On October 15, 2016, the International Organization for Standardization, known as "ISO", published the first international anti-bribery management system standard (ISO 37001 or the standard). ISO is a Swiss-based international organization with representatives from around the world that seeks to develop and set universal guidelines and specifications for the international marketplace, including business process standards such as quality management, occupational health and safety, and now, anti-bribery. ISO 37001, developed by a committee that included representatives from the UK, US, and other ISO member states, is designed to help organizations reduce bribery risk within their own organizations and, through its intended widespread adoption, to create a common baseline of minimum anti-bribery efforts that should be taken by organizations.
ISO 37001 Is Intended to Reflect and Support Consensus Anti-Bribery Best Practices
The standard, according to ISO, draws on existing anti-bribery and anti-corruption guidance and aims to represent a global consensus on preferred anti-bribery practices. As such, the standard supplies familiar requirements for an anti-bribery program:
- An anti-bribery policy and corresponding procedures
- Top management leadership on, commitment to, and responsibility for anti-bribery compliance
- Oversight by an independent compliance manager or function
- Anti-bribery training
- Risk assessments and due diligence on projects and business associates
- Financial, procurement, commercial and contractual controls
- Reporting, monitoring, investigation and review
- Corrective action and continual improvement
The standard provides flexibility in implementing these requirements. It specifically states that implementation should be "reasonable and proportionate" to the bribery risk and exposure faced by the implementing organization, including based on the organization's size. It also allows for flexibility by providing a general definition of bribery that is superseded by the anti-bribery laws that govern the organization--so a US company can consider implementation based on the definition of bribery in the Foreign Corrupt Practices Act (FCPA), while a UK company can focus its implementation based on the UK Bribery Act.
Notably, however, the standard includes three specific requirements. First, the new ISO standard treats commercial bribery and bribery of a government official similarly, whereas the FCPA and certain other anti-corruption statutes focus only on bribery of government officials. Second, it includes provisions aimed at situations where employees of an organization are the recipients of the bribe rather than company representatives offering or providing bribes. Third, it provides that a company's policies should prohibit facilitation or "grease" payments, i.e., small payments to obtain an outcome to which the payor is legally entitled that are exempted from the FCPA and some other anti-corruption laws. How these requirements, which appear in the UK Bribery Act but not the FCPA, will be interpreted within the flexible implementation scheme that is intended to support best practices is unclear.
ISO 37001 Seeks to Create a Universal Anti-Bribery Standard
The publication of the anti-bribery standard is significant because the ISO certification infrastructure provides incentives for widespread adoption of ISO standards, as the certification itself will operate as a widely accepted indicator that the certified business has an adequate anti-bribery system. Under the intended certification process, an organization may seek certification from the appropriate third party that the organization's anti-bribery system meets the ISO 37001 requirements. The third party, which may be accredited by a nationally based accreditation body, would charge the organization a fee, assess its anti-bribery system's compliance with ISO 37001's requirements, and issue a certification of compliance. (ISO itself is not involved in the accreditation or certification process.) Other ISO business system standards have become widely adopted through the same accreditation and certification mechanism--most prominently, more than 1 million companies from around the world are certified under ISO 90001, which provides requirements for quality management systems. (Many of the other thousands of ISO standards have not had the same reach.)
It remains to be seen whether ISO 37001 will have such an impact. In light of the significant anti-bribery risks associated with third parties, a globally recognizable symbol that a business's anti-bribery program can be trusted could be attractive. Such a symbol, if reliable, could help reduce due diligence costs and, especially for smaller or medium-sized businesses struggling to meet compliance standards of larger business partners, simplify compliance obligations. Even without widespread adoption, certification could become a marketing tool for companies located in high-corruption-risk jurisdictions seeking to attract international business partners.
The flexibility that is essential to allowing the standard to apply effectively to businesses of different sizes and risk profiles could, however, be in tension with the intended standardization. A US company may view the flexibility afforded to smaller businesses in high-corruption-risk jurisdictions as providing for too much risk, eliminating the potential benefits of certification. The marketplace also must believe that accredited parties, and any others issuing certificates, are competent to assess ISO 37001 compliance--and are not themselves subject to corruption. It remains to be seen whether the system of accreditation and certification itself will be sufficiently reliable for ISO 37001 certification to be trusted. Moreover, the relevant compliance requirements for companies facing FCPA scrutiny will remain the requirements stated in the Federal Sentencing Guidelines and by the Department of Justice and Securities and Exchange Commission to receive mitigation credit (and likewise the requirements in the UK Bribery Act for a UK company).
The ultimate impact of ISO 37001 will not be clear for some time. The standard does not impose significant new compliance requirements beyond current best practices in existing anti-corruption programs. But its ultimate impact could be in widespread adoption of certified anti-bribery systems. While there are shortcomings in implementation that will need to be navigated, the standard could eventually become an important requirement in demonstrating compliance competence and, potentially, a must-have for doing business in the international marketplace.