The U.S. Foreign Corrupt Practices Act (FCPA) exposes corporations to criminal (as well as civil) liability for acts committed by the corporation’s employees, pursuant to the standard principle of U.S. law the corporations are liable for the acts of their employees, if those acts were committed in the course of employment and for the benefit of the employer. This principle, in the FCPA context and elsewhere, has familiar advantages and disadvantages. The most straightforward advantage is that this “vicarious liability” gives corporations an incentive to establish robust compliance programs and to monitor their employees. The main disadvantage is that, because no compliance system is perfect, corporations might find themselves faced with substantial liability for acts committed by “rogue employees”. Moreover, precisely because of this concern, corporations might over-invest in anticorruption compliance, or might forgo certain transactions or investments, because of worries about FCPA exposure. This may be bad for society, not just the firm.
In the FCPA context, a range of critics have argued that the FCPA should be amended to add a “compliance defense,” so that a corporate defendant would not face criminal liability for the acts of its employees, so long as the corporation maintained an adequate system for promoting compliance with the FCPA’s restrictions. (The United Kingdom’s 2011 Bribery Act has such a defense.) Advocates of an FCPA compliance defense have suggested a range of possible forms the defense might take; critics have pushed back, arguing that the existence of the defense would undermine the fight against corporate corruption. My take on the debate over the compliance defense is somewhat different: I think the addition of an FCPA compliance defense, under current conditions, would have no significant effect on FCPA enforcement actions. A compliance defense would probably be neither good nor bad, but rather (mostly) irrelevant. Here’s why:
First of all, I’m going to eliminate from consideration two related possibilities. The first is a compliance defense that looks solely to the formal, on-the-books aspects of the compliance program—a so-called “check the box” approach. I don’t think any sophisticated advocates of a compliance defense endorse that approach anyway, and it’s pretty obvious why it would be a bad idea. Perhaps more controversially, I also don’t think it makes sense to entertain the possibility that the government might review a corporate compliance program in advance (so that the corporation that gets a passing grade from the government is presumptively off the hook for subsequent FCPA violations). Something like that could work if we had a check-the-box approach, but I don’t see how it would be feasible, at reasonable cost, for the government to verify that a corporation had a “genuine” compliance program ahead of time, particularly if there are hundreds of corporations that might apply for such verification. If we take those two possibilities off the table, that means that the adequacy of a corporation’s compliance program, under any reasonable version of a compliance defense, could not be determined until after the fact—that is, after an FCPA violation has already been uncovered.
This leads us to the second step in the argument: The U.S. Department of Justice (DOJ) already takes into account a corporation’s good-faith efforts to implement a meaningful compliance program when the DOJ decides whether to pursue an FCPA action against the corporation, and what penalties or other remedies to impose. Indeed, the adequacy of the corporation’s compliance program is a standard subject of negotiation between the DOJ and corporate defendants. To be sure, there are those who think DOJ doesn’t give corporations enough credit for the adequacy of their programs (and others who think, to the contrary, that DOJ gives corporations too much credit for programs that, by definition, have failed to prevent serious FCPA violations). But we’ll always have these debates. The point is that the DOJ already takes a corporation’s compliance program into account, and believes that it’s doing so properly. Therefore, the only way the formal addition of an FCPA “compliance defense” would alter outcomes is if it substantially altered the bargaining positions of the DOJ and corporate defendants.
And this brings us to the third and final piece of the argument: An FCPA compliance defense would only alter the DOJ’s bargaining position if a corporation unhappy with the DOJ’s position could either (1) convince the DOJ lawyers that the DOJ’s position is unreasonable in light of the corporation’s compliance program, or (2) credibly threaten to go to court and defeat the DOJ’s enforcement action altogether by successfully invoking the compliance defense before a federal judge. Possibility #1 seems unlikely for the reasons given above: DOJ lawyers already think of themselves as considering the adequacy of a corporation’s compliance program, and writing a defense into the law probably wouldn’t alter their thinking. Possibility #2 might make sense in some other context, but not in the context of FCPA actions against corporations. That’s because corporations are desperate to avoid formal criminal indictment—partly because of the reputational costs, and partly because there’s no guarantee that a judge or jury will ultimately deem the corporation’s compliance program sufficient to escape FCPA liability, and an FCPA conviction would be a disaster for the corporation.
In short, in order for the formal addition of an FCPA compliance defense to make more than a trivial difference in how these cases actually come out, one of two things would need to be true. Either the formal defense would need to make corporate defense counsel more willing to roll the dice at trial, or the existence of the defense would need to alter the DOJ lawyers’ perception of what counts as a reasonable resolution of corporate FCPA cases (even without a meaningful change in the probability of litigation). Neither possibility seems likely. If I’m right about that, then all the sturm und drang about the possibility of an FCPA compliance defense is mostly a waste of time and attention, and may be a distraction from more pressing issues.
What about making the compliance “defense” a pre-indictment phase of corporate criminal proceedings? To avoid litigating the merits during this phase, a corporation’s proof of a robust corporate compliance program could simply create a rebuttal presumption that the conduct at issue in the proposed indictment may not be imputed to the company.
To avoid making the FCPA any more unique than it already is (and because vicarious criminal liability is just as relevant in other statutes), this could be written into the Fed. R. Crim. P. for all corporate indictments.
That’s a clever idea, but I’m not sure whether that would make much difference. I’m not sure if you’re envisioning a judicial proceeding prior to indictment. If not, then it seems like this is more or less the system we have now. If so, then this would seem like a very cumbersome system — basically every FCPA case has to go to a pre-trial trial — unless the defendant could reach a diversion agreement with the government before even this stage, in which case we again get the system we have now.
To be clear, I agree that there ARE some things we could do if we wanted to create a meaningful corporate compliance defense. Some version of your proposal might be one of them. Or, more simply, we could pass a statute forbidding the use of DPAs/NPAs, or any pre-indictment diversion agreement. Or we could allow firms to submit their compliance programs in advance for pre-approval. Or we could create a private right of action, which would give corporations many more opportunities (and incentives) to invoke the compliance defense in litigated cases. But all these proposals have significant unattractive features.
My main point is that unless we want to take one or more of these additional steps, simply writing a compliance defense into the statute is unlikely to lead to any meaningful changes in the way the cases are resolved.
A very, very belated response – here’s hoping that you get an alert when new comments are posted.
First, I agree that a pre-indictment hearing is unworkable, for many reasons. That said, I’m not sure that a post-indictment, pre-trial judicial hearing necessarily would turn into a “pre-trial trial.” Courts currently have many types of pre-trial evidentiary proceedings on all types of issues, many of which are substantial. Summary judgment is the most obvious, but Markman hearings in IP cases might also be analogous. Indeed, a compliance defense proceeding might be even less cumbersome than those proceedings, as it shouldn’t require litigation of the underlying offense (in other words, if the availability of the compliance defense was predicated on the absence of the charged offense, it wouldn’t be particularly meaningful).
I think the bigger issue is how much discovery the DOJ would get regarding the corporation’s pre-existing compliance program. Assuming we enshrined the USSG’s compliance program elements as the elements of the defense, the DOJ might reasonably argue that it is entitled to information about:
(1) The organization’s governing authority’s “reasonable oversight” over the “implementation and effectiveness” of the compliance program;
(2) The organization’s “monitoring and auditing to detect criminal conduct;”
(3) The organization’s “appropriate disciplinary measures for engaging in criminal conduct;” and
(4) The organization’s periodic assessment of the risk of criminal conduct.
…among other things. Providing for this discovery might be dicey. In particular, does the DOJ get access to previous whistleblower complaints and information about how they were addressed?
On the other hand, the company might not be entirely adverse to providing this information – in the event that it didn’t avail itself of the compliance defense, it might be providing this information anyway during sentencing. And, as you point out, this really is all about pre-indictment bargaining – the company could always threaten to invoke the compliance defense during negotiations, even if it later declined to plead it post-indictment.
Lastly, however, I should note that because this would be a post-indictment, pre-trial phase, the corporation may already be suffering from some collateral effects of indictment.
In sum, I think you’re right that the compliance defense isn’t some magical cure-all. But I do think it might nudge the relative bargaining position of a generally compliant company in the right direction, without helping egregious offenders.
Thanks for your further thoughts on this. I actually don’t think we’re all that far apart. You say (and I think I agree) that it would be possible to have some kind of post-indictment, pre-trial hearing on the adequacy of a corporate defendant’s compliance program. I say (and I think you agree) that (1) such a hearing would be quite challenging in many respects, and (2) it might not matter that much if the main objective of the corporation is to avoid indictment in the first place.
Insofar as we disagree, I think the disagreement comes down to the feasibility of constructing a meaningful pre-trial hearing on the compliance defense, and on the degree to which creating such a process would influence the parties’ pre-indictment bargaining position.
On the former matter, what you say is reasonable — and much more sensible than any published article I’ve seen on this topic — but I still think you’re overly sanguine about the ability of a court to hold a manageable pre-trial hearing on the adequacy of a firm’s compliance procedures. Summary judgment and Markman hearings are not really great analogies, I don’t think, because those proceedings are in principle mainly about legal disputes, taken the facts as given. (That’s not totally true now with summary judgment, but it’s still mostly true.) Everyone seems to agree that there’s no one-size-fits-all approach to compliance, and it’s likely to be a case-specific and fact-intensive inquiry, involving (as you say) extensive discovery. I don’t think the company would be as likely to turn over the kind of material you mention in a pre-trial hearing like this, nor do I think DOJ would demand the same kind of information at the sentencing stage, because the stakes are quite different. The only way to avoid what I called a pre-trial trial would be to limit the scope of the inquiry in some way — the way we do for summary judgment motions, Markman hearings, and the like — and I just don’t see the way to do that in this context. But I’d certainly be open to being proved wrong, if you or others are interested in fleshing out the details of what the procedure could or should look like.
As for the impact on bargaining — again, most of what I’ve read on this, including from staunch advocates of the compliance defense, suggests that corporations _really_ don’t want to be indicted under the FCPA. Also, I do think the evidence is pretty good that DOJ and SEC do factor in their sense of how seriously the corporation has tried to insure compliance at every stage in the process, including pre-indictment. If those things are true, then I don’t think the compliance defense will make much difference. Perhaps I was exaggerating when I suggested it would make no difference whatsoever, but I still doubt that it would ever make enough of a difference to justify the substantial investment of resources into something along the lines you proposed.
Thanks for the quick follow-up, particularly after the long delay on my part.
I think you’re right that we agree on a lot of things: pre-indictment hearings aren’t feasible; avoidance of indictment (not just conviction) is very important to many companies; a compliance defense isn’t going to wholly fix the FCPA; and the DOJ already considers compliance in its charging decisions.
That said, I might push back on a few things. First, I think SJ may be a better analogy than you give it credit for. I actually think there wouldn’t be much factual dispute about the company’s compliance program – it has X policies, Y third party diligence procedures, trained its employees Z times. The fight would be over whether those facts result in a “reasonable” compliance program (or whatever other wiggle word we write into the defense).
I also think that it changes the bargaining a bit more than you may give it credit. If we take DOJ at its word that its pros memos pre-indictment take a fair view of the evidence, having a compliance defense moves those pros memos from (1) we have discretion to prosecute, but might decline to do so based on the compliance program to (2) we do not have discretion to prosecute the company because they can establish the compliance defense. (Query whether we make the compliance “defense” a jurisdictional element that the defendant would functionally have the obligation to establish – just spitballing there).
This still leaves the issue of discovery – I think we may be close to agreeing here. I might protest that Morgan Stanley certainly provided a lot of information about their compliance program in the Garth Peterson prosecution, but your point is well-taken. And the bottom line is that proponents of a compliance defense have the burden to explain how it would be workable, and I’m not sure we’ve entirely fleshed that out yet. (Although I think that might be possible – perhaps an article for another day.)
One parting thought- I think your very accurate point about indictment, not conviction, often being a relevant inflection point for many companies, I think that highlights the problem with collateral consequences that attach at indictment (e.g. Debarment proceedings, etc.). That seems inconsistent with basic notions of justice, but that’s also an issue for another day.