OECD Business and Finance Outlook 2019
Chapter 3. Trust and corporate liability
Abstract
A key pillar of trust in business is the belief that companies conduct their operations, at a minimum, in compliance with the law. This chapter investigates this premise and finds that companies will be more likely to prevent crime and to cooperate in the detection and resolution of cases if the law provides compelling incentives for them to do so. Legal systems change slowly but Parties to the Anti-Bribery Convention have made significant progress over the last 20 years in creating such incentives and are continuing to build the legal frameworks needed to enforce laws covering economic crime.1
3.1. Can companies be trusted to obey the law?
A key pillar of trust in the rule of law is the belief that businesses will strive to conduct their operations in ways that comply with the law. The building of this kind of trust takes place in two related spheres of action. First, companies need to take appropriate steps to prevent unlawful activity from occurring within their operations. Second, once suspicions have arisen that unlawful activities have taken place, companies can report these suspicions to law enforcement authorities and cooperate in the investigation and resolution of the case (determining what happened, who was responsible and agreeing on appropriate sanctions). This degree of co-operation with law enforcement may sound unrealistic, but it does in fact occur – as discussed below, OECD data show that almost a quarter of sanctioned foreign bribery cases with known detection sources involved self-reporting by companies.2
3.2. Establishing a solid basis for trust
Enforcement experience relating to corporate crime suggests that trusting in companies to comply with the law should not be automatic. While companies can do much good, they can also do much harm. A company can become a nexus of criminality if it has poorly designed and implemented management systems for coordinating the activities of its employees and business partners.3 Setting up management systems to counter the risks of criminal activity can help both prevent and detect corporate crime. The government can promote the adoption of such management systems and, more broadly, law-abiding behaviours by building in appropriate incentives, including by expanding and refining corporate liability laws to encourage compliance with law and co-operation with law enforcement.
The idea is for law enforcement authorities to tap into the comparative advantage of companies in detecting crime and contributing to investigations. To do this, corporate liability systems need to be complex enough to provide incentives for prevention, but also for constructive co-operation with law enforcement when suspicions of unlawful behaviour arise. Policy makers must also take steps to ensure that the corporate liability system is transparent and predictable for all parties potentially affected by it and that law enforcement authorities appropriately assume their roles in the law enforcement system. This is a subtle mix, one that countries are still trying to achieve.
This approach to corporate liability recognises that companies can be valuable participants when cooperating with law enforcement authorities because they know more about what happens in their operations than external investigators ever could. As will be discussed below, almost a third of countries Party to the Anti-Bribery Convention now have policies that create incentives for crime detection and prevention, as well as for self-reporting and co-operation with law enforcement authorities. With such policies in place, societies have more compelling reasons to trust business to make genuine efforts to comply with law and to contribute constructively to the law enforcement process.
3.3. Self-reporting by companies – a reliable source of detection
OECD data indicate that self-reporting by companies is, numerically, the most important single source of detection for the crime of foreign bribery. As noted earlier, OECD (2017a) shows that, while the detection source is still unknown for 55% of the foreign bribery schemes covered in the study, self-reporting played a role in almost a quarter of sanctioned foreign bribery cases (see Figure 3.1).
In law enforcement, case development begins with detection – that is, law enforcement authorities become aware of suspicions of criminal activity which they then pursue through investigation, prosecution and resolution in courts or by agreement with the accused. Obviously, law enforcement officials do not go to the expense and trouble of developing cases in order to have these cases dropped at the investigation or prosecution stages or to end with a ‘not guilty’ finding in court. Efficient law enforcement requires that enforcement authorities pursue cases that have a reasonable chance of ending with sanctions for unlawful activity or other reasonable resolutions that will stop the behaviour and reduce recidivism. Having reliable sources for the detection of crimes is important if law enforcement authorities are to zero in on such cases.
Generally, companies covered by the detection study obtained the information they self-reported from a variety of internal control processes that they use in the broader conduct of business. The most important of these is the internal audit function, which generated the information in 24% of the self-reported cases. ‘Mergers and acquisitions due diligence’ accounts for 7% of the self-reported cases, whistleblowers reporting to internal processes for 5% and pre-listing due diligence for 4% (OECD, 2017a, page 8).
In any case, OECD data show that self-reporting is a highly reliable source of detection. In particular, cases that were originally detected through corporate self-reporting have a higher ‘yield’ in terms of sanctions than the other sources of detection (such as the media or whistleblowers).
The OECD data used to show this consists of a sample of 65 concluded foreign bribery cases for which detection sources are known. These cases were resolved in one of three ways: with dropped investigations; with an acquittal or dropping at the prosecution stage; or with sanctions being imposed on individuals, companies or both. Cross tabulations between the detection sources and the sanctions allow the comparison of sanctions rates for the various sources of detection. Figure 3.2 shows that 100% of the cases that were detected through self-reporting by companies led to sanctions on companies, individuals or both.
Another relatively reliable source of detection is information provided by ‘other government agencies’ (which, in this sample, mainly refers to tax authorities4). This source of detection led to sanctions in 65% of the cases. Media and whistleblowers produced sanctions rates of 25% and 20%, respectively.
This finding of a high sanctions ‘yield’ from self-reporting by companies is not surprising. As noted above, there are compelling reasons to believe that the information generated from companies’ internal processes offers more reliable sources of detection than other sources. The challenge for policy makers in law enforcement is to develop incentives systems that motivate companies to divulge accurate and complete information about wrongdoing that they suspect has occurred in the context of their operations.
It is important to stress that the data also suggest that detection sources interact and are possibly mutually reinforcing – in 10 of the 65 cases, there was more than one source of detection. Thus, information provided by other government agencies, media and financial intelligence units seems to foster self-reporting by companies, possibly because they may cause the company to fear detection through other information sources if it does not self-report.
3.4. Creating corporate liability systems
The key point made in the preceding section is that law enforcement authorities seeking to make efficient use of their resources should adopt policies to incentivize self-reporting as it is a reliable source of detection. Self-reporting and co-operation with law enforcement can be encouraged by building incentives into the law enforcement processes. But in order to do this, it has to be possible to hold companies liable for unlawful acts. Thus, the first and most basic incentive is to have laws in place that make companies liable for crimes committed in the context of their business operations.
Without corporate liability, only individuals are subject to criminal enforcement – companies, as entities, cannot be the subject of law enforcement processes. As a result, law enforcement procedures are powerless to address the entire organisational dimension of economic crime.
This organisational dimension touches on many facets of activity within business organisations. For example, what incentives do employees face (e.g. are sales targets set so high that employees are implicitly encouraged to break the law in order to meet them)? What kinds of operational and financial information are collected and who has the authority to act on this information?
Under corporate liability laws, management processes themselves have a central role to play in enabling or preventing corporate crime; the responsibility of individuals, while extremely important, is seen as part of the larger picture of formal and informal practices within the company. Corporate liability systems allow law enforcement to incorporate this larger, managerial picture into their sanctioning processes.
At the end of the 20th century, many countries Party to the Anti-Bribery Convention did not have corporate liability but they agreed to create such systems when they acceded to the Convention, at least for foreign bribery (OECD, 1997, Article 2). OECD stocktaking shows that the countries Party to the Anti-Bribery Convention had very different starting points in this law-making process.5 Sixteen of them had no established system for corporate liability prior to acceding to the Convention, except possibly in some areas of administrative law (e.g. tax and customs). For these countries, corporate liability was essentially a foreign concept, alien to their legal traditions and practices. They had to create their corporate liability systems ‘from scratch’. In contrast, 25 countries had some prior legal basis for liability of legal persons, including codified law and judicial decisions.
Whether they were establishing systems for corporate liability for the first time or refining existing systems, all of the 41 Parties covered by the stocktaking exercise engaged in some kind of law-making activity relevant for corporate liability after the adoption of the Convention. Thus, after almost 20 years of intensive monitoring, all countries Party to the Anti-Bribery Convention can hold a corporation liable for the crime of foreign bribery6 and many Parties are fine-tuning their systems. These systems are the starting point for creating a corporate role in corporate crime prevention and for motivating co-operation with law enforcement authorities in investigations and case resolutions.
3.5. Building incentives for compliance systems into the corporate liability system
“Compliance systems” are what managers put in place in order to reduce the risk that misconduct will occur in the context of their company’s operations. Under some countries’ corporate liability systems, the existence of a compliance system can completely preclude liability for foreign bribery. In such jurisdictions, it is up to the prosecutor to prove that the compliance system was not a genuine and well-designed effort to prevent crime.7 In other countries, the company can use a compliance system to defend itself against charges – that is, if the company proves that its compliance system represented a serious attempt to deter criminal conduct, it cannot be held liable for unlawful conduct. For example, Australia provides that corporate liability will not apply “if the body corporate proves that it exercised due diligence to prevent the conduct”.
Another approach (not mutually exclusive with the first) is to establish ‘mitigating factors’ that permit reductions in sanctions if the company self-reports and cooperates with law enforcement. Figure 3.4 shows how many Parties provide for reduction of sanctions in view of: (i) the existence and effectiveness of a compliance system; (ii) self-reporting suspicions of criminal activity to the authorities; and (iii) co-operation with investigations. These mitigating factors for sanctions are a key part of the incentive system that encourages companies to cooperate constructively with law enforcement authorities.
3.6. Building incentives for co-operation into the corporate liability system
Figure 3.5 shows that 14 Parties to the Convention allow for the reduction of corporate sanctions if the company cooperates with law enforcement authorities. Jurisdictions define in their own way what constitutes co-operation and concepts of co-operation vary across Parties. A broad definition of co-operation would mean that the company conducted timely and thorough internal investigations of suspected wrongdoing and disclosed the findings of these investigations to law enforcement authorities. Such disclosure would include providing to law enforcement authorities the information revealed by the internal investigation on culpable employees and business partners.8
As already noted, providing incentives for companies to cooperate (including through internal investigations) brings a number of benefits, both for the companies themselves and for law enforcement. Companies can be more effective than outside law enforcement authorities at investigating suspected wrongdoing because they already know the details of their operating and financial activities. This then assists law enforcement authorities in making a thorough, timely and efficient investigation (including checking information provided by companies for accuracy and completeness). It also helps authorities to conduct investigations in ways that minimise disruption to the company’s legitimate business operations and that preserve procedural transparency and predictability.
Company investigations also have other procedural advantages. A company can conduct cross border investigations without facing the major procedural barriers that often confront law enforcement officials. Such legal barriers to international co-operation in law enforcement can include cumbersome procedures for obtaining legal assistance from foreign authorities (e.g. to seize evidence or to conduct interviews).9 They may also constrain the uses to which such information may be put in a law enforcement context (e.g. evidence obtained from interviews conducted abroad might not be admissible in court). Finally, international investigations can be costly – creating incentives for companies to bear at least some of these costs allows for fuller internalisation of the costs of corporate crime since businesses then bear the cost of uncovering some of the facts associated with the wrongdoing.
The Siemens foreign bribery case provides insights into the details of internal investigations of company misconduct and shows how extensive these investigations can be. This case involved a global bribery scheme that straddled many of the markets in which Siemens did business. Bribery was deeply rooted in the company’s corporate culture and affected company operations across the globe. In co-operation with a multi-jurisdictional law enforcement effort, Siemens conducted an internal investigation that is reported to have cost €550 million. According to settlement documents, Siemens hired more than 300 lawyers, forensic accountants and support staff from a law firm and an accounting firm for a two-year internal probe. The company estimated that the firms billed 1.5 million hours of legal and accountancy work. The investigation spanned 34 countries and included 1 750 interviews. Of the roughly 100 million documents collected in the investigation, Siemens produced about 24 000 documents for the US Department of Justice (Jones, 2012). Siemens settled with German and US law enforcement authorities in 2007 and 2008, respectively, and agreed to pay what were, at the time, record fines.
3.7. Conclusions and additional considerations
Progress in creating legal frameworks. Legal systems change slowly, but over the 20 years since the Anti-Bribery Convention entered into force, Parties to the Convention have made significant progress in building the legal frameworks applying to unlawful conduct by corporations.
The creation and refinement of corporate liability systems are key elements of this progress. At the time the Anti-Bribery Convention entered into force, a third of the Parties had no legal framework for corporate liability and many of the others had only very sketchy systems that did not reflect the complexities of business management.10 Now, all Parties to the Anti-Bribery Convention can hold business organisations liable for crime in some form or other. In most cases, corporate liability systems make companies accountable for foreign bribery and for a wide variety of other unlawful acts. This, along with the adoption of increasingly dissuasive sanctions for foreign bribery, strengthens incentives for companies to adopt management systems designed both to prevent corporate crime and to encourage them to cooperate with law enforcement.
As noted above, the current state of play in the area of corporate criminal law is one of great progress, but also of great variation in law and practice among Parties to the Anti-Bribery Convention.
Strengthening newly established corporate liability systems. Some countries are at the early stages of developing their corporate liability systems. They need to build on and refine their systems, including by adopting incentives for self-reporting and co-operation.
Further improvements of long standing corporate liability systems in light of enforcement experience. Other countries have long traditions of corporate liability, but still need to fine-tune their systems. OECD monitoring shows that Parties to the Anti-Bribery Convention are refining their corporate liability systems in light of enforcement experience in order to obtain better outcomes. Some of the objectives of these refinements include:
Increasing public access to information about corporate resolutions. Making it possible for law enforcement authorities to release more information about the procedures and outcomes of the system (e.g. increasing public access to information about resolutions).
Clarifying and protecting the rights of individuals involved in cases concluded with corporate resolutions. As noted above, corporate investigations are not subject to the same procedural disciplines as investigations by law enforcement authorities. Although this has clear advantages in terms of rapidly generating relevant information, the law needs to ensure that the procedural rights of all parties to the investigation – including the individuals who may be implicated in the criminal activity – are not infringed in the course of corporate co-operation with law enforcement authorities.
Managing how the systems interact internationally. The number of multi-jurisdictional corporate crime cases is increasing (OECD, 2017b). As a result, it has become increasingly apparent that the international enforcement community needs to refine the current modus operandi for co-operation in order to promote the orderly resolution of cases across jurisdictions. What are the rules for sharing information obtained from company self-reporting across jurisdictions? Does a resolution obtained by agreement between a company and law enforcement authorities in one country mean that that company cannot be held liable for the same offence in other countries? This work can be done on a country-by-country basis.
The creation of legal systems in general and of corporate liability in particular is an evolutionary process that involves continual adaptation and refinement. The OECD Working Group on Bribery provides a platform in which its members can share information and experiences and exert peer pressure in order to improve both their laws and their enforcement practices.
References
Jones, M. (2012), ‘The High Cost of Non-Compliance’, FCPA Compliance & Ethics, http://fcpacompliancereport.com/2012/11/the-high-costs-of-non-compliance/.
OECD (2017a), The Detection of Foreign Bribery, www.oecd.org/corruption/the-detection-of-foreign-bribery.htm.
OECD (2017b), 2016 Data on Enforcement of the Anti-Bribery Convention: Special focus on international co-operation, www.oecd.org/daf/anti-bribery/Anti-Bribery-Convention-Enforcement-Data-2016.pdf.
OECD (2016), The Liability of Legal Persons for Foreign Bribery: A Stocktaking Report, www.oecd.org/corruption/liability-of-legal-persons-for-foreign-bribery-stocktaking-report.htm.
OECD (1997), OECD Convention on Combating Bribery of Foreign Public Officials in International Business Transactions, www.oecd.org/corruption/oecdantibriberyconvention.htm.
Notes
1. The statistical data for Israel are supplied by and under the responsibility of the relevant Israeli authorities. The use of such data by the OECD is without prejudice to the status of the Golan Heights, East Jerusalem and Israeli settlements in the West Bank under the terms of international law.
2. Page 13 of OECD (2017a) states the following about self-reporting: ‘Generally, the notion of self-reporting applies to companies, whereas individuals reporting themselves would be considered as confidential informants or cooperating witnesses. A company that self-reports will often also continue to provide ongoing co-operation with law enforcement authorities in the context of related investigation and related proceedings. There is currently no international anti-corruption standard relating specifically to self-reporting and practices vary across jurisdictions.’
3. Enforcement experience in countries Party to the Anti-Bribery Convention has shown the significant degree to which lack of management systems and a tolerant corporate culture can lead to widespread criminal activity throughout a company’s business operations.
4. This statistic reflects mainly the German tax authorities’ role in detecting foreign bribery, which detected 17 cases, of which 11 resulted in at least one sanction on an individual or a corporate entity. Germany’s Phase 4 Report notes the proactive role in detection of the German tax authorities (see, for example, page 5), www.oecd.org/corruption/anti-bribery/Germany-Phase-4-Report-ENG.pdf.
5. As shown on page 8 of OECD (2016) and in Part 1 of this report, the development of corporate liability systems is an ongoing process, with virtually all countries Party to the Anti-Bribery Convention taking legislative action to establish and/or refine their corporate liability systems.
6. As shown on page 21 of OECD (2016), most countries Party to the Anti-Bribery Convention apply their corporate liability systems to a broader range of criminal activity than just foreign bribery and no Party to the Convention has a corporate liability system that applies only to foreign bribery.
7. See page 66 of OECD (2016) for a discussion of where and under what circumstances compliance systems can preclude liability for foreign bribery.
8. One public official participating in Working Group comment procedures noted that ‘inviting companies to conduct investigations themselves could lead to unwarranted privilege claims. This can create satellite litigation and can take months or even years to resolve.’
9. The EU’s General Data Protection Regulation (GDPR) raises concerns for some countries in the area of cross border information sharing for law enforcement purposes. Countries are still exploring the impact that the GDPR will have on international co-operation in law enforcement.
10. For example, many of the common law members of the Working Group on Bribery had a “directing mind” approach to the standard of corporate liability, meaning that involvement by the top decision-making echelons of the company must be proved, if liability is to be established.