FCPA Compliance and Ethics Blog

March 26, 2013

McNulty’s Maxim No. 3 and Response to Allegations of Bribery

In a Wall Street Journal (WSJ) article by Chris Matthews, Joe Palazzolo and Shira Ovide, entitled “U.S. Probes Microsoft Bribery Allegations”, they reported that the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) were investigating “kickback allegations made by a former Microsoft representative in China, as well as the company’s relationship with certain resellers and consultants in Romania and Italy”. A whistleblower alleged that an executive of Microsoft’s China subsidiary had told the whistleblower “to offer kickbacks to Chinese officials in return for signing off on software contracts”. Additionally, they reported that “investigators are also reviewing whether Microsoft had a role in allegations that resellers offered bribes to secure software deals with Romania’s Ministry of Communications”.

Interestingly, as reported by Chris Matthews in a WSJ post in Corruption Currents, entitled “Microsoft Responds to FCPA Allegations”, Microsoft publicly responded to the reports. Matthews reported that Deputy General Counsel (GC) John Frank wrote in a blog post “As our company has grown and expanded around the world, one of the things that has been constant has been our commitment to the highest legal and ethical standards wherever we do business”. Frank also said that “The matters raised in the Wall Street Journal are important, and it is appropriate that both Microsoft and the government review them.”

Commenting on this situation with Microsoft, Alexandra Wrage, President of Trace International, wrote an article on Forbes.com, entitled “Microsoft And The Rising Federal Scrutiny Of Bribery”, where she said, “All of this should not be discouraging to companies worried about complying with anti-bribery laws. Strong compliance programs, even those that fail to prevent all forms of bribery, do provide protection from liability. “[A] company’s failure to prevent every single violation does not necessarily mean that a particular company’s compliance program was not generally effective,” write the DOJ and SEC in their recently published Resource Guide to the FCPA. “[The] DOJ and SEC…do not hold companies to a standard of perfection,” the Guide continues. This may not be enough to guarantee corporate compliance officers a full night’s rest, but it should provide some comfort.”

Wrage also noted that the Microsoft investigation underscores the fact that, with any company that does business internationally, you cannot watch all the people, or indeed all the third parties, all the time, and that violations of anti-corruption laws such as the FCPA, or anti-bribery laws such as the UK Bribery Act, are a constant risk in worldwide business operations. She believes that Microsoft, by all accounts, would appear to have a robust anti-bribery compliance program. She understands that Microsoft’s Standards of Business Conduct sets out a strict policy against bribes, quoting it for the following:

“Microsoft prohibits corruption of government officials and the payments of bribes or kickbacks of any kind, whether in dealings with public officials or individuals in the private sector. Microsoft is committed to observing the standards of conduct set forth in the United States Foreign Corrupt Practices Act and the applicable anti-corruption and anti-money laundering laws of the countries in which we operate.”

The company also requires all outside vendors to read and comply with the Microsoft Vendor Code of Conduct, which also prohibits incentives such as kickbacks or bribes.

But, as she says, for a large multinational like Microsoft, which has offices in more than 100 countries, such a policy does not always mean that thousands of business partners all across the globe will be compliant all of the time. Indeed, as admitted by Microsoft Deputy GC Frank in his blog post, “In a company of our size, allegations of this nature will be made from time to time. It is also possible there will sometimes be individual employees or business partners who violate our policies and break the law. In a community of 98,000 people and 640,000 partners, it isn’t possible to say there will never be wrongdoing.”

I think the final quote from Frank above points to the specific usefulness of the Guidance, which states, “In the end, if designed carefully, implemented earnestly, and enforced fairly, a company’s compliance program—no matter how large or small the organization—will allow the company generally to prevent violations, detect those that do occur, and remediate them promptly and appropriately.” These three clauses point to Paul McNulty’s three maxims, but the Microsoft response points to McNulty Maxim No. 3, “What did you do about it?”

I have asked Paul what he meant by this which he broke down into two parts. The first part is did you investigate it thoroughly and did you remediate those factors which led to the underlying issue? As reported by Matthews, Palazzolo and Ovide “The allegations in China were also the subject of a 10-month internal investigation that Microsoft concluded in 2010, according to people briefed on the internal investigation. The probe, conducted by an outside law firm, found no evidence of wrongdoing, these people said.” As noted above, DOJ and SEC lawyers are now looking at these allegations, as well as those issues in Romania and Italy.

The second part is what remediation did you do? At this point it is not clear what remediation, if any, will be appropriate, so we may have to leave that prong open at this time. However, there is one other matter brought up by the Guidance that is certainly raised in the context of this Microsoft matter that should be looked at. It is government involvement. One of the nine factors listed in the US Sentencing Guidelines states, “the corporation’s timely and voluntary disclosure of wrongdoing and its willingness to cooperate in the investigation of its agents”. Further, the Guidance makes clear throughout that a company benefits from self-disclosing and cooperating with the government. While it is not clear if Microsoft self-disclosed anything back in 2010 when it conducted its internal investigation, it does appear that it is cooperating with the DOJ and SEC at this time.

While several commentators have pointed to this Microsoft matter as an example of how difficult it might be to do business in full compliance with the US Foreign Corrupt Practices Act (FCPA) all the time, I draw a different lesson from this matter. I believe that an aggressive approach to McNulty Maxim No. 3 shows that it is not about how hard it is to do business internationally, or that the FCPA is too difficult to follow; rather, it is the strength of your compliance program and your response to allegations which should be the determinative factor for compliance. I think McNulty’s advice was good when I initially heard it and I think it is good now. Moreover, it is a part of the FCPA Guidance, which shows it is not just how McNulty might think through these issues but how the DOJ and SEC do so as well.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

December 18, 2012

Banks Behaving Badly or Brother Can You Spare A Billion (or Two)?

Remember when a billion dollars was real money? Over the past couple of weeks there have been some mammoth fines paid by financial institutions for conduct, which would appear to fall under the category of “Banks Behaving Badly”. Last week HSBC agreed to pay a fine of $1.92 billion for its transgressions involving money laundering. UBS is in the final stages of negotiations to pay $1.5 billion to resolve allegations that it tried to rig interest rate benchmark (i.e. ‘Libor’) to boost trading profits. Finally, on December 10, coming in at a paltry $327 million are our old friends Standard Chartered, which admitted processing thousands of transactions for Iranian and Sudanese clients through its American subsidiaries; subsequently to avoid having Iranian transactions detected by the US Treasury Department computer filters, Standard Chartered deliberately removed names and other identifying information, according to the authorities. All in all, it’s not been a bad couple of weeks for the US Treasury, given the current stalemate over the ‘fiscal cliff’ and the need to reduce the US deficit.

For those of you keeping score at home, we present our updated Banks Behaving Badly Box Score of Settlements:

Banks Behaving Badly – Box Score of AML Settlements

| Bank | Amount | Date of Settlement |
|---|---|---|
| Lloyds TSB Bank | $567MM | December 2009 |
| Credit Suisse | $536MM | December 2009 |
| ING Bank | $619MM | June 2012 |
| Royal Bank of Scotland | $500MM | May 2012 |
| Barclays | $298MM | August 2012 |
| Standard Chartered – NY state | $340MM | August 2012 |
| Standard Chartered – Federal | $327MM | December 2012 |
| HSBC | $1.92BN | December 2012 |
| Total | $4.004BN | |

Banks Behaving Badly – Box Score of Libor Manipulation Settlements

| Bank | Amount | Date of Settlement |
|---|---|---|
| Barclays | $450MM | June 2012 |
| UBS | $1.5BN (proposed) | December 2012? |
| Total | $1.95BN (proposed) | |

If you do not have a calculator handy, for the 2012 banking season alone, that is $4,004,000,000 all going to the US Treasury thanks to our friends at Banks Behaving Badly. If you want to sneak a peek at what it might look like if the UBS settlement comes through, just add on an additional $1.5 bn so that is over $6 billion in fines, penalties and disgorged profits from one industry sector in one year. And people have the temerity to complain about the energy industry being corrupt.

So what is the cause of ‘Banks Behaving Badly’? Back in June, at the time of the Barclays Libor manipulation settlement, the Financial Times (FT) wrote on its Op-Ed page in the piece entitled “Shaming banks into better ways” that “few have shone such an unsparing light on the rotten heart of the financial system” and then went on to say “nothing less than a long-running confidence trick played on the public for personal and institutional advantage” and even pointed out the “rotten culture at Barclays”. The FT editorial clearly focused on ethics when it said “But beyond the questions about legality there is a bigger worry about the wayward behavior of the financial sector.” The FT editorial concluded by telling banks that if “banker-bashing is to stop, the banks themselves must change.” Typical British understatement at its finest wouldn’t you say?

The HSBC settlement was announced by Lanny A. Breuer, Assistant Attorney General of the Justice Department’s Criminal Division. In the Department of Justice (DOJ) Press Release it was reported that HSBC received a Deferred Prosecution Agreement (DPA) which required, among other things, that it “committed to undertake enhanced AML and other compliance obligations and structural changes within its entire global operations to prevent a repeat of the conduct that led to this prosecution.  HSBC has replaced almost all of its senior management, “clawed back” deferred compensation bonuses given to its most senior AML and compliance officers, and has agreed to partially defer bonus compensation for its most senior executives – its group general managers and group managing directors – during the period of the five-year DPA.  In addition to these measures, HSBC has made significant changes in its management structure and AML compliance functions that increase the accountability of its most senior executives for AML compliance failures.” There will also be an independent outside monitor appointed to oversee the bank’s compliance efforts and report periodically to the DOJ.

Even with all the above and the fines, penalty and profit disgorgement, the DOJ has come under withering criticism both for letting HSBC off so lightly, with a DPA, where “HSBC Bank USA failed to monitor over $670 billion in wire transfers and over $9.4 billion in purchases of physical U.S. dollars from HSBC Mexico”, and because no individuals were indicted. CNN reported that Sen. Charles Grassley, R-Iowa, sent a stinging letter to Attorney General Eric Holder, calling it “inexcusable” for the department [DOJ] not to prosecute criminal behavior by HSBC. Senator Grassley’s letter was quoted as saying, “What I have seen from the department is an inexplicable unwillingness to prosecute and convict those responsible for aiding and abetting drug lords and terrorists.” Further, “By allowing these individuals to walk away without any real punishment, the department is declaring that crime actually does pay,” Grassley asserted.

Halah Touryalai, in an article entitled “Final Thought On HSBC Settlement: How Much Bad Behavior Will We Tolerate?” in forbes.com, put it another way. Touryalai asked “What’s a bank got to do to get into some real trouble around here?” She went on to say, “So, let’s get this straight. A major global bank failed to catch activity that put our country’s security at risk and now it is sorry… The HSBC case brings to the forefront a big question for the U.S.: How much are we willing to tolerate from financial services companies? If we’re looking at the HSBC case then a lot, apparently.” Finally, Touryalai spoke for many when she said, “The scary part about the HSBC settlement is that U.S. authorities are essentially saying they couldn’t act on criminal charges because it would harm the larger financial system. That’s got many calling HSBC (and potentially others) too-big-to-jail.”

However, the DOJ had many data points to factor into its calculus on settlement. First, and foremost, (apparently) remains Arthur Andersen. If the DOJ had pushed for a criminal settlement, would it have debarred HSBC from doing business with the US government or its monies going through the US banking system? What would be the effect of such a remedy? What if the DOJ had pushed too far and HSBC felt it had no choice but to go to trial, would they have been Arthur Andersen’d out of business? Perhaps this is a variant of the “too big to fail” argument, called the ‘too-big-to-put-out-of-business’ argument.

But there is another reason for the specific terms of the HSBC settlement, which was discussed by Lanny Breuer during the news conference. He stressed the extraordinary cooperation by HSBC during the investigation in addition to the structural changes the bank put in place as noted above. If the DOJ wants to obtain the highest level of cooperation from a defendant during an investigation, turning around after such cooperation and indicting either the entity or a bunch of its employees will most probably end such a level of cooperation. My guess is that the DOJ wants to encourage as much cooperation as it can from parties under investigation. That would include greater compliance after the resolution in addition to extraordinary cooperation during the investigation. However, this may not be enough to quell the critics. So the DOJ may be stuck in the position of damned if they do (indict) and damned if they don’t (indict).

But whatever your take on the DOJ’s position as to HSBC, it certainly has been a year of reckoning for “Banks Behaving Badly”.


© Thomas R. Fox, 2012

November 21, 2012

Why Perform Due Diligence?: “That’s PR Speak for fraud”

Yesterday brought some very interesting news from both ‘across the pond’ and here in the US. From the UK, there was the news of the arrests of former News Corp head honchos Rebekah Brooks, who ran Murdoch’s newspaper holdings in Britain, and Andy Coulson, former editor of the now defunct News of the World. Dominic Rushe, writing in the Guardian, quoted the FCPA Professor who said it “would be hard for the Department of Justice [DOJ] and the Securities and Exchange Commission [SEC] to ignore. We have been hearing allegations for a year and a half now, now we clearly have charges against high ranking officials at a foreign subsidiary.” More ominously, Rushe cited a report from The Daily Beast that the “Daily Beast alleged that the Murdoch tabloids the Sun and the New York Post may have made payments to a US official on American soil in order to obtain a photo of a captive Saddam Hussein, the deposed Iraqi leader, in his underwear.” Rushe did note that “News Corporation has denied the claims.” But we will leave a more detailed discussion of the events for a later post.

The second piece of news was almost as breath-taking. As reported in the Wall Street Journal (WSJ), Hewlett-Packard (HP) wrote down $8.8bn of its $11bn purchase value of the UK Company Autonomy. HP said “that an internal investigation had revealed “serious accounting improprieties” and “outright misrepresentations” in connection with U.K. software maker Autonomy.” Further, according to HP Chief Executive Officer (CEO) Meg Whitman, “”There appears to have been a willful sustained effort” to inflate Autonomy’s revenue and profitability. This was designed to be hidden.” Speaking more bluntly (as always) Francine McKenna, in her post entitled “Hewlett-Packard’s Autonomy Allegations: A Material Writedown Puts All Four Audit Firms On The Spot”, in forbes.com said “That’s PR-speak for fraud.”

Not to be outdone, the WSJ reported that “Michael Lynch, Autonomy’s founder and former CEO, fired back hours later, denying improper accounting and accusing H-P of trying to hide its mismanagement. “We completely reject the allegations,” said Mr. Lynch, who left H-P earlier this year. “As soon as there is some flesh put on the bones we will show they are not true.”” In other words, Lynch accused HP of mismanaging his former company and destroying its value in less than 12 months. It should also be noted that the Autonomy acquisition was pushed through by the former CEO of HP, Leo Apotheker; not the current CEO.

I thought about the HP story in the context of the section in the recently released DOJ/SEC A Resource Guide to the U.S. Foreign Corrupt Practices Act (FCPA) on successor liability and why a company needs to perform pre-acquisition due diligence:

First, due diligence helps an acquiring company to accurately value the target company. Contracts obtained through bribes may be legally unenforceable, business obtained illegally may be lost when bribe payments are stopped, there may be liability for prior illegal conduct, and the prior corrupt acts may harm the acquiring company’s reputation and future business prospects. Identifying these issues before an acquisition allows companies to better evaluate any potential post-acquisition liability and thus properly assess the target’s value.

It should be noted that Autonomy’s outside auditor before the deal, Deloitte UK, gave the company a clean bill of health. Further, HP had its own outside auditor, KPMG, brought in at the pre-acquisition stage to conduct due diligence work, which was essentially to check Deloitte’s audit work of Autonomy. In other words, two of the world’s top auditing firms reviewed Autonomy’s books and records and gave the entity’s financial statements a passing grade.

Once, when asked why men play football, Jets coach Herm Edwards emphatically said “You play to win the game.” I think people need to realize that compliance due diligence under the FCPA can be used to help companies do more than uncover potential FCPA issues; it can also help correctly assess the value of target companies. It might help prevent multi-billion dollar write downs. Unless of course the target company has engaged in an ongoing, long term fraud…

Happy Thanksgiving to all…


I will be discussing the recently released FCPA Guidance next Tuesday afternoon in a webinar, hosted by World Compliance. The event will be held at 2 PM CST. Details and registration can be found here. I hope that you can attend.



© Thomas R. Fox, 2012

October 24, 2011

Against An FCPA Compliance Defense


Ed. Note-I had attempted to write a piece on this subject for some time. However, after I saw this posting last week by Howard Sklar in his column in Forbes.com, I found this piece much better than I could have ever articulated my thoughts, so I have abandoned my efforts. With Howard’s permission, I reprint his posting entitled “Against an FCPA Compliance Defense” posted October 18, 2011, in full.

Howard Sklar

There has been a serious push lately to amend the FCPA to include a compliance defense.  A compliance defense, according to the Chamber of Commerce’s Institute for Legal Reform (a chief proponent of FCPA reform), would allow companies to avoid liability “if the individual employees or agents had circumvented compliance measures that were otherwise reasonable in identifying and preventing such violations” (from the Institute’s publication “Restoring Balance: Proposed Amendments to the Foreign Corrupt Practices Act”).  A compliance defense is allegedly needed because “a company can now be held liable for violations committed by rogue employees, agents or subsidiaries even if the company has a state-of-the-art FCPA compliance program.”  This past summer, the House Judiciary Committee held a hearing (watch the video or read the transcript) to discuss FCPA enforcement and the amendments suggested by the Chamber of Commerce.  The “rogue employee” quote comes from the testimony of Hon. Michael Mukasey, former Attorney General of the United States, at that hearing. Concerns about a rogue employee aside, I am against an FCPA compliance defense.

I believe a compliance defense would not in fact be effective in giving companies the additional clarity or comfort in the design or implementation of their anti-corruption compliance program that Attorney General Mukasey advocates.  I also believe that a compliance defense could lead to unintended and adverse consequences that could seriously degrade the effectiveness of anti-corruption programs, and perversely lead to more risk and less effective risk mitigation.

I can see the appeal, however.  First, the UK Bribery Act has a purported compliance defense (as does the Italian anti-bribery law).  Second, corporations feel, rightly or wrongly, that their efforts at compliance don’t generate the benefit with the Department that they deserve.  As a consequence of this perceived lack of return on investment, corporations might feel an aversion to deep investigations of misconduct:

The system now in place has conflicting incentives.  On the one hand, an effective compliance program can hold out a qualified promise of indeterminate benefit should a violation occur and be disclosed.  On the other hand, if all that can be achieved is a qualified and indeterminate benefit, there is a perverse incentive not to be too aggressive lest wrongdoing be discovered, and there is a resulting tendency of standards to sink to the level of the lowest common denominator, or at best something that is only a slight improvement over it.  This Catch-22 policy doesn’t really serve anyone’s interest. (Mukasey’s written statement).

In his written testimony, Mukasey also emphasizes that the Department has taken other steps to induce and provide positive reinforcement to efforts to develop and implement an effective compliance program.  He writes, “[t]he absence of a compliance defense tells corporate America, in effect, no compliance effort can be good enough—even if you did everything we required, we still retain the right to prosecute purely as a matter of our discretion.”  I respectfully disagree.  It’s not that “no compliance effort is good enough.”  Corporations regularly get significant credit for having effective programs.  Corporations even get credit for promising to implement more effective ones (Alcatel and Johnson & Johnson come to mind).

Credit for good compliance is, in fact, mandated by the DOJ’s own prosecution guidelines.  The “Principles of Federal Prosecution of Business Organizations,” the Department of Justice’s official policy on what they consider when instigating a prosecution of a company, includes a requirement that prosecutors consider “the existence and effectiveness of the corporation’s pre-existing compliance program.”  Mukasey is correct that the Department’s actions underscore the importance of effective compliance.  In fact, the Department goes so far as to describe—in detail—exactly what they want companies to implement.  In each of the recent Deferred Prosecution Agreements, there is an appendix (colloquially referred to as “Schedule C,” after its place in the overall DPA) that lays out twelve elements to an effective compliance program.  More important than even Schedule C, however, is the information that trickles out of the DOJ on cases they decline to prosecute.  One element that is common among declinations is the existence of a robust compliance program.

A reasonable question follows from this discussion: if the Department places such emphasis on compliance, and everyone agrees that a company that does its utmost should get credit, up to getting a pass on prosecution, what does it hurt to embody that in legislation?

At best, in my opinion, making compliance an affirmative defense is useless.  Companies cannot and will not raise affirmative defenses.  The reason for this is simple: for a company to raise an affirmative defense, it has to actively defend itself in an FCPA litigation.  Corporations cannot afford to fight these cases through to the stage where an affirmative defense becomes relevant.  Doug Bain, the former General Counsel of Boeing, put it best when describing the effect on Boeing if it were to be indicted:

So what’s the impact if we get indicted or convicted?

Besides the normal fines and that kind of stuff, there’s a presumed denial of export licenses, and that would be both on the commercial and the government side. In a moment, I’ll give you an idea of why we are concerned about that one.

We can get re-suspended or all of IDS (Integrated Defense Systems) can be debarred.

We can lose our security clearances.

And one nasty little thing is that the Bureau of Alcohol, Tobacco and Firearms, which has an almost explicit prohibition on possessing explosives. For those of you who are at BCA [Boeing Commercial Airplanes], you might remember that every single door on an airplane has actuators that are triggered by explosives.

[Read the whole speech; it’s worth the time.]

Even if a company wins eventually, oftentimes the damage is done: see, e.g., Arthur Andersen.

A company, therefore, cannot rely on a defense that requires it to fight.  What companies are left with is an argument to the Department during negotiation that “if we were to fight the case, we could rely on the affirmative defense.”  Why a company would rather make that kind of aggressive argument over a more cooperative, “look at our wonderful compliance program,” I don’t know.  In either case, it’s up to the Department to decide how much weight to give the compliance program.  Plus, legislating the defense would allow the Department, at its discretion, to ignore the compliance program during negotiations, and in fact use the defense as a sword.  “If you think your program is so great, raise that as an affirmative defense,” knowing that it’s not a realistic possibility for companies.  I believe the Department is reasonable, and wouldn’t invoke that often, but there are contentious negotiations and situations where the Department has lost confidence in the company’s forthrightness, and I could imagine the Department taking a harder stance.  Plus, there’s no way that legislation would be completely prescriptive.  Even in the Chamber of Commerce’s own formulation, the company’s program would have to be “reasonable” in its design.  Who would decide what’s “reasonable?”  The Department would; and we’re back to “who’s on first?”

Even worse than weakening a company’s bargaining position with the Department, the affirmative defense could give companies a false sense of security that, combined with other recent regulations, can seriously degrade internal risk management.

A company’s decision to self-disclose takes numerous factors into account: factual, contextual, and political.  Most corporate internal investigations—the vast majority—never see the light of day.  Companies receive allegations through some internal channel (or external channel that doesn’t bring the matter to a regulator’s attention), investigate the case internally, and either find no substantiation, or discover real issues but then institute mitigation actions and call it a day.  It’s difficult to describe the level of resistance internally to making a self-disclosure to the Department that’s truly voluntary.  Getting a call from a reporter asking for comment, and then calling the Department isn’t what I’d call “truly voluntary.”  Making a truly voluntary disclosure is a Herculean task.  First, your anti-corruption compliance officer needs to convince the Chief Compliance Officer.  Then the CCO needs to convince the General Counsel.  Then the decision goes to senior business management and the Board of Directors.  Everyone knows that it’s a disclosable event.  And so everyone is looking for an excuse not to disclose (one person I know called it “putting six bullets in a six-shooter and pointing it at your leg.”  Inevitable, inescapable pain follows).  Even in today’s world, the task is near impossible.  An affirmative defense would give an additional excuse not to disclose.  “Sure, it might be a violation,” the argument goes, “but we can rely on our effective compliance program as an affirmative defense.”  And yet often the business’ evaluation of effectiveness and the Department’s is, to put it gently, at odds.  Compliance is a cost center into which companies regularly underinvest.

Further, no compliance officer would ever say that a program is fully “effective.”  It would eviscerate, for all time, any attempt to enhance the program.  Or at least to enhance it in a way that actually costs money.  So there would be documents out there that talk about areas in which the program is not fully effective.  The Department would look at those documents and could use them as leverage to deny the company any benefit for their program.  Nor would any outside counsel—even the ones I like—ever certify a compliance program as “effective” without a huge number of caveats that would make the “certification” all but meaningless.

The other huge loss is that the company would get no benefit for efforts to enhance the program.  Remember, Alcatel got a huge benefit for its promise to stop using third-party agents.  Where would that fit in?  Ah, you say, but the Department would still take that into account.  Really, who says?  As I said before, once the effect of an effective compliance program is defined by statute, the Department can rely on that definition also.  The Principles of Prosecuting Business Organizations was made by the Department, and it can be altered by the Department.  And is subject itself to a pre-emption argument.  Or even less: an argument that the legislative branch has defined what “taking into account” means, and that it’s fulfilled by considering the affirmative defense.  And aren’t we then back to exactly what the Chamber now is saying is insufficient?

But who’s to say that the Department would get their hands on the document saying the program isn’t fully effective?  Please welcome to the conversation Sen. Dodd and Congressman Frank.  The Dodd-Frank Act’s whistleblower provisions, more than anything else they do, throw the self-disclosure calculus I was discussing earlier into mathematical discombobulation.  The SEC is already seeing 1-2 legitimate complaints every day through the Whistleblower Office.  And practitioners are seeing whistleblowers coming into the SEC with multiple inches of documents.  Companies can no longer afford the false confidence they had that investigations, once closed, would stay closed.  Remember, conducting a thorough investigation takes time, but the whistleblower has 120 days in which to report the misconduct to the SEC.  That’s too short a window to conduct a real investigation.

So now where are we?  We have a company whose own internal documents say their program isn’t fully effective, conducting a slipshod investigation, in complete denial about the chances of their investigation becoming public, and making disclosure decisions based on an affirmative defense that (a) they can’t actually use; (b) the Department knows they can’t actually use; and (c) doesn’t give them credit for the work that they’re doing to improve.

How is that better, exactly?

Nor do I give any weight to the fact that the UK Bribery Act has a compliance defense.  The UK Act’s defense of “adequate procedures” is designed to address a type of liability we don’t have here: strict liability for corporations.  A corporation can avoid liability for “failure to prevent bribery”—a section with no scienter requirement—by showing the presence of an effective program.  [n.b. I don’t know why people say that “failure by a corporation to prevent bribery” is a strict liability offense, then in the next breath talk about the defense to that very offense: perhaps they’re unclear on the definition of “strict liability”].  Corporate liability in the US is based on concepts of respondeat superior.  An employee acting for the corporation’s benefit can bring liability to the corporation.  But the vast majority of cases involving corporate criminal liability include knowledge and active participation by senior management.  We simply don’t see, for the most part, situations where criminal liability attaches to someone without knowledge.  At least not in the FCPA context.  This inconsistency with the knowledge requirement is the first argument made by the Open Society Foundations in their excellent rebuttal to the Chamber’s white paper.  (And although Mike Koehler takes them to task for failure to distinguish between respondeat superior and the third-party payment know-or-should-have-known scienter requirements, I don’t think that invalidates the rest of their argument like Prof. Koehler does.)

I could actually more see a compliance defense added to the books-and-records provisions enforced by the SEC.  It’s more analogous to the UK Bribery Act’s defense, and there is no knowledge requirement for violations of the books-and-records provisions.  But there’s also no criminal liability without that knowledge.  Perhaps it’s theoretically possible, but it just doesn’t happen, and the Department has better things to do with its limited resources.

I see the appeal of a compliance defense, but I just don’t think people have thought through the collateral consequences, the real-world consequences of what it would mean internally for corporations and for their relationship with the Department.

This article was originally posted in Forbes.com.


This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. 
