As I continue my exploration of the new Department of Justice (DOJ) policy regarding Foreign Corrupt Practices Act (FCPA) enforcement, the FCPA Corporate Enforcement Policy (Policy), one of the things that struck me was the sound of the death-knell, once and for all time, of the call for a compliance defense. The protocol set up by the DOJ is certainly creative and perhaps even unique in federal criminal law enforcement. The enforcement aspects, coupled with the incentives provided to corporations and the detailing of compliance best practices, are much more comprehensive to and robust for the advancement of corporate compliance than any argument for a compliance defense.
In considering the new Policy, most practitioners have started with the presumption that if a company meets the requirements under the new Policy, they will receive a declination. There are a variety of factors present in FCPA enforcement actions which would lead the DOJ to make this blanket offer. As stated in the new Policy “The investigation and prosecution of particular allegations of violations of the FCPA will raise complex enforcement problems abroad as well as difficult issues of jurisdiction and statutory construction.”
Those who advocate a compliance defense argue it will somehow drive more compliance. Of course, there has never been any evidence to back up this claim. The structural problem with the compliance defense is it is simply a paper program to give companies cover as they look the other way while their employees engage in bribery and corruption. It is designed to a be a ‘wink-wink, we told you not to do it.’ Companies would then claim any FCPA violation is all those “rogue” employees out there and a company certainly cannot be expected to control its own workforce. The compliance defense is designed neither to encourage the doing of compliance nor operationalizing compliance in a company. It is simply designed to give companies a way to argue to the DOJ it is not our responsibility while not moving forward in the fight against international bribery and corruption one iota.
Yet perhaps the most basic misunderstanding that those advocating the compliance defense make is that there is simply a binary choice to be made: us vs. them; guilty vs. not guilty, conviction at trial vs. no conviction at trial. They fail to understand that the underpinnings of FCPA enforcement have always held a much broader view. It was true at the time of the FCPA’s enactment in 1977 and it is even more true today. The new Policy recognizes this unusual nature in the international fight against bribery and corruption. George J. Terwilliger III, writing in the FCPA Blog, said, “The new policy is grounded in the notion that companies and the government have a shared interest in securing the rule of law, which in this context includes global commercial markets freed from the influence and corrosive effects of corruption.”
This is the brilliance of the new Policy, as not only does it encourage doing compliance by mandating an operationalized compliance program. The new Policy also requires a company to do much more than simply operationalize compliance. Each component of the new Policy moves this notion forward. First there is a presumption created, not a guarantee, that a company will receive a declination. This is important for not only the aggravating factors that the Policy listed, “involvement by executive management of the company in the misconduct; a significant profit to the company from the misconduct; pervasiveness of the misconduct within the company; and criminal recidivism.” The carrot of a declination requires other steps and continuation of those steps throughout the investigation and enforcement process.
A company must voluntarily self-disclose with three requirements. It has to be (1) “prior to an imminent threat of disclosure or government investigation”. (2) The self-disclosure must be “within a reasonably prompt time after becoming aware of the offense,” which the company must demonstrate. (3) Finally, the company must disclose, “all relevant facts known to it, including all relevant facts about all individuals involved in the violation of law.” This means the company cannot wait until it is on the front page of the New York Times (NYT) or Wall Street Journal (WSJ) to then come in and report. The company cannot sit on the discovery as multiple US companies have done around their disclosures of data breaches. Finally, the new Policy continues the Yates Memo mandate that companies will have to continue to produce “Yates Binders” of information about the illegal conduct, including evidence of culpable individuals.
A company must proactively cooperate fully with the DOJ during the pendency of the investigation. This cooperation mandates presentation of the facts, in a manner not designed to violate attorney/client privilege, together with timely updates. There must be timely document security and if a company claims it is limited on information it can get out of another country into the US, the burden is on the company to demonstrate this legal restriction and not simply hide behind a foreign law. The new Policy also requires the company to find a way to get the evidence to the US stating, “Moreover, a company should work diligently to identify all available legal bases to provide such documents.” The Policy addresses two key issues not previously addressed formally by the DOJ. The first is requiring de-confliction with the DOJs investigation or other ongoing investigations. The second is to recognize that employees have Fifth Amendment rights in internal company investigations. Finally, and perhaps most timely in light of the latest Uber revelation, requires companies to prohibit “employees from using software that generates but does not appropriately retain business records or communications”.
I have written at length about the compliance program aspect of the new Policy. Here I would only note that it incorporates the 10 Hallmarks of an Effective Compliance Program by reference, certain requirements first articulated under the 2016 FCPA Pilot Program and requirements from the Evaluation of Corporate Compliance Programs. In one document, compliance practitioners can determine the most current best practices in compliance. This is welcomed by the compliance community.
The new Policy formalizes the declination with disgorgement, created under the FCPA Pilot Program. This formalization also works to further the goals of anti-corruption enforcement by recognizing companies should not retain their ill-gotten gains, which is also antithetical to the concept of the compliance defense which allows retention of such gains. This is an appropriate sanction.
The new Policy furthers the goals of global anti-corruption enforcement but does it a way in which all the stakeholders involved are a part of that effort. It gives companies a very bright line to work towards, with the presumption of a full declination to follow at the end. This is a much more well-rounded approach for incentivizing not only the increased importance of compliance but also other goals of cooperation, investigations and returning monies not obtained in legitimate commerce. As Telwelliger noted, the Policy is “a welcome step in a more positive relationship between government enforcers and the vast majority of U.S. businesses that are committed to legal compliance and strong business ethics.” It is this commitment to doing compliance and business ethics through operationalizing of compliance which will drive corporate compliance programs and the compliance profession forward, not a paper-program compliance defense.
[View source.]
