May You Get What You Want: The Curse Of The FCPA Compliance Defense

by Thomas Fox

Ed. Note – this week, I am pleased to join my colleagues David Simon, partner at Foley & Lardner LLP, and William ‘Bill’ C. Athanas, partner at Waller Lansden Dortch & Davis, LLP, in a tripartite debate on the efficacy of the affirmative defense of a compliance program to the Foreign Corrupt Practices Act (FCPA). Previously, I presented my views, from the perspective of a former in-house counsel, on why a compliance defense would not help to create greater compliance with the FCPA. Yesterday, Simon discussed his views, from the perspective of a white collar defense practitioner, on why a compliance defense under the FCPA would foster greater compliance with the Act. In the concluding post today, Athanas presents his views as a former Department of Justice (DOJ) prosecutor. I hope that you have enjoyed our debate.

Watching the FCPA compliance defense debate from the sidelines over the past couple of years, I usually find myself agreeing with whomever I read last.  David Simon, Professor Koehler, and the Chamber of Commerce’s position paper, Restoring Balance, all lay out compelling arguments in favor of a compliance defense, and Tom Fox, Howard Sklar and the Justice Department are equally persuasive in opposition.  If nothing else, I appreciate the opportunity to take part in this exercise because it forces me finally to stake out and defend a position on the issue.

In doing so, I have tried to consider the well-reasoned policy arguments for and against that have been made by others (particularly David and Tom’s articles), and re-examine them from a purely pragmatic standpoint.  Ultimately, I find that I concur in the view that enacting a compliance defense is unnecessary because: a) such evidence is already factored into the enforcement decision-making calculus, and b) the notion of enabling corporations to raise a defense at trials that will never occur is essentially meaningless.  But I do not oppose a compliance defense simply because I conclude that it has no utility.  Rather, my opposition to that defense stems from the belief that its enactment would actually cause harm to those companies who take seriously the FCPA’s obligations and endeavor to ensure compliance with its mandates, making it more difficult for them to operate in this enforcement environment.

I do not wish to rehash the points Tom makes so effectively, but I would like to add a comment or two on arguments often advanced by compliance defense supporters.  For example, the claim that a compliance defense is necessary to counterbalance the unfairness of enforcement actions premised on a “rogue employee” theory.  While few would dispute the injustice of isolated instances of misconduct carried out by a rogue employee in contravention of consistently expressed mandates serving as the basis for huge fines and collateral consequences imposed on otherwise well-intentioned corporate citizens, noting those concerns in the abstract falls short, in my view, without evidence that “rogue employee” enforcement actions are actually being pursued on a widespread – or even limited – basis.  In other words, before I can conclude that the FCPA enforcement model needs to be fixed, I need to see evidence that it is broken.

I do not see that evidence.  It may be that there are instances where otherwise marginal cases premised on discrete, quarantined conduct have been (or are being) pursued via enforcement action, and where a compliance defense, if it existed, would have prevented an unjust result.  But absent examples of such, I ground my opinion in my own experiences.  I am not foreclosing the possibility that a prosecutor might blithely disregard the existence of a suitably robust compliance program in order to advance a less than meritorious FCPA enforcement action knowing that the target company would be forced to settle rather than fight, but I do not see evidence that is occurring.

Nor am I moved by arguments that the lack of a compliance defense means that even those companies who install and maintain the most effective programs remain at the unchecked mercy of FCPA enforcement authorities.  David’s article makes this point by linking to an FCPA Professor post from September 1, 2011, which notes the apparent incongruity of Oracle – then recognized as one of the “World’s Most Ethical Companies” by Ethisphere – being scrutinized for FCPA violations.  In the post, Professor Koehler lists a number of other companies on that list who resolved FCPA actions or faced FCPA scrutiny, and concludes that this counterintuitive result highlights the need to revisit the compliance defense question.  But the major premise of the post – that Oracle had as sound and thorough a compliance program in place as could reasonably be expected – is belied by the results of the inquiry.  While the nature and scope of Oracle’s issue were not known publicly at the time of the initial post, the SEC’s enforcement action announced August 16, 2012 revealed that it stemmed from Oracle’s failure to prevent a subsidiary from “secretly setting aside [$2.2 million] off the company’s books that was eventually used to make unauthorized payments to phony vendors in India.”  With all due respect to Ethisphere’s evaluative process, this outcome seems to suggest that while Oracle may well have gone to significant lengths in its FCPA compliance efforts, it clearly did not do enough.  I would submit that the question implicit in Professor Koehler’s post – “doesn’t something need to be done when even having a top flight compliance program is not enough to protect companies from FCPA enforcement actions?” – needs to be reformulated to ask, “can a compliance program really be deemed top flight when violations with the dimensions of Oracle’s FCPA issue are occurring?”

I do not mean to cast aspersions.  Although I am not concerned that the threat of a future epidemic of prosecutorial recklessness is so great that a compliance defense must be enacted, I appreciate that installing such a defense may serve to help level an otherwise uneven playing field.  While I believe few prosecutors set out to bring marginal cases simply because they recognize that the disparity of negotiating leverage may enable them to do so, I also understand that providing enforcement targets useful tools to defend actions can serve a vital purpose.  Even for those prosecutors who are motivated by the best of intentions, it can be difficult to write a declination memo and walk away from a case empty handed, particularly after conducting a lengthy investigation which reveals violations.  The thought of taking no action after investing years’ worth of prosecutorial and investigative resources is an unpleasant one for many if not most prosecutors, especially when there is a belief that the company bears some culpability for the violations which occurred.  While the existence of a compliance defense might deter a prosecutor pursuing a weak case – by providing a clearly established legal means for the company to secure an acquittal where one might not otherwise have existed – I do not see this as a determinative factor.  I believe there are already adequate safeguards that operate as a check against marginal cases moving forward, including internally at the Department.  The process of getting indictments approved did not include any rubber stamps when I was at the Fraud Section, and I doubt very much that it has gotten easier over time.

Enough about why I do not support a compliance defense.  Here is why I oppose it:  while I am hard pressed to see the practical benefits of a compliance defense in the current environment, it is not at all difficult for me to envision the likely downside if one is enacted.  I believe the current FCPA enforcement model, in both theory and practice, reflects the government’s desire to identify a company’s genuine commitment to FCPA compliance.  Those companies able to identify tangible evidence of sincere dedication to addressing FCPA issues are well positioned to largely, if not completely, avoid the harsh consequences that might otherwise result, while those unable to do so are left to try to defend their inaction in a setting where hindsight rules the day.

While any model which relies on measuring sincerity will necessarily carry some degree of uncertainty, by most accounts, the system works.   I recognize that a statement of that type will likely bring howls of derision (or maybe worse) from some, but on the whole I believe the evidence supports my conclusion.  Have there been FCPA cases that should not have been pursued?  I am certain that is the case.  But as the saying goes, the plural of anecdote is not data.  Absent proof that the government holds companies to an unattainable standard and then punishes them when they cannot adhere to it, I am unwilling to make that assumption.

By contrast, we know for a fact that the government routinely declines FCPA cases.  The Morgan Stanley declination is the highest profile example of an effective compliance program providing shelter from an FCPA enforcement action, but there can be no real doubt that countless other examples exist.  As Tom notes in his article, the recently issued Guidance listed a number of additional declinations based, at least in significant part, on the presence of suitably robust compliance defenses.  We also know – based on those companies who have reported receiving declinations, as well as the numerical disparity between the number of investigations disclosed and enforcement actions ultimately pursued – that many other declinations have occurred.  To be sure, these declinations can occur for a multitude of different reasons, including weak or no evidence of an underlying violation and lack of investigative or prosecutorial resources.  But the most common reason is the existence of a suitably sound compliance program which evidences a genuine commitment to preventing violations.

My concern is that a formalized compliance defense threatens to throw off that equilibrium, in both substance and application.  The certainty which comes with the formal enactment of a compliance defense bestows little benefit on companies if those clearly defined obligations are set so high as to render them virtually unattainable.  I had no difficulty foreseeing that the legislative compromise necessary to secure enactment of a compliance defense will necessitate that it be narrow and difficult to invoke.  Moreover, companies can be sure that prosecutors who have seen their discretionary authority drastically reduced – if not entirely eliminated – will be exacting in their interpretation of whether the defense is meritorious when undertaking the enforcement decision making process.  As a result, if those who are fighting so hard for inclusion of an FCPA compliance defense are successful, they are likely to find that they much preferred the devil they knew – the de facto compliance defense already in existence and litigated over in Justice Department conference rooms – to the one they didn’t.

One final point: compliance defense supporters often tout the inclusion of a compliance defense in the UK Bribery Act and the Italian anti-corruption statute, both of which were enacted relatively recently.  Is there any evidence to suggest that the inclusion of the defense in those statutes has created a better system of enforcement in those jurisdictions?  If so, how?  If not, what is the significance to this debate of the inclusion of the defense in those statutes?  Those are not rhetorical questions – I think the answers might shed light on this debate, and I hope that some of Tom’s readers practicing in those jurisdictions will enlighten us on those issues.

Bill Athanas can be reached via email at

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Thomas Fox, Compliance Evangelist | Attorney Advertising
