Numerous prior posts have highlighted various aspects of the DOJ’s “FCPA Corporate Enforcement Policy” announced last week.
To be clear, this post does not advocate or even imply that the corporate community should ignore the “FCPA Corporate Enforcement Policy.” After all, the DOJ has extreme leverage over business organizations subject to FCPA scrutiny and it is always wise to at least be cognizant of what an adversary possessing a big and sharp stick is saying.
Nevertheless, absent limited circumstances not often present in instances of FCPA scrutiny, how to respond to internal breaches of FCPA compliance policies is a business decision entrusted to those charged with managing the business organization. In exercising this business judgment, the corporate community should take the “FCPA Corporate Enforcement Policy” with a grain of salt for at least ten reasons.
Before highlighting these reasons, it is important for the corporate community to recognize that much of what is being written about “FCPA Corporate Enforcement Policy” is being authored by those with a vested interest in facilitating more FCPA voluntarily disclosures.
The reason is simple: voluntary disclosures yield more expanded FCPA investigations, more meetings with FCPA enforcement attorneys, more FCPA enforcement actions (regardless of what form of resolution is used), more post-enforcement compliance requirements, and more FCPA ripple effects such as related civil litigation.
Even certain – what may appear to be objective media sources – have for-profit risk and compliance divisions with a vested interest in facilitating more FCPA voluntarily disclosures.
First, the “FCPA Corporate Enforcement Policy” is non-binding and commits the DOJ to absolutely nothing. Like prior DOJ FCPA guidance, such as the 2016 FCPA Pilot Program and the 2012 FCPA Guidance, in connection with release of the new policy, Deputy Attorney General Rosenstein stated: “The new policy, like the rest of the Department’s internal operating policies, creates no private rights and is not enforceable in court.” Sure, unlike prior FCPA Guidance, the new “FCPA Corporate Enforcement Policy” is incorporated into the U.S. Attorneys’ Manual, but here again it is important to highlight that the first section of the USAM (1-1.000) states:
“The Manual provides only internal Department of Justice guidance. It is not intended to, does not, and may not be relied upon to create any rights, substantive or procedural, enforceable at law by any party in any matter civil or criminal. Nor are any limitations hereby placed on otherwise lawful litigative prerogatives of the Department of Justice.”
Second, the notion that the “FCPA Corporate Enforcement Policy” provides immunity, a pass, or no enforcement action (as has been widely reported) is simply false.
Even if a business organization does all that the DOJ wants it to do under the program (more on that below) there is still a requirement that a “company is required to pay all disgorgement, forfeiture, and/or restitution resulting from the misconduct at issue.” This so-called “declination with disgorgement” enforcement action is nothing new, it was developed as part of the 2016 FCPA Pilot Program and thus far the DOJ has resolved four instances of alleged FCPA scrutiny this way with overall settlement amounts being: $335,000; $2.7 million; $4 million; and $11.2 million (See here, here, and here). Even if a company is not required to pay this amount to the DOJ, it will be required to pay this amount to the SEC or another “relevant regulator.”
In short, the best a business organization can do under the “FCPA Corporate Enforcement Policy” is an FCPA enforcement action (albeit using a recently invented and creative form) and all of the potential collateral consequences of an FCPA enforcement (negative media coverage, reputational damage, related civil litigation, etc.) are still likely to result.
Third, even gaining the greatest benefit under the “FCPA Corporate Enforcement Policy,” (a “mere” requirement of a disgorgement / forfeiture enforcement action as highlighted above), is contingent upon a business organization meeting the DOJ’s vague concepts of “voluntary self-disclosure,” “full cooperation,” and “timely and appropriate remediation.” Among other key terms or concepts that the DOJ possesses absolute, unreviewable discretion over are:
- what is an “imminent threat of disclosure”?
- what does “reasonably prompt time” mean?
- what are “all relevant facts”?
- what does “disclosure on a timely basis of all facts relevant” mean?
- what does “proactive cooperation” really mean?
- what does “timely preservation, collection, and disclosure of relevant documents and information,” really mean?
- what does “de-confliction of witness interviews and other investigative steps” really mean?
- what does “demonstration of thorough analysis of causes of underlying conduct” really mean?
- what does “appropriate discipline of employees,” really mean?
- what does “appropriate retention of business records,” really mean?
- what does the following phrase really mean: “any additional steps that demonstrate recognition of the seriousness of the company’s misconduct, acceptance of responsibility for it, and the implementation of measures to reduce the risk of repetition of such misconduct, including measures to identify future risks.”
In short, even gaining the greatest benefit under the “FCPA Corporate Enforcement Policy,” (a “mere” requirement of a disgorgement / forfeiture enforcement action as highlighted above), is contingent upon a business organization meeting the DOJ’s vague concepts of “voluntary self-disclosure,” “full cooperation,” and “timely and appropriate remediation. Indeed, as Deputy Attorney General Rosenstein stated in his speech “The new policy does not provide a guarantee. We cannot eliminate all uncertainty. Preserving a measure of prosecutorial discretion is central to ensuring the exercise of justice.”
Fourth, even gaining the greatest benefit under the “FCPA Corporate Enforcement Policy,” (a “mere” requirement of a disgorgement / forfeiture enforcement action as highlighted above), is further contingent upon the DOJ not finding the existence of certain “aggravating circumstances.” As stated in the “FCPA Corporate Enforcement Policy,” these “aggravating circumstances” are not non-exclusive (which in and of itself is a big deal) and may include:
“involvement by executive management of the company in the misconduct; a significant profit to the company from the misconduct; pervasiveness of the misconduct within the company; and criminal recidivism.”
Here again, the DOJ possesses absolute, unreviewable discretion as to the existence of “aggravating circumstances” and the DOJ has refused to provide greater clarity as to what certain key terms such as “executive management” and “significant profit” actually mean. (See here).
Perhaps the most vague and ambiguous is the term “criminal recidivism.” Does “criminal recidivism” refer to under the FCPA or any criminal statute? Regardless of the answer, does “criminal recidivism” refer to any form of DOJ resolution such as (in addition to actual plea agreements) deferred prosecution agreements, non-prosecution agreements, and “declinations with disgorgement.”? Here again, the DOJ has refused to provide greater clarity. (See here).
Fifth, even if a business organization gains the greatest benefit under the “FCPA Corporate Enforcement Policy,” (a “mere” requirement of a disgorgement / forfeiture enforcement action as highlighted above) or failing this:
- (i) (because of “aggravating circumstances”) a 50% reduction off of the low end of the U.S. Sentencing Guidelines (U.S.S.G.) fine range; or
- (ii) (because of the lack of voluntary disclosure) a “up to a 25% reduction off of the low end of the U.S.S.G. fine range”
the DOJ possesses extreme leverage and absolute, unreviewable discretion as to what the disgorgement / forfeiture / guidelines range amounts will be. As knowledgeable observers recognize, the reality is that this “final number” is the product of and contingent upon several less than transparent discretionary calls made by the DOJ. Indeed, as FCPA practitioners have rightly observed:
“[T]he exercise of calculating tainted profits is subjective and is the focus of considerable negotiation with the DOJ (and the SEC), often involving experts. Unsurprisingly, the government’s calculation of “profits” often exceeds that of the disclosing party, and the government has substantial leverage to impose its conclusion.”
Sixth, the “FCPA Corporate Enforcement Policy” states that even if “aggravating circumstances” are present and thus a criminal resolution may be warranted, that (for a company that has voluntarily disclosed, fully cooperated, and timely and appropriately remediated) there will “generally” not be a requirement for “appointment of a monitor.”
While this sounds significant, in reality it isn’t.
In fact, very few FCPA enforcement actions in recent years against U.S. companies (as opposed foreign companies) have required the formal appointment of a compliance monitor. Nevertheless, in nearly all instances, the DOJ has required, as a condition of settlement, that the company, through counsel, report to the DOJ (and SEC) throughout the 1-3 year term of the resolution agreement.
While this is no doubt cheaper for the company compared to appointment of a formal monitor, such post-enforcement action reporting requirements can easily aggregate into the millions of dollars and the “FCPA Corporate Enforcement Policy” is silent on this form of post-enforcement action reporting.
Seventh, and implicit in the above reasons as well, for why the corporate community should take the “FCPA Corporate Enforcement Policy” with a grain of salt is perhaps obvious but bears repeating: the DOJ is an adversary.
Imagine a business organization facing an adversary in other legal actions and the adversary possesses absolute, unreviewable discretion as to how the action will be resolved.
It is doubtful that any business organization, and rightly so, would accede to the demands of this adversary. While the DOJ possesses bigger and sharper sticks than most legal adversaries, the fact remains: the DOJ is an adversary to a business organization under FCPA scrutiny and the business organization has no legal or moral obligation to assist the DOJ. As Deputy Attorney General Rosenstein rightly noted in this speech: “Of course, companies are free to choose not to comply with the FCPA Corporate Enforcement Policy. A company needs to adhere to the policy only if it wants the Department’s prosecutors to follow the policy’s guidelines.”
An eighth reason why the corporate community, at least so-called issuers under the FCPA, should take the “FCPA Corporate Enforcement Policy” with a grain of salt is that it is an incomplete program because issuers are subject to FCPA enforcement by both the DOJ and SEC. However, the “FCPA Corporate Enforcement Policy” is a DOJ program only.
To be sure, just like the DOJ, the SEC has long encouraged voluntary disclosure of FCPA violations coupled with repeated assurances that voluntary disclosure will result in meaningful credit. However, unless and until the SEC articulates a similar FCPA program (a program that will likely suffer from the same deficiencies as the DOJ’s program), the DOJ’s “FCPA Corporate Enforcement Policy” addresses only half of the enforcement landscape facing issuers.
Ninth, and perhaps the biggest reason, why the corporate community should take the “FCPA Corporate Enforcement Policy” with a grain of salt is that it only addresses a relatively minor component of the overall financial consequences to a business organization the subject of FCPA scrutiny and enforcement.
For obvious reasons, settlement amounts in an FCPA enforcement action tend to get the most attention. After all, settlement amounts are mentioned in DOJ / SEC press releases, press releases generate media coverage, and the corporate community reads the media. However, knowledgeable observers recognize, as depicted in the below representative picture, that FCPA scrutiny and enforcement results in “three buckets” of financial exposure to a business organization. (To read more about this dynamic, read this article “FCPA Ripples.”).
In nearly every instance of FCPA scrutiny and enforcement, bucket #1 (pre-enforcement action professional fees and expenses) is the largest financial hit to a business organization. The reasons for this are both practical and potentially provocative. In term of the practical, all instances of FCPA scrutiny have a point of entry, for instance problematic conduct in China, that then often results (if there is a voluntary disclosure) in the “where else” question from the enforcement agencies which often prompts the company under scrutiny to conduct a much broader review of its business operatons. In terms of the provocative, FCPA scrutiny arising from voluntary disclosure can easily become a billing boondoggle for FCPA Inc. participants.
A couple of specific examples highlight how extensive pre-enforcement action professional fees and expenses can become. For instance, Avon resolved an FCPA enforcement action for $135 million in aggregate DOJ and SEC settlement amounts, but disclosed approximately $550 million in pre-enforcement action professional fees and expenses (a 2.5:1 ratio compared to the settlement amount). Likewise, Bruker Corp. resolved an FCPA enforcement action for $2.2 million, but disclosed approximately $22 million in pre-enforcement action professional fees and expenses (a 10:1 ratio). Perhaps most eye-popping, Hyperdynamics resolved an FCPA enforcement action for $375,000, but disclosed approximately $12.7 million in pre-enforcement action professional fees and expenses (a 170:1 ratio).
Even if the “FCPA Corporate Enforcement Policy” was binding on the DOJ (which it is not), the fact is the policy only addresses bucket #2 (settlement amount) and does not address pre-enforcement action professional fees and expenses – the biggest financial hit to a business organization the subject of FCPA scrutiny.
On this issue, it is perhaps notable that the “FCPA Corporate Enforcement Policy” falls short and is less explicit than the 2016 FCPA Pilot Program. On the issue of internal investigations, the prior “FCPA Pilot Program” stated:
“[T]he Fraud Section does not expect a small company to conduct as expansive an investigation in as short a period of time as a Fortune 100 company. Nor do we generally expect a company to investigate matters unrelated in time or subject to the matter under investigation in order to qualify for full cooperation credit. An appropriately tailored investigation is what typically should be required to receive full cooperation credit; the company may, of course, for its own business reasons seek to conduct a broader investigation. For instance, absent facts to suggest a more widespread problem, evidence of criminality in one country, without more, would not lead to an expectation that an investigation would need to extend to other countries. By contrast, evidence that the corporate team engaged in criminal misconduct in overseeing one country also oversaw other countries would normally trigger the need for a broader investigation. In order to provide clarity as to the scope of an appropriately tailored investigation, the business organization (whether through internal or outside counsel, or both) is encouraged to consult with Fraud Section attorneys.”
This language followed then Assistant Attorney General Caldwell’s April 2015 speech that the DOJ “does not expect companies to aimlessly boil the ocean” in FCPA investigations.
The mention of the scope and breath of FCPA internal investigation in the 2016 FCPA Pilot Program was most welcomed by the corporate community and the absence of this issue in the “FCPA Corporate Enforcement Policy” is notable.
Yet another reason why the corporate community should take the “FCPA Corporate Enforcement Policy” with a grain of salt is that the “FCPA Corporate Enforcement Policy” does not address the many other “ripple” effects of FCPA scrutiny and enforcement. (Again, to read more about this dynamic, read this article “FCPA Ripples.”).
A company (particularly an issuer) subject to FCPA scrutiny and enforcement will often also experience several other negative financial consequences above and beyond the “three buckets” of financial exposure depicted above. Such financial consequences often include a drop in market capitalization, an increase in the cost of capital, a negative impact on merger and acquisition activity, lost or delayed business opportunities, and shareholder litigation. In certain cases, these other negative financial consequences can far exceed even the “three buckets” of financial exposure discussed above.
Moreover, FCPA scrutiny and enforcement actions are increasingly spawning related foreign law enforcement investigations and enforcement actions. Indeed, as the DOJ is fond of saying:
“It is safe to say that we are cooperating with foreign enforcement on foreign bribery cases more closely today that at any time in history”
“An international approach is being taken to combat an international criminal problem. We are sharing leads with our international law enforcement counterparts, and they are sharing them with us”
In short, corporate leaders need to fully understand and appreciate (in addition to the specific topics discussed above) that a voluntary disclosure of potential FCPA violations is going to set into motion a wide-ranging sequence of events that will be far more costly to the company than any marginal benefit obtained through the “FCPA Corporate Enforcement Policy.”
No doubt there are some who are likely to respond along the following lines: if a business organization does not voluntarily disclose FCPA violations, it is likely that the enforcement agencies will independently find out about the violations and when this happens the company is going to experience the same negative financial consequences highlighted above plus, because of the lack of voluntary disclosure, a potential larger settlement amount.
However, this line of reasoning represents pure speculation.
Recognize that the following is anecdotal and not offered to establish the truth of the matter asserted. However, I have been actively involved in the FCPA space for approximately 15 years both as a lawyer in private practice who conducted FCPA internal investigations around the world and in other professional capacities. To my knowledge, never once did the DOJ independently find out about the underlying conduct and in speaking to other FCPA practitioners about this precise topic, it has never happened to their clients either.
Add it all up and the message to the corporate community is this: thoroughly investigating an FCPA issue, promptly implementing remedial measures, and effectively revising and enhancing compliance policies and procedures – all internally and without disclosing to the DOJ (or SEC) – is a perfectly acceptable, legitimate, and legal response to FCPA issues in but all the rarest of circumstances.
FCPA Institute - Denver (May 4-5)
A unique two-day learning experience ideal for a diverse group of professionals seeking to elevate their FCPA knowledge and practical skills through active learning. Learn more, spend less. CLE credit is available.