Skip to content


Harry Cassin
Publisher and Editor

Andy Spalding
Senior Editor

Jessica Tillipman
Senior Editor

Bill Steinman
Senior Editor

Richard L. Cassin
Editor at Large

Elizabeth K. Spahn
Editor Emeritus

Cody Worthington
Contributing Editor

Julie DiMauro
Contributing Editor

Thomas Fox
Contributing Editor

Marc Alain Bohn
Contributing Editor

Bill Waite
Contributing Editor

Russell A. Stamets
Contributing Editor

Richard Bistrong
Contributing Editor

Eric Carlson
Contributing Editor

Fool me once, shame on . . . Who?

By Aaron G. Murphy

An interesting piece recently appeared in Randy Cohen’s “The Ethicist” column in the New York Times Magazine.

It discussed  an exchange with a company employee that should keep corporate legal and compliance departments awake at night. An employee, unhappy that his company wanted him to take a four hour on-line training course about the Foreign Corrupt Practices Act (FCPA), claiming it was a waste of his time, asked The Ethicist if he had an ethical obligation to complete the training. The Ethicist gave the best possible answer, stating that even if it was inefficient, it was the company’s prerogative to train its people, and that it might not be the waste of time the employee assumed since the company could have a larger plan of action invisible to the employee.

The punch line lay in the “Update” posted later: The employee skipped the course, went straight to the on-line test, and passed it. The employee, who underwent no training of any kind (and arrogantly assumed he needed no such training), is now certified by his own company as having mastered the FCPA. This is an all too common scenario, and everyone involved in it is a fool.

The employee is a fool for assuming that one of the most aggressively enforced and far-reaching criminal laws in America does not apply to him. It does, plain and simple. Even if he does not deal directly with foreign officials or companies, he undoubtedly touches transactions, corporate records, and other company employees that do. I have investigated many FCPA matters in recent years and have had countless conversations with these kinds of employees who never stop to think of the larger connections between the world of global commerce and their own activities. You can aid and abet FCPA violations from within the walls of your cubicle, whether that cubicle is in Boston or Bangalore. And now that the deceptive employee has tricked a simplistic training course into thinking he is an expert in the FCPA, what exactly will his excuse be when someone like me comes and asks him why he did not see a violation occurring right under his nose?  He’s an expert, after all.

But companies in these situations are fools for thinking that their compliance programs are working. A training course that can be passed by employees who skip the training is no training course at all. This fiction of corporate training happens all the time, and there are two serious problems with it: First, people are not actually trained, so FCPA violations still occur with the same frequency, and second, the U.S. government will give no leniency to companies with such blatantly ineffective training programs. Companies spend a lot of money on these programs, and the get nothing in return – neither trained employees nor protection from prosecution.

This is a serious issue, the U.S. government has collected billions of dollars in fines for FCPA violations in the past few years and has announced that it intends to be even more aggressive going forward. The United Kingdom has just enacted its own global anticorruption law too, and will be itching to try it out when it goes into effect this coming April.

There has been much talk of the U.K. Bribery Act’s new defense that lets companies off the hook where they have “adequate procedures” – including proper antibribery training and policies. Many in this country think the FCPA should have a similar defense available for companies with good FCPA compliance programs.

But it would be foolish to think that the compliance program discussed in The Ethicist post would ever be viewed as “adequate” by U.S. or U.K. authorities. An adequate compliance program should actually result in educated employees and, well, compliance. Not reams of paper certificates that show nothing more than an employee’s ability to game a simplistic training program.

Aaron G. Murphy is partner at Latham & Watkins specializing in the Foreign Corrupt Practices Act and corporate compliance issues. He is the author of the book: Foreign Corrupt Practices Act: A Practical Resource for Managers and Executives.

Share this post



  1. Wow. There are just so many things wrong with this scenario. A *four hour* FCPA training course? Seriously? And this person thought it didn't apply to him? It sounds like this company wasn't segregating its training courses. Meaning, higher risk employees—who presumably would know that the FCPA applies to them—get better and more training. Even then, I think four hours in one shot is a bit much. It seems to me that this is a paper program.

    Training, especially for your higher risk folks, isn't a one-time thing. It's not even "training" per se, but a system of messaging to those employees around compliance. It's training, employee calls, leader site visits, newsletters, emails from senior leaders, mentions in team meetings, live training, online training, all over time. It's not a four-hour-seminar-and-you're-done kind of thing, not if you want to do it right. It's also publicized incentives, publicized sanctions, keeping compliance-related metrics, and making them matter to the business…it's a system of learning, not just training.

    It sounds like this company still doesn't get it.

  2. Aaron,

    One of the problems with any compliance regime is that its effectiveness depends upon whether management is genuinely committed to ethical behavior. For many corporate execs, lawyers are nothing more than a tool and the FCPA just one of a constellation of impediments to profitability. I think the test is whether, in the absence of effective enforcement, would management refuse to engage in criminal conduct. If the answer to that is no, is the fear of enforcement sufficient to cause them to take the law seriously or do they think that spending money on compliance programs is sufficient to minimize exposure in case one of their employees gets caught violating the law. In both situations, employees are going to mirror management's attitude.

    I disagree with your statement that the FCPA is one of the most aggressively enforced criminal laws in America, if you are talking about numbers of cases investigated. It certainly is not anywhere near the top of the list of enforcement priorities in most of the 96 federal districts. If however you are referring to the government's willingness to commit time, money, and energy to the investigation of those companies that appear on the government's radar, I would agree. The problem is that until the likelihood of punishment reaches a critical mass (or maybe tipping point is the correct term today) many companies are not going to make "lawabidingness" a genuine part of their corporate culture.

    I think compliance programs fail because they depend too heavily on educating employees on the requirements of the law. Compliance begins with hiring moral and ethical employees. Compliance is fostered by companies demonstrating their concern, not just with the bottom line, but with having a positive impact upon the community. Compliance succeeds where management is invested in the long term growth of the company, not just short term profits. We all talk about corporate culture. But culture is not taught. It is lived.


Comments are closed for this article!