By almost any measure, the new FCPA enforcement policy is an important and positive development. Tom Fox, Bill Steinman, George Terwilliger, and others both here and beyond have noted as much, and I rise in concurrence.
But what does it mean for pre-existing compliance? On the surface, it means absolutely nothing — the enforcement policy, and the declinations announced under it, are entirely about remedial compliance.
But I’m afraid that, quite by accident, it might lead us to view pre-existing compliance differently. To capture that difference, consider the following hypothetical dialogue between a fair but business-minded CEO and a determined chief compliance officer.
CEO: I’d like to do a little more to protect our company from FCPA liability. I know we work in high-risk markets, and I’m nervous. Tell me, what can I do?
CCO: We actually have some new and very helpful guidance. The DOJ has just announced a new enforcement policy, and it’s the best, most specific guidance we’ve ever seen on how to get the thing you really want from the DOJ — a declination.
CEO: What does this new enforcement policy say I should do?
CCO: Four specific things: voluntary disclosure, remediation, cooperation, and disgorgement. It’s very clear.
CEO: That’s nice, but I need more than vague policy pronouncements. I want proof that if I do these things,I’m likely to get a declination. Do we have proof?
CCO: We actually do. That’s the best part, really. The DOJ seems to understand that you need proof, and has provided it. We now have a series of public declination announcements from the DOJ. I can put my finger on them, I can read them, and so can you. There’s a bunch of them, and they’re remarkably consistent. The DOJ is proving to companies like ours that if we do these things, we too can get a declination, just like these other companies did. Let’s be clear, the declination is not guaranteed — the DOJ retains its prosecutorial discretion. But there’s a presumption now, which is new to this area of the FCPA. And that’s about as much as you could reasonably ask for. It’s actually a big gesture from the DOJ — an important step in providing clarity and predictability to enforcement.
CEO: Okay, I get it. If I want a declination, I need to do these things. Tell me again, what were they? I want this on my radar.
CCO: They are voluntary disclosure, cooperation, remediation, and disgorgement.
CEO: Okay, good . . . but wait a minute. These are all about what I’m supposed to do after a violation occurs, if a violation occurs. So once we’ve screwed up, we know what to do. That’s helpful, to an extent. But what can I do before a violation occurs — like, right now, in a preventative way — to significantly improve our chances of getting a declination if we find ourselves in discussions with the DOJ?
CCO: Well, this is kind of hard to explain. We have a kind of two-track declination procedure now: the public declinations under the enforcement policy, and what you might call private declinations, where the company gets a declination but without the DOJ making an announcement or providing a public explanation of the reasons for granting it. On these private declinations, there are various memos, the relevant U.S. Attorney’s Manual sections, the 2012 Guidance, and of course the U.S. Sentencing Guidelines which all tell us they should occur. And the DOJ has told us, repeatedly, that it has in fact granted declinations on the basis of pre-existing compliance.
CEO: Sure, but again, where’s the proof?
CCO: That’s the tricky part. Because they’re not published, we don’t have this same kind of proof or detailed explanations.
CEO: So the DOJ publishes declinations when granted based on what the company does after a violation occurs, but not when granted based on what the company does to prevent violations?
CCO: Well, there were a couple of public declinations based on pre-existing compliance, several years ago. One was for Morgan Stanley, which got a lot of attention at the time. I think there was at least one more. But our memory of them seems to be fading — they’re not discussed much anymore. It’s pretty clear now that the DOJ does not publicly grant declinations on the basis of pre-existing compliance.
CEO: So the DOJ publishes declinations to incentivize disclosure, cooperation, remediation, and disgorgement, but it won’t do so to incentivize pre-existing compliance?
CCO: Well, no one really said it that way, but yes, that appears to be the situation now.
CEO: Do they want me to just trust that if I invest in pre-existing compliance, they’ll credit me later? After they’ve basically admitted in this new enforcement policy that taking their word for it really isn’t enough?
CCO: I know, on the business side it might sound a bit unrealistic . . .
CEO: And it leaves the impression that the DOJ simply cares more about disclosure, cooperation, and remedial compliance than it does about pre-existing compliance — that incentivizing pre-existing compliance is a lower priority. They don’t seem committed to providing the same level of resources and giving us the same kind of assurance they’re providing in the enforcement policy. I thought that historically the DOJ was all about pre-existing compliance, but now, it seems like a kind of second-tier thing.
CCO: Yeah, I don’t really know what to say. Having said that, can we change the subject? I wanted to talk to you about something else. I’ve identified a few weaknesses in our pre-existing compliance program that we really need to improve. It’s going to cost a little bit, but it’s worth it.
CEO: Sorry. I’ve gotta wrap up now.
Andy Spalding is a lecturer at the International Anti-Corruption Academy, Professor at the University of Richmond School of Law, and Senior Editor of the FCPA Blog.