What Companies Should Know About the New ISO Anti-Bribery Standard
Global companies in the United States have an uneasy relationship with the Foreign Corrupt Practices Act. Most recognize that corruption can be damaging to business, but decry the statute as unfair: Because the United States is more aggressive about enforcing its anti-corruption laws than other countries, U.S. companies are more likely to be prosecuted for bribing foreign officials. The FCPA effectively tilts the playing field against us in foreign business transactions. But the global landscape may gradually be changing. Corruption prosecutions outside the U.S. are becoming more common, and many foreign governments have signaled a change in perspective by enacting new, more rigorous anti-corruption laws.
Now a movement is afoot to create a uniform anti-corruption compliance standard for companies around the world. The International Organization for Standardization – the same group that brought us the ISO 9001 quality certification – has drafted a new international standard targeted at defining best practices for managing the risks of corruption and bribery. The Anti-Bribery Management Systems Standard, ISO 37001, is currently in draft form. The draft Standard was approved by a majority of voting members in April 2016, and is scheduled for release in final form in September. The Project Committee in charge of drafting ISO 37001 is led by representatives from the U.K., with the U.S. and at least 35 other countries also participating, including Brazil, China, India, Mexico and Nigeria.
Like ISO 9001, the anti-bribery Standard will allow companies to obtain certification from accredited third parties that their management systems meet its requirements. None of the requirements listed in the draft Standard should come as a big surprise to U.S. companies that have already implemented anti-corruption compliance programs. They include:
- Implementing formal anti-bribery policies;
- Communicating these policies to employees and business associates;
- Assigning responsibility for the anti-bribery compliance function (e.g., appointing a Compliance Officer);
- Offering anti-corruption training to employees;
- Monitoring and auditing compliance;
- Conducting risk assessments and due diligence;
- Taking steps, where possible, to ensure business associates have implemented anti-bribery controls;
- Enacting policies and procedures that restrict gifts, hospitality and donations;
- Implementing other financial and non-financial controls;
- Establishing anonymous reporting systems for whistleblowers; and
- Establishing effective investigation procedures.
Obtaining ISO 37001 certification could benefit companies in a number of different ways. Companies will be able to point to certification as a means of assuring their customers, business associates and potential investors that they are taking reasonable steps to prevent bribery. Directors and officers similarly may look to certification as an affirmation that appropriate compliance measures are in place. For companies that are just beginning to branch out globally, the steps outlined in the 48-page draft Standard and its attached Annex provide detailed guidance as to how a global anti-corruption compliance program might look.
Companies should also be aware of what the Standard will not do. It will not establish binding legal requirements. Facilitation payments are an example of this. These are relatively small payments to public officials to secure or expedite the performance of services that are routine and non-discretionary, such as obtaining utilities, work permits, police protection or visas. Although facilitation payments to foreign officials are permitted under the FCPA, they are illegal under the laws of most other countries and effectively prohibited under ISO 37001. Annex A to the draft Standard states that “facilitation payments … are treated as bribes for purposes of this International Standard, and therefore should be prohibited by the organization’s anti-bribery management system.” The preface to Annex A states that it is intended to provide “illustrative” guidance only, but the conclusive nature of this statement creates ambiguity. Third-party certifying agencies that regard facilitation payments as bribes could cite to this provision as a basis for denying certification to companies that allow them. Evidence that a U.S. company permits facilitation payments thus might jeopardize its certification under the Standard, but should not be a basis for prosecution in U.S. courts.
Conversely, compliance with the Standard will not establish a defense to prosecution for bribery in U.S. courts. A company’s certification under the Standard may influence a prosecutor’s decision whether to bring charges, decline prosecution, or offer resolution under a deferred or non-prosecution agreement. Certification also may help a company establish at trial that it has taken reasonable steps to prevent bribery, which could sway the jury towards a “not guilty” verdict. If the company is convicted, its certification may persuade the court that the company has an “effective compliance and ethics program” under the organizational Sentencing Guidelines, which could result in a sentence reduction (Federal Sentencing Guidelines Manual (2015), Sentencing of Organizations §§ 8B2.1, 8C2.5(f)). But it will not eliminate liability in the face of evidence that bribery has actually occurred.
Certification under the program similarly provides no guarantee that business partners are not participating in corruption. Companies should continue to conduct due diligence on acquisition targets, consultants, sales agents and other third parties, even if they can establish that they have complied with all of the ISO 37001 requirements. Although such compliance may lower the risk level associated with a potential business partner, to rely on its certification as a proxy for effective due diligence procedures would be unwise.
ISO 37001 further fails in its endeavor to create a platform for global uniformity. The draft Standard provides no clear definition of “bribery” and (facilitation payments excepted) defers to the laws of individual countries to establish what is prohibited. Its requirements are also flexible, allowing companies to vary the strength of adopted compliance measures depending on their size, geographic reach and other factors. While such flexibility is an absolute necessity if ISO 37001 is to have any real utility for smaller businesses, it prevents the Standard from giving businesses a means to clearly benchmark how far their compliance programs should go.
Finally, the draft of ISO 37001 includes an important proviso allowing certified companies to skip requirements that conflict with applicable law: “If the whole or part of any requirement in this International Standard is in conflict with, or prohibited by, any applicable law, then the organization will not be obligated to conform with the relevant whole or part of that requirement.” Anonymous reporting systems are an example of how this exemption applies. Section 8.9 of the draft Standard requires that: “The organization shall implement procedures which … allow anonymous reporting…” Although anonymous hotlines are widely used throughout the U.S., such systems violate the data protection laws of a number of countries in Europe. While necessary, this exemption undermines the potential benefits of the Standard for multi-national corporations seeking to develop compliance programs that can be implemented anywhere in the world. One wonders whether it would have been more effective to eliminate anonymity and other controversial requirements from the Standard, leaving companies free to adopt them (or not) where permitted by law.
Whether ISO 37001 will have any real impact on business relationships remains to be seen. The ISO has published nearly 20,000 international standards, the majority of which most people have never heard of. Others – like ISO 9001 – have an extraordinary reach. There is no guarantee that ISO 37001 will gain similar traction, but it has the potential to influence transactions even among parties who are not certified. Foreign business partners operating outside the jurisdiction of U.S. authorities tend to view U.S. companies that demand FCPA compliance as arrogant and imperialistic: Why should we be allowed to impose our moral code on cultures where bribery is accepted? By establishing a more neutral supporting authority, ISO 37001 could give U.S. companies greater leverage to negotiate anti-corruption compliance with third parties. Whether ISO 37001 becomes widely used or not, it underscores the global trend against corruption even in countries where bribery is culturally ingrained.