Commentary on Mukasey written testimony

Commentary on the Written Testimony of the Honorable Michael B. Mukasey to the House of Representatives Judiciary Committee, Subcommittee on Crime, Terrorism and Homeland Security, June 14, 2011.

By Stephen Clayton  June 20, 2011

Mr. Mukasey's written testimony calling for significant changes in the Foreign Corrupt Practices Act presents a series of proposals some of which would, in the unlikely event they are implemented as is, significantly weaken the ability of the US government to use the FCPA to deter and punish bribery in international business. The full text of Mr. Mukasey’s written testimony can be found here:

The testimony begins by correctly stating the FCPA targets foreign bribery and the improper business practices that enable and facilitate bribe schemes. Then as justification for changes to the FCPA, Mr. Mukasey states that US companies are subject to criminal and civil penalties for a wide variety of conduct which is beyond their control or their knowledge. This is not the case.  His proposal for reform contains 6 enumerated changes to the law and two additional changes are also mentioned in his 16 page written testimony.

The US has made significant progress in raising awareness of bribery in international business and in the last decade US companies in many industries have started to put in place robust anti-corruption compliance programs.  The increased but still moderate amount of enforcement activities by the DOJ and SEC in the past 5-6 years has accelerated that process.  Despite this progress, bribery in international business is still commonplace, and there is still a lax attitude toward bribery in overseas business. 

The FCPA is not perfect, but neither is the language of the law seriously flawed. The problems are all capable of being addressed by reasonable guidance from the DOJ and SEC.  Congress should be very careful to not revise the FCPA in ways that make it easier to pay or conceal bribes in international business.

This Article will examine each of Mr. Mukasey's points:

1. Adding a Compliance Defense

It is true that the FCPA does not have a Compliance Defense written into the law. But in practice companies that have paid attention to the FCPA know that there are enormous advantages to running, in Mukasey's words,  "compliance measures reasonably designed to identify and prevent violations." Mukasey's argument in favor of a Compliance Defense is based on two fallacies.  The first is that companies that have put in place state of the art FCPA compliance programs are subject to prosecutorial oppression, and the second is the belief that a large number of the US and other companies subject to the FCPA have "state of the art" FCPA compliance programs.  He provides no examples of the first. His second premise, that the  "overwhelming majority" of businesses operating in the US or listed on US exchanges seek to ensure they do not violate the FCPA and have put in place robust compliance programs, is wishful thinking. 

To bolster his claim that a Compliance Defense is reasonable, Mukasey discusses UK and Italian laws. One has to smile at the thought of a Republican asking the US congress to rely on foreign legal precedent to make US law. Mr. Mukasey references the UK Bribery Act which is not even in effect.  He also references an Italian law that was, in part, based on the guidance found in the US Federal Sentencing Guidelines.  The Italian law has caused Italian companies to put in place compliance programs and has no track record of actually reducing business corruption. His call to align US practice, which is working, with the untried and as yet ineffective enforcement regimes of the UK and Italy is audacious.  Mr. Mukasey had to stretch to find two countries which, on paper, have this affirmative defense. I admit I have not reviewed the laws of the other 36 member countries of the OECD Convention on Combating Bribery in Public Officials in International Business (1997) before writing this blog, but I believe none of them have seen fit to introduce a corporate compliance affirmative defense into their national legislation. If he were really concerned that the US works for "alignment of the international enforcement regime” he would recommend following the vast majority of countries that have not put a compliance affirmative defense for corporations in place.

The trend in international jurisprudence since the 1990s has been for more and more countries to make it a crime for corporations to engage in bribery in international business. The United States strongly advocated for and accelerated that trend in the 1990s in its efforts to get the OECD Convention in place.  In many Civil Law countries, the laws criminalizing bribery in international business enacted in the late 1990s to implement the OECD treaty were among the first laws imposing criminal liability directly on corporations. The US pushed for criminalization of corporate bribery in other countries in order to level the playing field in international business between US companies and those of other countries.  In large part due to US efforts, other countries, most notably Germany, are now very actively enforcing their laws against corruption in international business.  Other countries have passed laws but are lagging in enforcement. If the US government reduces its commitment to fight corruption in international business by amending the FCPA to weaken enforcement, will other nations follow our lead and also relax enforcement?  

Mr. Mukasey makes it appear that UK affirmative defense applies to the crime of bribery of a foreign public official stated in Section 6 of the UK Bribery Act.  In fact, the UK affirmative defense of having in place adequate procedures to prevent persons associated with the company from bribing only applies to the strict liability crime of "Failure of Commercial Organisations to Prevent Bribery" stated in Section 7 of the Bribery Act.  The FCPA does not contain the strict liability crime of Failure of a Commercial Organization to Prevent Bribery. 

The most amazing part of Mukasey's referencing the UK Bribery Act as an example for FCPA reform is that, on the face of the laws the UK Act is the FCPA on steroids.  On paper, the UK law states a much stricter enforcement regime compared to the FCPA. The UK Act has higher penalties for violations compared to the FCPA. One major difference is the British law very sensibly makes commercial corruption (bribing employees of a private company) a crime. By following the UK lead and making it a federal crime to bribe employees of a commercial organization, the US Congress could end the often-feigned "confusion" over who is a government official and what is an "instrumentality."  Under the UK law it is a crime to bribe anyone.  The UK law also contains no exception for “facilitating payments,” and no affirmative defense for reasonable and bona fide promotional expenditures; those issues are mentioned in Ministry of Justice Guidance, not the law itself. 

Another important point is the British definition is vague as to what the "Adequate Procedures" that qualify a company to claim the limited affirmative defense actually are. The definition is contained in Guidance published by the Ministry of Justice. That Guidance is authoritative, but is not binding on the courts.  The Guidance is not specific but relies on companies to apply 6 general principles and develop their own adequate procedures.  Compared to the UK law, the current status of guidance for the FCPA by the Department of Justice (which could be improved) sets a clearer standard for US companies to follow. The Department of Justice has stated a consistent set of specific factors that make up an adequate FCPA Compliance Program in a number of cases over the past 11 years.   If a US company is confused as to what it needs to do to put in place a state of the art FCPA compliance program, it can find a very clear example of a specific program in Attachment C to the 2010 Alcatel-Lucent FCPA Deferred Prosecution Agreement. This document sets out in specific detail and more or less plain English, the 13 elements that a 2010 State-of-the-Art FCPA compliance program must contain. Those 13 elements are very similar to the elements stated in the Metcalf  & Eddy case in 1999, and the "Attachment C's” in many other cases in between.  

Mr. Mukasey argues that the US needs to devise an affirmative defense that a company has "adopted and vigorously enforces FCPA compliance programs," or the company had "established an implemented procedures designed to prevent FCPA violations and had exercised due diligence to prevent the violation at issue." He states that, "Responsible companies implement and enforce strong compliance measures designed to avoid and promptly address infractions."  The trouble is that, in practice, a majority of US companies have not put in place robust FCPA compliance programs. Many FCPA compliance programs exist on paper and follow a check the box approach to create the appearance of a robust program, but are not staffed or budgeted to achieve results.  Yes, there are a large number of US and a some non-US companies which have implemented state of the art FCPA compliance programs, containing all the 13 elements stated in Alcatel-Lucent. An FCPA compliance program must be properly budgeted and staffed, and needs an effective team that understands international business, is authorized to put in place adequate deterrence procedures and has the authority and ability to investigate allegations of foreign corruption and take action. At this point the majority of US companies have not thoroughly examined their company's specific risks of corruption in international business and addressed those risks through a rigorous FCPA compliance program.  Weakening enforcement of the FCPA will reduce their incentive to do so.

In following FCPA cases and investigations closely for the past 5 years, one has to conclude that those US companies which have, in Mr. Mukasey's words, "a strong preexisting FCPA Compliance program that is effective in identifying and preventing violations," are very unlikely to face criminal prosecution.  The DOJ and SEC have not been bringing actions against a company that can show it has had in place a "state of the art " FCPA Compliance Program for the past several years, unless the company had actually made a significant profit from corruption in their business. In that case the company would arrange a civil settlement.  The DOJ does not need to go after the obvious good guys when they can prosecute many companies that do not "get it" when it comes to FCPA compliance.

Mr. Mukasey raises the boogie man of the "rogue employee."   There are always a few criminals among the employees and business partners of every large company. And there are other good employees and managers who are willing to, or feel pressured to, break the rules and falsify company records and pay bribes to obtain or retain business "for the good of the company." That is part of what a strong compliance program is supposed to address. If anything, this pressure to do whatever it takes to get business is worse now than it was 10 years ago due to more intense international competition and the economic downturn.  And given President Obama’s goal of doubling US exports in the next 5 years, there will be more pressure to do international business by US companies that have little experience doing business outside the USA – which may result in an increase in bribery to get that business.

A common situation is for an employee or group of employees to conspire with local agents or distributors to pay bribes or give kickbacks "for the good of the company" so they can secure business or hold on to what they have. Often they will do this because they believe (or know) their competitors are paying bribes. Under the company's "adequate" FCPA compliance program all of these employees have taken a required 45-minute on-line course on the company's anti-corruption compliance program and received the "read, laugh and file" memo on FCPA compliance from some foreign lawyer. They even saw video a year or so ago of the CEO speaking about the importance of compliance. When faced with losing a key contract or customer, and their commission income, FCPA compliance is not their first thought. 

In the case of bribery by rogue employees, remember, when companies do get business through bribery committed by one of their employees who has gone rogue, the company makes a significant profit.   The fact this profit was made due to criminal acts by an employee does not reduce the impact on the country where the bribe was paid, the business lost by honest non-bribing competitors, or the erosion of the company's commitment to ethical business practices. If the company decides to keep the profit it acquired due to the rogue's bribes and not report, it is ratifying the illegal conduct.

It is not necessary or advisable to revise the FCPA to add a Compliance Defense.   The UK Compliance Defense applies to a specific crime which does not exist under the FCPA. Adding such a defense is out of step with the trend in international anti-corruption law.  The same result can be achieved by the DOJ and SEC providing reasonable guidance as mentioned in #3 below.

2. Clarifying the meaning of "Foreign Official"

When a manager comes to me and says he is not sure if an individual he is dealing with is a government employee, my first question to him is usually (somewhat in jest)  - "Why to do you care  - Are you going to bribe him?"

Mr. Mukasey states that uncertainty over the precise definitions of "government official" and "instrumentality” makes it "impossible for companies to determine in advance what conduct may and may not present a meaningful risk of violating the FCPA."   Most businessmen do not split hairs and worry about whether the person who asked for a bribe is a government official or an employee of a private company. Smart business people in all countries know the difference between normal business hospitality and a bribe.  If your business people in China really can't tell who is or is not a government official in China, then establish a single set of simple rules for all your business in China to follow with all customers - and get on with doing business. When you look at the facts, there may be no compelling business reason to provide greater or different hospitality or gifts to private business people than you provide to government officials.

This is not to say it is not important for a company to know when it is dealing with government officials and government owned companies. Corruption involving government officials is what is covered by the FCPA so a company should always make a serious effort to know whether its customers and business partners are government officials.   Government employees including those such as professors in government run universities, employees of national health systems and employees of government owned and managed companies, are usually under restrictive rule as to what they can accept. This is similar to the $25 limits on gifts and meals for federal and some state employees in the USA. If your company cannot give a gift of over $25 to an employee of the SEC, why would you think you could give more to a Chinese government official?

If a company is flummoxed by trying to understand who is a government official and what is an instrumentality, it is probably not running a state of the art FCPA compliance program.  A company should look at the issue, recognize that the definitions of pubic official and instrumentality are very broad and make its internal policy and programs accordingly.  Then follow the policy and train its employees.  

The hyperbolic statements that employees of AIG or GM would be "foreign officials" miss the point.  When your employees are bribing private individuals they are violating your company's ethical standards and compliance policies and they are almost certainly falsifying your company's books and records to hide the private bribery. Do you really want foreign companies bribing employees of GM or AIG just because those companies' employees are not US government officials?  If your employees are willing to falsify your books and bribe employees of private companies they will have no hesitation doing the same with government officials.

As pointed out earlier, the "tremendous uncertainty" Mr. Mukasey states exists with the definitions of government official and instrumentality could be resolved by having US Federal law criminalize the payment of bribes to employees of private companies - as is done in the UK law Mr. Mukasey seems to want the US to follow as well as the laws of many other countries.  The US Federal government sees fit to rely on the laws of the 28 US states that have made private bribery a criminal act rather than follow the international trend to make that part of national law.

3. Improving Guidance from the DOJ

The DOJ could give better guidance and the SEC could join in the guidance.

Formal Guidelines in addition to the current Opinion Process would be helpful. The Opinion Process could be improved. 

The DOJ should consider implementing a Leniency Policy along the lines laid out in the article by Robert Tarun and Peter Tomczak in American Criminal Law Review, Volume 47, Number 2, Page 153, Spring 2010.

It would also be a great help to have the DOJ and SEC publish information on those disclosures and investigations that have been completed and resulted in no action by the DOJ or SEC. That information would help companies learn what factors influenced the authorities to not bring a case. 

The DOJ and the SEC should get the message – and just do it. 

None of this requires amending the FCPA

4.  Limiting Criminal Successor Liability

Mr. Mukasey is right that in a merger or acquisition that includes significant foreign business, the acquiring party should conduct robust FCPA due diligence to understand if part of the value they are purchasing was produced due to bribery.  But even when significant international business is involved, few mergers and acquisitions include robust FCPA due diligence.  In many M & A transactions, FCPA due diligence is a set of routine checklists and is conducted by M & A/corporate lawyers who are not familiar with international business, the FCPA or how corruption schemes work in the industry involved. When robust due diligence is conducted, it may frequently uncover Red Flags or even proof of corruption, and/or inaccurate or intentionally falsified books and records. 

Some companies do decide not to go forward with a transaction when they find out the target was involved in corruption. That is a sensible business decision.  A company which has built a substantial part of its value based on bribery should not be allowed to cash in and avoid liability by selling itself to another company.  Knowing that bribery and intentionally false records will make your company less valuable to an acquirer may be a significant deterrent to corruption.

Mr. Mukasey is arguing for a defense to criminal liability if the acquiring company has conducted "reasonable due diligence."  This is similar to his argument in favor of a "Compliance Defense."  Mr. Mukasey does seem to be OK with the DOJ and SEC imposing civil liability on the successor for the corrupt activities of the acquired company.

Though Mr. Mukasey does not say it clearly, others involved in the request for changes to the FCPA want an acquiring company to have a clear shield from any liability, criminal or civil, for pre-acquisition acts of the acquired company or its employees and business partners.  Corruption in international business is very common in many countries, so in a percentage of acquisition cases roust due diligence may find evidence of bribery and a quantifiable amount of past or ongoing business which is based on the payment of bribes.  An acquisition or merger must not become a shield to prosecution for the crime or the civil violation.  If the party that committed the act of bribery no longer exists, it is fair and reasonable that the successor in the business be responsible.  The successor is enjoying the fruit of the illegal conduct and should bear the consequences.

Mr. Mukasey does not give any detail of what he considers to be "exhaustive due diligence " which will earn the successor the right to claim an affirmative defense to criminal prosecution.  However he does cite DOJ FCPA Opinion Procedure Release No. 08-02 (June 13, 2008). That Opinion responded to a request by Halliburton to conduct post acquisition due diligence on the operations of a company involved in a very corrupt business in many very corrupt countries. The Opinion release sets out a detailed due diligence process which was, presumably, negotiated and agreed between Halliburton and the DOJ.  This process is the M & A equivalent of the 13 point Compliance Program in Alcatel-Lucent.  It is robust and state of the art. The process laid out in the Halliburton opinion would have a good chance of actually uncovering corrupt activities. It is far beyond what most companies do in practice.

While it is not necessary or appropriate to amend the FCPA, it would be useful for the DOJ/SEC to issue Guidance to inform companies of the benefits of conducting pre or post acquisition due diligence in accordance with the standard of due diligence set out in the Halliburton Opinion.   That could also be done in the Federal Sentencing Guidelines.

5.  Adding a Willfulness Requirement for Corporate Criminal Liability

Mr. Mukasey’s basis for this requested change is the idea that corporate senior management does not know what its employees are doing.  Therefore the company should not be held criminally responsible for corrupt acts of employee unless an executive officer or member of the board was involved in or condoned the illegal conduct.

The corollary is that corporations don't know what their subsidiaries are doing and should be able to set up subsidiaries to shield themselves from liability for violations of the FCPA.

In effect, this is a defense that declares the management of the company was not competent in managing its employees and subsidiaries, did not know what they were doing, and therefor should not be liable for violations of the law by their employees or subsidiaries.

Mr. Mukasey’s statement that a company could "...not have knowledge of the improper payments, but also do not know that US law is applicable to the conduct at issue” is completely contrary to his earlier assertions that the majority of companies have great FCPA compliance programs.  If a company has a great FCPA compliance program, every employee in that company and its subsidiaries and most of its business partners should know with no doubt what constitutes a violation of US law.  The tone from the top should be clear, consistent and frequently repeated. Training should be clear and appropriate for the company.  In addition to having the right to know what is going on in its subsidiaries, a company with a state of the art FCPA compliance program will want to have actual knowledge of what is going on in its subsidiaries, especially its subsidiaries in countries with a high risk of corruption. A well-run company with normal business processes and a desire to make a profit should always know what is going on in its subsidiaries. 

The request for a willfulness requirement is simply a vehicle to weaken enforcement of the FCPA and make it easier for companies which pay bribes in their international business to avoid liability for corrupt acts done to further their business.  

At the end of this section Mr. Mukasey also asks for 2 additional changes to the FCPA. 

1) A rebuttable presumption that gifts of a truly de minimis value shall be presumed not to violate the FCPA, and 

2) There should be a materiality standard for books and records and internal controls violations. 

The de minimis issue is a solution looking for a problem.  There is virtually no doubt among companies that run state of the art FCPA compliance programs that small gifts and modest business lunches provided in accordance with the rules in their compliance program will not be subject to prosecution. Adding the requested presumption would muddy the water rather than provide clarity.  This is another area where reasonable Guidelines for the DOJ/SEC would be welcomed and would be helpful for the many companies that have not yet established a robust FCPA compliance program.

The "materiality standard" is a change, which would effectively gut the Books and Records and Internal Controls sections of the FCPA.   Though it would probably weaken FCPA enforcement the most, Mr. Mukasey states this most significant change in an offhand manner, as if it is a casual afterthought.  What is the materiality of a false record?  Of 20 false records?  Do books and records have any material monetary value?  What is the materiality of a $2,500 bribe to secure $1M of on-going business?  What is the materiality of failure to set up or maintain adequate internal controls? Do any of these have any monetary value?  Or are they all immaterial?

The vast majority of bribes paid in international business are in the twenty dollar to $50,000 range, indeed a large majority are under $10,000.  [See statistics for 6 countries at the BRIBEline website,]. Most public companies would argue that a $50,000 item is clearly "not material." Large companies would argue that an item of $1M or more is not material under SOX. The materiality standard would effectively shield most companies from liability for falsification of books and records to conceal bribes in international business or from failure to set up effective internal controls.

Adding a "Materiality" standard to the Books and Records and Internal Controls sections of the FCPA would ignore the reality of how bribes are used and paid in international business. Bribes are almost never of a "material" amount and are nearly always hidden in a company's records under false or misleading entries. It is and should be a serious crime for a public corporation to falsify any records, financially material or not. 

6. Limiting Parent Liability for Subsidiary's Conduct Not Known to the Parent.

This requested reform would reward companies for irresponsible behavior.   Companies set up international subsidiaries to aid them with expanding and doing business overseas.  If a US company is doing international business, it should have managers whose job is to know in detail what is going on in its foreign subsidiaries. Parent companies have the ability to know, and if they are well run, actually do know, what is going on in their foreign subsidiaries. Parent companies certainly have access to all a subsidiary's information.  Companies should not be allowed to set up subsidiaries to be shields from liability for criminal acts or conduits for paying bribes. The management of a parent company has complete control over its subsidiaries. The parent has the ability to hire, fire, train, and direct each subsidiary's management, and to determine the subsidiary's important policies. The subsidiary is an extension of the parent company set up for the convenience and business purposes of the parent company. The parent company is always "acting through" its subsidiaries. Allowing parent company management a legal pass to be irresponsible to their shareholders and fail to adequately supervise and monitor the business activities of their subsidiaries would be misguided. 


Taken as whole, the 6 - 8 proposals in Mr. Mukasey's written testimony would make the world a much safer place for bribery in international business.  The premises on which he builds his case for reform are largely illusory. 

The provisions of the FCPA are not more strict or less clear than the international anti-corruption laws of the other 37 members of the OECD Convention. As a treaty, the OECD convention is US law and substantial changes to the FCPA which would reduce its effectiveness, as proposed by Mr. Mukasey, may be in violation of the US's obligations under that treaty or of US obligations under the United Nations Convention Against Corruption, which is also US law.  The biggest difference with the FCPA and other countries' efforts against corruption in international business is that from around 2004 under the Bush II administration, the US finally began to enforce the FCPA.  The increased enforcement in the past 5 years has started to make an impact and change behavior.  Today bribery in international business is widely condemned, but infrequently punished.  The USA is still many years away from achieving the goal of the FCPA- substantially reducing bribery and corruption in international business.

In the 5 years 2005 to 2010 the DOJ and SEC have brought roughly 170 civil and criminal FCPA cases (depending on who is counting) and if estimates are correct now have about 15O cases at some point in the investigation process. Corruption is widespread and frequent in international business.  The 30-40 cases the DOJ and SEC have recently stated to bring each year is hardly a landslide of enforcement warranting radical change. The chance of prosecution is still so remote that most US business people and lawyers involved in international business in US companies and members of boards of directors have little incentive to acquire more than a casual understanding of the FCPA. Most companies feel so little threat of FCPA enforcement that they have not even taken the initial step of formally identifying the risks of corruption to their companies, let alone set up a state of the art compliance program. 

The FCPA is not broken and does not require radical changes that will reduce the incentives for companies in the US and other countries to combat bribery in international business.  Weakening the US commitment to reduce bribery in international business would be a mistake that could jeopardize 30 years of progress by the international community under US leadership.

Stephen Clayton