Global companies in the United States have an uneasy relationship with the Foreign Corrupt Practices Act. Most recognize that corruption can be damaging to business, but decry the statute as unfair: Because the United States is more aggressive about enforcing its anti-corruption laws than other countries, U.S. companies are more likely to be prosecuted for bribing foreign officials. The FCPA effectively tilts the playing field against us in foreign business transactions. But the global landscape gradually may be changing. Corruption prosecutions outside the U.S. are becoming more common, and many foreign governments have signaled a change in perspective by enacting new and stricter anti-corruption laws.
Now a movement is afoot to create a uniform anti-corruption compliance standard for companies around the world. The International Organization for Standardization - the same group that brought us the ISO 9001 quality certification - has drafted a new international standard targeted at defining best practices for managing the risks of corruption and bribery. The Anti-Bribery Management Systems Standard, ISO 37001, is currently in draft form. The draft Standard was approved by a majority of voting members in April 2016, and is scheduled for release in final form in September. The Project Committee in charge of drafting ISO 37001 is led by representatives from the U.K., with the U.S. and at least 35 other countries also participating, including Brazil, China, India and Nigeria.
Like ISO 9001, the anti-bribery Standard will allow companies to obtain certification from accredited third parties that their management systems meet its requirements. None of the requirements listed in the draft Standard should come as a big surprise to U.S. companies that have already implemented anti-corruption compliance programs. They include:
- Implementing formal anti-bribery policies;
- Communicating these policies to employees and business associates;
- Appointing a compliance officer;
- Offering anti-corruption training to employees;
- Monitoring compliance;
- Conducting risk assessments and due diligence;
- Taking steps to ensure business associates have implemented anti-bribery controls;
- Enacting policies and procedures that restrict gifts, hospitality and charitable donations;
- Implementing other financial controls;
- Establishing anonymous reporting systems for whistleblowers; and
- Establishing effective investigation procedures.
Obtaining ISO 37001 certification could benefit companies in a number of different ways. Companies will be able to point to certification as a means of assuring their customers, business associates, and potential investors that they are taking reasonable steps to prevent bribery. Directors and officers similarly may look to certification as an affirmation that appropriate compliance measures are in place. For companies that are just beginning to branch out globally, the steps outlined in the draft Standard provide detailed guidance as to how a global anti-corruption compliance program might look.
Companies should also be aware of what the Standard will not do. It will not establish binding legal requirements. Facilitation payments are an example of this. These are relatively small payments to public officials to secure or expedite the performance of routine and non-discretionary services, such as obtaining utilities, work permits, police protection or visas. Although facilitation payments to foreign officials are permitted under the FCPA, they are illegal under the laws of most other countries and prohibited under ISO 37001. Evidence that a U.S. company permits facilitation payments might jeopardize its certification under the Standard, but should not be a basis for prosecution in U.S. courts.
Conversely, compliance with the Standard will not establish a defense to prosecution for bribery in U.S. courts. That a company is certified may influence a regulator’s decision whether to bring charges or not. Certification will also provide evidence in court that a company has taken reasonable steps to prevent bribery - which could substantially mitigate any sentence imposed. But it will not eliminate liability in the face of evidence that bribery has actually occurred. A business associate’s certification under the program similarly provides no guarantee to partners that it doesn’t participate in bribery.
ISO 37001 further fails in its endeavor to create a platform for global uniformity. The draft Standard provides no clear definition of “bribery” and (facilitation payments excepted) defers to the laws of individual countries to establish what’s prohibited. Its requirements are also flexible, allowing companies to vary the strength of adopted compliance measures depending on their size and geographic reach. While such flexibility is an absolute necessity if ISO 37001 is to have any real utility for smaller businesses, it prevents the Standard from giving businesses a means to clearly benchmark how far their compliance programs should go.
Finally, ISO 37001 includes an important proviso allowing certified companies to skip requirements that conflict with applicable law. Anonymous reporting systems are an example of this. Although they are widely used throughout the U.S., such systems violate the data protection laws of a number of countries in Europe. While necessary, this exemption undermines the potential benefits of the Standard for muti-national corporations seeking to develop compliance programs that can be implemented anywhere in the world. One wonders whether it would have been more effective to eliminate anonymity and other controversial requirements from the Standard, leaving companies free to adopt them (or not) where permitted by law.
Whether ISO 37001 will have any real impact on business relationships remains to be seen. The ISO has published nearly 20,000 international standards - the majority of which most people have never heard of. Others - like ISO 9001 - have an extraordinary reach. Whether ISO 37001 becomes widely used or not, it underscores the global trend against corruption even in countries where bribery is culturally engrained.