I’m taking a page from my colleague Ralph Losey (let there be truth between us: I’ve met him once and talked to him twice, but he’s a “colleague” in the general sense, and I’m entitled to a little literary license, no?). In a recent piece, Losey wrote about the dirty little secret of attorney incompetence around eDiscovery. I feel the call to also write something uncomfortable. 
 
I know this is a strange thing to hear coming from a man who writes constantly about anti-corruption, and even who co-hosts a weekly videocast on that very subject, but I’m frankly wondering if the whole area hasn’t gotten a little bit overblown. Sometimes I want to tell everyone—the Chamber of Commerce comes to mind—to just calm down.
 
Our dirty little secret, if this could rightly be called that, is that we practitioners vastly overstate the risk that the FCPA brings to companies. In-house Compliance officers have a good reason for it: we need to spur change. In order to get a corporation, especially a large multi-national corporation, to move you sometimes need a significant amount of pressure to overcome its inertia. Once you get things moving—that is, get budget, resources, and priorities—around the effort, momentum and positive inertia will keep you going.
 
Slight digression: most people use “inertia” to mean that it’s tough to get people to move. That’s true, but only half the definition. Bodies at rest tend to stay at rest, bodies in motion tend to stay in motion unless acted on by an outside force. I call “positive inertia” the second half of that statement: once you’ve got the corporation moving, it’s easier to keep it moving. Budgets, however, always act as a net negative force on Compliance.
 
Anyway, that’s why Compliance people have a motive to overstate risk: if they correctly state the risk, it won’t exert enough pressure on the business to get them to do anything. I’m trying to understand why outside counsel does it. The cynic in me believes that I already know the answer, but my better angels are still searching for a reason.
 
First, though, let’s explore whether I’m correctly stating a problem: do we overstate FCPA risk?
 
I’ve read with interest (and sometimes distaste) the efforts to reform the FCPA. I’ve seen presentations by firms about gifts and hospitality, and I’ve heard Ken Clarke talk about it in front of the House of Lords. He was talking about why the MOJ was going to issue guidance (which they did, and which I pilloried). He said that British companies were afraid:

fears sometimes aroused by the compliance industry, the consultants, the lawyers who will of course try to persuade companies that millions of pounds must expended on new systems which in my opinion no honest firm will require to comply with the act.

The only issue I’d raise with this quote is the word “sometimes.”
 
Compliance officers regularly talk about how they need to “scare the sh%t out of the business.” We develop Powerpoint slides with headlines like “Siemens pays $1.2 billion.” If we can get away with exclamation points, it’s “SIEMENS PAYS $1.2 BILLION!!!” We talk about “hundreds of millions” in fines. Truth be told, in the 34 years since the Act was passed, there have been, what, 8 cases where the fine has gone over $100 million?Eight. Granted, they were mostly in the last two years, but if we’re going to honestly quantify financial risk, it’s not nine figures.  And reputation risk?  What’s the real risk?  How much business did Siemens lose after their incident?  Answer: I understand they gained revenue. Sure, being on the front page is uncomfortable, but it’s not a show-stopper.  
 
Same thing with the whole knowledge argument. Theoretically, a company can be held liable for the actions of an employee of which no senior management was aware. But has it happened? I can’t think of a case. In the vast majority of cases, senior management not only knew, but either actively participated or gave a wink and nod to the scheme.
 
Same thing with the whole “the FCPA is vague” argument. Oh, please. The DOJ has taken a remarkably even-keeled stance on interpreting the FCPA. The “novel” legal theories simply aren’t. You have your run-of-the-mill respondeat superior cases. Successor liability cases. And state-owned-entities are government officials. Even if you disagree with it, you can’t say it’s vague, or that the DOJ has inconsistently applied its definitions. I think the SOE interpretation has been around since the Stone Ages (aka Peter Clark). These are not novel legal theories, and any attempt to paint them as such is disingenuous at best.
 
Nor can you say that the DOJ hasn’t been clear about what it expects from companies. As far back as the Metcalf and Eddy case in 1999, the DOJ has—I was going to say “signaled,” but it’s more overt than that—outright told us exactly what they expect. Over time, it’s been clarified: opinion release 04-02, then the current Schedule C, and the enhanced obligations of J&J. It’s not rocket science. Have a clear policy. Implement it in a real way. Make sure that senior people take accountability for it. The rest is just details. And by the way, you can read everything you need and never attend a single luncheon. The problem here isn’t “I don’t know what to do,” the problem is “I know what I need to do, I’m just not willing to do it; it’s too hard, and it costs too much.” (Or the ubiquitous “you’ll kill the business.” Or worse: “if we don’t make these payments, our competitors will.”) That’s a horse of an entirely different hue.
 
And who says we’re even entitled to this kind of hand-holding? We don’t expect the DOJ to fall over themselves when it comes to antitrust laws, telling us how to comply. And talk about vague! What exactly is a “contract, combination, or conspiracy in restraint of trade?” We don’t expect it when it comes to the False Claims Act. And wow, what a gold mine that is for the government. Between 1986-2010, the government recovered over $25 BILLION for violations of the FCA. Take out the “P”, and boy do the numbers get big in a hurry. That’s what, 8 times the FCPA? 9 times?
 
What about facilitation payments? Neither the DOJ nor the SEC has ever brought a case solely because of a facilitation payment. Talk about overblown hype! It’s also not a definitional problem. If you are legally entitled to what you’re paying for, it’s a facilitation payment. If it’s a decision, however minor, it’s a bribe. Plus, let’s face it, facilitation payments aren’t your problem. They’re a red herring. I’ve done this myself, sadly. What I used to call the “nightmare scenario.” A facilitation payment gets made. Because SAB 99 doesn’t quantify “materiality,” but instead uses factors to be considered, including whether a payment violates a law, you could conceivably have a $5 payment which you thought was a facilitation payment—but which wasn’t—be a material misstatement which would require an 8-K. Is that full of crap, or what? Again, facilitation payments aren’t your problem. If you’re thinking about those, you’re wasting your time. We all need to take a deep breath and lighten up about it. I don’t like them, but seriously, lighten up. The chance of you getting prosecuted for foreign bribery because you paid some cop $5 to let you out of a ticket is exactly nil. The chance of the SEC bringing a books-and-records case because of facilitation payments is nil. What you can get is an internal controls problem, if the numbers get big, but even that’s unlikely.  And your internal controls problem isn’t because you’re not measuring your facilitation payments. It’s a symptom of a larger problem.  Plus, in every case I can think of, any mention of facilitation payments was a minor adjunct to a more traditional bribery scheme.
 
Dodd-Frank?  Well, maybe the odds of a whistleblower going in are a little higher, but the Whistleblower Action Network says that most whistleblowers report in-house first, and get rebuffed at best. So your problem is cultural. But even so, the SEC can’t possibly act on every whistleblower complaint: not enough resources. So even that “increased risk” is minuscule. 
 
These are picayune details. The DOJ doesn’t deal with the small stuff, frankly. There’s just too much huge, obvious, blatant, right-in-the-wheelhouse, didn’t-care, out-and-out bribery going on to worry that someone put a tenner in their passport when they handed it to the Customs guy, you know? Even the poster boy for petty prosecutions, the SEC bringing the Veraz Networks case, I don’t think would have been brought if there hadn’t been that “gift scheme” email. I might be wrong. Could be, some supervisor at the SEC needed a stat. I also don’t know how significant it was that it wasn’t a home-office case. It was brought by the San Francisco office; it was also brought about two months after the FCPA Office in San Francisco was formed.  Cheryl Scarboro’s name is nowhere to be found on the complaint. Significant?  There might have been other forces at work, besides how bad the underlying acts were. And the former AG, talking about the “$200,000 cab ride?” That is, the DOJ getting a company to spend over $200,000 on an investigation because of a cab ride? Never happened. They tried to track it down, and it was one of those “it happened to a friend of my brother’s cousin” kind of stories. In other words, bullsh%t.
 
And we’re all talking about 2011 being “the year of the trial.” Really? How many trials have there been? Five? Maybe? WooHoo! Five whole trials. Even Chuck Duross, at a recent conference, when asked about trends in trials, said that the sample size was too small to form any real conclusions.
 
The DOJ’s enforcement record, and the perception of that record, are wildly different. I would call the DOJ’s enforcement of the Act to be restrained, reasonable, conventional, and maybe even unoriginal. If a legitimate criticism could be leveled, I would rather take the DOJ to task for structuring deals to the benefit of corporations! Why charge subsidiaries with bribery, and internal controls violations for the parent? Because that avoids debarment issues. Fines, as a percentage of corporate revenue, are tiny. I would push the DOJ to be more aggressive, not less.
 
Are we wrong to try to scare the crap out of the business? I don’t know. The business doesn’t move over theoretical risk.  But certainly the degree to which the industry that has popped up around the FCPA has an inherent interest in puffing up the underlying risk creates at the least an apparent bias. We all feed off it: risk equals fear equals action equals money for consultants, lawyers, compliance people (in the form of jobs, resources, and budgets), training suppliers, and everyone down the line. It’s not a flattering equation.