On October 14, 2016, the International Organization for Standardization (ISO) published ISO 37001, a standard for “Anti-bribery Management Systems.” The standard provides guidelines intended to help companies establish “a culture of integrity, openness, and compliance” with respect to their anti-bribery programs. It addresses both outbound bribery (bribery by a company or its employees or affiliates) and inbound bribery (bribery of a company or company personnel). ISO 37001 is designed to be auditable, and companies with anti-corruption programs that meet the standard may seek to have their programs certified as ISO 37001 compliant.
ISO 37001 has not been formally endorsed by the United States Department of Justice, the Securities and Exchange Commission, the United Kingdom Serious Fraud Office, or any other anti-bribery enforcement agency. However, U.S. officials have informally suggested that “[a]nything that tells companies, especially overseas companies, what is expected from an anti-corruption perspective is a good thing.”1
The standard is essentially a detailed outline of the elements of an effective anti-bribery compliance program. Among other things, it calls for an active commitment to compliance by top management, training for employees, and risk mitigation when dealing with third parties. Under the standard:
- Top management should receive anti-bribery training, as well as regular reports from the compliance function, which should also have a direct line of communication to the board of directors (if applicable).
- Management, compliance personnel, and the board should regularly assess the effectiveness of the compliance program, and management should make its commitment to compliance clear to the rest of the organization.
- Employees should be trained in the anti-bribery program in appropriate languages, and compliance with the anti-bribery program must be a condition of employment. Employees who face a higher bribery risk should receive more training.
- Employees must be educated as to where to report bribery, and companies should investigate when there are such reports or other indicia of bribery.
- Employees cannot be penalized for reporting suspected bribery that they did not participate in, nor for refusing to participate in activities that involve “a more than low risk of bribery that has not been mitigated by the organization.”
- Companies should make sure that third-party associates are properly formed legal entities and that they are actually performing the services for which they are billing.
- Where a third-party associate has a “more than low” bribery risk, companies should ensure that appropriate general or transaction-specific anti-bribery controls are in place.
The standard is intended to be flexible. Smaller companies or companies that face little bribery risk can have a smaller compliance function and still meet the standard. Companies are asked to tailor their programs to the industry and location-specific bribery risk they face. Moreover, all companies that wish to meet the standard are asked to keep records of risk assessments, training, investigations, and ongoing assessments of the effectiveness of their compliance program.
Although most of the standard is written to describe what a conforming company “shall” do, certain sections are more open-ended. For example, the standard notes that companies “should,” rather than “shall,” prohibit facilitation payments and provide specific guidance to employees faced with requests for such payments. Because a certified program may therefore still permit facilitation payments, a company subject to, for example, the UK Bribery Act, which bars such payments, ought to be cautious when dealing with companies that advertise ISO 37001 compliance or certification. Similarly, although the standard provides some examples to help an organization assess bribery risk, the organization seeking certification ultimately has discretion to weigh, prioritize, and evaluate bribery risk and its own risk tolerance. Questions of when and whether to report suspected bribery to the authorities are also left to the organization.
While the standard contemplates a certification program, the ISO does not certify companies directly.2 Instead, companies choose external certification bodies to audit their programs for conformity with the standard. The ISO’s Committee on Conformity Assessment has created standards for certification bodies to use during the certification process. Certification bodies may be accredited, but accreditation is not a requirement. Thus, companies seeking certification should choose a reputable certification body, and companies working with certified partners or agents should investigate the source of that certification.
Nothing about the ISO standard will be surprising to U.S. companies that have a generally current compliance program. For those that are a little behind, however, the standard can help guide the design or enhancement of one. Much of the ultimate significance of the standard will depend on how enthusiastically the global business community embraces the standard and the certification program. One could envision a world in which ISO certification serves as a helpful signal to companies seeking to do business with other organizations that take anti-bribery seriously, and it could even be a helpful point in a company’s favor in the context of an anti-bribery investigation. It is important to understand, however, that the quality of certification bodies can vary, that the standard has not been adopted by any governmental authority, and that it leaves significant room for discretion in assessing risk or even in making payments. Most importantly, companies must avoid falling into the trap of thinking that there is a magic formula for an anti-bribery compliance program. Just as certification will be only a single data point when investigators assess an organization’s commitment to compliance, certification should be only a data point when companies do anti-bribery compliance diligence on partners. ISO certification of a company’s compliance program (or that of a relevant partner) will not, standing alone, prove its effectiveness in the eyes of an enforcement agency.