This past week, I was on a webinar with Mark Mendelsohn (the replay can be found here: http://bit.ly/gTAeKB). One of the things we spoke about was what companies need to do now to comply. I was a little more sanguine than Mark was; I thought that we should wait and see whether the UK actually enforces the Act before people spend a lot of money.
Mark made an excellent point right then. Can a company have “adequate procedures” if their compliance program doesn’t include anything about preventing private-sector bribery?
It’s a fair point. Let me think out loud for a minute about it. My first thought is that no one ever got very far disagreeing with Mark Mendelsohn about the FCPA or the UK Bribery Act. It might be a question of life not being fair, and companies just have to adjust to something that may turn out to be a theoretical risk. The difficulty is that it’s going to be a significant change.
Let me be Devil’s Advocate here for a moment. Can a company have adequate procedures without measures to prevent or detect private-sector bribery? Let’s play it out. A company has issues with a third party in Bribe-istan regarding a public-sector contract. The UK government comes in. Are they going to be looking at the private-sector pieces of your program? Now, if you have an issue with private-sector bribery, that’ll be problematic. The company, its officers and directors, and employees involved will all be in trouble. The difficulty here is that while I don’t believe the UK government will be looking for private-sector bribery cases, it’s often the fact that cases come to the regulator. This will become more true once the whistleblowing provisions of Dodd-Frank come into effect. So maybe not so theoretical at that.
Let’s pause for a second and talk about the cost. The cost of changing your program to include private-sector bribery. First, your training costs go up. It’s currently the case that programs spend time identifying who their public-sector-related employees are, and train them to a higher level. That effort involves cost as well. So those costs will go away, but training your entire sales force will cost you also. More. It’s time, and money. And just because the UK government passes an Act doesn’t make your company any more willing to donate time and money to compliance. One useful thing about the prescriptive rules the US puts into place is that you can go to your business and say “Reg C says we have to do x, y, or z.” This principle-based paradigm is harder to sell. Convincing your business to let you take every single sales and marketing employee out of commission for two or more hours is going to be tough. It’s ridiculous that it’s tough, but that’s reality. There’s also a monitoring aspect to it. Here’s a truth that you need to internalize: if you have a rule, you must—absolutely must—monitor compliance and punish recalcitrant employees. This is why I’m a fan of fewer rules, more stringently enforced. If you don’t, you have what regulators call a “paper program.” Disaster, if you’re ever challenged.
But training costs aren’t the biggest problem you have. The biggest problem is your third-party due diligence program. Unless you’ve spent considerable money on your DD program, you will likely have just a few employees involved, at minimal cost. That’s gone. Most programs were predicated on doing diligence on a small number of third parties. Almost all programs lack scalability. What might work for 100 third parties won’t work for 1,000. Most compliance programs are working on shoestring budgets as it is. If you have to adjust to massively increased volumes, that Excel spreadsheet you have just won’t cut it.
You’re going to have to retool, not just readjust.
So you’re left with, on the one hand, a somewhat theoretical risk of having to justify your lack of a private-sector bribery program. One quick digression: I’d hate to make the argument to the UK authorities that the reason you don’t have a private-sector bribery piece to your program is that your program is geared to FCPA compliance. Somehow, I don’t think the SFO will be too receptive to that. Anyway, it’s that cost, versus the certain cost of completely restructuring your due diligence and training programs.
I hate to disagree with Mark, but I’m going to. I think you still don’t do anything too drastic to your FCPA compliance program (except enhance it…you know it needs it). Wait and see what the UK does. I said on the webinar that it would be bold of the UK if their first case was a private-sector case. That would certainly change the playing field, and give the UK enforcement regime a much-needed boost.
Anyway, just something to think about.
I sometimes give this disclaimer, which I think might be needed here: I’m a lawyer, but I’m not your lawyer. This post is not legal advice, and you should not take it as directed at you. If you do, frankly, you need your head examined. This is a blog. If you want legal advice, there are quite a few lawyers who’d just love to help you. I’m offering informed commentary, not legal advice.