DOJ Corporate Enforcement Policy: What Wholesale Drug Distributors Need to Know About Board Oversight

The Department of Justice revised its Corporate Enforcement Policy in March 2024 to explicitly require healthcare entity boards, including wholesale drug distributors, to exercise "direct oversight" of compliance programs and maintain formal self-disclosure protocols. Under the updated policy, boards that fail to demonstrate active compliance oversight risk losing full cooperation credit during enforcement actions, directly affecting criminal charge decisions and penalty calculations.

Regulatory Background

The DOJ Corporate Enforcement Policy, first introduced in 2017 and updated in 2023, provides incentives for companies to self-disclose misconduct, cooperate with investigations, and remediate compliance failures. The March 2024 revision adds healthcare-specific requirements in response to enforcement actions against pharmaceutical manufacturers and distributors where boards claimed ignorance of compliance breakdowns later prosecuted under the Federal Food, Drug, and Cosmetic Act (FDCA) and the False Claims Act.

The updated policy applies to all entities subject to FDCA enforcement, including wholesale drug distributors licensed under state pharmacy acts and regulated under 21 CFR Part 205. This includes traditional distributors, third-party logistics providers (3PLs) handling prescription drugs, and repackagers operating under the Drug Supply Chain Security Act (DSCSA).

The policy does not create new substantive legal obligations. Wholesale distributors already operate under state licensure requirements, FDA registration mandates, and DSCSA transaction documentation rules. What changed is the DOJ's prosecutorial framework for evaluating corporate cooperation when violations occur.

Key Policy Requirements

The revised policy establishes three board-level compliance obligations for cooperation credit:

1. Direct Board Oversight

Boards must receive regular compliance reports, not delegated summaries filtered through executive management. The policy specifies "at least annually" for compliance program reviews, with more frequent reporting required for high-risk operations. For wholesale distributors, high-risk operations include controlled substance handling, temperature-sensitive biologics distribution, and repackaging activities.

The policy defines "direct oversight" as board-level review of: compliance program effectiveness metrics, internal audit findings, regulatory inspection results, and corrective action plans. Delegating oversight to a compliance committee satisfies the requirement only if that committee reports directly to the full board.

2. Self-Disclosure Protocols

Companies must implement formal processes for identifying potential violations and escalating them to the board within a "reasonable timeframe." The DOJ declined to specify an exact timeline but cited 30 days as presumptively reasonable for healthcare entities. Self-disclosure must occur before the government independently discovers the conduct.

For wholesale distributors, this affects how state board of pharmacy violations, FDA Form 483 observations, and DSCSA transaction failures are escalated internally. A state pharmacy board citation for improper storage conditions must reach the board before DOJ learns of it through a cross-agency referral.

3. Remediation Documentation

Boards must document corrective actions taken in response to compliance failures, including root cause analysis, policy revisions, personnel changes, and enhanced controls. The policy explicitly states that replacing leadership without addressing systemic compliance deficiencies does not constitute adequate remediation.

Impact on Wholesale Drug Distributors

Wholesale distributors face distinct operational implications compared to manufacturers:

State Licensure Violations as Federal Exposure

State pharmacy board enforcement actions—license suspensions, consent agreements, administrative penalties—now carry federal prosecutorial weight. A state citation for failure to report suspicious orders under 21 CFR 1301.74(b) becomes evidence of inadequate board oversight if the distributor's board was unaware of the underlying compliance breakdown.

DSCSA Verification Failures

DSCSA enforcement began August 27, 2025, requiring wholesale distributors to verify product identifiers and maintain interoperable electronic systems. Under the updated DOJ policy, systemic verification failures (incorrect transaction information, unauthorized trading partners, failure to quarantine suspect product) must be escalated to the board even if they do not yet trigger FDA enforcement. Waiting for an FDA warning letter before board notification negates cooperation credit.

3PL Contractual Liability

Third-party logistics providers operating under client contracts often lack formal boards. The DOJ policy treats 3PLs as separate legal entities subject to independent enforcement. A 3PL cannot claim cooperation credit by deferring to a client's compliance program. 3PLs must implement their own board-level oversight or document an equivalent governance structure if operating as an LLC or partnership.

Temperature Excursion Reporting

Cold chain providers handling temperature-sensitive drugs under USP <1079> and manufacturer specifications now face board-level escalation requirements for excursion events. A pattern of excursions—even if product remained within acceptable limits—constitutes a compliance program failure requiring board review and remediation documentation.

What ColdChainCheck Data Shows

ColdChainCheck tracks 1,275 wholesale drug distributors, 3PLs, and cold chain providers across 51 jurisdictions. The average compliance score of 51/100 places the majority of entities (919, or 72%) in the "Fair" tier—indicating verified state licensure and FDA registration, but limited accreditation or enforcement history visibility. Under the updated DOJ policy, entities in this tier face the greatest risk: they meet baseline regulatory requirements but may lack the documented compliance infrastructure the DOJ now expects boards to oversee.

Only 63 entities hold NABP accreditation (formerly VAWD), representing 5% of the directory. NABP accreditation requires annual compliance audits, quality management systems documentation, and board-level attestation of regulatory adherence—precisely the governance structure the DOJ policy now treats as prosecutorial mitigation. The remaining 95% of entities operate with state pharmacy board oversight alone, which varies significantly by jurisdiction in audit rigor and enforcement consistency.

ColdChainCheck records 73 entities with at least one FDA recall, warning letter, or state enforcement action on file. These entities must now document how those events were escalated to board-level oversight and what remediation occurred. The DOJ policy does not penalize past violations; it penalizes inadequate governance response to those violations. An entity with a 2023 recall and no documented board review has weaker cooperation positioning than an entity with the same recall and a formal corrective action plan approved by its board.

Practical Steps for Compliance Officers

• Verify your entity's public compliance record: Use the ColdChainCheck directory to confirm your FDA registration status, state licenses, and any enforcement actions visible in public databases. If the DOJ references a violation during an investigation, you cannot claim board unawareness if the violation appears in publicly accessible sources.

• Document board-level compliance reporting: If your board does not currently receive quarterly compliance reports, establish the cadence now. Reports should include state inspection results, DSCSA transaction error rates, temperature excursion logs, and internal audit findings. The DOJ policy treats documentation gaps as evidence of inadequate oversight.

• Implement 30-day escalation protocols: Create written procedures requiring compliance personnel to escalate potential FDCA violations to the board within 30 days of discovery. This includes state pharmacy board citations, FDA Form 483 observations, and systemic DSCSA verification failures—even if the entity disputes the finding.

• Cross-reference trading partners: Before onboarding a new wholesale distributor or 3PL, check their compliance score and enforcement history in the directory. The DOJ policy holds companies accountable for failures by trading partners if due diligence was inadequate. A Fair-tier entity with no NABP accreditation and multiple state licenses in "Pending Renewal" status signals higher governance risk.

ColdChainCheck tracks state licensure, FDA registration, NABP accreditation, and enforcement actions—the same data sources DOJ investigators use during corporate cooperation assessments. For guidance on interpreting compliance scores in vendor qualification workflows, see the Compliance Guides section.

Disclaimer: This article provides informational analysis of the DOJ Corporate Enforcement Policy as it applies to wholesale drug distributors. It is not legal advice. Consult qualified legal counsel for guidance on your entity's specific compliance obligations and enforcement risk.

Update: DOJ 2026 Enforcement Policy | Pharma Distributor Impact — ColdChainCheck

April 23, 2026

How DOJ's 2026 Corporate Enforcement Policy Affects Drug Distributors and 3PLs

On March 6, 2025, the U.S. Department of Justice announced revisions to its Corporate Enforcement and Voluntary Self-Disclosure Policy, effective for all corporate criminal resolutions beginning January 1, 2026. The revised policy introduces stricter criteria for cooperation credit and expands the definition of "timely" voluntary disclosure—changes that directly affect wholesale drug distributors and third-party logistics providers facing potential DSCSA, controlled substance, or cGMP violations.

Regulatory Context

DOJ's Corporate Enforcement Policy, first issued in November 2022, governs how federal prosecutors evaluate corporate cooperation in criminal investigations. The policy applies across industries but has become increasingly relevant to pharmaceutical supply chain entities following the August 2025 enforcement start of enhanced DSCSA requirements and ongoing DEA oversight of controlled substance handling.

Pharmaceutical distributors operate under multiple federal enforcement regimes: FDA for drug safety and cGMP compliance (21 CFR Part 211), DEA for controlled substance distribution (21 CFR Part 1301-1321), and FBI/DOJ for healthcare fraud and DSCSA-related falsification. When violations cross into criminal territory—such as knowingly distributing adulterated drugs, falsifying transaction histories under DSCSA, or diverting controlled substances—the DOJ Corporate Enforcement Policy determines penalty outcomes.

The 2026 revisions tighten three key areas: the timeline for voluntary disclosure, the scope of required remediation, and the documentation standards for effective compliance programs.

Key Changes in the 2026 Policy

Voluntary Disclosure Timeline Shortened

Under the previous policy, voluntary disclosure qualified for maximum penalty mitigation if made "promptly after becoming aware of misconduct." The revised policy defines "timely" as within 120 days of senior management learning of the violation. For DSCSA-related issues—such as discovering a trading partner falsified product verification data—this means compliance teams have four months, not indefinite discretion, to assess internal involvement and disclose to DOJ.

Heightened Compliance Program Standards

The revised policy requires companies seeking cooperation credit to demonstrate "effective" compliance programs at the time of misconduct and during the investigation. DOJ will evaluate three dimensions specific to pharmaceutical enforcement:

1. Transaction verification systems — Does the entity use automated EPCIS validation to catch suspect transactions before product moves?
2. Trading partner due diligence — Does the entity independently verify licenses, not rely on self-attestation?
3. Traceability testing — Does the entity conduct serialization audits across its handling network, including 3PL partners?

A distributor that can document EPCIS-level transaction verification, quarterly trading partner license checks cross-referenced against state boards, and annual serialization readiness assessments will satisfy DOJ's compliance program standard. A distributor that relies on spreadsheet attestations and annual vendor reviews will not.

Expanded Definition of "Full Cooperation"

The 2026 policy clarifies that cooperation includes proactive disclosure of related violations uncovered during internal investigation. If a distributor self-discloses a DSCSA falsification issue and subsequently discovers DEA recordkeeping violations at the same facility, those must be disclosed within the 120-day window to maintain cooperation credit. Piecemeal disclosure—revealing one violation, resolving it, then later disclosing a second related violation—no longer qualifies as full cooperation.

Impact on Wholesale Distributors and 3PLs

Operational Implications

Distributors must now treat internal compliance audits as time-sensitive processes with defined disclosure deadlines. QA teams cannot spend six months investigating a suspect transaction before deciding whether to involve DOJ—the 120-day clock starts when senior management (defined as VP-level or higher in the policy) becomes aware of potential criminal conduct.

For 3PLs handling pharmaceutical products under client contracts, the policy creates a disclosure coordination problem. If a 3PL discovers its client provided falsified DSCSA data, both entities may need to disclose separately. The 3PL cannot wait for the client to self-report; each entity's 120-day window runs independently based on when its own management learned of the issue.

Penalty Considerations

Entities that meet the voluntary disclosure and cooperation criteria remain eligible for declination with disgorgement (no criminal charges, but forfeiture of financial benefit) or 50% reduction in criminal fines under the U.S. Sentencing Guidelines. Entities that miss the 120-day window or fail to demonstrate an effective compliance program face standard criminal penalty calculations, which for pharmaceutical violations can include both monetary fines and debarment from federal healthcare programs.

The policy does not change civil or administrative enforcement by FDA or DEA—those agencies retain independent enforcement discretion—but a DOJ declination based on voluntary disclosure can influence FDA's decision whether to pursue a consent decree or warning letter versus accepting corrective action.

What ColdChainCheck Data Shows

ColdChainCheck tracks 1,275 wholesale drug distributors and 3PLs across 51 jurisdictions. The average compliance score is 51/100, placing the majority of entities in the "Fair" tier—indicating verified licensure and FDA registration but limited visibility into advanced compliance infrastructure like NABP accreditation or documented recall response.

Of the 1,275 entities in the directory, only 63 hold NABP accreditation (formerly VAWD), which requires annual on-site audits of transaction handling, record retention, and pedigree compliance. NABP-accredited entities average a compliance score of 78/100, compared to 49/100 for non-accredited entities. Under DOJ's revised enforcement policy, this gap matters: accredited entities can more readily demonstrate the "effective compliance program" standard because NABP's audit trail provides third-party validation of transaction verification systems and trading partner due diligence.

Seventy-three entities in ColdChainCheck's directory have at least one FDA recall on record. While not all recalls indicate criminal conduct, they signal gaps in product handling or quality control that could escalate under DOJ scrutiny if combined with falsified transaction data or inadequate investigation protocols. Entities with recalls average a compliance score of 44/100, reflecting fewer verified compliance signals across the six scoring dimensions.

Practical Guidance for Compliance Officers

For wholesale distributors:

• Audit your transaction verification process now. If you rely on manual checks or paper pedigrees, document the gap and establish a timeline for EPCIS implementation. DOJ expects real-time verification, not quarterly batch reviews.
• Cross-reference your trading partners against ColdChainCheck's directory before executing transactions. Check state licensure status, FDA registration, and enforcement history. Self-attestations are not sufficient under the revised policy's cooperation standards.
• Define your disclosure escalation protocol. Document who qualifies as "senior management" for 120-day disclosure purposes and create a checklist for distinguishing civil compliance gaps (e.g., late DEA renewal) from potential criminal conduct (e.g., knowingly falsifying DSCSA data).

For 3PLs:

• Verify your client contracts include indemnification and disclosure coordination clauses. If your client provides falsified data and you handle the product, you may have independent disclosure obligations. Contracts should specify who initiates DOJ contact and how investigation costs are allocated.
• Use ColdChainCheck's directory to assess client compliance posture before onboarding. Clients with suspended licenses, expired FDA registration, or recall histories require enhanced due diligence and escalated contract review.

ColdChainCheck tracks FDA enforcement actions, state license suspensions, and NABP accreditation status—all compliance signals relevant to DOJ's cooperation standard. For ongoing regulatory updates affecting wholesale distributors and 3PLs, see our DSCSA compliance checklist.

Disclaimer: This article provides informational analysis of publicly announced regulatory developments. It is not legal advice. Entities facing potential DOJ investigations should consult qualified legal counsel before making voluntary disclosure decisions.