Why DOJ’s New FCPA Corporate Enforcement Policy May Be a Step Backwards

At the end of last year, the U.S. Department of Justice announced a new Corporate Enforcement Policy to guide prosecutors charged with overseeing Foreign Corrupt Practices Act (FCPA) violations. This new policy codifies, and builds on, the DOJ’s FCPA Pilot Program, which had been in place since mid-2016. Under the Pilot Program, the DOJ announced that it would consider mitigated penalties for companies that voluntarily disclosed FCPA violations, fully cooperated with the government investigation, and agreed to remediation measures. Those mitigated penalties included a reduction in penalties by 50% below the low end of the U.S. Sentencing Guidelines range, or in some cases outright declination of prosecution.

The new Corporate Enforcement Policy goes further, stating that when a company voluntarily self-discloses an FCPA violation, fully cooperates, and adopts timely and appropriate remediation measures (including disgorgement of any gains from the violation), there is a presumption that the DOJ will offer the company a declination, absent aggravating circumstances (such as a particularly severe offense). This presumption of a declination is stronger than the Pilot Program, which only said that the DOJ would “consider” a declination. Additionally, while the Pilot Program gave prosecutors the discretion to reduce requested fines, the new policy directs prosecutors to ask for lower fines as long as companies meet the requirements noted above. The new policy also gives favorable terms even to companies that do not voluntarily disclose misconduct, so long as they later fully cooperate and implement a remediation program. For these companies, the DOJ will recommend a sentence reduction of up to 25% off of the low end of the U.S. Sentencing Guidelines. (The DOJ also recently announced that it’s expanding this beyond the FCPA, applying it also to crimes such as securities fraud.)

One way to understand the new FCPA Corporate Enforcement Policy is as a response to concerns that the U.S. government’s traditional approach to enforcing the FCPA has over-emphasized corporate settlements at the expense of prosecuting individual wrongdoers. In that sense the new policy, and the Pilot Program before it, can be seen as consistent with the Yates Memo, which declared that the DOJ would focus more on individual liability. A related but distinct justification for the new Corporate Enforcement Policy is the idea that it will improve overall FCPA enforcement by encouraging more voluntary self-disclosures. The rationale is that there are likely a large number of low-level corporate bribery cases that companies learn about but don’t report, for fear of the expected penalties. The DOJ would prefer that companies disclose these transgressions, and the Department appears to have concluded that the benefits of encouraging such disclosures outweigh concerns about reducing punishments for FCPA violations. Indeed, in justifying the new enforcement policy, U.S. Deputy Attorney General Rod Rosenstein emphasized that under the Pilot Program, the number of voluntary disclosures during the program doubled to 30.

These justifications for the new policy at first seem plausible, but they suffer from an important flaw: They overlook the impact of DOJ’s enforcement posture on corporate culture. The new policy may increase incentives for voluntary self-disclosure and post hoc remediation, but at the same time the new policy weakens incentives for companies to actively work to promote a pro-integrity corporate culture. For that reason, the new policy may end up worsening overall foreign bribery activity, even if both corporate self-disclosures and prosecutions of individuals increase.

To untangle the complicated effects that different enforcement strategies can have on overall FCPA compliance, it’s helpful to distinguish among three archetypical scenarios for how a corporate FCPA violation might occur:

  • Scenario #1 involves the top-down, deliberate bribery scheme, where those who pay the bribes are doing so at the direction of senior management. Such cases do, of course, occur: The Siemens case, resolved in 2008, and the more recent Odebrecht case, for example, appear to be cases where, before the firms got caught, foreign bribery was corporate policy.
  • Scenario #2 involves the rogue employee who pays bribes without senior management’s knowledge or consent, and despite the fact that the corporation’s senior leadership would strongly prefer that the employee not do so. “Rogue employee” cases of course also occur.
  • Scenario #3 is a hybrid of the first two. Sometimes, the decision to pay a bribe is made by a lower-level employee without senior management’s knowledge and in contravention of official company policy—but at the same time, the corporate leadership has sent mixed signals (or worse) about how it expects its employees to behave. For example, as discussed previously on this blog, the company might have a compliance program that looks great on paper, and perhaps even some reasonably vigorous enforcement of that policy. But at the same time, that company has a corporate culture that tacitly encourages prioritizing profits above integrity, using methods such as unrealistic sales targets, incentive-laden compensation systems, a dismissive or hostile attitude to whistleblowers or those who aren’t “team players,” and so forth. In this more complicated scenario, employees may feel like they are expected to cut corners (including by paying bribes) if they want to be rewarded by the firm, but the firm itself retains a kind of plausible deniability. The firm says, “Don’t pay bribes,” but in the context of the other aspects of the corporate culture, many employees hear, “Don’t get caught paying bribes.”

The net impact of the Corporate Enforcement Policy depends on the relative frequencies of Scenario 2 and Scenario 3. (Presumably the cases that fall under Scenario 1 would be unaffected by the change in policy, as such corporations would be unlikely to self-disclose.) In Scenario 2, the true “rogue employee” case, the Corporate Enforcement Policy makes sense. The policy encourages companies to identify and report those rogue employees as soon as they’re detected, instead of trying to hide the violations. And accordingly, as long as the individual is fired, the company isn’t punished harshly.

But in Scenario 3, the “mixed signals” case, the Corporate Enforcement Policy doesn’t seem to work as well. In this scenario, while it’s always helpful to penalize some more individual bribe payers, what we really want the government’s enforcement policy to accomplish is a change in the corporate culture—away from the mixed signals (or, worse, tacit encouragement of bribery as long as one is careful enough to avoid detection) and towards a more genuine culture of integrity. Building such a culture involves the sacrifice of some short-term profits, and the corporate leadership needs to be convinced that allocating resources to build a culture of integrity is worth the investment. But the new Corporate Enforcement Policy may discourage such investment by creating a kind of get-out-of-jail-free card if an employee is careless enough to pay bribes in a way that the company’s compliance department is able to detect: the company can self-report, agree to take remedial measures and fire the individual. The company doesn’t have much incentive to change its culture if the worst-case scenario, should an incident of bribery come to the company’s attention, is disgorging the gains and firing an individual employee. As long as managers can look the other way and, when they do find individuals who violate the FCPA, turn them in and get off without much penalty, the Corporate Enforcement Policy isn’t changing all that much.

While the previous enforcement system had flaws, under that system the corporation sent signals to its employees that bribery needed to stop. Large monetary penalties communicate to the company that trying to make a short-term profit off of bribery will be costly in the long run, so it’s not worth it for any employee to try to get away with it. Companies know that even if they detect a violation, they may be subject to substantial penalties. That in turn gives companies a financial incentive to actually reform their culture into one of integrity.

  1. Since the April 2016 Pilot Program, the DOJ has self-identified 8 corporate enforcement actions as being resolved consistent with the Pilot Program or the even newer Corporate Enforcement Policy (CEP). Not a one (zero, zilch, nada) has involved a related individual prosecution of a company employee.


