Richard L. Cassin Publisher and Editor

Andy Spalding Senior Editor

Jessica Tillipman Senior Editor

Elizabeth K. Spahn Editor Emeritus

Cody Worthington Contributing Editor

Julie DiMauro Contributing Editor

Thomas Fox Contributing Editor

Marc Alain Bohn Contributing Editor

Bill Waite Contributing Editor

Shruti J. Shah Contributing Editor

Russell A. Stamets Contributing Editor

Richard Bistrong Contributing Editor 

Eric Carlson Contributing Editor

Bill Steinman Contributing Editor

Aarti Maharaj Contributing Editor

FCPA Blog Daily News

« Naaman Argues For 'Time Served' | Main | Two-Year Prison Sentence In Haiti Telco Case »

Fool me once, shame on . . . Who?

Aaron Murphy warns about training programs that don't train employees. By Aaron G. Murphy

An interesting piece recently appeared in Randy Cohen’s “The Ethicist” column in the New York Times Magazine.

It discussed  an exchange with a company employee that should keep corporate legal and compliance departments awake at night. An employee, unhappy that his company wanted him to take a four hour on-line training course about the Foreign Corrupt Practices Act (FCPA), claiming it was a waste of his time, asked The Ethicist if he had an ethical obligation to complete the training. The Ethicist gave the best possible answer, stating that even if it was inefficient, it was the company’s prerogative to train its people, and that it might not be the waste of time the employee assumed since the company could have a larger plan of action invisible to the employee.

The punch line lay in the “Update” posted later: The employee skipped the course, went straight to the on-line test, and passed it. The employee, who underwent no training of any kind (and arrogantly assumed he needed no such training), is now certified by his own company as having mastered the FCPA. This is an all too common scenario, and everyone involved in it is a fool. 

The employee is a fool for assuming that one of the most aggressively enforced and far-reaching criminal laws in America does not apply to him. It does, plain and simple. Even if he does not deal directly with foreign officials or companies, he undoubtedly touches transactions, corporate records, and other company employees that do. I have investigated many FCPA matters in recent years and have had countless conversations with these kinds of employees who never stop to think of the larger connections between the world of global commerce and their own activities. You can aid and abet FCPA violations from within the walls of your cubicle, whether that cubicle is in Boston or Bangalore. And now that the deceptive employee has tricked a simplistic training course into thinking he is an expert in the FCPA, what exactly will his excuse be when someone like me comes and asks him why he did not see a violation occurring right under his nose?  He’s an expert, after all.

But companies in these situations are fools for thinking that their compliance programs are working. A training course that can be passed by employees who skip the training is no training course at all. This fiction of corporate training happens all the time, and there are two serious problems with it: First, people are not actually trained, so FCPA violations still occur with the same frequency, and second, the U.S. government will give no leniency to companies with such blatantly ineffective training programs. Companies spend a lot of money on these programs, and the get nothing in return – neither trained employees nor protection from prosecution.

This is a serious issue, the U.S. government has collected billions of dollars in fines for FCPA violations in the past few years and has announced that it intends to be even more aggressive going forward. The United Kingdom has just enacted its own global anticorruption law too, and will be itching to try it out when it goes into effect this coming April. 

There has been much talk of the U.K. Bribery Act’s new defense that lets companies off the hook where they have “adequate procedures” – including proper antibribery training and policies. Many in this country think the FCPA should have a similar defense available for companies with good FCPA compliance programs.

But it would be foolish to think that the compliance program discussed in The Ethicist post would ever be viewed as “adequate” by U.S. or U.K. authorities. An adequate compliance program should actually result in educated employees and, well, compliance. Not reams of paper certificates that show nothing more than an employee’s ability to game a simplistic training program. 

Aaron G. Murphy is partner at Latham & Watkins specializing in the Foreign Corrupt Practices Act and corporate compliance issues. He is the author of the book: Foreign Corrupt Practices Act: A Practical Resource for Managers and Executives.

Reader Comments (2)

Wow. There are just so many things wrong with this scenario. A *four hour* FCPA training course? Seriously? And this person thought it didn't apply to him? It sounds like this company wasn't segregating its training courses. Meaning, higher risk employees---who presumably would know that the FCPA applies to them---get better and more training. Even then, I think four hours in one shot is a bit much. It seems to me that this is a paper program.

Training, especially for your higher risk folks, isn't a one-time thing. It's not even "training" per se, but a system of messaging to those employees around compliance. It's training, employee calls, leader site visits, newsletters, emails from senior leaders, mentions in team meetings, live training, online training, all over time. It's not a four-hour-seminar-and-you're-done kind of thing, not if you want to do it right. It's also publicized incentives, publicized sanctions, keeping compliance-related metrics, and making them matter to the's a system of learning, not just training.

It sounds like this company still doesn't get it.
January 24, 2011 | Unregistered CommenterHoward Sklar

One of the problems with any compliance regime is that its effectiveness depends upon whether management is genuinely committed to ethical behavior. For many corporate execs, lawyers are nothing more than a tool and the FCPA just one of a constellation of impediments to profitability. I think the test is whether, in the absence of effective enforcement, would management refuse to engage in criminal conduct. If the answer to that is no, is the fear of enforcement sufficient to cause them to take the law seriously or do they think that spending money on compliance programs is sufficient to minimize exposure in case one of their employees gets caught violating the law. In both situations, employees are going to mirror management's attitude.

I disagree with your statement that the FCPA is one of the most aggressively enforced criminal laws in America, if you are talking about numbers of cases investigated. It certainly is not anywhere near the top of the list of enforcement priorities in most of the 96 federal districts. If however you are referring to the government's willingness to commit time, money, and energy to the investigation of those companies that appear on the government's radar, I would agree. The problem is that until the likelihood of punishment reaches a critical mass (or maybe tipping point is the correct term today) many companies are not going to make "lawabidingness" a genuine part of their corporate culture.

I think compliance programs fail because they depend too heavily on educating employees on the requirements of the law. Compliance begins with hiring moral and ethical employees. Compliance is fostered by companies demonstrating their concern, not just with the bottom line, but with having a positive impact upon the community. Compliance succeeds where management is invested in the long term growth of the company, not just short term profits. We all talk about corporate culture. But culture is not taught. It is lived.

January 24, 2011 | Unregistered CommenterJon May

PostPost a New Comment

Enter your information below to add a new comment.

My response is on my own website »
Author Email (optional):
Author URL (optional):
All HTML will be escaped. Hyperlinks will be created for URLs automatically.