The FCPA Under Attorney General Loretta Lynch

After the third longest wait for Senate confirmation in history, Loretta Lynch finally received approval to be the next Attorney General of the United States on April 23. When she assumes her position as the head of the U.S. Department of Justice, complex challenges related to cybersecurity and community-police relations will likely be at the top of her list of undertakings. But Lynch has also vowed to make continuing the DOJ’s commitment to fighting global corruption “a top priority.”

Indeed, Lynch has substantial FCPA experience – more than any previous Attorney General (unsurprising, given that it was her two predecessors, Eric Holder and John Ashcroft, who largely oversaw the ascendance of the FCPA regime). As the U.S. Attorney for the Eastern District of New York, Lynch collaborated with the DOJ’s Fraud Section to secure the Ralph Lauren and Comverse non-prosecution agreements. She as worked on the other side as well. As a partner at Hogan & Hartson, she conducted internal investigations, advised clients that had run afoul of the FCPA, and conducted continuing legal education classes on anticorruption. As lawyers, scholars, and business leaders debate the need for FCPA reform (see, for example, here and here), what might the new Attorney General mean for the enforcement regime?

Continue reading

Private FCPA Enforcement: Some Troubling Trade-Offs

In my last post, I suggested that one possible drawback to dramatically ramping up enforcement of the Foreign Corrupt Practices Act against individuals (from the perspective of those who, like me, favor aggressive FCPA enforcement) is that individual defendants are relatively more likely to litigate than are corporate defendants. This not only might entail a greater drain on the resources of the government enforcement agencies—a familiar and well-understood concern—but it could also lead to adverse appellate rulings on the meaning of key FCPA provisions (particularly if the targeting of more individuals also entails the targeting of relatively more sympathetic individuals). In this post, I want to raise a similar concern in connection with a prominent proposal for increasing the FCPA’s deterrent effect: the addition of a private right of action under the statute.

The FCPA in its current form does not authorize private individuals to sue defendants for alleged violations of the statute. Although some other statutes might authorize certain forms of private FCPA enforcement—for example, in the form of shareholder derivative suits, or suits alleging violations of the antitrust laws or the RICO Act—these forms of private recourse are quite limited in their availability. (I won’t go into all the reasons in this post—Professor Gideon Mark has a nice discussion in his paper on the topic.) Yet many people (including Professor Mark) have advocated the addition of an express FCPA private right of action which, in the view of its proponents, would substantially enhance FCPA deterrence. This idea has attracted at least some interest in the U.S. Congress, though the proposed bills to add an FCPA private right of action have not yet gone anywhere.

My natural instincts are to support a proposal along these lines, both because I’m more of a “hawk” when it comes to FCPA enforcement, and because I’m generally an enthusiast for the “private attorney general” model for enforcing public law. And I could still be persuaded that a private FCPA action is a good idea. But I have concerns similar to those I raised in my last post about greater targeting of individuals, as well as some additional, closely related worries. Here are the main worries, as I see them: Continue reading

Why Do People Care So Much About the Proposed FCPA Compliance Defense?

A while back I posted a commentary on the proposal to add a so-called “compliance defense” to liability under the Foreign Corrupt Practices Act (FCPA). My basic take was that despite all the attention and controversy surrounding this proposal, in fact it would not make very much difference in practice. Without rehashing all the arguments in detail, my reasoning was basically as follows: First, corporate defendants (the only ones who would benefit from a compliance defense) are so reluctant even to be indicted—independent of the likely outcome if a case were actually to go to trial—that the addition of a formal compliance defense to liability would not significantly alter the bargaining game between the government and the corporate defendant. Second, the government already takes compliance efforts into account at several other stages in the process (and believes it is doing so appropriately), so the addition of the formal defense wouldn’t have much of an effect on the government’s position in settlement negotiations (which, as Jordan emphasized in a post from a few months ago, is really where all the action is).

I recently had an opportunity to discuss my hypothesis that the compliance defense wouldn’t actually matter much at a Duke Law School conference, where a bunch of white collar crime and FCPA experts who know much more about this subject than I do—including Duke Law Professor Sam Buell and Richmond Law Professor (and occasional GAB contributor) Andrew Spalding—pushed back against my argument. Among their many cogent criticisms, I wanted to address one in particular: If an FCPA compliance defense would make as little practical difference as I suggest, then why do the interested parties seem to care so much about it? Why (Professor Buell asks) have the Chamber of Commerce and the defense bar made this such a high priority on their FCPA reform agenda? And why (Professor Spalding asks) is the DOJ so dead set against it?

These are fair questions. I don’t have good answers, but in the interest of moving the conversation forward, let me suggest a few possibilities—and maybe folks out there in the blogosphere can react or offer their own explanations. Continue reading

The New Head of the DOJ’s Fraud Unit Advocated Gutting the FCPA: Shouldn’t We Be More Upset About That?

Two months ago, the U.S. Department of Justice announced that Andrew Weissmann would take over as chief of Fraud Section in the DOJ’s Criminal Division, a position that involves responsibility for, among other things, the DOJ’s enforcement of the Foreign Corrupt Practices Act (FCPA). Mr. Weissmann has had a distinguished professional career, with previous stints in private practice and in government, including prior positions as Special Counsel to the Director of the FBI, and as the director of the DOJ’s Enron Task Force. But for those of us who care about maintaining the US government’s aggressive enforcement of the FCPA and its leadership in the global fight against corruption, Mr. Weissmann’s appointment should be cause for concern. The reason? Mr. Weissmann was one of the principal authors of the U.S. Chamber of Commerce’s 2010 report, Restoring Balance: Proposed Amendments to the Foreign Corrupt Practices Act. That report is notable principally for three things: (1) its strident attack on aggressive FCPA enforcement, (2) its proposal of a series of amendments to the statute that would gut the FCPA, and (3) its misleading manipulation (and sometimes outright misrepresentation) of both facts and law in making its case.

Fortunately, Professor Dan Danielsen at Northeastern School of Law and my Harvard colleague Professor David Kennedy provided an exceptionally thorough take-down of the Chamber of Commerce’s arguments in a report for the Open Society Foundations (OSF), called Busting Bribery: Sustaining the Global Momentum of the Foreign Corrupt Practices Act. Aside from a few small (but admittedly important) errors, the OSF report provides a sufficiently thorough rebuttal that I won’t attempt to summarize it all here; rather, I urge readers to follow the links above. But let me just highlight a few aspects of Mr. Weissmann’s report for the Chamber of Commerce to explain why I think it deserves the harsh language I used. Continue reading

Dear Governments: Please Don’t Make Private Certification the Touchstone of an Adequate Anti-Bribery Program!!!

A little while back, I posted a couple of critical commentaries (here and here) about the efforts underway to develop an International Organization for Standardization (ISO) standard for corporate anti-bribery programs (ISO 37001), modeled on the already-existing UK standard developed by the British Standard Institute (BS 10500). (For those unfamiliar with these organizations or what they do, these standards are developed by a private consortium, and then private firms conduct–for a fee–audits of companies and provide a “certification” that the company is in compliance with the standard. These standards in the past have dealt with technical or quality control issues — the proposed anti-bribery standard is, to the best of my knowledge, the first ISO standard to deal with a legal issue of this type.) Without rehashing my earlier posts here, I raised questions both about how these certifications were supposed to work in practice, and about what they were for. I raised but dismissed the possibility that law enforcement might treat ISO/BS certification as an adequate indicator that a firm had a satisfactory compliance program (or that absence of ISO/BS certification as an indicator the compliance program was inadequate). I dismissed the possibility because lots of people (including those who work in the compliance certification business and those involved with the development of the ISO standard), assured me that such certification was not intended to have that kind of dispositive legal significance (even if it might be relevant to the law enforcement agency’s inquiry).

I would have left the matter there, and probably not written about it again, but for some remarks at last December’s World Bank International Corruption Hunters Alliance meeting. On a panel about “Fighting Transnational Bribery,” Detective Inspector Roger Cook, with the Operations area in the City of London Police’s Economic Crime Directorate, spoke with great enthusiasm about BS 10500, the model for the proposed ISO 37001. (This is perhaps unsurprising given that, as I just learned from his City of London police bio, he “contributed to the development and implementation of … BS 10500 and the developing ISO 37001.”) I don’t have a transcript or a video, nor am I a trained stenographer, but I tried to copy down Detective Inspector Cook’s remarks on this topic as close to verbatim as possible, and they went (according to my notes) more or less like this:

[If you’re a company, the BS 10500 standard] is going to give you a lot of comfort. Simply by getting accredited, then you have those adequate procedures that the UK Bribery Act requires companies to have [(that is, to satisfy the affirmative defense to the strict liability offense of failure to prevent foreign bribery)]. If the company has BS 10500 [certification], we’re not going to look much further, as long as they’re applying it properly. And an ISO standard [ISO 37001] is also in the works, about 18 months away. Think how good that would be, if every company going for a public contract were accredited. [We should] make that [certification] a condition for public contracts.

Now, Detective Inspector Cook was speaking in his personal capacity, not on behalf of the City of London Police or the British government. And he is not affiliated with the Serious Fraud Office (SFO), which has principal responsibility for bringing enforcement actions under the UK Bribery Act. But I nonetheless found these remarks quite troubling, so perhaps it’s worth restating the reasons why private anti-bribery certification or accreditation, according to something like the proposed ISO standard, should not be considered necessary or sufficient to establish the compliance defense under the UK Bribery Act, and should not be considered necessary or sufficient to engage in government contracting. Continue reading

More on Compliance Certification–A Response to TRACE International

In a recent post, which built directly on a report from Transparency International USA, I raised some questions about the value of the compliance program “certifications” that certain private firms offer to provide.  (In a follow-up post, I also expressed even greater skepticism about current efforts to generate an International Organization for Standards (ISO) anti-bribery compliance program standard.) I won’t repeat everything in the original post here, but to summarize quickly: I expressed concern that “certifying” a compliance program (as distinct from reviewing and assessing it) could prove counterproductive because (1) the certification would not (or should not) be treated as significant by government enforcers or third parties, and (2) the certification might lead companies either to do too little or too much.

TRACE, one of the leading firms that offers compliance certification services (and also, through a separate but affiliated nonprofit, provides anti-bribery compliance support to member companies), has provided a thoughtful, thorough, and enlightening response to my post on the TRACE blog. The TRACE post takes issue with my criticisms, and also uses my post as an opportunity to “address head-on some common assumptions and misunderstandings that … surround anti-bribery certifications.”

I highly recommend that readers interested in this debate — which TI-USA deserves credit for kicking off — read TRACE’s post; I won’t try to summarize it here.  Let me say a few words about where I think we actually agree, then highlight what I think are the most significant points of disagreement, and then highlight one particularly intriguing aspect of the TRACE post that may deserve more extensive consideration. Continue reading

Some Thoughts on Certification of Corporate Anticorruption Programs

Last week, I posted a brief announcement about an interesting new report from Transparency International USA about verification of corporate anticorruption compliance programs — that is, efforts to ensure that the measures companies put in place to ensure compliance with anti-bribery law (and other legal and ethical requirements) are actually working. One particularly interesting facet of the report, at least for me, was the discussion of the emerging “certification” industry: private firms that companies can hire to review their compliance programs, and that provide a public certification — basically, a statement saying “we’ve reviewed this company’s compliance program and we think it’s up to scratch.” These certification services are different from more familiar consulting services, where firms assist companies in designing or evaluating their compliance programs (though the firms that offer certification also often offer consulting services as well).

While I’m all for private sector initiative to improve corporate anti-bribery compliance, I’ll admit I’m a bit skeptical as to the value of these services. Indeed, I worry a bit about whether they might in some cases prove counterproductive. And while the TI-USA report uses careful language, I read the report as evincing a fair amount of skepticism as well. I also want to be appropriately circumspect, as I don’t really know enough to have strong views, but let me raise a few concerns about the private anticorruption certification industry.

Continue reading

The Irrelevance of an FCPA Compliance Defense

The U.S. Foreign Corrupt Practices Act (FCPA) exposes corporations to criminal (as well as civil) liability for acts committed by the corporation’s employees, pursuant to the standard principle of U.S. law the corporations are liable for the acts of their employees, if those acts were committed in the course of employment and for the benefit of the employer. This principle, in the FCPA context and elsewhere, has familiar advantages and disadvantages. The most straightforward advantage is that this “vicarious liability” gives corporations an incentive to establish robust compliance programs and to monitor their employees. The main disadvantage is that, because no compliance system is perfect, corporations might find themselves faced with substantial liability for acts committed by “rogue employees”. Moreover, precisely because of this concern, corporations might over-invest in anticorruption compliance, or might forgo certain transactions or investments, because of worries about FCPA exposure. This may be bad for society, not just the firm.

In the FCPA context, a range of critics have argued that the FCPA should be amended to add a “compliance defense,” so that a corporate defendant would not face criminal liability for the acts of its employees, so long as the corporation maintained an adequate system for promoting compliance with the FCPA’s restrictions. (The United Kingdom’s 2011 Bribery Act has such a defense.) Advocates of an FCPA compliance defense have suggested a range of possible forms the defense might take; critics have pushed back, arguing that the existence of the defense would undermine the fight against corporate corruption. My take on the debate over the compliance defense is somewhat different: I think the addition of an FCPA compliance defense, under current conditions, would have no significant effect on FCPA enforcement actions. A compliance defense would probably be neither good nor bad, but rather (mostly) irrelevant. Here’s why:

Continue reading