The recent Securities and Exchange Commission enforcement action against BHP Billiton on Foreign Corrupt Practices Act violations provides some clear guidance for the compliance professional about the difference between having a paper compliance program in place and the actual doing of compliance. What’s more, the enforcement action demonstrates why having a compliance defense added to the FCPA would not move forward the law’s goals of furthering anti-corruption and anti-bribery across the globe.

The facts underlying the BHP Billiton case relate to the company’s program for client entertainment at the 2008 Beijing Olympics. Recognizing the high risk of an FCPA violation in paying for foreign government officials to travel to, attend, and be feted at the Olympics, BHP Billiton established a risk management solution in the form of an in-house Olympic Sponsorship Steering Committee (OSSC) and Global Ethics Panel Sub-Committee, together with a specific set of written requirements for identifying and approving requests for travel and entertainment from its business operations.

It turned out, however, that the Ethics Panel’s charter stated that its role simply was to provide advice on ethical and compliance matters, and that “accountability rest[ed] with business leaders.” Members of the Ethics Panel understood that, consistent with their charter, their role with respect to implementation of the hospitality program was purely advisory. Unfortunately BHP neglected to tell business unit folks that the Panel was simply advisory, and it would not be making decisions. Moreover, BHP did not give these same business folks the tools to allow them to evaluate their own requests fully.

The BHP paper program appeared robust. As laid out in the SEC cease-and-desist order, “BHPB developed a hospitality application which business managers were required to complete for any individuals, including government officials, whom they wished to invite.” The application included these questions to be answered fully:

What business obligation exists or is expected to develop between the proposed invitee and BHP Billiton?

Is BHP Billiton negotiating or considering any contract or license agreement or seeking access rights with a third party, where the proposed invitee is in a position to influence the outcome of that negotiation?

Do you believe that the offer of the proposed hospitality would be likely to create an impression that there is an improper connection between the provision of the hospitality and the business that is being negotiated, considered, or conducted or that in any way might be perceived as breaching the Company’s Guide to Business Conduct? (If yes, please provide details); and

Are there other matters relating to the relationship between BHP Billiton and the proposed invitee that you believe should be considered in relation to the provision of hospitality having regard to BHP Billiton’s Guide to Business Conduct?

So the right forms were in place, and some of them were fully filled out. As the cease-and-desist order made clear, however, an effective compliance program doesn’t end there. The company failed because it did not do the work of compliance.

Where BHP failed was that “other than reviewing approximately 10 hospitality applications for government officials in mid-2007 in order to assess the invitation process, the OSSC and the Ethics Panel sub-committee did not review the appropriateness of individual hospitality applications or airfare requests … As a result, business managers had sole responsibility for reconciling the competing goals of inviting guests—including government officials—who would ‘maximize [BHPB’s] commercial investment made in the Olympic Games’ without violating anti-bribery laws.”

But there was more than just a failure of oversight by the Ethics Panel. The cease-and-desist order noted that not all of the forms were filled out with the critical information around whether a proposed recipient might have been a government official. Even worse, information was missing on whether the proposed recipient was in a position to exert influence over BHP business.

Moreover, BHP did not provide training on payment of travel and hospitality for spouses to the business-unit employees who ended up deciding whether or not to provide the hospitality. The cease-and-desist order stated that BHP “did not provide any guidance to its senior managers on how they should apply this portion of the Guide when determining whether to approve invitations and airfares for government officials’ spouses.” Finally, no controls were in place to update or provide ongoing monitoring of the critical information in the forms.

All of this led the SEC to state: “As a result of its failure to design and maintain sufficient internal controls over the Olympic global hospitality program, BHPB invited a number of government officials who were directly involved with, or in a position to influence, pending negotiations, efforts by BHPB to obtain access rights, or other pending matters.” The bottom line was phrased most succinctly by Antonia Chion, associate director of the SEC’s Division of Enforcement, when she said in a press release about the case, “A check-the-box compliance approach of forms over substance is not enough to comply with the FCPA.”

How about those still urging that the FCPA be amended to give companies a free pass if they have a compliance defense? I recognize that the BHP enforcement was not a criminal enforcement action; still, the case demonstrates the fallacy of the idea that having a compliance defense will actually promote anti-corruption compliance. Simply put, BHP had a robust paper compliance program. Yet when it came down to doing the simple and straightforward work, apparently that wasn’t something BHP could be bothered to do.

In addition to the failures I outline above, the company’s own compliance solution acknowledged that its high-risk operation failed in the following ways: the Ethics Panel, which was charged with reviewing and approving each application, was not fulfilling its function. This allowed the operational business managers to have sole authority to review and approve the application. Some hospitality applications were not accurate or complete, and did not identify some invitees as government officials—even when BHP had ongoing negotiations or efforts to obtain access to mining rights. Many applications were simply cut-and-paste jobs, as they had the same explanation or information for multiple foreign government officials.

The company did not even bother to train its employees on how to fill out the forms or how to evaluate whether the invitation complied with its business conduct policies. There was no process for updating information if conditions changed prior to the event.

Finally, and perhaps most importantly, BHP had no mechanism to evaluate the tie between the foreign government official being entertained and the business that person had with BHP or potential work he could direct to the company.

Basically, BHP had a paper program in place but could not be bothered to follow it. This was for a huge event involving foreign government officials (and their spouses) who would receive benefits, in the form of gifts, travel, and entertainment the company estimated at a value of $12,000 to $16,000.

The company clearly assumed that by having a paper program, it was insulated from FCPA liability. The reality was this: Even though there was no evidence of bribes paid out under BHP’s Olympic hospitality program, the simple fact that the company had a paper compliance program was not evidence that BHP was effective in the doing of compliance.

The BHP Billiton FCPA enforcement action will resonate for quite a while in the compliance community. The FCPA Professor has reported the $25 million fine is the largest civil penalty assessed by the SEC in an FCPA enforcement action. This fine was for the violation of internal controls only, which reinforces the SEC’s commitment to rigorous enforcement of the books-and-records provision of the FCPA, independent of the Justice Department’s attention to criminal provisions of the law.

More importantly, it drives home the need for doing compliance in your anti-corruption compliance program—not simply saying that you do, or even having a written program in place.