By Joseph W. Yockey, Professor and Michael and Brenda Sandler Faculty Fellow in Corporate Law and Nicole Saleem, Iowa JD 2011. 

The story is enough to make any corporate executive (and her counsel) lose sleep. A company’s crown jewel and biggest international success story—the one held up to investors as a testament of competitive prowess—is now said to be the product of nothing less than systematic bribery and corruption. This is a situation that executives at Wal-Mart faced with respect to the company’s largest foreign subsidiary, Wal-Mart de Mexico. As first reported by the New York Times, employees at Wal-Mart de Mexico allegedly paid over $24 million in bribes to various Mexican officials to secure permits, silence environmental objections, and change zoning maps—all to fuel unprecedented growth in the region. If true, the allegations suggest that bribery, and not just business savvy, is why twenty percent of Wal-Mart stores are located in Mexico, as well as why the company is Mexico’s largest private employer.

The allegations also mean that Wal-Mart remains firmly in the crosshairs of federal enforcers intent on using powerful statutory tools and sanctions to root out foreign corruption wherever and whenever it might occur.

Our goal in this essay is to help companies avoid bribery through measures that minimize the risk of corrupt practices at every point on the corporate hierarchy. And we think that means taking a fundamentally new approach to anti-corruption compliance and ethics-building—one that goes beyond “mission statements” to proactively reshape organizational culture and teach employees to exercise sound judgment in the face of myriad shades of legal gray.

Rising Tides in Anti-Corruption Enforcement

Stories like the one involving Wal-Mart are becoming all too familiar within a larger narrative surrounding the U.S. Foreign Corrupt Practices Act (FCPA). Enacted in 1977, the FCPA prohibits companies from paying bribes to foreign officials for the purpose of getting business. The statute also requires issuers of publicly traded securities to maintain accurate books and records and to institute various internal accounting controls. The Justice Department and the U.S. Securities and Exchange Commission (SEC) both enforce the statute’s anti-bribery provisions, but only the SEC enforces the recordkeeping and internal control requirements.
FCPA penalties can be severe. In addition to the risk of substantial criminal and civil sanctions, violators face the possibility of debarment from government contracts. Siemens AG, a German conglomerate, still holds the title for the highest penalty in FCPA history. In 2008, the company and three of its subsidiaries pleaded guilty to FCPA-related charges and agreed to pay a criminal fine of $450 million to the Justice Department, disgorge $350 million to the SEC, and settle separate charges with German authorities for $800 million—bringing the total penalty to $1.6 billion.

Though it stayed off the map for most of its early history the FCPA is now in the midst of an unprecedented surge in enforcement. The Justice Department says FCPA enforcement is its top priority, second only to fighting terrorism. Along with Siemens and Wal-Mart, hundreds of high-profile companies and their executives have come under FCPA scrutiny within the past five years.

What explains this rise in enforcement? One answer involves shifting economic and political forces. As our world becomes smaller and national economies increasingly intertwine, a greater number of companies do business in foreign markets, many of which feature widespread corruption. The vigorous enforcement of international anti-bribery laws is seen as essential to promoting economic growth and maintaining trust in today’s global marketplace. A recent shift in investigatory resources and tactics is another factor. The FBI now maintains an FCPA-specific unit of full-time special agents, and a specialized group of Assistant U.S. Attorneys handles most of the FCPA prosecutions brought by the Department of Justice. Prosecutors also continue to bring tools to bear on FCPA matters that were traditionally reserved for cases involving organized crime or narcotics. For example, a recent undercover sting led to the FCPA arrests of twenty-two executives in the arms industry. The operation—which some liken to a Hollywood crime thriller—relied upon a cooperating witness, the seizure of evidence in multiple countries, and collaboration among several international law enforcement agencies.

Settlement Practices and Compliance Challenges

For firms doing business abroad, these developments move FCPA compliance to the vanguard of international operations. But this is where several complications arise. The first stems from an enforcement climate that leads almost invariably to settlement. With FCPA enforcers becoming more aggressive, and scrutiny therefore becoming more likely, most firms try to get out in front of potential violations by voluntarily disclosing them to regulators and seeking leniency. Inside and outside counsel generally advise firms facing a possible FCPA investigation to focus on obtaining a settlement on the best possible terms rather than risk later independent discovery by regulators. The negative collateral consequences arising from an indictment, let alone conviction, are seen as too great for firms to risk adopting any strategy other than cooperation and settlement. The Wal-Mart case is a good example. As soon as the problems in Mexico became public the company began its own internal investigation to lay a foundation for future cooperation with a parallel federal FCPA investigation, eventually expanding its internal examination to corporate activities in Brazil, India, and China.
Once cooperation begins, the focus typically becomes reaching an agreement that bypasses litigation and trial. A clear majority of FCPA investigations end in plea agreements or deferred prosecution agreements (DPAs). DPAs look similar to probation in that the government files a formal charging document but agrees to suspend it in exchange for a firm’s agreement to take certain steps. Usually the target firm must agree to do things like pay a fine, disgorge profits, implement various corporate governance reforms, retain a monitor to oversee an internal compliance program, and cooperate with any related ongoing investigations. If the firm fulfills its obligations, then the prosecution agrees to dismiss charges after a period of time, usually between two and four years. Though they aren’t new, the average annual number of DPAs rose from fewer than five per year in 2004 to over twenty per year in 2010. With respect to FCPA matters specifically, the Justice Department used DPAs to resolve over 75% of all actions from 2004 to 2010, leading many to view them as the expected outcome in every FCPA case.

At first glance, FCPA settlement trends might not seem like much of an issue. Firms benefit by avoiding formal prosecution and the inherent expense and uncertainties of litigation. Regulators benefit from the considerable enforcement flexibility that DPAs provide. Just as the prosecution of Arthur Andersen in the wake of the Enron scandal served as a warning sign to firms, federal officials also took heed of the dangers that come with entity-level prosecutions. The Supreme Court ultimately overturned Arthur Andersen’s criminal conviction but the appeal came too late to save the firm from going out of business. The upside of DPAs is that they give regulators a way to prevent similar results—and any corresponding adverse effects on shareholders or employees—without letting companies completely off the hook.

The trouble, though, is that the current FCPA settlement dynamic masks several dangers. For one, the current enforcement climate encourages firms to focus on compliance strategies that they can defend later should they happen to come under investigation. This has serious drawbacks. Regulators typically lack the expertise (or the interest) necessary to gain context-specific knowledge about how risk manifests itself across different firms or industries. Thus, rather than collaborating with firms to address the unique compliance challenges that they confront, regulators tend to work from a menu of one-size-fits-all governance reforms and policy recommendations. On the flip side, firms looking at FCPA settlements in other cases often feel bound to implement the same type of rigid compliance programs in order to “check the boxes” that regulators appear to credit without first assessing whether they actually prevent wrongdoing.

Black-and-white compliance playbooks might be fine in some situations but the problem in the context of foreign corruption is that matters on the ground are anything but black and white. Corruption comes in all shapes and sizes. The days where a foreign official asks for a suitcase full of cash in exchange for awarding a contract are largely over. Most corrupt officials drop hints that bribes will move things along without ever explicitly asking for money. Moreover, providing cash, gifts, or other tangible objects directly to a government official is not the only way for FCPA liability to attach. For example, regulators recently alleged that Schering-Plough paid illegal bribes to a government official when it donated funds to a charity whose director also worked for a Polish health fund tasked with deciding how the government allocates health-related resources. In other situations, it is thoroughly understood in the local community that no business happens without sponsoring certain public events or paying various “service fees” or “commissions” to government intermediaries.

Additional cases feature conduct that arguably rises to the level of extortion, where employees or their families find themselves in physical danger if funds are not channeled to various government officers. This happened to NATCO, a Texas-based oil and gas company. After a NATCO subsidiary won a government contract in Kazakhstan, Kazakh immigration prosecutors threatened to fine, jail, or deport the workers if the company refused to pay cash fines. Believing the threats to be genuine, senior management authorized the payments and the employees used personal funds to pay $45,000 to the Kazakh prosecutors. The SEC acknowledged that the employees were the victims of extortion but still charged NATCO with FCPA accounting violations because the company recorded the ransom payments as standard salary advances.
And nothing ever stays the same. As soon as one scheme becomes apparent, corrupt officials add new variables or mechanisms to blur the lines between purportedly lawful payments and illegal kickbacks. Unique cultural norms—like the strong gift-giving cultures in many Asian countries—further muddy the compliance waters.
From an internal governance standpoint, it can be difficult or impossible for employees to respond to such a diverse set of situations through reference to a compartmentalized, checklist-style compliance program. Things just happen too fast and are rarely clear-cut. This means regulators need a certain degree of breadth and flexibility to capture the range of corruption in the marketplace, but it also means that firms need to take a similar approach to compliance.

Compliance 2.0

Each of these considerations—from the dangers of crafting compliance solely in the shadow of settlement to the challenge of dealing with the dynamic nature of corruption itself—convince us of a need for new strategies to improve anti-corruption risk management within the firm. Our approach is simple. We start by likening compliance to the medical notion of preventive care, where the goal is to prevent illness rather than cure it, and the emphasis is on promoting overall health rather than simply reducing rates of sickness.

For companies, we argue that the first step along this path requires looking outside of the firm. As things stand, the only real guidance that companies have when developing FCPA compliance initiatives is what they see in public enforcement outcomes and generalized comments in regulatory releases. What firms should really be focusing on, however, is what they can learn about mitigating the risk of corruption from the outset by talking to peer companies, their own stakeholders, third party experts (like anti-corruption NGOs), and perhaps even regulators themselves. A robust framework for external engagement will harness the expertise of actors who are closest to the ground and thus best situated to offer ideas for dealing with the complex problem of corruption. Firms can share their experiences with new forms of corrupt schemes; NGOs can share information obtained through their diverse research activities; and federal authorities can share information about country-specific risk factors that they discover through dialogue with foreign law enforcement agencies. These and similar efforts ought to provide companies with the knowledge necessary to develop compliance tools and “best practices” that are anticipatory rather than simply reactionary, and which can better adapt to rapidly changing market conditions.

Meaningful external engagement will also help companies when it comes to educating their own employees. The more time that firms spend developing a rich understanding of the whys and wherefores of corruption, the more successful they will be in explaining to employees that their actions have real and significant societal repercussions. This is important because employees who are taught why a law exists and what it means to violate it are more likely to internalize the values that led to the law in the first place. These employees, in turn, will be better equipped to exercise judgment in the face of evolving challenges than those left to fit unique variables into a static set of rules.
Of course, internalizing anti-corruption values is easier said than done. It will not happen overnight, and companies must take affirmative steps to get the ball rolling. Internalization begins when members of senior management stress that anti-corruption compliance is taken seriously within all facets of the organization. This will underscore that clean business practices are seen as a core company value. Likewise, it is important for anti-corruption expertise to be decentralized within the firm. One promising development in this regard is the emergence of a new category of corporate officer: the Chief FCPA Compliance Officer. If there is a silver lining to the Wal-Mart bribery scandal, this might be it. In an effort to reform its FCPA compliance system in the wake of the Times report, Wal-Mart became one of the first companies in the world to put someone in an FCPA-specific executive position. We believe this strategy will soon spread to every firm with a strong international presence. For one thing, having an FCPA point-person in the executive suite will make it easier for companies to execute the type of external dialogue process mentioned above. FCPA compliance officers can then share the lessons they learn through outside engagement with their fellow senior managers and the board of directors as the company shapes its overall business and risk-management strategy. Similarly, a dedicated FCPA expert will be better positioned to carry a singular message about FCPA compliance to employees throughout each layer of the organization. Employees will also benefit from having a primary point of contact for any concerns that arise, and an FCPA compliance officer can use the resulting feedback loop to develop the type of granular knowledge necessary for crafting training methods that teach how to anticipate and respond to new challenges.
None of this means that sanctions and other traditional mechanisms to encourage law-abiding behavior are unnecessary. There will always be defectors who can only be reached through the threat of severe penalties. Much also depends on a new breed of executives and regulators coming around to the view that they should devote more time and resources to building proactive compliance programs outside the context of a specific enforcement action or investigation.

What we simply hope to do is encourage companies and their leaders to take the long-view—to think beyond the risk of federal scrutiny and focus on making anti-corruption values a part of their corporate DNA. This mindset might not stop every bribe, but we believe that building a smart and sustainable culture of compliance is the most promising step in that direction.