Audit and Small Business Compliance Policy Disclosures Now Subject to Mandatory Electronic Submission

Date: Jan 26, 2016

Beginning December 9, 2015, voluntary disclosures and related submissions to the U.S. Environmental Protection Agency (EPA) under the Agency’s “Audit Policy” and “Small Business Compliance Policy” must be made electronically using EPA’s new “eDisclosure” system.   This new system does not modify the substantive requirements of either of these policies but effectively adds additional requirements that merit careful attention.

EPA Voluntary Disclosure Policies

EPA’s “Incentives for Self-Policing: Discovery, Disclosure, Correction and Prevention of Violations” (65 Fed. Reg. 19,618 (April 11, 2000)) (“Audit Policy”) provides a substantial incentive for companies to discover violations of EPA-administered statutes through voluntary compliance audits or compliance management systems (CMS), and to promptly disclose such violations to EPA.  The Audit Policy can reduce and in many cases completely eliminate significant monetary penalties levied by EPA for violations of these statutes. 

EPA’s related Small Business Compliance Policy (SBCP) (65 Fed. Reg. 19,630 (Apr. 11, 2000)) provides additional benefits and protections for qualifying small businesses.  EPA’s “Interim Approach to Applying the Audit Policy to New Owners” (73 Fed. Reg. 44,991 (Aug. 1, 2008)) (“New Owner Policy”) provides additional benefits and protections to companies that acquire new facilities (“new owners”) and that evaluate the acquired company’s environmental compliance status promptly after acquisition.  

New eDisclosure System

The eDisclosure system was announced in the Federal Register on December 9 (80 Fed. Reg. 76,476), and the system and its accompanying requirements became effective the same day.  See http://www2.epa.gov/compliance/epas-edisclosure.  Use of eDisclosure is mandatory for Audit Policy and SBCP submissions, but EPA is continuing to accept and process outside the eDisclosure system “New Owner” disclosures and potential criminal violations disclosed to the Voluntary Disclosure Board (VDB).

EPA continues to support use of these self-disclosure policies (i.e., to provide penalty mitigation and other incentives for companies that detect, disclose, correct, and prevent violations).  The eDisclosure system was launched simply to facilitate processing of disclosures and to conserve EPA and industry resources. 

Disclosure Categories

Companies that disclose potential violations using eDisclosure may qualify for one of two categories -- Category 1 or Category 2.  

    Category 1

Category 1 covers:  (1) Emergency Planning and Community Right to Know Act (EPCRA) violations meeting all Audit Policy conditions; and (2) EPCRA violations meeting all SBCP conditions.   Excluded from this category are CERCLA section 103/EPCRA section 304 release reporting violations, and EPCRA violations with “significant economic benefit.” 

For qualifying Category 1 disclosures, the eDisclosure system automatically issues an electronic Notice of Determination (eNOD), confirming that the disclosed violations have been resolved with no assessment of civil penalties (conditioned on the completeness and accuracy of the disclosure).

    Category 2

Category 2 covers:  (1) all non-EPCRA violations; (2) EPCRA violations where the discloser can only certify compliance with Audit Policy Conditions 2 through 9 (i.e., discovery was not systematic); and (3) the EPCRA/CERCLA violations excluded from Category 1.

For qualifying Category 2 disclosures, the eDisclosure system automatically issues an Acknowledgement Letter (AL) noting EPA’s receipt of the disclosure and agreeing that EPA will make a determination as to eligibility for penalty mitigation if and when it considers taking enforcement action for the disclosed violations.

Required eDisclosure Steps

Companies using the eDisclosure system must follow a three-step process:

    1)  Register to submit eDisclosure documentation using EPA’s Central Data Exchange (CDX).

    2)  Submit a disclosure within 21 calendar days of discovery of the potential violation(s).

    3)  Certify compliance with the Audit Policy or SBCP, within 60 days of submitting an Audit Policy disclosure or 90 days for a SBCP disclosure by submitting a Compliance Certification in the eDisclosure system.


Registration requires entities to register with EPA’s CDX system.  Existing CDX registrants who have been identity-proofed under the Cross Media Electronic Reporting and Recordkeeping Rule (CROMERR) need not re-register with CDX.  “Paper” identity-proofing may be used if electronic identity-proofing is unavailable.  The system allows consultants, attorneys, and other such agents to disclose violations through the eDisclosure portal on behalf of a regulated entity.

Reporting Period Extensions

Extensions of correction and Compliance Certification deadlines are unavailable for Category 1 disclosures.  For Category 2 Audit Policy disclosures, an online request can be submitted for up to 30 additional days, with no explanation required, and are considered granted at the time of the request.  The eDisclosure system automatically will extend the Compliance Certification due date by an equal amount.   

Requests can also be submitted for Audit Policy extensions of more than 30 additional days, provided the correction date does not extend beyond 180 days after the date of discovery.  For such requests, however, the discloser must include a justification for the requested extension.  These types of requests are not considered granted or denied at the time they are made and are subject to additional Agency scrutiny.  SBCP extensions are treated similarly but with correspondingly longer time increments (90 additional days and 360 days after the date of discovery, respectively).

Confidentiality Issues

Confidentiality claims cannot be asserted for any information submitted through the eDisclosure system, as the system can neither receive nor process any information claimed as Confidential Business Information (CBI).  Thus, companies must only submit “sanitized” (non-CBI) information through the online system.  This stands in contrast to the pre-eDisclosure era, where CBI was routinely asserted and included in submissions.

Given that eDisclosure cannot handle CBI, any CBI relating to a disclosure must be submitted manually under EPA’s CBI procedures and 40 C.F.R. Part 2.  Further, the discloser must contact the eDisclosure Help Desk to arrange for secure transmittal, an approach that appears to be a work-in-progress at EPA. 

It is important to note that EPA historically considered and will continue to consider resolved Audit Policy disclosures to be publicly releasable under the Freedom of Information Act (FOIA).  Thus, FOIA requests for eDisclosure eNODs generally will be granted. 

In contrast, EPA historically withheld from public disclosure unresolved disclosures under the “law enforcement proceeding” exemption from FOIA.  Under eDisclosure, however, EPA has effectively revised its policy, viz., has eliminated the presumption in favor of withholding unresolved disclosures and replaced it with a presumption in favor of disclosure.  Accordingly, in response to FOIA requests for individual unresolved disclosures EPA now plans to determine on a case-by-case basis whether the Agency foresees information release would harm an interest protected by a FOIA exemption.


Although the Audit Policy requires disclosed violations to be corrected within 60 calendar days of discovery, prior to launch of eDisclosure companies often certified as such at some later time (e.g., at the end of a audit under which multiple disclosures may be made throughout the course of the audit).  Further, prior to launch of the eDisclosure program companies often provided significant details in their disclosures. 

Under eDisclosure, however, a disclosure itself contains very little information (viz., little more than the company name, site location, statutory section involved, and date of discovery).  The bulk of the details of the disclosed violation(s) are provided in the subsequent Compliance Certification.  In essence, companies undertaking audits must now “close out” each disclosed violation (or batch of violations) on an ongoing basis.  This change will require companies to carefully plan their auditing activities to balance effort required to timely complete Compliance Certifications with the effort required to track and submit multiple Compliance Certifications during the audit.  

Moreover, companies and EPA will need to come to an understanding as to how the Agency can be provided with the information it needs while avoiding the need to submit CBI through eDisclosure.  It also remains to be seen whether this system will speed the process of obtaining an NOD from EPA for Category 2 disclosures, particularly when a broad audit with multiple disclosures is at issue.  Follow-up communications with EPA Office of Enforcement and Compliance Assurance staff will likely continue to be a part of any robust and comprehensive audit.

In light of the preceding, companies would be well advised to be extraordinarily vigilant in terms of making timely submissions and in assessing and submitting CBI.  While EPA’s voluntary disclosure policies can be very powerful and useful tools, failure to properly use them can have disastrous consequences.

For further information regarding voluntary disclosures or eDisclosure, please contact Tom Berger (202.434.4285, berger@khlaw.com), or Greg Clark (202-434.4302, clark@khlaw.com).