Deferred Prosecution Agreements: How Corporations Avoid Prosecution—and Why It Matters
Deferred Prosecution Agreements—known as DPAs—were meant to help small, first-time offenders get a second chance. Instead, they’ve become the corporate world’s ultimate loophole. From GM’s deadly ignition switches to HSBC’s cartel money laundering and Boeing’s fatal aircraft failures, this investigation explores how billion-dollar companies repeatedly avoid prosecution, pay manageable fines, and move on—while victims are left without justice.
The moment we’re in
Across multiple administrations, U.S. corporate crime enforcement has grown notably lax. Since the current president took office, more than a hundred enforcement actions against corporate misconduct have been halted or dropped, and the first-ever presidential pardon of a corporation—granted to a cryptocurrency exchange that had been fined $100 million for anti–money laundering violations—was issued. Experts describe the climate as the ripest environment for corruption by public officials and business executives in a generation. That broader context helps explain why a specific legal tool has become so consequential: the deferred prosecution agreement.
What a DPA (and an NPA) actually is
A Deferred Prosecution Agreement (DPA) is a deal in which prosecutors say they have evidence to bring criminal charges against a company but agree to pause the case. If the company meets specified conditions (pay fines, overhaul compliance, submit to monitoring) and avoids new violations for a set period, the government dismisses the charges. A Non-Prosecution Agreement (NPA) goes further: prosecutors agree not to file charges at all, and the agreement typically isn’t filed in court—making it even less visible to the public.
These arrangements are now routine in business coverage: banks, consultancies, manufacturers, and tech firms regularly announce that they’ve entered a DPA or NPA to “resolve” investigations.
Ubiquity on Wall Street
DPAs and NPAs are now woven into the operating fabric of major financial institutions. To cite just a few examples: AIG (two NPAs and a DPA), Barclays (a DPA and an NPA), Credit Suisse (a DPA), JPMorgan (an NPA and a DPA), Lloyds (two DPAs), Royal Bank of Scotland (a DPA), Wachovia (a DPA and an NPA), and UBS (a DPA and two NPAs). In practice, many large banks carry multiple agreements over time.
Where this all came from—and why their use exploded
DPAs weren’t designed for corporations. They grew out of a 1974 statute intended to help first-time and juvenile nonviolent offenders avoid criminal records while they focused on rehabilitation. Corporate use surged after the government successfully prosecuted Arthur Andersen, auditor to Enron. The facts were stark: amid investigations, Andersen deleted roughly 30,000 electronic files and emails and shredded more documents in three days than it typically destroyed in a year. Employees publicly protested that prosecution would punish innocents—but the firm had already been shedding clients and faced SEC scrutiny; the criminal case was the final blow, not the sole cause.
That outcome made prosecutors far more reluctant to bring cases that could collapse a firm. The numbers tell the story: in the decade before Andersen’s fall, DPAs/NPAs were used 18 times; in the 14 years after, they were used 419 times.
The promise vs. the results
Supporters claim DPAs protect innocent workers and shareholders from collateral harm, deter future wrongdoing, and leave prosecutors free to charge culpable individuals. Yet outcomes often fall short:
- Nearly half of companies receiving DPAs/NPAs paid no fine at all.
- In roughly two-thirds of cases, no individual employees were prosecuted.
The following case studies show how light-touch resolutions can fail victims, enable repeat violations, and leave core risks unaddressed.
Case Study 1: General Motors—The Ignition Switch That Cut Power and Cost Lives
What happened. GM sold vehicles with an ignition switch defect that could shut off the engine mid-drive, disabling airbags, power steering, and power brakes—causing crashes. GM ultimately acknowledged 124 deaths and 274 injuries linked to the defect.
What GM knew. By early 2012, GM knew about the defect and several fatal incidents. Federal law required reporting within 5 days; the company took about 20 months.
Culture and communications. In 2008, GM circulated guidance telling employees to avoid words like “problem,” “safety,” and “defect” in internal communications—an unmistakable signal to minimize risk language rather than escalate it.
The deal. In 2015, GM entered a DPA: a $900 million penalty against ~$10 billion in annual profit; admission to a “statement of facts” but no guilty plea; no individual prosecutions.
The human cost. Candice Anderson, whose boyfriend died in a crash, was allowed to plead guilty to negligent homicide in 2007 while GM’s internal review had already identified the car as the cause. Her conviction was later overturned, but no individual GM decision-maker was held criminally accountable.
Bottom line. A large fine relative to most cases still amounted to a small share of annual profits. The lack of individual charges sent a clear signal about personal risk: minimal.
Case Study 2: HSBC—Money Laundering and Sanctions Evasion
What happened. HSBC facilitated laundering of at least $881 million in Mexican cartel proceeds and roughly $660 million in transactions involving sanctioned regimes (Burma, Iran, Cuba, Libya). At one point, a cartel boss was recorded saying HSBC was “the place to launder money.” Cash volumes were so large that cartels designed boxes to fit the bank’s teller windows.
Compliance in name only. The bank’s U.S. compliance unit was under-resourced and inexperienced. Evasion was brazen: to bypass sanctions filters (e.g., the designated entity TAJCO), wires were manipulated with dots/dashes (e.g., “TAJ.CO”) so screening systems wouldn’t flag them. An internal memo captured the awareness: “We are allowing organized criminals to launder their money.”
The deal. In 2012, HSBC entered a DPA with nearly $2 billion in penalties—against $13+ billion in profit that year—plus a monitor. Even the bank’s own reports later noted the monitor had “significant concerns” about the pace of remediation and potential financial crime exposure.
Then, again. The DPA lapsed at the end of 2017. The very next month, HSBC agreed to another DPA (FX rate-rigging probe) with a $100 million penalty.
Bottom line. The bank avoided charges against individuals, paid fines it could absorb, and then entered another DPA. Deterrence looked like a cost center, not an existential risk.
Case Study 3: Boeing—From Deadly Crashes to an Open Mid-Flight Fuselage
What happened. Two 737 MAX crashes in 2018 and 2019 killed 346 people. Internal communications described the MAX’s design as deeply flawed.
The deal. In 2021, Boeing entered a DPA: admitted misrepresentations to regulators about critical software tied to the crashes, paid a fine, and agreed to three years of good behavior.
Then, a near-miss. In January 2024, just two days before the DPA period was to end, a 737 MAX door plug blew off mid-flight—an event the DOJ deemed a violation of the DPA. Rather than prosecute, DOJ offered a plea: another fine, more safety/compliance spending, and an independent monitor.
Downgraded accountability. This year the punishment was reduced to an NPA: Boeing would pay an additional $444 million into a crash-victims fund, avoid a felony conviction, and replace independent monitoring with a company-hired compliance consultant.
Bottom line. After a judge characterized the case as the deadliest corporate crime, and after a fresh safety incident during the DPA window, the ultimate sanction moved from prosecution risk to no-prosecution—precisely the opposite of escalating consequences.
What the pattern shows
Across these cases, DPAs/NPAs function less as exceptional tools and more as a recurring operating expense. Three dynamics are consistent:
- Fines that don’t bite. Penalties often equal a modest fraction of annual profits; nearly half of cases involve no fine at all.
- Opacity and amnesia. Especially with NPAs, terms and monitor reports remain out of public court records. Each new agreement can feel like a reset rather than the latest entry in a misconduct record.
- No personal accountability. In roughly two-thirds of cases, no individuals are charged—blunting deterrence where it matters most: executive decision-making.
What would meaningful reform look like?
- Make penalties consequential. Scale fines to profits and harm; add mandatory restitution; impose escalating penalties for repeat offenders.
- Charge people, not just entities. Prioritize investigations of executives and supervisors who designed, approved, or concealed unlawful conduct.
- Bring DPAs/NPAs into the sunlight. File all agreements in court; require public monitoring reports; maintain an accessible record so repeat conduct triggers automatic escalations.
- Prosecute repeat offenders. Reserve DPAs for truly exceptional, remediated cases; if a company offends again, bring charges—even if it disrupts business.
The bottom line
Right now, the DPA/NPA system allows corporations to avoid the one consequence that most reliably changes behavior: prosecution that threatens the business or the people running it. When companies can sell unsafe cars, act as conduits for cartel and sanctions-busting funds, or put unsafe aircraft into service—and resolve it with manageable fines and private compliance promises—public safety and the rule of law take a back seat. If we want accountability that actually prevents the next tragedy, fines must bite, executives must face real risk, and repeat offenders must be prosecuted.
