IMG_3289Ed. Note – this week, I am pleased to join my colleagues David Simon, partner at Foley & Lardner LLP, and William ‘Bill’ C. Athanas, partner at Waller Lansden Dortch & Davis, LLP, in a tripartite debate on the efficacy of the affirmative defense of a compliance program to the Foreign Corrupt Practices Act (FCPA). Previously, I presented my views, from the perspective of a former in-house counsel, on why a compliance defense would not help to create greater compliance with the FCPA. Yesterday, Simon discussed his views, from the perspective a white collar defense practitioner, on why a compliance defense under the FCPA would foster greater compliance with the Act. In the concluding post today, Athanas presents his views as a former Department of Justice (DOJ) prosecutor. I hope that you have enjoyed our debate.


Watching the FCPA compliance defense debate from the sidelines over the past couple of years, I usually find myself agreeing with whomever I read last.  David Simon, Professor Kohler, and Chamber of Commerce’s position paper, Restoring Balance, all lay out compelling arguments in favor of a compliance defense, and Tom Fox, Howard Sklar and the Justice Department are equally persuasive in opposition.  If nothing else, I appreciate the opportunity to take part in this exercise because it forces me finally to stake out and defend a position on the issue.

In doing so, I have tried to consider the well-reasoned policy arguments for and against that have been made by others (particularly David and Tom’s articles), and re-examine them from a purely pragmatic standpoint.  Ultimately, I find that I concur in the view that enacting a compliance defense is unnecessary because: a) such evidence is already factored into the enforcement decision-making calculus, and b) the notion of enabling corporations to raise a defense at trials that will never occur is essentially meaningless.  But I do not oppose a compliance defense simply because I conclude that is has no utility.  Rather, my opposition to that defense stems from the belief that its enactment would actually cause harm to those companies who take seriously the FCPA’s obligations and endeavor to ensure compliance with its mandates, making it more difficult for them to operate in this enforcement environment.

I do not wish to rehash the points Tom makes so effectively, but I would like to add a comment or two on arguments often advanced by compliance defense supporters.  For example, the claim that a compliance defense is necessary to counterbalance the unfairness of enforcement actions premised on a “rogue employee” theory.  While few would dispute the injustice of isolated instances of misconduct carried out by a rogue employee in contravention of consistently expressed mandates serving as the basis for huge fines and collateral consequences imposed on otherwise well-intentioned corporate citizens, noting those concerns in the abstract falls short, in my view, without evidence that “rogue employee” enforcement actions are actually being pursued on a widespread – or even limited – basis.  In other words, before I can conclude that the FCPA enforcement model needs to be fixed, I need to see evidence that it is broken.

I do not see that evidence.  It may be that there are instances where otherwise marginal cases premised on discrete, quarantined conduct have been (or are being) pursued via enforcement action, and where a compliance defense, if it existed, would have prevented an unjust result.  But absent examples of such, I ground my opinion in my own experiences.  I am not foreclosing the possibility that a prosecutor might blithely disregard the existence of a suitably robust compliance program in order to advance a less than meritorious FCPA enforcement action knowing that the target company would be forced to settle rather fight, but I do not see evidence that is occurring.

Nor am I moved by arguments that the lack of a compliance defense means that even those companies who install and maintain the most effective programs remain at the unchecked mercy of FCPA enforcement authorities.  David’s article makes this point by linking to an FCPA Professor post from September 1, 2011, which notes the apparent incongruity of Oracle – then recognized as one of the “World’s Most Ethical Companies” by Ethisphere – being scrutinized for FCPA violations.  In the post, Professor Koehler lists a number of other companies on that list who resolved FCPA actions or faced FCPA scrutiny, and concludes that this counterintuitive result highlights the need to revisit the compliance defense question.  But the major premise of the post – that Oracle had as sound and thorough a compliance program in place as could reasonably expected – is belied by the results of the inquiry.  While the nature and scope of Oracle’s issue were not known publicly at the time of the initial post, the SEC’s enforcement action announced August 16, 2012 revealed that it stemmed from Oracle’s failure to prevent a subsidiary from “secretly setting aside [$2.2 million] off the company’s books that was eventually used to make unauthorized payments to phony vendors in India.”  With all due respect to Ethisphere’s evaluative process, this outcome seems to suggest that while Oracle may well have gone to significant lengths in its FCPA compliance efforts, it clearly did not do enough.  I would submit that the question implicit in Professor Koehler’s post – “doesn’t something need to be done when even having a top flight compliance program is not enough to protect companies from FCPA enforcement actions?” – needs to be reformulated to ask, “can a compliance program really be deemed top flight when violations with the dimensions of Oracle’s FCPA issue are occurring?”

I do not mean to cast aspersions.  Although I am not concerned that the threat of a future epidemic of prosecutorial recklessness is so great that a compliance defense must be enacted, I appreciate that installing such a defense may serve to help level an otherwise uneven playing field.  While I believe few prosecutors set out to bring marginal cases simply because they recognize that the disparity of negotiating leverage may enable them to do so, I also understand that providing enforcement targets useful tools to defend actions can serve a vital purpose.  Even for those prosecutors who are motivated by the best of intentions, it can be difficult to write a declination memo and walk away from a case empty handed, particularly after conducting a lengthy investigation which reveals violations.  The thought of taking no action after investing years’ worth of prosecutorial and investigative resources is an unpleasant one for many if not most prosecutors, especially when there is a belief that the company bears some culpability for the violations which occurred.  While the existence of a compliance defense might deter a prosecutor pursing a weak case – by providing a clearly established legal means for the company to secure an acquittal where one might not otherwise have existed – I do not see this as a determinative factor.  I believe there are already adequate safeguards that operate as a check against marginal cases moving forward, including internally at the Department.  The process of getting indictments approved did not include any rubber stamps when I was at the Fraud Section, and I doubt very much that it has gotten easier over time.

Enough about why I do not support a compliance defense.  Here is why I oppose it:  while I am hard pressed to see the practical benefits of a compliance defense in the current environment, it is not at all difficult for me to envision the likely downside if one is enacted.  I believe the current FCPA enforcement model, in both theory and practice, reflects the government’s desire to identify a company’s genuine commitment to FCPA compliance.  Those companies able to identify tangible evidence of sincere dedication to addressing FCPA issues are well positioned to largely, if not completely, avoid the harsh consequences that might otherwise result, while those unable to do so are left to try to defend their inaction in a setting where hindsight rules the day.

While any model which relies on measuring sincerity will necessarily carry some degree of uncertainty, by most accounts, the system works.   I recognize that a statement of that type will likely bring howls of derision (or maybe worse) from some, but on the whole I believe the evidence supports my conclusion.  Have there been FCPA cases that should not have been pursued?  I am certain that is the case.  But as the saying goes, the plural is anecdote is not data.  Absent proof that the government holds companies to an unattainable standard and then punishes them when they cannot adhere to it, I am unwilling make that assumption.

By contrast, we know for a fact that the government routinely declines FCPA cases.  The Morgan Stanley declination is the highest profile example of an effective compliance program providing shelter from an FCPA enforcement action, but there can be no real doubt that countless other examples exist.  As Tom notes in his article, the recently issued Guidance listed a number of additional declinations based, at least in significant part, on the presence of suitably robust compliance defenses.  We also know – based on those companies who have reported receiving declinations, as well as the numerical disparity between the number of investigations disclosed and enforcement actions ultimately pursued – that many other declinations have occurred.  To be sure, these declinations can occur for a multitude of different reasons: including weak or no evidence of an underlying violation and lack of investigative or prosecutorial resources.  But the most common reason is the existence of a suitably sound compliance program which evidences a genuine commitment to preventing violations.

My concern is that a formalized compliance defense threatens to throw off that equilibrium, in both substance and application.  The certainty which comes with the formal enactment of a compliance defense bestows little benefit on companies if those clearly defined obligations are set so high as to render them virtually unattainable.  I had no difficulty foreseeing that the legislative compromise necessary to secure enactment of a compliance defense will necessitate that be narrow and difficult to invoke.  Moreover, companies can be sure that prosecutors who have seen their discretionary authority drastically reduced – if not entirely eliminated – will be exacting in their interpretation of whether the defense is meritorious when undertaking the enforcement decision making process.  As a result, if those who are fighting so hard for inclusion of an FCPA compliance defense are successful, they are likely to find that they much preferred the devil they knew – the de facto compliance defense already in existence and litigated over in Justice Department conference rooms – to the one they didn’t.

One final point: compliance defense supporters often tout the inclusion of a compliance defense in the UK Bribery Act and the Italian anti-corruption statute, both of which were enacted relatively recently.  Is there any evidence to suggest that the inclusion of the defense in those statutes has created a better system of enforcement in those jurisdictions?  If so, how?  If not, what is the significance to this debate of the inclusion of the defense in those statutes?  Those are not rhetorical questions – I think the answers might shed light on this debate, and I hope that some of Tom’s readers practicing in those jurisdictions will enlighten us on those issues.


Bill Athanas can be reached via email at


This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author.

Bill Wilson
Bill Wilson

To my mind, the best argument against the compliance defense is the disingenuity that many investigations have revealed. The citation of Oracle is but one example. Consider what's been reported about Wal-mart: management gets a report outlining the offending conduct in heinous detail, and then instead of acting on it and issuing orders to clean up their act to the regional management, you return control of the investigation to the regional attorney, and ultimately promote the head of the group. (NY Times here: Who knows what the truth is in this particular case, but frankly similar fact patterns aren't really that unique in FCPA cases. But even the dumbest employee on this planet can read that kind of message without magnification: "Compliance isn't as important as the bottom line. Go forth, and meet your targets any way you can get away with." Examine the paperwork that is publicly available in other cases, and you come away with the impression that many if not all of the prosecuted entities exerted considerable effort on compliance. But countervailing forces - the unrelenting pursuit of profits to the exclusion of other objectives, a lack of message reinforcement from the C-suite, field troops who failed to heed the message from the top (or who perhaps were getting conflicting messages in quarterly business reviews) - all of these forces and still others which were the undoing of those compliance efforts can be viewed in all of their glory - and gory detail - in the NPA and DPA documents. One other factor bears mentioning on this issue: for many defendants, it's not their first FCPA rodeo. Some cases involve companies who should have a deep abiding religion in this area after their first encounter with the SEC or DOJ. And yet remarkably, their name pops up once again, sometimes within a few years, and when you read the details, you get the unmistakable impression their new-found faith was not all that deep. In short, I think the Sentencing Guidelines have it right: give credit for having made the effort when it comes time to decide on punishment, but don't let a compliance program be a "get out of jail free" ticket. A last point: examine the compliance programs of many companies, particularly small and mid-sized companies, and you will find the FCPA highlighted, but a lot are still behind the curve when it comes to commercial bribery, which as the GSK case in China makes clear, you do so at your peril, whether in China, the UK or even here in the US, where 18 states make it a felony and DOJ doesn't lack for ways to prosecute it.