Editor: Please provide our readers with a brief description of your professional background. Is there a particular case that stands out in your early career?
Murphy: I started my career as a general white collar criminal defense lawyer at Latham & Watkins. Early on, the practice entailed a broad range of white collar crimes such as Medicare fraud and tax and financial fraud. The case that got me hooked into a white collar practice involved the collapse of the Baptist Foundation of Arizona. I was a second-year lawyer, and I found the human story of how the Foundation collapsed to be so compelling. It was a religious organization that had all of the best motivations behind it but ran afoul of its good intentions by misusing funds received from retired pensioners – investing in speculative land deals instead of building new churches, as they represented they would. As the deals collapsed, the foundation had to get more funds just to keep their current debts serviced. It became a classic Ponzi scheme. I became enamored with the human stories of how fraud occurs. I generally believe that many people who get caught up in fraud do not start out wanting to be fraudsters; they evolve into it.
In 2001, I worked on an FCPA case in Indonesia, but when the uptick in enforcement came about in 2004-2005, with this background, I started working solely on fraud matters. Since 2005, 80 or 90 percent of my practice has been corruption cases. Corruption is a very particular kind of fraud that tends to have many patterns. Once you have conducted enough investigations, you see the patterns that emerge over and over again. They are endlessly fascinating because everyone involved has his own motivations and different stories to tell about why he has done these things. Placed in context, many of these cases are explainable, if not necessarily legal.
Editor: In-house compliance counseling is an integral part of your practice. What are the key elements of a good compliance program, and why is in-house counseling so vital to a successful program?
Murphy: There are obvious elements that are most critical to a compliance program, number one of which is that companies have to have a top-level commitment to compliance. If the board and senior management are not totally committed to compliance (both in terms of sending the right messages to the organization and in terms of funding the program), then there is no way for a program to be successful. Business leaders in different parts of the world also need to be responsible for making sure the organization is compliant. It is very easy for compliance people to have the support of management back at headquarters, but where it is important is when they are back in the field, training people, implementing programs and investigating issues. If managers don’t have the support of the local business leaders, it can be a frustrating exercise. Lastly, an important element is a high-quality training program. Corruption law is simple to explain, but, in practice, it is murky since many unforeseen issues arise.
Editor: You are the author of Foreign Corrupt Practices Act: A Practical Resource for Managers and Executives. Why is it so important that the boots on the ground understand what constitutes an FCPA violation? What are some common misconceptions about what constitutes an FCPA violation?
Murphy: I’ve done investigations in about 25 different countries, many of them repeated investigations in countries like China. As I mentioned earlier, over time, if you do enough of these things, you tend to see the same kinds of structures of bribery transactions, but they’re all embedded in local custom, culture and social mores. Fundamentally, it may be a kickback scheme through a channel partner or distributor, but the way they might be implemented could vary from culture to culture.
Without getting out into the field to understand how business is conducted in different parts of the world as well as how certain high-risk industries operate in different parts of the world, it would be difficult to mandate compliance standards. Establishing standards is just a function of experience. There is just no way to reduce your risks to zero. What you need to be talking about is managing risk, and there’s no way you can properly manage risk if you don’t really understand what the risk is.
As for common misconceptions about FCPA violations, there’s a misconception that confuses regulatory problems with bribery. Statutes run to all kinds of regulatory interaction that is not necessarily tied to winning contracts. There are many internal investigations, never reported to the government, that are dealt with in-house, a vast majority of which revolve around regulatory problems. They happen every day around the world and in jurisdictions with a complex and opaque regulatory environment, such as China, where there may be multiple officials having partial jurisdiction over every issue, and there’s no clear rulebook. In many cases, it is impossible to ascertain that corruption exists.
Editor: Please share a bit about how you counsel clients on the topic of voluntary disclosures. Have you found that the guidelines on self-reporting issued by the Department of Justice have restored the corporate community’s confidence in expecting a certain amount of leniency if they self-report?
Murphy: The short answer is no. I think that the guidance that was issued by the Justice Department was a very good thing for the government to do. It’s useful, but its use is more in terms of creating a very clear set of policy statements that compliance officers and companies can use to indicate this is the way Justice views the world, and this is the issue they are focused on. That is a powerful message that has been helpful to compliance professionals around the world. But it has not made the voluntary disclosure calculus any easier because, at the end of the day, every case stands or falls on its own. No one has any guarantees as to whether they will get lenient treatment going into a session with the SEC or DOJ. The voluntary disclosure calculus is still a very anxiety-producing event. In some cases, where a reporter is sniffing around or a disgruntled employee is making waves, there is no choice of non-reporting. The harder cases depend on how management and the board view their tolerance for risk and for going through the pain of an investigation since the process is disruptive and fraught with some degree of risk.
Editor: I understand that you’ve been involved in several multijurisdictional FCPA probes. What are some of the biggest difficulties in preparing a multinational company for an FCPA investigation?
Murphy: The biggest difficulty is getting management to understand how big the scope of the inquiry is likely to be. Many are not prepared and don’t always understand the manner in which these investigations need to proceed. Unlike civil litigation issues, corruption matters are often dynamic, real-time problems. What you know at the beginning of an investigation is often very different from what you know at the end. We have no ability to predict at the outset who is involved in the possible corruption and how high up the chain of command it goes. You’re often in the posture where you need to say, “Look, we need to make some kind of bad assumptions, which is that senior management might be involved” – which is a route difficult to accept. The natural reaction to collecting and preserving everyone’s email and data is one of total disruption, so it needs to be done very quietly. You have to be able to explain to management that a blanket search is not our aim. What we’re trying to do is protect the company – and particularly senior management – in the event the investigation ends before the DOJ or SEC. Those agencies are going to want to know whether senior management is involved, and if I say no, I need to be able to explain why I’m confident that that is the case. Determining who the bad actors aren’t is just as important as determining who the bad actors are.
Editor: What are the trends in global enforcement, and what international anti-corruption initiatives should U.S. corporations be especially aware of?
Murphy: The question is unanswerable in some respects, other than to say the trend is toward increased international enforcement. Countries like China have suddenly come to life in this area. The GlaxoSmithKline investigation is a case in point. Can we expect to see Chinese authorities become very aggressive across different industries? We’re going to start seeing more and more cases that don’t start with U.S. officials, but as a result of government authorities in other countries beginning an investigation. Looking at the history of the development of this area of law, it is only recently that countries adopting the various U.N. conventions have begun to implement these conventions by enacting laws and having the mechanisms in place for enforcing them. They’re starting to take action under these laws, and I expect to see explosive growth in cases that are being initiated and brought by other jurisdictions. Cases that may have started in the U.S. may also end up with prosecutions and resolutions in many different countries.
Editor: Parties are increasingly advised to be cautious about use of third-party agents, but if a company must use a third-party agent, what can it do to limit its risk exposure?
Murphy: This is where compliance programs are critical. I tell people all the time that no compliance program is ever going to be perfect, and every company at some point is going to have a problem in this area. The best thing that you can do is have a very strong compliance program that has a good set of diligence procedures. Everyone is going to find herself in a position where she has some agent in some part of the world where there are a lot of inexplicable facts that make it hard to know what the agent is doing. That’s actually more likely the common scenario than the commission of a blatantly illegal act. Having that diligence program in place is critical because a good compliance program will, in fact, make you largely compliant. It serves as a reliable rebuttal to any inquiry by a governmental body.
Editor: The DOJ and SEC are increasingly prosecuting individuals for personal liability in fraud cases – as seen in the Corzine and PetroTiger cases. Is there a sense that concern about being personally prosecuted will make senior executives more wary of corporate governance lapses?
Murphy: That is clearly why they are bringing more cases against individuals. Whether it really has that effect is unclear. What’s the deterrent effect of prosecution? Most executives don’t expect to become corrupt or fraudsters. The fact that someone got caught and prosecuted may not have the deterrent effect that the government would like it to have.
Editor: Please talk about the instrumentalities of the interstate commerce provision and the impact of SEC v. Straub. It is difficult to imagine that most executives know which servers their emails pass through at a given time, so how did the SEC make a case to charge three foreign executives of foreign corporations with an FCPA violation when the only apparent connection to the United States was an email sent by one of the executives that happened to pass through a U.S. server? And, more importantly, what would wide adoption by foreign jurisdictions of this sort of broad reading of corrupt practices mean for U.S. corporations?
Murphy: There are really two things that are important to keep in mind about how Straub and those kinds of cases work. One is you have the interstate commerce jurisdiction requirement for these foreign parties that would not otherwise be subject to the FCPA. If you’re routing messages through servers, that is just the hook the government uses to say you are now conducting some activity that is clearly interstate or international commerce, which touches the U.S. The piece that is really problematic for foreign employees is whether the sender personally is subject to jurisdiction in the U.S. Many companies are struggling with these big compliance issues since there are many back-up servers retaining emails in case the system goes down, many of which end up in the U.S.
The other piece is that of personal jurisdiction, which requires that a person must have directed some activity at this jurisdiction, a concept from the 1930s Supreme Court cases regarding signatories to stock certificates. I find this a much greater risk element since employees all over the world are essentially required by their jobs to sign all kinds of certifications. In signing that an employee is not aware of any violations (although there may be violations), he is involved in the compliance program. Upon signing, an employee is placing himself under the jurisdiction of the United States. Is he subjecting himself to personal jurisdiction in the U.S.? It is a hard question! The one thing that is very clear that the DOJ and the SEC are doing is they are aggressively pushing the boundaries of jurisdiction as far as the courts will allow them.