CFTC may see commodity-market misconduct. DOJ Civil may see a false claim or reverse false claim. A buyer may see all of those facts inside one acquisition file. The diligence team’s job is to separate the lanes before the risk memo goes to the investment committee.
What changed from 2024 to 2026
The programs did not all appear in 2024. The False Claims Act is much older. The SEC and CFTC programs came from Dodd-Frank. The anti-money-laundering whistleblower statute was expanded before this series began. What changed from 2024 to 2026 is the convergence of those incentives with national-security enforcement and buy-side diligence.
First, DOJ launched the Corporate Whistleblower Awards Pilot Program on August 1, 2024. The revised guidance dated May 12, 2025 says the program exists because other whistleblower programs do not cover the full scope of corporate crime DOJ investigates and prosecutes. The pilot’s design matters for this series because it connects awards to forfeiture. If the information leads to civil or criminal forfeiture exceeding 1,000,000 dollars in net proceeds, a qualifying person may be eligible for a discretionary award.
Second, DOJ widened the pilot’s subject-area posture in 2025. The revised guidance includes areas that matter directly to this stack: financial-institution violations, foreign corruption and bribery, domestic corruption, health care offenses outside the core FCA lane, procurement and federal-program fraud outside certain existing lanes, trade, tariff, and customs fraud, immigration-law violations, sanctions offenses, material support of terrorism, cartels, transnational criminal organizations, money laundering, narcotics, and other violations listed in the guidance. The details are program-specific, but the message is clear. DOJ wants tips in gaps.
Third, FinCEN moved toward implementing regulations for the AML whistleblower statute. The Federal Register proposed rule published April 1, 2026 says FinCEN is proposing regulations to implement 31 U.S.C. 5323 and invites comments. Written comments were due June 1, 2026. As of this draft, that means the statute is part of the diligence map, but the implementing rule should be treated as proposed unless re-verified before publish. This is exactly the kind of status-sensitive claim the series dashboard is meant to control.
Fourth, corporate voluntary self-disclosure policy became part of the timing surface. DOJ’s pilot page states that companies that voluntarily self-report within 120 days of receiving an internal whistleblower report may be eligible for a presumption of a declination under the Criminal Division’s corporate enforcement policy if the company reports before DOJ contacts it and satisfies the policy’s conditions. That is a counsel-owned question. The diligence team should not advise whether the company qualifies. It should flag that the clock may exist.
Fifth, the national-security stack widened the kind of findings that can trigger incentive conflict. The older FCA mental model focused on false claims to the government. That still matters, especially for defense contractors, health care companies, grant recipients, customs evasion, procurement fraud, and reverse false claims. But the national-security stack adds sanctions, BSA/AML, export controls, data security, outbound investment, foreign corruption, and forfeiture. Some of those facts may route to FCA. Some may route to FinCEN. Some may route to SEC or CFTC. Some may route to DOJ’s pilot. Some may route nowhere. The buyer should not assume the answer.
The 2024 to 2026 change is therefore not “everything became qui tam.” It is that whistleblower incentives became part of national-security diligence risk. A buyer has to preserve the facts and the posture before legal routing happens.
What trips the wire in a deal
The wire is tripped when diligence finds a fact pattern that could fit one of the program lanes and creates a timing, disclosure, privilege, or evidence-preservation issue. The finding does not need to prove misconduct. It needs to be serious enough that a lawyer should decide the routing.
The first wire is government-money conduct. If the target sells to federal agencies, participates in federal health care programs, receives grants, performs defense or intelligence contracts, enters customs values, claims tariff classifications, certifies sanctions compliance to the government, or makes statements tied to government payment, the FCA question may exist. The diligence team should ask whether the issue is really a false claim, a reverse false claim, or an obligation to pay money to the United States.
The second wire is securities conduct. If the target is an issuer, a public-company subsidiary, a broker, an investment adviser, a fund adviser, or part of a public-company supply chain, and the issue affects disclosures, controls, books and records, investor communications, or market integrity, the SEC lane may exist. A sanctions, corruption, export, or data-security issue can become a securities issue when it is material to issuer disclosure, controls, or statements to investors.
The third wire is commodity or derivatives conduct. If the facts touch swaps, futures, commodities, market manipulation, energy trading, derivatives, or Commodity Exchange Act obligations, the CFTC lane may exist. This is not the most common route in ordinary M&A diligence, but for energy, agriculture, metals, crypto, trading, and financial-services targets, it should not be ignored.
The fourth wire is BSA, sanctions, or illicit-finance conduct. Section 5323 matters when the facts involve BSA, IEEPA, TWEA, Kingpin Act, or covered conspiracies. In this stack, that means AML failures, sanctions evasion, prohibited transactions, suspicious-money movement, sanctions-related facilitation, and certain national-security financial flows. The key status point is that FinCEN’s implementing rule was proposed in 2026 and should be re-checked before the article is published or later refreshed.
The fifth wire is forfeiture-linked corporate crime. DOJ’s pilot matters when the facts fit a listed pilot area and could lead to civil or criminal forfeiture exceeding the threshold. That is why C2 and C3 are paired. If the practical remedy is proceeds forfeiture, and the fact pattern falls outside another award program or only partly fits another program, the DOJ pilot may be relevant. The diligence team should not decide that fit. It should preserve the forfeiture facts and ask counsel to route them.
The sixth wire is internal reporting. If the seller discloses that an employee, vendor, compliance officer, auditor, former executive, or anonymous source made an internal report, the buyer should ask when it happened, who received it, what it alleged, what investigation followed, what documents exist, what counsel has reviewed, and whether any government report has been made. The date matters because some programs and policies use timing rules tied to internal reporting.
The seventh wire is conflicting incentives. A seller may want to delay government disclosure until after close. A buyer may want a pre-close disclosure. A whistleblower may already have reported externally. A company may have opened an internal investigation. Counsel may hold privileged work product. A banker may want the matter framed as a schedule exception. A public-company buyer may have disclosure obligations of its own. This is where a diligence issue becomes a governance issue.
Here is the high-level trigger table:
| Diligence finding | Possible program lane | First evidence to preserve | Escalation owner |
|---|---|---|---|
| False statement tied to federal payment or obligation | FCA | Contract, invoice, certification, claim, refund obligation, disclosure statement facts | FCA counsel |
| Issuer disclosure or securities-control issue | SEC | Public filings, investor materials, accounting records, control memo, board materials | Securities counsel |
| Commodity, swap, futures, or market-conduct issue | CFTC | Trading records, customer communications, Form TCR-relevant facts, market data | CFTC counsel |
| BSA, sanctions, IEEPA, TWEA, Kingpin Act issue | AML/FinCEN | Transaction records, SAR-adjacent facts where lawfully accessible, sanctions screens, payment path | AML or sanctions counsel |
| Corporate crime that may lead to forfeiture | DOJ pilot | Asset trace, proceeds path, public releases, subpoenas, internal investigation record | White-collar counsel |
| Internal whistleblower report already made | Program-specific | Report date, recipient, allegation, investigation steps, counsel involvement | Company counsel |
| Buyer discovers issue pre-close | Multiple | Date found, source, evidence received, evidence missing, decision deadline | Deal counsel and specialist counsel |
The table is not an eligibility chart. It is a triage chart. Its purpose is to prevent the deal team from losing time, privilege, evidence, or posture before counsel is in the room.
What the government can do
Each program has a different remedy and award structure. That is the core reason the article uses a decision map instead of a universal rule.
Under the FCA, the government can investigate a sealed qui tam complaint, intervene, decline, move to dismiss, settle, or litigate. The relator may receive a statutory share if the case produces proceeds. The defendant may face damages, penalties, compliance obligations, exclusion risk in some sectors, and collateral consequences. For diligence, the most important fact is that the FCA is litigation in the government’s name. It can sit under seal while a transaction is moving. A buyer may not know it exists unless the seller discloses it or related facts surface.
Under the SEC program, the Commission can investigate, bring enforcement actions, order monetary sanctions, post notices of covered actions, and make award determinations. The award range is tied to money collected, not merely money ordered. For diligence, the important distinction is that the SEC lane often turns on securities-law posture, issuer status, investor disclosure, controls, books and records, or market conduct. A sanctions or corruption issue may matter to the SEC because it affects a public company’s disclosures or controls, not because the SEC is the sanctions regulator.
Under the CFTC program, the Commission can investigate Commodity Exchange Act violations, bring enforcement actions, post notices of covered actions over the statutory threshold, and make award determinations. The CFTC public page states that notices of covered actions are posted when the Commission obtains a final judgment or settlement for more than 1,000,000 dollars in monetary sanctions, and that tipsters have 90 days to apply after the notice posts. That 90-day award-application timing is different from DOJ pilot internal-report timing and different from FCA seal practice.
Under 31 U.S.C. 5323, the Treasury and DOJ enforcement surface can involve BSA, sanctions, and related national-security statutes. The statute’s award base is collected monetary sanctions. That term is not a generic label. Section 5323 excludes forfeiture, restitution, and victim compensation from monetary sanctions. If a deal team says “the government recovered money, so the AML whistleblower base must include it,” the diligence team should stop and identify the source category. Was it a penalty? Disgorgement? Interest? Forfeiture? Restitution? Victim compensation? The label changes the program analysis.
Under DOJ’s pilot, the award base is forfeiture. The pilot guidance says an individual may be eligible if original truthful information leads to criminal or civil forfeiture exceeding 1,000,000 dollars in net proceeds. DOJ’s public FAQ says the total award available in a case is up to 30 percent of the first 100 million dollars in net proceeds forfeited and up to 5 percent of the next 100 million to 500 million dollars in net proceeds forfeited. It also says an award is made in DOJ’s sole discretion.
The government can also use the information without an award outcome. A tip can open an investigation, materially add to an existing investigation, identify assets, support a forfeiture theory, trigger subpoenas, lead to a parallel agency referral, or reshape a company’s cooperation posture. Award eligibility is not the same as enforcement significance.
That distinction is vital for diligence. A buyer should not ask, “Will someone get paid?” The buyer should ask, “Could these facts already be in a government channel, could they enter one before closing, and what does that do to transaction risk?”
What a buyer should ask for
A buyer should ask for evidence in a way that respects privilege and counsel boundaries. The request list should not demand privileged legal advice or ask management to waive protected work product. It should identify business records, dates, procedures, and non-privileged facts that let counsel evaluate the issue.
Start with the misconduct surface. Ask for the facts behind any sanctions, BSA/AML, export, customs, procurement, health care, securities, commodities, corruption, data-security, or forfeiture issues identified in management interviews, data-room documents, public records, internal audits, compliance logs, hotline reports, customer complaints, vendor disputes, bank inquiries, subpoenas, or government correspondence.
Then ask for internal reporting history. Has the target received any hotline complaint, ethics report, internal whistleblower report, anonymous complaint, compliance escalation, audit finding, quality report, billing complaint, export concern, sanctions concern, money-laundering concern, data-access concern, or retaliation allegation touching the deal period or the target’s material operations? If yes, ask for dates, categories, business owners, investigation status, remediation status, and whether counsel holds privileged materials.
Ask for government-contact history. Has the target, seller, owner, officer, director, employee, agent, broker, bank, customer, supplier, or vendor received a subpoena, civil investigative demand, grand-jury request, agency inquiry, voluntary request, OFAC administrative subpoena, BIS request, FinCEN inquiry, SEC request, CFTC request, DOJ letter, or other government communication related to the issue? Ask for non-privileged descriptions and source documents where available.
Ask for voluntary self-disclosure and cooperation posture. Has the company made, considered, rejected, or reserved any disclosure to DOJ, OFAC, FinCEN, BIS, SEC, CFTC, or another agency? Has outside counsel provided a written analysis? Is any decision deadline tracked? Has the company agreed to cooperate, remediate, discipline, claw back compensation, preserve records, or submit a report?
Ask for award-program triggers without asking for legal conclusions. Do not ask management to opine whether someone is eligible for an award. Ask for facts: internal report dates, external report dates known to the company, categories of misconduct, agencies contacted, whether an employee or third party has identified themselves as a whistleblower, whether any anti-retaliation complaint exists, and whether any program-specific notice has been received.
Ask for evidence preservation. Which systems hold the relevant emails, payment records, sanctions screens, export records, customer invoices, government claims, data-access logs, source-of-funds records, hotline records, internal audit files, board minutes, and remediation files? Are legal holds in place? Were any records deleted under ordinary retention schedules after the issue was known? Were any records moved outside the target’s control?
The buyer’s request list should be practical:
| Request area | Non-privileged records to request | Why it matters |
|---|---|---|
| Internal complaints | Hotline categories, dates, recipients, status, remediation log | Identifies possible 120-day, retaliation, and preservation issues |
| Government contact | Subpoenas, requests, notices, agency correspondence, public docket references | Shows whether facts are already in an enforcement channel |
| Disclosure posture | Non-privileged description of disclosures made or reserved | Shows timing and cooperation risk |
| Program-routing facts | Customer type, government payment, issuer status, commodity activity, BSA/sanctions facts, forfeiture facts | Routes FCA, SEC, CFTC, FinCEN, DOJ pilot questions |
| Evidence map | Systems, custodians, transaction logs, access logs, source documents | Preserves facts for counsel |
| Employment posture | Retaliation allegations, separations, discipline tied to reports | Flags employment and anti-retaliation counsel issues |
| Deal response | Proposed disclosure schedule, CP, covenant, indemnity, escrow, remediation plan | Converts the issue into a transaction decision |
The buyer should assume some material will be counsel-controlled. That is not a failure. The risk memo should record what was withheld as privileged, what factual substitute was provided, and what counsel-to-counsel channel is needed.
What belongs in the risk memo
The bounty and disclosure section of the risk memo should be short, structured, and careful. It should not tell a whistleblower what to do. It should not tell the company whether to self-disclose. It should not claim award eligibility. It should put the facts in a form that counsel can act on.
First, name the underlying issue. Do not write “possible whistleblower problem” as the issue. Write the underlying conduct: possible false claim tied to federal contract certification, possible sanctions evasion through distributor, possible BSA program failure, possible export diversion, possible trade fraud, possible investor disclosure failure, possible data-security restricted transaction, or possible proceeds forfeiture.
Second, identify the possible program lane. Use “possible” and “requires counsel review.” If the facts involve false claims to the United States, write “possible FCA lane.” If the facts involve an issuer or securities-law posture, write “possible SEC lane.” If the facts involve BSA or IEEPA monetary sanctions, write “possible AML/FinCEN lane, final-rule status to be checked.” If the facts involve forfeiture-linked corporate crime, write “possible DOJ pilot lane.” If multiple lanes exist, list each one and explain why.
Third, record the award base distinction. Is the program based on proceeds, money collected, monetary sanctions, forfeiture net proceeds, or a statutory share of FCA proceeds? The award base is not academic. It tells counsel which facts matter. For example, DOJ’s pilot is forfeiture-based. FinCEN’s section 5323 excludes forfeiture from monetary sanctions. That difference changes how the same enforcement matter may be routed.
Fourth, identify timing. Record internal report date, external report date if known, date the buyer discovered the issue, date the seller disclosed it, deal signing date, expected closing date, and any safe-harbor, self-disclosure, or award-claim date counsel identifies. If there is a possible DOJ pilot internal-report issue, flag the 120-day concept. If there is a CFTC notice of covered action, flag the 90-day claim application concept. If there is an FCA seal issue, do not speculate. State that FCA counsel must evaluate.
Fifth, identify evidence and gaps. List what supports the concern and what is missing. Good memo language says “source documents received” and “source documents not yet received.” It does not hide a gap inside a conclusion.
Sixth, identify privilege and role boundaries. If the target has an internal investigation, outside counsel report, or privileged analysis, the memo should avoid demanding privileged content through ordinary diligence. It should state that counsel-to-counsel handling is needed. If an employee or auditor may have acquired information through a privileged, compliance, or audit role, the memo should flag that program-specific exclusions may apply.
Seventh, identify deal response. Options include further diligence, counsel memo, pre-close disclosure analysis, closing condition, special indemnity, escrow, purchase-price holdback, remediation covenant, employment counsel review, legal hold, post-close lookback, or walk-away. The memo should not reduce whistleblower and disclosure risk to a general indemnity unless counsel says that is enough.
A strong memo conclusion looks like this:
“The diligence team identified a possible sanctions and money-laundering issue involving distributor payments and customer end-use statements. The facts could implicate B1 sanctions review, B3 AML review, C2 forfeiture review, and C3 program-routing review. Public and target-provided records do not support an award-eligibility conclusion. Counsel should evaluate OFAC/DOJ disclosure posture, FinCEN section 5323 status, DOJ pilot forfeiture exposure, privilege, and internal-report timing before signing.”
That conclusion does the job. It names the issue, preserves uncertainty, routes the work, and protects the diligence lane.
When to escalate to counsel
Escalation is mandatory when the issue affects filing, disclosure, award eligibility, privilege, retaliation, prosecution risk, or deal timing. That is most of C3.
Escalate to FCA counsel if facts involve federal payment, federal programs, grant funds, procurement, defense contracts, customs underpayment, health care claims, reverse false claims, or certifications to the United States. Public-source research can identify the possible lane. It cannot decide whether a relator action exists, whether a public-disclosure bar applies, whether a person is an original source, or whether a disclosure statement should be made.
Escalate to securities counsel if facts involve an issuer, investor disclosure, accounting controls, books and records, internal controls, investment adviser obligations, broker-dealer conduct, or market statements. A sanctions or data-security issue can become a securities issue when it affects disclosure or controls.
Escalate to CFTC counsel if facts involve swaps, derivatives, futures, commodities, market manipulation, trading platforms, energy trading, agricultural products, metals, crypto derivatives, or Commodity Exchange Act obligations.
Escalate to AML or sanctions counsel if facts involve BSA obligations, money transmission, suspicious activity, customer due diligence, sanctions evasion, blocked property, IEEPA, TWEA, Kingpin Act, outbound-investment sanctions authorities, or data-security enforcement tied to IEEPA. FinCEN’s rule status should be re-checked before any final advice.
Escalate to white-collar counsel if facts involve corporate crime, forfeitable proceeds, foreign corruption, domestic corruption, trade fraud, tariff fraud, procurement fraud, sanctions offenses, material support, cartels, transnational criminal organizations, money laundering, or any DOJ pilot subject area.
Escalate to employment counsel if there is a whistleblower retaliation allegation, employee discipline tied to a report, termination after an internal complaint, severance demand, confidentiality restriction, non-disparagement issue, or any employee who may have reported to an agency.
Escalate to privacy or data-security counsel if the whistleblower facts involve sensitive personal data, government-related data, countries of concern, covered persons, data brokerage, vendor access, employment access, investment access, or DOJ Data Security Program posture.
The short rule is this: once the facts could affect someone’s legal right to report, the company’s legal right to disclose, or the buyer’s legal exposure for inheriting the issue, the matter is out of ordinary diligence and into counsel-led triage.
Practitioner Skill Built By This Article
The skill this article builds is program-specific bounty and disclosure routing for a buy-side diligence memo.
After reading it, a practitioner should be able to recognize when national-security diligence facts may implicate a whistleblower or award program. The signal is not a bad fact alone. The signal is a bad fact plus a possible program lane: federal-payment conduct for FCA, securities conduct for SEC, commodities conduct for CFTC, BSA/sanctions/IEEPA conduct for FinCEN, or forfeiture-linked corporate crime for DOJ’s pilot.
The practitioner verifies the issue against the Authority Ladder. Start with primary law: 31 U.S.C. 3730 for FCA, 31 U.S.C. 5323 for AML/FinCEN, 15 U.S.C. 78u-6 for SEC, 7 U.S.C. 26 for CFTC, and 28 U.S.C. 524(c) plus DOJ guidance for the pilot. Then use agency pages, Federal Register notices, DOJ policy documents, SEC and CFTC program materials, and official enforcement or award notices. Use scholarly, ProQuest, or law-review sources for history and context, not for live program status.
The practitioner can produce a bounty and disclosure decision map, a program-routing section for the risk memo, a non-privileged evidence request list, and a timing issue log. The practitioner cannot file a qui tam complaint, submit a whistleblower tip, apply for an award, decide whether a person is eligible, decide whether a company should self-disclose, interpret privilege, advise on retaliation, or negotiate enforcement posture. Those are counsel decisions.
The issue escalates to counsel when any of the following are present: internal whistleblower report, external agency contact, FCA-like government-payment facts, issuer disclosure issue, CFTC market issue, BSA or sanctions fact pattern, possible forfeitable proceeds, DOJ pilot subject-area facts, employee retaliation allegation, privileged internal investigation, government subpoena, voluntary self-disclosure question, or any timing issue tied to signing, closing, internal reporting, covered-action notice, or award application.
Practitioner artifact: Bounty and disclosure decision map
Use this artifact as a routing aid. It is not an award-eligibility tool.
| Step | Question | Evidence to record | Possible lane | Counsel owner |
|---|---|---|---|---|
| 1 | Does the issue involve money owed to, paid by, or falsely certified to the United States? | Contract, invoice, claim, certification, refund obligation, grant, customs entry | FCA | FCA counsel |
| 2 | Does the issue involve an issuer, securities statement, investor communication, adviser, broker, or control failure? | Filings, board materials, investor deck, accounting record, control memo | SEC | Securities counsel |
| 3 | Does the issue involve commodities, futures, swaps, derivatives, or market conduct? | Trade records, market communications, commodity exposure, platform records | CFTC | CFTC counsel |
| 4 | Does the issue involve BSA, sanctions, IEEPA, TWEA, Kingpin Act, or related conspiracies? | Payment records, sanctions screens, customer files, CDD records, government inquiry | AML/FinCEN | AML or sanctions counsel |
| 5 | Does the issue involve corporate crime that may lead to civil or criminal forfeiture? | Asset trace, proceeds path, forfeiture source, subpoena, public release | DOJ pilot | White-collar counsel |
| 6 | Has anyone internally reported the issue? | Report date, recipient, allegations, investigation status, remediation status | Program-specific | Company counsel |
| 7 | Has the company already contacted an agency or received agency contact? | Agency, date, communication type, current posture | Program-specific | Deal counsel plus specialist |
| 8 | Does the deal calendar create a timing conflict? | Signing date, closing date, report date, disclosure deadline, claim window | Program-specific | Deal counsel |
| 9 | Is privilege or retaliation implicated? | Counsel involvement, legal hold, employment action, protected complaint | Program-specific | Litigation and employment counsel |
| 10 | What can the diligence team conclude? | Evidence received, gaps, source posture, unresolved issues | Lead only | Diligence lead drafts, counsel decides |
The map should end with one of four memo labels:
| Label | Meaning |
|---|---|
| No current program signal | Facts reviewed do not show a clear program-routing issue, subject to later evidence |
| Possible program signal | Facts suggest one or more lanes; counsel must evaluate |
| Timing-sensitive signal | Internal report, agency contact, covered-action notice, or deal deadline makes timing urgent |
| Counsel-controlled signal | Privilege, retaliation, self-disclosure, award eligibility, or filing posture is active |
The safest label is often “possible program signal.” That is not weak. It is accurate. The purpose of diligence is to get the right expert to the right facts before the deal commits.
Applied DD Lab: Replicate the Screen
The C3 Applied DD Lab builds a comparison matrix across the FCA, SEC, CFTC, AML/FinCEN, and DOJ pilot lanes. It does not tell a reader where to file. It does not score award eligibility. It does not decide disclosure strategy. It teaches the first data habit: keep program authority, covered conduct, award trigger, award base, timing issue, and escalation owner in separate columns.
Dataset: data/sample/c3_whistleblower_programs.csv in the companion repo. The rows are curated from public authority sources. They do not contain client data, target names, private facts, or legal advice.
Code: src/ns_diligence/award_matrix.py.
Run:
python -m ns_diligence.award_matrix \
data/sample/c3_whistleblower_programs.csv \
data/redacted_outputs/c3_bounty_program_matrix.csvSample output:
| Program | Lead agency | Award trigger | Award range | Diligence use |
|---|---|---|---|---|
| FCA | DOJ and federal courts | Successful action or settlement of the claim | 15 to 25 percent if government proceeds; 25 to 30 percent if government declines | Identify whether national-security facts are really government-payment facts |
| SEC | SEC | SEC action with more than 1,000,000 dollars in sanctions ordered | 10 to 30 percent of money collected | Identify issuer or securities-market posture |
| CFTC | CFTC | Covered or related action above threshold | 10 to 30 percent of monetary sanctions collected | Identify commodities, derivatives, swaps, or market-manipulation lane |
| AML | FinCEN, Treasury, and DOJ | Covered or related action above threshold | 10 to 30 percent of collected monetary sanctions, excluding forfeiture, restitution, and victim compensation | Identify BSA, sanctions, outbound, data-security, or IEEPA-linked facts |
| DOJ | DOJ Criminal Division | Successful forfeiture exceeding 1,000,000 dollars in net proceeds | Up to 30 percent of first 100 million dollars and up to 5 percent of the next 100 million to 500 million dollars | Identify forfeiture-linked corporate-crime gaps |
What the lab can show: a reproducible way to turn public program authorities into a routing matrix. It trains the reader to separate program name, lead agency, covered conduct, award trigger, award base, filing path, timing issue, diligence use, and escalation note.
What the lab cannot show: whether a whistleblower is eligible, whether a company should self-disclose, whether a qui tam complaint exists, whether privilege applies, whether retaliation occurred, whether a person can report anonymously, whether a person is protected, whether an award will be paid, or whether a buyer can rely on any particular disclosure posture.
When to escalate from the lab result: any row that matches live deal facts; any matter with an internal report date; any agency contact; any government-payment, sanctions, BSA, export, securities, commodities, data-security, or forfeiture fact; any deal term that assumes the issue is only a price adjustment; any request by management to delay, narrow, or avoid a government disclosure decision.
The lab is deliberately modest. It does not replace counsel. It makes the counsel question easier to see.
Terms used in this article
The full glossary lives in the section’s master glossary; the terms you need for this piece:
- Qui tam: a whistleblower suit brought on behalf of the government, as under the False Claims Act.
- Relator: the private person who brings a False Claims Act qui tam action in the name of the United States.
- Original information: information derived from independent knowledge or independent analysis, subject to program-specific exclusions.
- Original source: a False Claims Act concept for a person who has qualifying independent knowledge or materially adds to public information and voluntarily provides it to the government as the statute requires.
- Public-disclosure bar: a False Claims Act rule that can block a qui tam case based on publicly disclosed allegations or transactions unless an exception applies.
- Covered action: an enforcement action that meets a program’s threshold for a potential award claim.
- Related action: a second government action connected to original information and potentially award-eligible under some programs.
- Monetary sanctions: collected penalties, disgorgement, and interest used by some programs as the award base; under 31 U.S.C. 5323, forfeiture, restitution, and victim compensation are excluded.
- DOJ Corporate Whistleblower Awards Pilot Program: the DOJ Criminal Division pilot that may pay discretionary awards when original, truthful information in listed corporate-crime areas leads to successful forfeiture.
- AML whistleblower program: the FinCEN/Treasury program under 31 U.S.C. 5323 for BSA, sanctions, IEEPA, TWEA, Kingpin Act, and covered-conspiracy matters.
- Declination: a DOJ decision not to prosecute a company, sometimes available as a presumption under current corporate enforcement policy when all conditions are met.
- Voluntary self-disclosure: a company disclosure to the government before or within program-specific timing rules, evaluated under the relevant agency policy.
Selected sources
- 31 U.S.C. 3730, False Claims Act civil actions, https://uscode.house.gov/view.xhtml?req=%28title%3A31+section%3A3730+edition%3Aprelim%29
- 31 U.S.C. 5323, whistleblower incentives and protections, https://uscode.house.gov/view.xhtml?req=%28title%3A31+section%3A5323+edition%3Aprelim%29
- 15 U.S.C. 78u-6, securities whistleblower incentives and protection, https://uscode.house.gov/view.xhtml?req=%28title%3A15+section%3A78u-6+edition%3Aprelim%29
- 7 U.S.C. 26, commodity whistleblower incentives and protection, https://uscode.house.gov/view.xhtml?req=%28title%3A7+section%3A26+edition%3Aprelim%29
- 28 U.S.C. 524(c), Department of Justice Assets Forfeiture Fund authority, https://uscode.house.gov/view.xhtml?req=%28title%3A28+section%3A524+edition%3Aprelim%29
- DOJ Corporate Whistleblower Awards Pilot Program, https://www.justice.gov/criminal/criminal-division-corporate-whistleblower-awards-pilot-program
- DOJ Corporate Whistleblower Awards Pilot Program guidance, issued 2024-08-01 and revised 2025-05-12, https://www.justice.gov/criminal/media/1400041/dl?inline=
- DOJ memorandum on focus, fairness, and efficiency in the fight against white-collar crime, 2025-05-12, https://www.justice.gov/opa/media/1400141/dl?inline=
- DOJ Department-wide Corporate Enforcement and Voluntary Self-Disclosure Policy, https://www.justice.gov/dag/media/1430731/dl?inline=
- FinCEN Whistleblower Program, https://www.fincen.gov/whistleblower-program
- FinCEN proposed rule, Whistleblower Incentives and Protections, 91 FR 16328, published 2026-04-01, https://www.federalregister.gov/documents/2026/04/01/2026-06271/whistleblower-incentives-and-protections
- SEC Whistleblower Program, https://www.sec.gov/enforcement-litigation/whistleblower-program
- CFTC Whistleblower Program, https://www.whistleblower.gov/
Status note
Last reviewed: 2026-06-16.
Next scheduled review: 2026-09-16.
Current watch items: FinCEN final rule for 31 U.S.C. 5323; DOJ Corporate Whistleblower Awards Pilot Program extension or modification before or after 2027-08-01; DOJ covered-action and award notices; SEC and CFTC annual reports and award determinations; DOJ corporate voluntary self-disclosure policy updates; national-security, sanctions, export-control, and data-security enforcement matters with whistleblower or forfeiture posture.
By Noah Green CPA CFE, for Sheepdog Prosperity Partners. Educational only; not legal advice. SPP explains diligence issue-spotting, evidence collection, risk triage, and the accountant and certified-fraud-examiner workflow. SPP does not give whistleblower filing advice, relator advice, voluntary self-disclosure advice, sanctions opinions, export classifications, CFIUS legal opinions, privilege advice, employment-retaliation advice, or award-eligibility opinions.