AI Analytics

Technical writing

The DPA database: every federal deferred prosecution agreement since 1992

· 9 min read· AI Analytics
Regulatory dataDOJCorporate prosecutionDPAWhite-collar crime

Deferred Prosecution Agreements are how the United States government resolves most major corporate criminal investigations. The agreements are public. A comprehensive list of them was not — until Duke Law School built one by suing DOJ.

What DPAs and NPAs are

A Deferred Prosecution Agreement is a negotiated resolution between the Department of Justice and a corporation under criminal investigation. DOJ files criminal charges in court, then agrees to defer prosecution for a specified period — typically two to three years — if the company meets a set of conditions: paying a fine, admitting a statement of facts, installing an independent compliance monitor, and cooperating with ongoing investigations. If the company complies for the full term, DOJ moves to dismiss the charges. If it breaches, prosecution resumes.

A Non-Prosecution Agreement is structurally similar but no charges are filed. The company enters into a contract with DOJ that imposes the same obligations — fine, monitor, cooperation — without a docket entry in any court. NPAs are even less visible than DPAs because there is no court record to search.

Both mechanisms exist because a criminal conviction of a corporate entity triggers collateral consequences that can be disproportionate to the underlying conduct: loss of federal contracting eligibility, loss of banking licenses, debarment from Medicare and Medicaid, and, in some industries, mandatory license revocation. Arthur Andersen's indictment and collapse in 2002 — which destroyed 85,000 jobs before the Supreme Court reversed the conviction — is the canonical case study that accelerated DOJ's shift toward deferred resolution.

The Corporate Prosecution Registry

The Corporate Prosecution Registry is maintained jointly by Duke Law School and the University of Virginia School of Law at corporate-prosecution-registry.com. It covers every US federal organizational prosecution since 1992 and every DPA and NPA since 1990. As of 2026, the registry contains more than 3,000 entries.

The dataset is downloadable as a CSV with an accompanying data dictionary. It was built primarily by Brandon Garrett at Duke Law School and has been maintained in collaboration with journalists and researchers at UVA. The registry is the most comprehensive public record of federal corporate criminal enforcement that exists.

Data structure

Each record in the registry includes the following fields:

  • Company — the named defendant or party to the agreement.
  • Parent Company — ultimate parent where identifiable.
  • Industry — sector classification.
  • Violation Type — the underlying offense category (FCPA, fraud, antitrust, environmental, tax, etc.).
  • Court — district court where charges were filed, for DPAs.
  • Prosecutor — the DOJ division or US Attorney's Office responsible.
  • Case Date — date of the agreement or charge.
  • Disposition — DPA, NPA, Guilty Plea, Conviction, or Acquittal.
  • Fine Amount — total financial penalty, in USD.
  • Monitor — boolean flag for whether an independent compliance monitor was required.
  • Monitor Name — the appointed monitor's name or firm, where disclosed.
  • Duration — the term of the agreement in months.
  • Breach — whether the company subsequently breached the agreement.
  • Notes — free-text field capturing superseding resolutions, related cases, and public source citations.

Patterns in the data

Healthcare dominates by dollar value, accounting for roughly 32% of all DPA and NPA financial penalties. The largest healthcare resolutions include GlaxoSmithKline's $3 billion agreement in 2012 (off-label drug promotion and kickbacks to physicians), Purdue Pharma's $8.3 billion resolution in 2020 (OxyContin marketing and the opioid epidemic), and Johnson & Johnson's $2.2 billion resolution in 2013 (off-label promotion of Risperdal and Invega).

Banking is the second-largest sector by dollar value. HSBC entered a $1.9 billion DPA in 2012 for laundering money for Mexican drug cartels and processing transactions for sanctioned countries. Deutsche Bank settled for $7.2 billion in 2017 over mortgage-backed securities fraud. Goldman Sachs paid $2.9 billion in 2020 in connection with the 1MDB sovereign wealth fund scandal. Technology and defense contracting have grown as a share of total DPA volume since 2018.

Foreign Corrupt Practices Act cases account for approximately 40% of all DPAs and NPAs by count. The FCPA prohibits US companies and certain foreign companies from bribing foreign government officials; DOJ and the SEC enforce it jointly. FCPA enforcement generates some of the largest individual DPAs and has expanded steadily as DOJ has brought cases in Latin America, Africa, and Southeast Asia.

The compliance monitor track record

A compliance monitor is an independent third party appointed under a DPA to oversee the company's compliance program for the term of the agreement. Monitor appointments are made by DOJ, typically from a list of candidates proposed by the company. Monitor fees are not publicly disclosed but are paid by the company; estimates from practitioners range from $5 million to $50 million or more per assignment depending on the company's size and the complexity of the remediation required.

The registry's monitor and breach fields, taken together, allow analysis of which monitors presided over subsequent compliance failures. Notable breaches include Boeing's 2022 breach of its 2021 737 MAX DPA — DOJ filed new charges after determining Boeing had violated the agreement's anti-fraud provisions — and Cognizant Technology's breach related to ongoing FCPA violations discovered after the initial agreement. Several generic pharmaceutical manufacturers entered into DPAs related to price-fixing conspiracies and subsequently had monitoring obligations extended when DOJ identified continuing violations among related entities.

The DOJ FOIA fight

The registry exists in part because DOJ resisted compiling one. When Brandon Garrett and colleagues submitted FOIA requests for a comprehensive list of DPAs and NPAs, DOJ initially refused, arguing that producing such a list would require “creating a new record” rather than releasing an existing one. This is a specific FOIA exemption: agencies are not required to create records that do not exist, only to produce records they have. DOJ's position was that no master list of its own deferred prosecution agreements existed.

After litigation, public pressure, and reporting by Jesse Eisinger at ProPublica, DOJ began publishing a partial list of DPAs on its website. The partial list remains incomplete. The Corporate Prosecution Registry includes agreements not on DOJ's official list, identified through searches of PACER (the federal court filing system), US Attorney press releases, company SEC disclosures, and FOIA requests to individual district offices. The delta between DOJ's official list and the registry is the documentary evidence of what “transparency” looks like when an agency controls the record.

Cross-reference power

The Corporate Prosecution Registry becomes substantially more useful when joined against other federal regulatory datasets:

  • Registry + FARA. The FARA dataset covers entities registered as agents of foreign principals. Which companies operating under a DPA — particularly an FCPA DPA — are simultaneously registered as foreign agents? The overlap is small but high-risk.
  • Registry + SEC enforcement. Many DPAs are accompanied by parallel SEC civil resolutions. Joining the two datasets reveals which companies faced both criminal deferred prosecution and civil enforcement simultaneously, and how the financial penalties were allocated between DOJ and SEC.
  • Registry + OFAC. Which companies that entered into DPAs — including HSBC, whose DPA explicitly covered sanctions violations — have OFAC-designated subsidiaries or named principals? The compliance monitor requirement is supposed to prevent recurrence; OFAC cross-reference tests whether it did.
  • Registry + SAM.gov exclusions. DPAs and NPAs are designed in part to avoid triggering debarment. Joining against SAM.gov exclusions shows which companies ended up debarred despite a deferred resolution, often through agency-level suspension actions independent of DOJ.

Access

The dataset is available via the Federal Regulatory Data Hub API at https://api.ai-analytics.org/datasets/corporate-prosecution-dpa. The endpoint returns records from the Corporate Prosecution Registry indexed for entity-resolved search by company name, parent company, industry, violation type, disposition, and date range.

# All DPAs in the healthcare sector
curl https://api.ai-analytics.org/datasets/corporate-prosecution-dpa\
  ?industry=healthcare&disposition=DPA

# All resolutions involving a monitor that subsequently breached
curl https://api.ai-analytics.org/datasets/corporate-prosecution-dpa\
  ?monitor=true&breach=true

# FCPA cases since 2015, sorted by fine descending
curl https://api.ai-analytics.org/datasets/corporate-prosecution-dpa\
  ?violation_type=FCPA&date_from=2015-01-01&sort=fine_desc

# Full record for a specific company (entity-resolved)
curl https://api.ai-analytics.org/datasets/corporate-prosecution-dpa\
  ?company=Goldman+Sachs

Records include the original source citations used to compile each entry — PACER links, DOJ press release URLs, and SEC cross-references where applicable — in a_sources array on each result object. The dataset refreshes monthly as new resolutions are filed and the registry is updated.

For how FARA registrations cross-reference with corporate prosecution data: FARA: the complete foreign agent registration dataset, machine-readable →

For the compliance screening endpoint that incorporates DPA history into a unified risk score: Compliance screening across 30+ federal enforcement lists: how the risk score works →