Early last month, the OECD released its first Foreign Bribery Report. According to Angel Gurria, the organization’s Secretary-General, the report “endeavors to measure, and to describe, transnational corruption based on data from the 427 foreign bribery cases that have been concluded since the entry into force of the OECD Anti-Bribery Convention in 1999.” The report as a whole is quite interesting, but I would like to hone in on the OECD’s findings regarding who engages in bribery, and how this should change how we approach arguments on whistleblower internal reporting requirements.
The report found that, contrary to popular belief, in the majority of cases senior management were aware of or endorsed the payment of whatever bribe occurred (in 41% of the cases senior management was implicated, in 12% even the highest level executives were aware of the bribe being paid). As the report notes, this “debunk[s] the “rogue employee” myth,” and this, I would argue, calls into question internal reporting requirements as a means of combating foreign bribery.
The rogue employee myth would have us believe that bribery more often than not results from the independent acts of mid-level officials; for example, the manager of a distribution center paying a customs official to process goods faster or the head of a local construction branch slipping a stuffed envelope into a bid for a public roads contract. As it is hugely impractical for multinational corporations which employee thousands of individuals and operate in diverse jurisdictions to monitor each and every mid-level manager, it seems unfair—to say nothing of economically destructive—to punish the company as a whole for actions outside its control. Governments do, however, want to encourage corporations to develop internal anti-bribery mechanisms. These mechanisms are intended not only to detect and punish bribery, but they are thought to be uniquely suited to the corporation in question, so as to discourage bribes from being paid in the first place. In order to develop such robust systems, companies need to be aware of how bribes are being paid by their employees. This is where the arguments in favor of internal reporting requirements come in.
As Lauren discussed in an earlier post, Switzerland is currently considering a legal change that would require all potential whistleblowers to first inform the corporation of the alleged misconduct (except in situations where there is a risk to life, health or safety); only if the corporation takes no action whatsoever may the whistleblower contact an outsider. In the US, after much debate, the SEC determined that the Dodd-Frank Act’s whistleblower rules would strongly encourage, though not require, internal reporting through the following mechanisms: 1) making the whistleblower eligible for a financial award if the whistleblower reports internally and the company informs the SEC of the corrupt actions; 2) allowing the whistleblower to “hold his place in line,” such that, should the corporation not self-report and should the individual then contact the SEC, the SEC will treat the information as “original information” eligible for reward if it was not known to the SEC at the time of the internal reporting; and 3) allowing for a whistleblower’s voluntary participation in an internal compliance program to support increasing the award amount (and treating a whistleblower’s interference with an internal compliance program as a factor which may decrease the amount).
The basic idea is that in encouraging whistleblowers to first report misdeeds internally, companies are given access to the information necessary to develop effective anti-bribery mechanisms. In a positive feedback loop, the development of a functioning and effective internal anti-bribery system encourages more of those who observe misdeeds to come forward, as they have confidence that the company backs them up. Finally, internal reporting gives the company the opportunity to self-report to government authorities, allowing for mitigated sanctions and/or settlements should investigation and prosecution follow. To varying degrees each of these arguments implicitly assume that companies are in the dark when it comes to the sources of corruption within their own organization; they are the victims of “rogue employees”; internal reporting requirements give them the information they need to fight the good fight.
This assumption, however, is belied by the OECD’s finding that more often than not it is those at the very top who condone the payment of bribes. An internal reporting program may be successfully isolated from the influence of mid-level managers, even if those managers directly supervise the whistleblower, but it is decidedly less probable that an internal reporting system would be well and truly isolated from the executive leadership. That being the case, internal reporting requirements and incentives (1) may actively discourage potential whistleblowers from coming forward because employees lack confidence in a system ultimately overseen by those it is designed to police; or (2) even worse, could provide the upper-level management with important information on when and how bribes are observed, thereby better equipping them to shield future bribes, while also allowing them to self-report the internally reported incident, use a mid-level employee as a scapegoat, and protect the company from higher sanctions. While this may seem a bit too much like a conspiracy theory, it is worth noting that, as Patrick Moulette, head of the OECD’s anticorruption division noted, “Most of the time the bribes are made with the knowledge of senior management which is surprising because in most cases of international bribery sanctions are imposed on second row employees.”
Internal reporting is important, but companies should be made to create the incentives for internal reporting themselves rather than relying on external requirements or encouragements. In competing to be a whistleblowers’ first call, companies will develop more robust compliance programs as well as demonstrate the seriousness of their commitment to their employees. Companies could offer rewards at a lower threshold than the Dodd-Frank minimum sanction of $1 million, could voluntarily develop and publicly enforce anti-retaliation measures, or could routinely have their compliance programs publicly audited by independent organizations. In instituting internal reforms, rather than relying on external incentives, corporations demonstrate that they take their compliance program seriously. If employees trust that their complaints will be handled well, they’ll rely on the internal system; if an employee doubts the internal system, perhaps—particularly given the OECD’s findings that complicity in bribery more often than not reaches to the highest level of a company—it’s better for the anti-bribery fight not to push them in that direction.
GAB | The Global Anticorruption Blog 
I’m not as convinced as you are that the OECD Report debunks the “rogue employee myth,” for reasons that I’ll develop in a post later this week. But on the policy question, I tend to agree with you: though I can see the plausible arguments on the other side, I don’t think we should require whistleblowers to report internally in all cases in order to be entitled to anti-retaliation protection or to receive a reward–though I do think creating strong incentives for internal reporting is desirable. The only point I want to make here is that one can believe that cases in which bribery is directed by the CEO or other senior corporate officers may be relatively rare, but still support the SEC’s position on whistleblower rewards (and oppose the proposed Swiss law Lauren discussed). The reverse position–C-Suite directed corruption is common, internal reporting should be required first–is also possible, I suppose, but seems to me harder to defend.
This is great — but isn’t there some value in creating a paper trail that definitively proves upper management had knowledge of bribes being paid on their behalf? I ask this but perhaps already know how you are going to answer, with your “conspiracy theory.” Your theory, I think, would say that whatever paper trail would be created would show how upper management learned of the bribery, took care of it through the proper channels, and then the paper trail would stop because management simply allowed the same activity to go on afterwards, just so long as it is not reported. I see how such a scenario would militate against internal reporting requirements, but perhaps I am just struggling to imagine a C-suite that is so cynical and so reckless as to take that course of action. Maybe I’m just naive, but the incentives seem to cut the other way, and that’s the whole point of an internal reporting system.
Is there an analogy here to the anti money-laundering laws? The Bank Secrecy Act requires financial services firms to generate a paper trail to be shared with the government whenever a transaction looks “suspicious.” These reports can be used against the financial services firm if they somehow failed to mitigate the continued use of their services for purposes that they know are illicit after receiving the reports. Now I’m moving into justifying all internal compliance, but I think the analogy generally works.