In relation to the U.K. Bribery Act’s so-called adequate procedures defense, how does a company know whether it has adopted adequate procedures so that it can avail itself of the defense should its conduct come under scrutiny? It is a darn good question.
Last week, thebriberyact.com (see here) had a post regarding an adequate procedures certificate. The post profiled a recent speech by Richard Alderman (Director of the U.K. Serious Fraud Office) on the issue of a lawyer’s certificate for adequate procedures. As detailed in the post, Alderman stated as follows. “We know, for example, that some companies believe that all they need is a certificate from a firm of lawyers that they have adequate procedures. We hear about this. We hear as well that the company is not prepared to pay very much for this and expects a certificate of adequate procedures for its worldwide enterprise under say £25,000. This will not impress us very much. This does not mean that we expect companies to spend millions of pounds on this. What we do expect though is a proportionate approach by companies focussing on the key risks and on what they are doing in order to be able to combat those risks. This is what companies should be doing anyway. Indeed some companies have told us that this is a valuable exercise for them for all sorts of reasons that they should have carried out before. A company that does this but which finds problems will receive very sympathetic treatment at the SFO. A company that closes its mind to the issues while perhaps having some veneer of paper procedures will receive different treatment.”
One of the FCPA reform proposals under consideration – and a reform proposal I support (see here and here for prior posts) – is creation of a compliance defense. If enacted, the same issue will arise as under the U.K. Bribery Act – how does a company know whether it has adopted sufficient measures so that it can avail itself of the defense should its conduct come under scrutiny?
Is a compliance certificate the answer?
In Chile, the answer is yes. As detailed in this prior “Compliance Defense Around the World” post, Chile is one of several OECD Anti-Bribery Convention countries to incorporate compliance defense principles into its “FCPA-like” law.
Under Chilean law: in order for a legal person to be held responsible for a foreign bribery offence, the following “three cumulative requirements” must be satisfied: (1) the offence must be committed by a person acting as a representative, director or manager, a person exercising powers of administration or supervision, or a person under the “direction or supervision” of one of the aforementioned persons; (2) the offence must be committed for the direct and immediate benefit or interest of the legal entity. No offence is committed where the natural person commits the offence exclusively in his/her own interest or in the interest of a third party; and (3) the offence must have been made possible as a consequence of a failure of the legal entity to comply with its duties of management and supervision. An entity will have failed to comply with its duties if it violates the obligation to implement a model for the prevention of offences, or when having implemented the model, it was insufficient.”
As to the final element, the OECD report states as follows. “The final cumulative requirement for responsibility stresses that the offence must have been made possible as a consequence of the failure of the legal person to comply with its duties of administration and supervision. The entity will have failed to comply with its duties if it violated the obligation to implement a model for the prevention of offences, or when having implemented the model, the latter was insufficient. It shall be considered that the functions of direction and supervision have been met if, before the commission of the offense, the legal person had adopted and implemented organization, administration and supervision models, pursuant to the following article, to prevent such offenses as the one committed.”
The minimum features of a prevention system under the law are as follows: identify the different activities or processes of the entity, whether habitual or sporadic, in whose context the risk of commission of the offences emerges or increases; establish protocols, rules and procedures that permit persons involved in above-mentioned activities or processes to program and implement their tasks or functions in a manner that prevents the commission of the indicated offences; identify procedures for the administration and auditing that allow the entity to impede their use in the listed offences; establish internal administrative sanctions, as well as procedures for reporting or pursuing pecuniary responsibility against persons who violate the prevention system; introduce the above-mentioned duties, prohibitions and sanctions into the internal regulations of the legal person, and ensure that they are known by all persons bound to apply it (workers, employees, and service providers).
As to the minimum requirements, the OECD report states as follows. “It also aims to introduce a system of self-regulation by companies. Having a code of conduct on paper will not be sufficient to avoid responsibility. If prosecutors can prove that the code does not meet the minimum requirements of or that it is not implemented, the company can be responsible for the offence.” Under Chilean law, “the failure to comply with duties of management and supervision is an element of the offence rather than a defence. Therefore the burden of proof lies on prosecutors, i.e. it will be up to prosecutors to prove that the entity failed to comply with its duties of management and supervision.” The OECD report notes as follows. “This will require prosecutors to prove that the company failed in the design and/or implementation of the offense prevention model including why, in the circumstances, the prevention model was insufficient. This would appear to also require the prosecutor to establish that this failure made perpetration of the offence possible.”
Chilean law sets forth a detailed process by which legal persons are able to undergo a certification process on the existence and relevance of their organizational model. The OECD report states as follows. “Certification will confirm that the offence-prevention model complies with the minimum requirements [set forth above], taking into account the characteristics of the legal person. The certification is valid as long as the situation of the company does not change. Certification will be carried out by private institutions which have been authorised by public agencies to undertake this role. Two points should be noted. The first is that certification will not, by itself, avoid responsibility, since it will remain possible to convict a legal person if it can be proved that, notwithstanding the certification, the preventive model did not meet the minimum requirements [set forth above]; and/or that the model was not implemented. The second point to note is that, pursuant to [the Chilean law], private institutions carrying out certification will be carrying out public functions, which means that they will be criminally responsible in the event of a failure to act properly in the execution of those functions. The sole function of public agencies will be to authorise institutions to carry out these functions, and to keep record of certifications.”
What do you think? Is the Chilean certification process the answer? What are the pros and cons of such an approach? If anyone can direct me to Chilean counsel knowledgeable about this certification process or the “private institutions” authorized to issue such certifications, please send me an e-mail so that I can inquire and report back any findings.
If the FCPA were amended to include a compliance defense, would Chile’s certification approach work here in the U.S.?
For starters, it is useful to observe that the DOJ is already handing out compliance certificates in at least two respects – even if not formally called compliance certificates.
First, the FCPA’s Opinion Release Procedure results in the DOJ issuing – for all practical purposes – a compliance certificate in that the DOJ opines whether a proposed course of conduct, based on the requestor’s disclosed information and various representations, complies with the FCPA. Pursuant to the governing regulations (see here), “there shall be a rebuttable presumption that a requestor’s conduct, which is specified in a request, and for which the Attorney General has issued an opinion that such conduct is in conformity with the Department’s present enforcement policy, is in compliance with those provisions of the FCPA.”
Second, every NPA or DPA contains a clause stating that the DOJ will not bring an enforcement action if the company complies with the undertakings set forth in the agreement – including an appendix which sets forth various compliance obligations. (See here for the recent Armor Holdings NPA). As with the FCPA Release Procedure, the term compliance certificate is lacking, but in substance that is likewise the end result.
That the DOJ is already issuing “compliance certificates” makes the DOJ’s firm opposition to an FCPA compliance defense (see here for more) all the more curious – and all the more contradictory.