In the world of foreign anti-bribery law, there has been much discussion (including on this blog – see here and here) about whether to adopt a so-called “compliance defense” that would allow corporate defendants to escape criminal liability for bribery committed by their agents if the corporation can show that it had an adequate compliance system in place. Some countries’ foreign bribery laws – most notably the US Foreign Corrupt Practices Act – do not have such a defense; others – most notably the UK Bribery Act – do (though the UK Act combines the defense with strict corporate liability not only for the acts of employees, but also of other agents). Spain recently joined the latter group of countries with an amendment to its criminal law (Article 31 bis) that went into effect last month (see summaries here and here). That amendment (which covers not only Spain’s foreign bribery offense, but also domestic bribery and other corporate criminal offenses) allows the corporation to avoid criminal liability if it can establish that, prior to the commission of the crime, the board of directors implemented an adequate compliance program that meets certain requirements laid out in the statute.
Proponents of the compliance defense cheered. And a report on the new law from the law firm Miller & Chevalier predicted that this legal change “should encourage companies doing business in Spain to adopt a rigorous compliance program”—a claim that presumably would also apply to Spanish companies doing business abroad, given that the provisions also apply to Spain’s foreign bribery offense.
I’m not so sure, for reasons I’ve discussed before, but I do think the change in the Spanish law might provide an interesting opportunity to test the hypothesis.
First, just to recap some of my reasons for skepticism:
I’m not sure why we would expect that the addition of a compliance defense would make that much of a difference to the corporation’s incentives to adopt a compliance program. The main incentive to adopt an effective compliance system is (and should be) the desire to prevent the criminal conduct from taking place at all (or taking prompt remedial action if prevention fails)–thus avoiding even the risk of corporate liability. If that consideration, plus the penalty mitigation that was already provided under Spanish law before the recent amendment, is not enough to convince a corporation to invest in compliance, I’m not convinced that the formal compliance defense would make much difference. And at least in the foreign bribery context, Spain’s enforcement of its foreign bribery laws against its domestic firms is already so low – almost zero – that it’s hard for me to imagine that the addition of a new defense to (the practically non-existent threat of) criminal liability would alter a firm’s incentives appreciably.
Now, one potentially interesting feature of the new Spanish law is that it is a bit more specific (though not as much as its celebrants have sometimes implied) about the ingredients of an adequate compliance program. That specificity might push firms to adopt compliance programs with particular characteristics. That could be a good thing. Then again, it could be a bad thing, for two reasons. First, if the specific features of a compliance program listed in the statute are inadequate—if they can be met to a court’s satisfaction without really investing the resources and effort required to effect genuine changes in a firm’s organizational culture—then the defense will prove counterproductive. Second, the particular measures specified by the statute (or inferred by Spanish courts) might not be suitable for all industries and all contexts, and might introduce unnecessary inefficiencies.
But putting those concerns to the side for the moment, I do think that the recent change to the Spanish law might provide an opportunity to test the hypothesis that a formal compliance defense changes (and possibly improves) corporate compliance program. This observation is partly inspired by recent work by Transparency International UK’s report on corporate compliance programs in the defense sector, which I posted about earlier this summer. That report evaluated, and graded, the quality of defense contractor compliance programs, based on publicly available sources (supplemented, for a subset of firms, by a survey requesting additional information). Suppose we could use a similar technique to gather information on the quality of compliance programs on a set of Spanish firms (or foreign firms affected by the Spanish law) today (on the assumption that most firms would not yet have had a chance to alter their compliance programs in response to the new law). We could then gather similar information on a comparable set of firms in some other country, similar in most respects to Spanish firms but not affected by the new law (perhaps firms in a nearby European country?). We could then gather information a year or two from now on the quality of compliance programs in those firms to see if there was any systematic difference. (It would be even better if we could get evaluations of the quality of compliance programs from a year ago, before the change in the law was announced, but the necessary information is probably not available.) Alternatively (or in addition), we could imagine commissioning a survey (say, this time next year) of compliance officers at Spanish corporations (along with a control group of corporations from other countries) asking them if there have been any significant changes to their compliance programs in within the last 18 months, and if so what the reasons were, to see how frequently corporate officers mention the new law as a reason for change in compliance practices (and what those changes were).
I realize it’s much easier to suggest that research be done than to actually do it. And alas, I don’t have the time (or expertise or resources) to pull off something like what I just described. Still, it seems like it might be a worthwhile project, so we can actually get at least some (admittedly imperfect) hard empirical data on whether the addition of a compliance defense actually affects firms’ compliance programs. Maybe something TI’s Spain chapter might be interested in? Or some enterprising academic researcher?