The U.S. Foreign Corrupt Practices Act (FCPA) exposes corporations to criminal (as well as civil) liability for acts committed by the corporation’s employees, pursuant to the standard principle of U.S. law the corporations are liable for the acts of their employees, if those acts were committed in the course of employment and for the benefit of the employer. This principle, in the FCPA context and elsewhere, has familiar advantages and disadvantages. The most straightforward advantage is that this “vicarious liability” gives corporations an incentive to establish robust compliance programs and to monitor their employees. The main disadvantage is that, because no compliance system is perfect, corporations might find themselves faced with substantial liability for acts committed by “rogue employees”. Moreover, precisely because of this concern, corporations might over-invest in anticorruption compliance, or might forgo certain transactions or investments, because of worries about FCPA exposure. This may be bad for society, not just the firm.
In the FCPA context, a range of critics have argued that the FCPA should be amended to add a “compliance defense,” so that a corporate defendant would not face criminal liability for the acts of its employees, so long as the corporation maintained an adequate system for promoting compliance with the FCPA’s restrictions. (The United Kingdom’s 2011 Bribery Act has such a defense.) Advocates of an FCPA compliance defense have suggested a range of possible forms the defense might take; critics have pushed back, arguing that the existence of the defense would undermine the fight against corporate corruption. My take on the debate over the compliance defense is somewhat different: I think the addition of an FCPA compliance defense, under current conditions, would have no significant effect on FCPA enforcement actions. A compliance defense would probably be neither good nor bad, but rather (mostly) irrelevant. Here’s why:
First of all, I’m going to eliminate from consideration two related possibilities. The first is a compliance defense that looks solely to the formal, on-the-books aspects of the compliance program—a so-called “check the box” approach. I don’t think any sophisticated advocates of a compliance defense endorse that approach anyway, and it’s pretty obvious why it would be a bad idea. Perhaps more controversially, I also don’t think it makes sense to entertain the possibility that the government might review a corporate compliance program in advance (so that the corporation that gets a passing grade from the government is presumptively off the hook for subsequent FCPA violations). Something like that could work if we had a check-the-box approach, but I don’t see how it would be feasible, at reasonable cost, for the government to verify that a corporation had a “genuine” compliance program ahead of time, particularly if there are hundreds of corporations that might apply for such verification. If we take those two possibilities off the table, that means that the adequacy of a corporation’s compliance program, under any reasonable version of a compliance defense, could not be determined until after the fact—that is, after an FCPA violation has already been uncovered.
This leads us to the second step in the argument: The U.S. Department of Justice (DOJ) already takes into account a corporation’s good-faith efforts to implement a meaningful compliance program when the DOJ decides whether to pursue an FCPA action against the corporation, and what penalties or other remedies to impose. Indeed, the adequacy of the corporation’s compliance program is a standard subject of negotiation between the DOJ and corporate defendants. To be sure, there are those who think DOJ doesn’t give corporations enough credit for the adequacy of their programs (and others who think, to the contrary, that DOJ gives corporations too much credit for programs that, by definition, have failed to prevent serious FCPA violations). But we’ll always have these debates. The point is that the DOJ already takes a corporation’s compliance program into account, and believes that it’s doing so properly. Therefore, the only way the formal addition of an FCPA “compliance defense” would alter outcomes is if it substantially altered the bargaining positions of the DOJ and corporate defendants.
And this brings us to the third and final piece of the argument: An FCPA compliance defense would only alter the DOJ’s bargaining position if a corporation unhappy with the DOJ’s position could either (1) convince the DOJ lawyers that the DOJ’s position is unreasonable in light of the corporation’s compliance program, or (2) credibly threaten to go to court and defeat the DOJ’s enforcement action altogether by successfully invoking the compliance defense before a federal judge. Possibility #1 seems unlikely for the reasons given above: DOJ lawyers already think of themselves as considering the adequacy of a corporation’s compliance program, and writing a defense into the law probably wouldn’t alter their thinking. Possibility #2 might make sense in some other context, but not in the context of FCPA actions against corporations. That’s because corporations are desperate to avoid formal criminal indictment—partly because of the reputational costs, and partly because there’s no guarantee that a judge or jury will ultimately deem the corporation’s compliance program sufficient to escape FCPA liability, and an FCPA conviction would be a disaster for the corporation.
In short, in order for the formal addition of an FCPA compliance defense to make more than a trivial difference in how these cases actually come out, one of two things would need to be true. Either the formal defense would need to make corporate defense counsel more willing to roll the dice at trial, or the existence of the defense would need to alter the DOJ lawyers’ perception of what counts as a reasonable resolution of corporate FCPA cases (even without a meaningful change in the probability of litigation). Neither possibility seems likely. If I’m right about that, then all the sturm und drang about the possibility of an FCPA compliance defense is mostly a waste of time and attention, and may be a distraction from more pressing issues.