As highlighted in this prior post, numerous FCPA reform bills in the 1980's included a specific defense which stated a company would not be held vicariously liable for a violation of the FCPA’s anti-bribery provisions by its employees or agents, who were not an officer or director, if the company established procedures reasonably designed to prevent and detect FCPA violations by employees and agents. An FCPA reform bill containing such a provision did pass the U.S. House, but was not enacted into law.
Amending the FCPA to include a compliance defense is one of the U.S. Chamber's FCPA reform proposals (see here). In November 2010, Andrew Weissman, on behalf of the Chamber, testified in favor of a compliance defense (and other reform proposals) during the Senate's FCPA hearing (see here for the prior post) and during the House hearing earlier this month (see here for the prior post), former Attorney General Michael Mukasey, on behalf of the Chamber, also testified in favor of a compliance defense (and other reform proposals).
During the House hearing, there appeared to be bi-partisan support for consideration of an FCPA compliance defense.
Even so, Greg Andres, testifying on behalf of the DOJ, stated that a potential FCPA compliance defense was "novel and risky" and that the "time is not right to consider it."
Public debate on a potential compliance defense has thus far focused, from a comparative standpoint, on the United Kingdom and Italy.
The purpose of this post is to further inform the public debate on a potential compliance defense by highlighting various compliance-like defenses around the world in other countries that are signatories (like the U.S.) to the OECD Anti-Bribery Convention.
This post is further to my work in progress - Revisiting an FCPA Compliance Defense - and represents hours of research analyzing 38 OECD Country Reports.
The post provides an overview of compliance-like defenses in the following OECD Convention signatory countries: Australia, Chile, Germany, Hungary, Italy, Japan, Korea, Poland, Portugal, Sweden, and Switzerland. [The U.K. Bribery Act, set to go live on July 1st, also contains a compliance-like defense in Section 7].
A first reaction might be - only 12 of the 38 OECD member countries have a compliance-like defense.
However, this number must be viewed against the backdrop of the following dynamics: (i) in many OECD Convention signatory countries, the concept of legal person criminal liability (as opposed to natural person criminal liability) is non-existent; and (ii) in many OECD Convention signatory countries that do have legal person criminal liability, such legal person liability can only result from the actions of high-level executive personnel or other so-called "controlling minds" of the legal person.
Obviously if a foreign country does not provide for legal person liability, there is no need for a compliance defense, and the rationale for a compliance defense is less compelling if legal exposure can result only from the conduct of high-level executive personnel or other "controlling minds."
When properly viewed against these dynamics, a compliance-like defense (whether specifically part of a foreign country's "FCPA-like" law or otherwise generally part of a foreign country's legal principles) is far from a "novel" idea, but rather common among OECD Anti-Bribery Convention signatory countries that - like the U.S. - have legal person criminal liability that can attach based on the conduct of non-executive officers or other "controlling minds."
[The below information is based strictly on OECD country reports and is subject to the qualification that in many instances the most recent information concerning a particular country may be several years old. If anyone has more recent information concerning any particular country, how the compliance defense in a particular country has worked in practice, or any other relevant information, please leave a comment on this site or contact me at firstname.lastname@example.org]
Australian law implementing the OECD Convention entered into force on December 18, 1999.
Thereafter, a section of the Criminal Code on corporate criminal liability came into full force establishing an organizational model for the liability of legal persons. “Bodies corporate” are liable for offences committed by “an employee, agent or officer of a body corporate acting within the actual or apparent scope of his or her employment, or within his or her actual or apparent authority” where the body corporate “expressly, tacitly, or impliedly authorised or permitted the commission of the offence”.
Pursuant to the Criminal Code, authorisation or permission by the body corporate may be established in the following ways: (1) the board of directors intentionally, knowingly or recklessly carried out the conduct, or expressly, tacitly or impliedly authorised or permitted it to occur; (2) a high managerial agent intentionally, knowingly or recklessly carried out the conduct, or expressly, tacitly or impliedly authorised or permitted it to occur; (3) a corporate culture existed that directed, encouraged, tolerated or led to the offence; or (4) the body corporate failed to create and maintain a corporate culture that required compliance with the relevant provision.
However, under the Criminal Code, “if a high managerial agent is directly or indirectly involved in the conduct, no offence is committed where the body corporate proves that it “exercised due diligence to prevent the conduct, or the authorisation or permission."
Chilean law implementing the OECD Convention entered into force on October 8, 2002.
In December 2009, a separate Chilean law entered into force establishing criminal responsibility of legal persons for a limited list of offences including bribery of foreign public officials.
In order for a legal person to be held responsible for a foreign bribery offence, the following “three cumulative requirements” must be satisfied: (1) the offence must be committed by a person acting as a representative, director or manager, a person exercising powers of administration or supervision, or a person under the “direction or supervision” of one of the aforementioned persons; (2) the offence must be committed for the direct and immediate benefit or interest of the legal entity. No offence is committed where the natural person commits the offence exclusively in his/her own interest or in the interest of a third party; and (3) the offence must have been made possible as a consequence of a failure of the legal entity to comply with its duties of management and supervision. An entity will have failed to comply with its duties if it violates the obligation to implement a model for the prevention of offences, or when having implemented the model, it was insufficient."
As to the final element, the OECD report states as follows. “The final cumulative requirement for responsibility stresses that the offence must have been made possible as a consequence of the failure of the legal person to comply with its duties of administration and supervision. The entity will have failed to comply with its duties if it violated the obligation to implement a model for the prevention of offences, or when having implemented the model, the latter was insufficient. It shall be considered that the functions of direction and supervision have been met if, before the commission of the offense, the legal person had adopted and implemented organization, administration and supervision models, pursuant to the following article, to prevent such offenses as the one committed.”
The minimum features of a prevention system under the law are as follows: identify the different activities or processes of the entity, whether habitual or sporadic, in whose context the risk of commission of the offences emerges or increases; establish protocols, rules and procedures that permit persons involved in above-mentioned activities or processes to program and implement their tasks or functions in a manner that prevents the commission of the indicated offences; identify procedures for the administration and auditing that allow the entity to impede their use in the listed offences; establish internal administrative sanctions, as well as procedures for reporting or pursuing pecuniary responsibility against persons who violate the prevention system; introduce the above-mentioned duties, prohibitions and sanctions into the internal regulations of the legal person, and ensure that they are known by all persons bound to apply it (workers, employees, and service providers).
The OECD report states - as to the minimum requirements as follows. “It also aims to introduce a system of self-regulation by companies. Having a code of conduct on paper will not be sufficient to avoid responsibility. If prosecutors can prove that the code does not meet the minimum requirements of or that it is not implemented, the company can be responsible for the offence.”
Under Chilean law, “the failure to comply with duties of management and supervision is an element of the offence rather than a defence. Therefore the burden of proof lies on prosecutors, i.e. it will be up to prosecutors to prove that the entity failed to comply with its duties of management and supervision.”
The OECD report notes as follows. “This will require prosecutors to prove that the company failed in the design and/or implementation of the offense prevention model including why, in the circumstances, the prevention model was insufficient. This would appear to also require the prosecutor to establish that this failure made perpetration of the offence possible.”
As noted in the OECD report, the Chilean “standard of liability is inspired from the Italian system of liability of legal persons" (discussed below).
German law implementing the OECD Convention entered into force on February 15, 1999.
German law establishes the liability of legal persons, including liability for the foreign bribery offence, under an administrative (i.e. non-criminal form) act.
Pursuant to the administrative act, “the liability of legal persons is triggered where any “responsible person” (which includes a broad range of senior managerial stakeholders and not only an authorised representative or manager), acting for the management of the entity commits i) a criminal offence including bribery; or ii) an administrative offence including a violation of supervisory duties which either violates duties of the legal entity, or by which the legal entity gained or was supposed to gain a “profit”.”
As noted in the OECD report, “in other words, Germany enables corporations to be imputed with offences i) by senior managers, and, somewhat indirectly, ii) with offences by lower level personnel which result from a failure by a senior corporate figure to faithfully discharge his/her duties of supervision.”
The OECD report states that the “standards for a violation of supervisory duties include consideration of factors such as whether the company has in place a monitoring system or in-house regulations for employees.”
Hungarian law implementing the OECD Convention entered into force on March 1, 1999.
In 2004, a separate law was enacted specifying the individuals whose actions can trigger the liability of the legal person.
The OECD report states as follows. “The specific persons and additional conditions for liability are defined as follows: (i) the bribery is committed by one of the members or officers [of the legal entity] entitled to manage or represent it, or a supervisory board member and/or their representatives acting within the legal scope of activity of the legal person ; (ii) the bribery is committed by one of the members of the legal entity or an employee acting within the legal scope of activity of the legal person provided the bribery could have been prevented by the chief executive fulfilling his supervisory or control obligations; and (iii) the bribery is committed by a third party individual, provided that the legal entity’s member or officer entitled to manage or represent the it had knowledge of the facts.”
According to the OECD report, the relevant law does not provide any guidance as to the necessary degree of supervision to avoid liability for bribery.
Italian law implementing the OECD Convention entered into force on October 26, 2000.
Under Italian law, “criminal liability cannot be attributed to legal persons” however, “administrative liability may be attributed to legal persons for certain criminal offences (including foreign bribery) committed by a natural person.
The relevant administrative decree provides a “defence of organisational models” to a body which makes reasonable efforts to prevent the commission of an offence.
The OECD report states as follows. “… [A] body is not liable for offences committed by persons in senior positions if it proves the following. First, before the offence was committed, the body’s management had adopted and effectively implemented an appropriate organisational and management model to prevent offences of the kind that has occurred. Second, the body had set up an autonomous organ to supervise, enforce and update the model. Third, this autonomous organ had sufficiently supervised the operation of the model. Fourth, the perpetrator committed the offence by fraudulently evading the operation of the model.” The defence of organisation models operates as a full defence which completely exculpates a legal person.
The relevant administrative decree stipulates the essential elements of an acceptable organisational model described in the OECD report as follows. “First, the model must identify activities which may give rise to offences. Second, the model must define procedures through which the body makes and implements decisions relating to the offences to be prevented. It must also prescribe procedures for managing financial resources to prevent offences from being committed. Third, the model must oblige the internal organ responsible for supervision and enforcement to provide information to the body. Finally, the model must include a disciplinary system for non-compliance.”
Japanese law implementing the OECD Convention entered into force on February 15, 1999 .
“Under Japanese law, criminal responsibility of a legal person is based on the principle that the company did not exercise due care in the supervision, selection, etc. of an officer or employee to prevent the culpable act.
The burden rests on the legal person to prove that due care was exercised. Where a legal person raises the defence, a person must be identified as having exercised due care, etc., and the court must determine whether it was exercised properly having regard to the nature of the legal person and the circumstances of the case.”
Korean law implementing the OECD Convention entered into force on February 15, 1999.
Korean law establishes the criminal responsibility of legal persons for the bribery of a foreign public official, however, a legal person is exempt from liability where it has paid “due attention” or exercised “proper supervision” to prevent the offence.
The statute itself does not provide information about what constitutes “due attention” or “proper supervision.” A representative of the Supreme Public Prosecutor’s Office informed the OECD that “the exemption is triggered when a director or ‘superior person’ exercises due attention.” The Explanatory Manual published by the Ministry of Justice states that “it is difficult to standardize the extent of attention or supervision in deciding whether a legal person can be exempted from criminal punishment.” The Explanatory Manual further states that whether the exemption applies depends upon “general circumstances such as the motive and background that led to the bribery, intervention of exclusive members of the legal person, whether it was informed earlier, and how much effort was usually made by the corporation to prevent bribery, etc.” and that companies involved in international business must prevent violations of the law by all employees and executives of the company “through sufficient necessary management”.
Polish law implementing the OECD Convention entered into force on February 4, 2001.
Polish law provides “a noncriminal form of responsibility for collective entities.” Among the requirements for liability is the offence was committed “in the effect of at least absence of due diligence in electing the natural person [committing the act] or of at least the absence of due supervision over this person by an authority or a representative of the collective entity.”
According to the relevant Polish legislative history, “the perpetration of a prohibited act by a natural person will trigger liability of the
collective entity where the act occurred as a result of negligence on the part of the authority or representative of the collective entity.”
Portuguese law implementing the OECD Convention entered into force on June 9, 2001.
Under Portuguese law relevant to corruption in international business transactions, legal persons can be liable for conduct committed “on their behalf and in the collective interest by natural persons occupying a leadership position within the legal person structure” or by “whoever acts under the authority” of such natural persons.
However, “[t]he liability of legal persons and equivalent entities is excluded when the actor has acted against the orders or express instructions of the person responsible.”
Swedish law implementing the OECD Convention entered into force on July 1, 1999.
Under Swedish Law, only natural persons can commit crimes. However, pursuant to the Swedish Penal Code, a “kind of quasi-criminal liability is applied to an ‘entrepreneur’ (a general term meaning “any natural or legal person that professionally runs a business of an economic nature) for a ‘crime committed in the exercise of business activities.’”
However, one requirement under the Penal Code is that “the entrepreneur has not done what could reasonable be required of him for prevention of the crime.”
Swiss law implementing the OECD Convention entered into force on May 1, 2000.
Article 100quater of the Swiss Criminal Code requires “defective organisation as a condition for corporate criminal liability.”
In order to incur criminal liability, “the enterprise must not have taken all reasonable and necessary organisational measures to prevent the individual from committing the offence.”
Under Swiss law, the burden is on the prosecutor to furnish proof of defective organization and according to Swiss authorities contacted by the OECD “steps should be taken to assess whether employees have been sufficiently informed, supervised and controlled” and “the fact that an enterprise is organised in compliance with international management standards will not be sufficient to rule out all liability on its part; it will be one element to take into consideration among others …”. In the view of Swiss authorities, “ shifting the burden of proof in criminal cases would contravene Article 6 of the European Convention on Human Rights.”