FCPA Compliance and Ethics Blog

October 24, 2011

Against An FCPA Compliance Defense

Filed under: compliance programs,FCPA,Forbes.com,Howard Sklar — tfoxlaw @ 6:15 am
Tags: ,

Ed. Note-I had attempted to write a piece on this subject for some time. However, I after I saw this posting lasting week by Howard Sklar in his column in Forbes.com, I found this piece much better than I could have ever articulated my thoughts so I have abandoned my efforts. With Howard’s permission, I reprint his posting entitled “Against an FCPA Compliance Defense” posted October 18, 2011, in full. 

Howard SklarThere has been a serious push lately to amend the FCPA to include a compliance defense.  A compliance defense, according to the Chamber of Commerce’s Institute for Legal Reform (a chief proponent of FCPA reform), would allow companies to avoid liability “if the individual employees or agents had circumvented compliance measures that were otherwise reasonable in identifying and preventing such violations” (from the Institute’s publication “Restoring Balance: Proposed Amendments to the Foreign Corrupt Practices Act“).  A compliance defense is allegedly needed because “a company can now be held liable for violations committed by rogue employees, agents or subsidiaries even if the company has a state-of-the-art FCPA compliance program.”  This past summer, the House Judiciary Committee held a hearing (watch the video orread the transcript) to discuss FCPA enforcement and the amendments suggested by the Chamber of Commerce.  The “rogue employee” quote comes from the testimony of Hon. Michael Mukasey, former Attorney General of the United States, at that hearing. Concerns about a rogue employee aside, I am against an FCPA compliance defense.

I believe a compliance defense would not in fact be effective in giving companies the additional clarity or comfort in the design or implementation of their anti-corruption compliance program that Attorney General Mukasey advocates.  I also believe that a compliance defense could lead to unintended and adverse consequences that could seriously degrade the effectiveness of anti-corruption programs, and perversely lead to more risk and less effective risk mitigation.

I can see the appeal, however.  First, the UK Bribery Act has a purported compliance defense (as does the Italian anti-bribery law).  Second, corporations feel, rightly or wrongly, that their efforts at compliance don’t generate the benefit with the Department that they deserve.  As a consequence of this perceived lack of return on investment, corporations might feel an aversion to deep investigations of misconduct:

The system now in place has conflicting incentives.  On the one hand, an effective compliance program can hold out a qualified promise of indeterminate benefit should a violation occur and be disclosed.  On the other hand, if all that can be achieved is a qualified and indeterminate benefit, there is a perverse incentive not to be too aggressive lest wrongdoing be discovered, and there is a resulting tendency of standards to sink to the level of the lowest common denominator, or at best something that is only a slight improvement over it.  This Catch-22 policy doesn’t really serve anyone’s interest. (Mukasey’s written statement).

In his written testimony, Mukasey also emphasizes that the Department has taken other steps to induce and provide positive reinforcement to efforts to develop and implement an effective compliance program.  He writes, “[t]he absence of a compliance defense tells corporate America, in effect, no compliance effort can be good enough—even if you did everything we required, we still retain the right to prosecute purely as a matter of our discretion.”  I respectfully disagree.  It’s not that “no compliance effort is good enough.”  Corporations regularly get significant credit for having effective programs.  Corporations even get credit for promising to implement more effective ones (Alcatel and Johnson & Johnson come to mind).

Credit for good compliance is, in fact, mandated by the DOJ’s own prosecution guidelines.  The “Principles of Federal Prosecution of Business Organizations,” the Department of Justice’s official policy on what they consider when instigating a prosecution of a company, includes a requirement that prosecutors consider “the existence and effectiveness of the corporation’s pre-existing compliance program.”  Mukasey is correct that the Department’s actions underscore the importance of effective compliance.  In fact, the Department goes so far as to describe—in detail—exactly what they want companies to implement.  In each of the recent Deferred Prosecution Agreements, there is an appendix (colloquially referred to as “Schedule C,” after it’s place in the overall DPA) that lays out twelve elements to an effective compliance program.  More important than even Schedule C, however, is the information that trickles out of the DOJ on cases they decline to prosecute.  One element that is common among declinations is the existence of a robust compliance program.

A reasonable question follows from this discussion: if the Department places such emphasis on compliance, and everyone agrees that a company that does its utmost should get credit, up to getting a pass on prosecution, what does it hurt to embody that in legislation?

At best, in my opinion, making compliance an affirmative defense is useless.  Companies cannot and will not raise affirmative defenses.  The reason for this is simple: for a company to raise an affirmative defense, it has to actively defend itself in an FCPA litigation.  Corporations cannot afford to fight these cases through to the stage where an affirmative defense becomes relevant.  Doug Bain, the former General Counsel of Boeing, put it best when describing the effect on Boeing if it were to be indicted:

So what’s the impact if we get indicted or convicted?

Besides the normal fines and that kind of stuff, there’s a presumed denial of export licenses, and that would be both on the commercial and the government side. In a moment, I’ll give you an idea of why we are concerned about that one.

We can get re-suspended or all of IDS (Integrated Defense Systems) can be debarred.

We can lose our security clearances.

And one nasty little thing is that the Bureau of Alcohol, Tobacco and Firearms, which has an almost explicit prohibition on possessing explosives. For those of you who are at BCA [Boeing Commercial Airplanes], you might remember that every single door on an airplane has actuators that are triggered by explosives.

[Read the whole speech; it’s worth the time.]

Even if a company wins eventually, oftentimes the damage is done: see, e.g., Arthur Andersen.

A company, therefore, cannot rely on a defense that requires it to fight.  What companies are left with is an argument to the Department during negotiation that “if we were to fight the case, we could rely on the affirmative defense.”  Why a company would rather make that kind of aggressive argument over a more cooperative, “look at our wonderful compliance program,” I don’t know.  In either case, it’s up to the Department to decide how much weight to give the compliance program.  Plus, legislating the defense would allow the Department, at its discretion, to ignore the compliance program during negotiations, and in fact use the defense as a sword.  “If you think your program is so great, raise that as an affirmative defense,” knowing that it’s not a realistic possibility for companies.  I believe the Department is reasonable, and wouldn’t invoke that often, but there are contentious negotiations and situations where the Department has lost confidence in the company’s forthrightness, and I could imagine the Department taking a harder stance.  Plus, there’s no way that legislation would be completely prescriptive.  Even in the Chamber of Commerce’s own formulation, the company’s program would have to be “reasonable” in its design.  Who would decide what’s “reasonable?”  The Department would; and we’re back to “who’s on first?”

Even worse than weakening a company’s bargaining position with the Department, the affirmative defense could give companies a false sense of security that, combined with other recent regulations, can seriously degrade internal risk management.

A company’s decision to self-disclose takes numerous factors into account: factual, contextual, and political.  Most corporate internal investigations—the vast majority—never see the light of day.  Companies receive allegations through some internal channel (or external channel that doesn’t bring the matter to a regulator’s attention), investigate the case internally, and either find no substantiation, or discover real issues but then institute mitigation actions and call it a day.  It’s difficult to describe the level of resistance internally to making a self-disclosure to the Department that’s truly voluntary.  Getting a call from a reporter asking for comment, and then calling the Department isn’t what I’d call “truly voluntary.”  Making a truly voluntary disclosure is a Herculean task.  First, your anti-corruption compliance officer needs to convince the Chief Compliance Officer.  Then the CCO needs to convince the General Counsel.  Then the decision goes to senior business management and the Board of Directors.  Everyone knows that it’s a disclosable event.  And so everyone is looking for an excuse not to disclose (one person I know called it “putting six bullets in a six-shooter and pointing it at your leg.”  Inevitable, inescapable pain follows).  Even in today’s world, the task is near impossible.  An affirmative defense would give an additional excuse not to disclose.  “Sure, it might be a violation,” the argument goes, “but we can rely on our effective compliance program as an affirmative defense.”  And yet often the business’ evaluation of effectiveness and the Department’s is, to put it gently, at odds.  Compliance is a cost center into which companies regularly underinvest.

Further, no compliance officer would ever say that a program is fully “effective.”  It would eviscerate, for all time, any attempt to enhance the program.  Or at least to enhance it in a way that actually costs money.  So there would be documents out there that talk about areas in which the program is not fully effective.  The Department would look at those documents and could use them as leverage to deny the company any benefit for their program.  Nor would any outside counsel—even the ones I like—ever certify a compliance program as “effective” without a huge number of caveats that would make the “certification” all but meaningless.

The other huge loss is that the company would get no benefit for efforts to enhance the program.  Remember, Alcatel got a huge benefit for its promise to stop using third-party agents.  Where would that fit in?  Ah, you say, but the Department would still take that into account.  Really, who says?  As I said before, once the effect of an effective compliance program is defined by statute, the Department can rely on that definition also.  The Principles of Prosecuting Business Organizations was made by the Department, and it can be altered by the Department.  And is subject itself to a pre-emption argument.  Or even less: an argument that the legislative branch has defined what “taking into account” means, and that it’s fulfilled by considering the affirmative defense.  And aren’t we then back to exactly what the Chamber now is saying is insufficient?

But who’s to say that the Department would get their hands on the document saying the program isn’t fully effective?  Please welcome to the conversation Sen. Dodd and Congressman Frank.  The Dodd-Frank Act’s whistleblower provisions, more than anything else they do, throw the self-disclosure calculus I was discussing earlier into mathematical discombobulation.  The SEC is already seeing 1-2 legitimate complaints every day through the Whistleblower Office.  And practitioners are seeing whistleblowers coming into the SEC with multiple inches of documents.  Companies can no longer afford the false confidence they had that investigations, once closed, would stay closed.  Remember, conducting a thorough investigation takes time, but the whistleblower has 120 days in which to report the misconduct to the SEC.  That’s too short a window to conduct a real investigation.

So now where are we?  We have a company whose own internal documents say their program isn’t fully effective, conducting a slipshod investigation, in complete denial about the chances of their investigation becoming public, and making disclosure decisions based on an affirmative defense that (a) they can’t actually use; (b) the Department knows they can’t actually use; and (c) doesn’t give them credit for the work that they’re doing to improve.

How is that better, exactly?

Nor do I give any weight to the fact that the UK Bribery Act has a compliance defense.  The UK Act’s defense of “adequate procedures” is designed to address a type of liability we don’t have here: strict liability for corporations.  A corporation can avoid liability for “failure to prevent bribery”—a section with no scienter requirement—by showing the presence of an effective program.  [n.b. I don’t know why people say that “failure by a corporation to prevent bribery” is a strict liability offense, then in the next breath talk about the defense to that very offense: perhaps they’re unclear on the definition of “strict liability”].  Corporate liability in the US is based on concepts ofrespondeat superior.  An employee acting for the corporation’s benefit can bring liability to the corporation.  But the vast majority of cases involving corporate criminal liability include knowledge and active participation by senior management.  We simply don’t see, for the most part, situations where criminal liability attaches to someone without knowledge.  At least not in the FCPA context.  This inconsistency with the knowledge requirement is the first argument made by the Open Society Foundations in their excellent rebuttal to the Chamber’s white paper.  (And although Mike Koehler takes them to taskfor failure to distinguish between respondeat superior and the third-party payment know-or-should-have-known scienter requirements, I don’t think that invalidates the rest of their argument like Prof. Koehler does.)

I could actually more see a compliance defense added to the books-and-records provisions enforced by the SEC.  It’s more analogous to the UK Bribery Act’s defense, and there is no knowledge requirement for violations of the books-and-records provisions.  But there’s also no criminal liability without that knowledge.  Perhaps it’s theoretically possible, but it just doesn’t happen, and the Department has better things to do with its limited resources.

I see the appeal of a compliance defense, but I just don’t think people have thought through the collateral consequences, the real-world consequences of what it would mean internally for corporations and for their relationship with the Department.

This article was originally posted in Forbes.com.


This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. 

Blog at WordPress.com.