Corporate Prosecution Registry: DPAs, NPAs, and the Too-Big-to-Jail Database

The Corporate Prosecution Registry is the most comprehensive public record of how the United States federal government resolves criminal cases against corporations. Maintained by law professor Brandon Garrett—now at Duke Law, formerly at the University of Virginia—it tracks every federal corporate criminal resolution since 1990: deferred prosecution agreements, non-prosecution agreements, guilty pleas, and declinations with disgorgement. More than 400 resolutions are catalogued, representing over $30 billion in total fines. The dataset is freely available for bulk download and is the authoritative academic source for the study of corporate criminal enforcement in the United States.

What the registry covers

The Corporate Prosecution Registry began as a research project tracking the then-novel practice of deferred prosecution agreements, which the Department of Justice had begun using systematically in corporate cases starting in the early 1990s. Garrett's scholarship on the subject—particularly his 2014 book Too Big to Jail: How Prosecutors Compromise with Corporations—drew sustained attention to the gap between how the DOJ prosecuted individual defendants and how it handled large corporations. The registry grew from a manually curated spreadsheet into a structured relational database.

Each record in the registry contains: company name and parent company, industry classification, the specific criminal charge or statute violated, the resolution type (DPA, NPA, guilty plea, or declination with disgorgement), the DOJ division that handled the matter (Criminal Division in Washington or a United States Attorney's Office), the year of resolution, the fine and penalty amount, whether a compliance monitor was required and the monitor's name, a summary of the compliance program requirements imposed, whether the company self-disclosed the underlying conduct, and the cooperation credit granted by DOJ. This level of structured detail makes the registry far more useful for analysis than reading individual DOJ press releases.

The bulk download is available at lib.law.virginia.edu/Garrett/corporate-prosecution-registry/ in both CSV and Excel format. Researchers at UVA Law and Duke Law update the registry as new resolutions are announced. The registry complements but does not duplicate the SEC's Accounting and Auditing Enforcement Releases (AAERs), which cover civil enforcement by the Securities and Exchange Commission in parallel with many DOJ criminal resolutions.

The three resolution types

Deferred Prosecution Agreements

A deferred prosecution agreement is a formal contract between the DOJ and a corporate defendant. The government files criminal charges against the company in federal district court—the indictment or information appears in the public docket—but simultaneously agrees to defer prosecution for a defined period, typically two to three years, provided the company meets specified conditions. Those conditions uniformly include: payment of a financial penalty, admission of a statement of facts describing the criminal conduct, implementation of a compliance program, cooperation with ongoing government investigations, and often the retention of an independent compliance monitor.

If the company satisfies its obligations during the deferral period, the government moves to dismiss the charges. The prosecution never proceeds; no conviction is entered. If the company breaches the agreement—by engaging in new misconduct, failing to implement required compliance measures, or obstructing DOJ oversight—the government can resume prosecution on the original charges, with the company's signed statement of facts available as evidence. This asymmetry gives DOJ substantial ongoing leverage over the company during the deferral period.

The DPA structure was borrowed from individual defendant practice, where deferred prosecution has long been used for first-time offenders in relatively minor cases. Its application to large corporations was pioneered by prosecutors in the 1990s as a way to punish corporate misconduct while avoiding the severe collateral consequences that a criminal conviction would trigger. An actual conviction can result in debarment from federal contracting, revocation of professional licenses, exclusion from Medicare and Medicaid, and in the case of banks and broker-dealers, the loss of regulatory permissions necessary to operate.

Non-Prosecution Agreements

A non-prosecution agreement is the most favorable outcome a corporate defendant can achieve short of a full declination. Under an NPA, the government agrees not to file charges at all in exchange for the company's agreement to pay a penalty, admit a statement of facts, cooperate with related investigations, and implement compliance reforms. Because no charges are filed, an NPA does not appear in any court docket; the agreement exists as a letter from the DOJ to the company's counsel. NPAs are less transparent than DPAs and were historically subject to minimal judicial oversight.

The distinction between a DPA and an NPA is not merely formal. NPA companies face fewer collateral consequences: because no charges were filed, there is no criminal record even in the interim period, and the risk of the prosecution resuming if the agreement is breached is lower in practice (the government would need to build its case anew rather than simply lifting a stay). NPAs are therefore typically reserved for companies with stronger cooperation records, stronger compliance programs at the time of resolution, and less egregious underlying conduct relative to DPA candidates.

Guilty Pleas

An actual corporate guilty plea is a criminal conviction. The company admits guilt to one or more criminal counts, a judgment of conviction is entered by the court, and the company is sentenced. Guilty pleas are increasingly rare for large corporations precisely because the collateral consequences can be existential. A bank that pleads guilty to a felony may face mandatory exclusion from certain regulatory programs; a defense contractor that pleads guilty faces potential debarment from federal contracting; a pharmaceutical company that pleads guilty may face exclusion from Medicare and Medicaid reimbursement—a consequence that would render the business inoperable.

DOJ regulators have historically worked with the relevant licensing agencies to waive or limit these consequences in connection with negotiated guilty pleas, making the plea more survivable than the statutory framework suggests. But the negotiation of collateral consequence waivers adds complexity and requires multi-agency coordination, making DPAs and NPAs administratively simpler even when a guilty plea might be more appropriate on the merits.

The “too big to jail” critique

The phrase “too big to jail” entered the public lexicon in 2013 when Attorney General Eric Holder testified before the Senate Judiciary Committee that the size of some financial institutions made criminal prosecution difficult because it could have “a negative impact on the national economy, perhaps even the world economy.” Holder was defending DOJ's decision to resolve major bank cases through DPAs and NPAs rather than criminal indictments during and after the 2008 financial crisis. The testimony crystallized a debate that Garrett's academic work had been developing for years.

The critique was most pointed in the context of HSBC's 2012 DPA. HSBC agreed to pay $1.9 billion—then the largest bank settlement in American history— to resolve charges that it had laundered hundreds of millions of dollars for Mexican and Colombian drug cartels and processed transactions for countries under U.S. sanctions including Iran, Cuba, Libya, Sudan, and Burma. Internal DOJ memos subsequently obtained by congressional investigators showed that prosecutors in the Criminal Division had recommended criminal charges against HSBC but were overruled, with senior officials citing the risk to the global financial system. No individual HSBC executive was charged. The $1.9 billion fine represented approximately five weeks of HSBC's pre-tax profits at the time.

The Goldman Sachs 1MDB case tested the limits of the too-big-to-prosecute framework. The 1MDB scandal involved the theft of approximately $4.5 billion from a Malaysian sovereign wealth fund, with Goldman Sachs underwriting bond offerings that generated fees while Goldman bankers facilitated and in some cases participated in the diversion of funds. After years of negotiation and significant public pressure, DOJ secured a 2020 guilty plea from Goldman Sachs's Malaysian subsidiary, Goldman Sachs (Malaysia) Sdn. Bhd., along with a $2.9 billion resolution with the parent company that included a DPA. The parent company's avoidance of a felony conviction for the holding company itself was widely criticized as another example of institutional protection.

The DOJ Corporate Enforcement Policy

The formal framework governing corporate prosecution decisions has evolved through a series of DOJ policy memoranda. The Principles of Federal Prosecution of Business Organizations (colloquially the “Filip Factors,” after Deputy Attorney General Mark Filip's 2008 memorandum) established the baseline framework: prosecutors weigh the nature and seriousness of the offense, the pervasiveness of wrongdoing, the corporation's history of similar conduct, timely and voluntary disclosure, the corporation's cooperation with the investigation, the adequacy of remediation and compliance, the adequacy of prosecution of individuals, the collateral consequences of prosecution, and the adequacy of civil or regulatory alternatives.

The 2015 Yates Memorandum, issued by Deputy Attorney General Sally Yates, added a hard requirement: to receive any cooperation credit in resolving a corporate criminal investigation, a company must identify all individuals substantially involved in or responsible for the misconduct. The Yates Memo responded directly to criticism that DPA and NPA resolutions almost never resulted in individual prosecutions. The policy created tension between companies' interests in resolving their own cases quickly and DOJ's insistence on individual referrals as a precondition to cooperation credit.

The Monaco Doctrine—a series of policy announcements by Deputy Attorney General Lisa Monaco beginning in 2021—tightened the framework further. Monaco announced that prior corporate misconduct, even if previously resolved, would weigh more heavily in evaluating subsequent cases; that companies with a history of DPAs and NPAs would face higher expectations for compliance and would more frequently be required to accept a guilty plea or monitor; and that prosecutors should scrutinize whether prior resolutions had produced genuine behavioral change or merely financial penalties that the company had absorbed as a cost of doing business.

The DOJ Criminal Division's Corporate Enforcement Policy (CEP) governs FCPA cases specifically and has been updated multiple times. Under the current CEP, a company that voluntarily self-discloses FCPA violations, fully cooperates, and timely remediates can receive a discount of up to 50% off the bottom of the applicable U.S. Sentencing Guidelines fine range, and DOJ will generally not require a guilty plea or monitor. Self-disclosure is the threshold: a company that does not self-disclose but fully cooperates can receive up to 25% off the bottom of the guidelines range. A company that neither self-discloses nor cooperates faces the full guidelines range or above.

FCPA as the dominant enforcement category

The Foreign Corrupt Practices Act prohibits U.S. persons and issuers from bribing foreign government officials to obtain or retain business, and requires that issuers maintain accurate books and records and adequate internal accounting controls. Enacted in 1977 after the Watergate-era discovery that hundreds of U.S. companies had made payments to foreign officials, the FCPA was largely dormant for its first two decades. DOJ and the SEC began enforcing it aggressively in the 2000s, and FCPA resolutions now account for the largest DPAs and NPAs in the Corporate Prosecution Registry by fine amount.

FCPA enforcement has two components that mirror the statute's two sets of provisions. The anti-bribery provisions are criminally enforceable by DOJ; the books-and-records and internal controls provisions are enforceable both criminally by DOJ and civilly by the SEC. In a major FCPA case, a company typically faces parallel DOJ and SEC proceedings. DOJ handles the criminal DPA or NPA and the related fine; SEC handles a civil deferred prosecution agreement or cease-and-desist order and a disgorgement of ill-gotten profits. The combined DOJ-SEC resolution is typically disclosed in a coordinated press release.

The Alstom FCPA case illustrates the dynamics of a large FCPA resolution. Alstom, the French power and transportation company, pleaded guilty in 2014 and paid $772 million—then the largest FCPA criminal fine in history—to resolve charges that it had bribed government officials in Indonesia, Egypt, Saudi Arabia, the Bahamas, and Taiwan to obtain power plant and other contracts. Alstom's unwillingness to cooperate during the investigation, combined with the breadth and duration of the conduct, led DOJ to insist on a guilty plea rather than a DPA. Four individual Alstom executives were also charged, including a former senior vice president who was extradited from the United Kingdom.

Volkswagen's 2017 guilty plea arose from a different statutory framework but illustrated similar dynamics. Volkswagen AG pleaded guilty to conspiracy to defraud the United States, commit wire fraud, and violate the Clean Air Act, paying $4.3 billion in criminal and civil penalties to resolve the diesel emissions cheating scandal. The plea was notable because it was entered by the parent company itself, not a subsidiary—an outcome DOJ achieved in part because the emissions defeat device scheme had been implemented at the corporate level with knowledge of senior executives.

The compliance monitor system

A compliance monitor is an independent third party appointed by DOJ as part of a DPA or, occasionally, an NPA to oversee the company's implementation of its compliance commitments. Monitors typically serve for one to three years, have broad access to the company's books, records, and personnel, and submit periodic reports to DOJ evaluating whether the company has satisfied its compliance obligations. The DOJ can extend a monitor's term if it finds that the company has not met its obligations, or can seek to resume prosecution if the breaches are serious.

The monitor selection process has been a persistent source of controversy. DOJ guidance requires that monitors be selected based on their qualifications and lack of conflicts, but the process historically allowed the company to propose monitor candidates, giving large law firms and former government officials a financial incentive to cultivate relationships with both DOJ and the companies likely to face DPAs. The appointment of former Attorney General John Ashcroft as compliance monitor for Zimmer Biomet in 2007—at fees reported at $52 million—drew congressional scrutiny, particularly because the selection was made by the United States Attorney in New Jersey without a competitive process. The controversy contributed to subsequent DOJ guidance requiring more structured monitor selection procedures.

Research using the Corporate Prosecution Registry has found that monitors are required in roughly half of DPAs and in a smaller fraction of NPAs. Monitor requirements correlate with the severity of the underlying conduct, the company's compliance history, and whether the company self-disclosed. FCPA cases involving systematic bribery schemes almost always require monitors; cases where the company self-disclosed and had a functioning compliance program at the time of the violation are more likely to avoid a monitor requirement.

Landmark resolutions in the registry

HSBC's 2012 DPA ($1.9 billion) for money laundering on behalf of Mexican drug cartels and sanctions violations remains the defining case of the too-big-to-jail era. Pfizer's 2009 NPA ($2.3 billion), involving off-label promotion of Bextra and other drugs, was the largest criminal fine in U.S. history at the time of settlement; it was structured as an NPA for the parent company and a guilty plea by a Pfizer subsidiary, Pharmacia & Upjohn, to avoid the Medicare/Medicaid exclusion that a Pfizer parent guilty plea would have triggered. Boeing's 2021 DPA ($2.5 billion) resolved charges arising from the 737 MAX crashes, with DOJ finding that Boeing employees had deceived the Federal Aviation Administration about the Maneuvering Characteristics Augmentation System. The resolution was subsequently renegotiated in 2024 after a federal judge rejected the original deal and Boeing ultimately agreed to plead guilty to a single count of conspiracy to defraud the United States.

The registry's value is not only in the landmark cases but in the pattern across the full population. Analysis of the dataset shows that the median DPA fine has increased substantially since 2010, reflecting both larger cases and DOJ's upward revision of fine calculations under the Sentencing Guidelines. The distribution is heavily right-skewed: a small number of very large FCPA and financial institution cases account for a disproportionate share of total fines, while the majority of DPAs involve fines in the tens of millions of dollars.

Analyzing the dataset with Python

The bulk CSV download from the Corporate Prosecution Registry is the most direct path to systematic analysis. The code below loads the registry, filters to DPAs and NPAs, converts fine amounts to numeric, and identifies the top ten industries by total DPA/NPA fine volume. Because the registry's column names have varied across releases, the script uses heuristic column detection rather than hardcoded field names.

import pandas as pd
import requests
import io

# The Corporate Prosecution Registry bulk download is available at:
# https://lib.law.virginia.edu/Garrett/corporate-prosecution-registry/
# Download the CSV from that page and point this script at it,
# or fetch it directly if a stable URL is available.

CPR_CSV_URL = (
    "https://lib.law.virginia.edu/Garrett/corporate-prosecution-registry/"
    "databases/CPR_Data.csv"
)

def load_registry(url=CPR_CSV_URL):
    """Load the Corporate Prosecution Registry into a DataFrame."""
    resp = requests.get(url, timeout=60)
    resp.raise_for_status()
    df = pd.read_csv(io.StringIO(resp.text), low_memory=False)
    print("Columns:", df.columns.tolist())
    print("Total records:", len(df))
    return df

df = load_registry()

# Normalize column names to lowercase with underscores
df.columns = df.columns.str.strip().str.lower().str.replace(r"[\s/]+", "_", regex=True)

# The registry uses varied spellings for the resolution type field.
# Common values: 'DPA', 'NPA', 'Guilty Plea', 'Declination', 'Information'
# Inspect what is actually in the data:
print("\nResolution type distribution:")
if "resolution_type" in df.columns:
    print(df["resolution_type"].value_counts())
elif "type" in df.columns:
    print(df["type"].value_counts())

# Identify the fine amount column and resolution type column
# (field names have varied across CPR releases)
fine_col = next(
    (c for c in df.columns if "fine" in c or "penalty" in c or "amount" in c), None
)
res_col = next(
    (c for c in df.columns if "resolution" in c or "type" in c), None
)
industry_col = next(
    (c for c in df.columns if "industry" in c or "sector" in c), None
)
year_col = next(
    (c for c in df.columns if "year" in c), None
)

print("\nUsing columns:")
print("  Fine:       " + str(fine_col))
print("  Resolution: " + str(res_col))
print("  Industry:   " + str(industry_col))
print("  Year:       " + str(year_col))

# Filter to DPAs and NPAs only (exclude guilty pleas, declinations)
if res_col:
    mask_dpa_npa = df[res_col].str.upper().str.strip().isin(["DPA", "NPA"])
    df_dpa_npa = df[mask_dpa_npa].copy()
else:
    df_dpa_npa = df.copy()

print("\nDPA/NPA records:", len(df_dpa_npa))

# Convert fine column to numeric
if fine_col:
    df_dpa_npa[fine_col] = (
        df_dpa_npa[fine_col]
        .astype(str)
        .str.replace(r"[\$,]", "", regex=True)
        .str.strip()
    )
    df_dpa_npa[fine_col] = pd.to_numeric(df_dpa_npa[fine_col], errors="coerce")

# Aggregate total fines by industry
if industry_col and fine_col:
    by_industry = (
        df_dpa_npa
        .groupby(industry_col)[fine_col]
        .sum()
        .sort_values(ascending=False)
        .reset_index()
    )
    by_industry.columns = ["industry", "total_fines_usd"]
    by_industry["total_fines_bn"] = (by_industry["total_fines_usd"] / 1e9).round(2)

    top10 = by_industry.head(10)
    print("\nTop 10 industries by DPA/NPA fine volume:")
    for _, row in top10.iterrows():
        line = "  " + str(row["industry"]) + ": $" + str(row["total_fines_bn"]) + "B"
        print(line)
else:
    print("Industry or fine column not found; check column names above.")

# Aggregate total fines by year (DPA/NPA only)
if year_col and fine_col:
    by_year = (
        df_dpa_npa
        .groupby(year_col)[fine_col]
        .agg(["sum", "count"])
        .sort_index()
        .reset_index()
    )
    by_year.columns = ["year", "total_fines_usd", "deal_count"]
    by_year["total_fines_bn"] = (by_year["total_fines_usd"] / 1e9).round(2)
    print("\nDPA/NPA activity by year:")
    for _, row in by_year.iterrows():
        line = (
            "  " + str(int(row["year"])) + ": "
            + str(row["deal_count"]) + " deals, "
            + "$" + str(row["total_fines_bn"]) + "B"
        )
        print(line)

The year-by-year analysis is particularly informative. FCPA enforcement surged after 2007, peaked in the 2014–2016 period following landmark resolutions with Alstom, Petrobras-connected defendants, and others, and has remained elevated since. Financial services DPAs peaked in the 2012–2015 period covering post-crisis bank settlements and have declined somewhat as that enforcement wave resolved. Healthcare and pharmaceutical DPAs have been consistent throughout the dataset, often appearing in parallel with DOJ False Claims Act civil settlements for the same underlying conduct.

Relationship to other federal enforcement data

The Corporate Prosecution Registry does not exist in isolation. DOJ criminal resolutions frequently occur alongside SEC enforcement actions, often resolving the same underlying conduct through parallel civil and criminal tracks. The FCPA cases in the registry can be cross-referenced against the SEC's FCPA enforcement page and the DOJ-SEC joint FCPA guide. The financial penalty in an SEC administrative cease-and-desist order supplements rather than replaces the DOJ criminal fine; in large cases, the total economic consequence to the company is the sum of both.

False Claims Act civil settlements (tracked separately by DOJ's Civil Division) frequently accompany DPAs and NPAs in healthcare and defense cases. Pfizer's 2009 resolution illustrates the structure: the $2.3 billion total included a $1.195 billion criminal fine (the largest criminal fine in U.S. history at that time) and a $1 billion civil FCA settlement. The corporate prosecution registry records the criminal resolution; the FCA civil settlement appears in DOJ's civil press releases. Linking the two databases by company name and year allows researchers to quantify the full government take from a corporate enforcement action.

USASpending.gov debarment data provides another downstream link. Companies that plead guilty or, in some cases, accept DPAs may face debarment from federal contracting. The debarment list maintained by the System for Award Management (SAM.gov) can be joined to the Corporate Prosecution Registry to identify which companies lost federal contracting eligibility following criminal resolutions and for how long. Lobbying disclosure data from the Senate Office of Public Records can identify which resolved companies increased lobbying expenditures in the years following their resolutions—a pattern that has been documented in academic research on corporate response to enforcement actions.

For DOJ's parallel civil enforcement database—the False Claims Act settlements that frequently accompany DPAs and NPAs in healthcare and defense: DOJ False Claims Act Settlements: The $70 Billion Fraud Recovery Database →

For the SEC's civil enforcement actions, AAERs, and the parallel securities fraud enforcement that runs alongside many FCPA and bank DPAs: SEC enforcement actions: insider trading, accounting fraud, and the AAER database →

For lobbying disclosure data that can be joined to corporate prosecution records to track industry responses to enforcement waves: Lobbying Disclosure Act data: who is registered, what they spend, and how to bulk-download it →