I just read the interview with DLA Piper’s Sharie Brown by Corporate Crime Reporter. I like Sharie, and you never get very far betting against her. Basically, Sharie says that people should stop freaking out about the UK Bribery Act. (Alexandra Wrage recently took a similar position). She argues that a lot will depend on enforcement.
So, even though there has been a lot written about this law and how much more extensive it is and the fact that it also includes an offense for the official who receives the bribe, not just the parties who pay the bribe, and it deals with commercial and foreign bribery, there remains in my mind the question about whether there is the will and the resources and the tenacity to enforce this law in all of its elements to the same extent that we aggressively enforce the FCPA.
I’m not shy about disagreeing with people, as you can tell if you’ve read my blog, even a little. I can’t say as I disagree with her. I especially like her concentrating on the “will” to enforce this law. That really hits the nail on the head.
The Bribery Act has only one really major area that will effect change. Yes, yes, I know, facilitation payments are prohibited. But that’s not actually a change in UK law. In fact, most EU country anti-corruption laws don’t make an exception for facilitation payments. Then again, I remember reading guidance from the Home Office that said they wouldn’t touch facilitation payments with a 10 meter pole. I’m paraphrasing, of course.
The major change is the criminalization of international private-sector bribery. Sharie’s argument is that until we see how the law is enforced, almost any reaction would be an overreaction.
She makes a good point. I have two reactions: first, no one will want to be the test case, which means companies have to react now to ensure their compliance programs encompass this kind of activity. Second, compliance is forward looking but risk reactive. This effect of this dichotomy is that a lot of companies follow a race-to-the-bottom mentality. They control for the most restrictive rule so they can more easily implement. The efficiency balances out the lost opportunity. At least, that’s the theory. It’s why most data breach notification policies follow the Massachusetts rules. It’s the most restrictive, so by complying with it, the company doesn’t have to create 47 different data breach notification policies. (Yes, I know there are 50 states. But the last thing I read said 47 of htem had data breach notification laws.)
I have concern that compliance departments will say “well, the UK bill is the most restrictive, so let’s just comply with that.”
The question is, is that the right way to go?
One thing to keep in mind. Before the UK Bribery Act came on the scene, the DOJ was slyly bringing private-sector corruption into their cases. In a couple of cases, they used the Travel Act to prosecute bribery on the private side. Not in isolation, mind you, but as part of larger cases. Think back to Control Components Inc. They were prosecuted, in addition to FCPA charges, with the Travel Act; traveling internationally to further a violation of the California statute outlawing private-sector bribery. Thing was, nobody really paid attention to that. There was a flurry of activity, client alert emails, that kind of thing, but no fundamental change to compliance thinking. This, the UK Bribery Act, seems different to me. People are paying attention.
So I tend to think that companies should react. It’s going to be a big change, but a positive one. It’ll take time to get onto the radar of the sales and marketing folks, but it’ll get there eventually.
Between this and Dodd-Frank’s Whistleblower provisions—another one where some are freaking out and some are saying “let’s wait and see”—major changes to compliance are afoot.