Recently, the International Organization for Standardization (ISO) adopted a new set of voluntary standards, designated as ISO 37001, to assist organizations in their ongoing fight against bribery. As a result of recent increases in the enforcement of the U.S. Foreign Corrupt Practices Act of 1977 (FCPA) and, notwithstanding the guidance provided by the U.S. Department of Justice's (DOJ) Resource Guide to the U.S. Foreign Corrupt Practices Act (Guide), for-profit and notfor-profit organizations continue to seek greater clarity when establishing and maintaining their anti-bribery compliance programs. By developing a set of standards that adopts best practices in the area of anti-bribery compliance across industries, and organization types and sizes, ISO 37001's adoption may assist organizations in their development and implementation of stronger anti-bribery compliance programs.
FCPA and the Guide
The FCPA makes it unlawful for certain classes of persons and entities to make payments to foreign government officials in furtherance of obtaining or retaining business. More specifically, the anti-bribery provisions of the FCPA prohibit payments to foreign officials to obtain or retain business, while the accounting provisions require issuers to make and keep accurate books and records, and to maintain an adequate system of internal accounting controls. The anti-bribery provisions not only apply to all U.S. persons and certain foreign issuers of securities, they also apply to foreign firms and persons who cause, directly or through agents, an act in furtherance of a corrupt payment to take place within the U.S.
Largely as a result of increased enforcement of the FCPA over the past decade, some have expressed frustration with the perceived inconsistency in the manner in which the government approaches FCPA violations. In response to these voices, the DOJ issued the Guide in 2012. Although not providing bright line rules, the Guide provides extensive case studies and hypothetical scenarios intended to assist organizations navigate compliance with the FCPA, and thus avoid potential enforcement actions. Moreover, the Guide has conveyed an essential message to organizations subject to the FCPA that proactive and effective self-oversight and management of conduct by an organization is the key to avoiding FCPArelated prosecution and liability, and ensuring compliance. Such conduct can be satisfied through the establishment and maintenance of an effective anti-bribery compliance program to prevent corrupt, violative behavior by employees and agents.
As part of its objective of developing and publishing international standards, the ISO has drawn upon the national standards bodies of 163 member countries to develop nearly 20,000 voluntary international standards across industries and sectors to date. ISO 37001, published in October 2016, is designed to help an organization establish, implement, maintain and improve an effective and proactive anti-bribery compliance program using a series of measures and controls that represent global anti-bribery best practices. The set of standards set forth in ISO 37001 can be used as a standalone program or can be integrated into a pre-existing overall management system.
ISO 37001 addresses the following bribery types in relation to an organization's activities:
- Bribery in the public, private and not-for-profit sectors;
- Bribery by an organization (e.g., bribery by the organization's personnel or business associates acting on the organization's behalf or for its benefit);
- Bribery of an organization or its personnel or business associates; and
- Direct and indirect bribery (e.g., a bribe offered or accepted through or by a third party).
ISO 37001 compliance requires organizations to implement a series of measures and controls in a reasonable and proportionate manner to help prevent, detect and effectively deal with bribery. Below are the relevant requirements set forth by ISO 37001:
a. Anti-bribery policies & procedures: Develop appropriate anti-bribery compliance policies and procedures in accordance with applicable laws to prevent bribery. Ensure that the policy and procedures are communicated in appropriate languages to employees and business associates, and are available to all relevant stakeholders.
b. Management leadership, commitment & responsibility: Obtain the organization's governing body approval of an anti-bribery policy that is appropriate for the organization's strategy, receive and review information about the anti-bribery management system, and exercise reasonable supervision. Charge top management with the establishment, implementation and review of an adequate anti-bribery system, communication of the anti-bribery policies with employees and business associates, and promotion of an anti-bribery culture while continually updating and improving the chosen system.
c. Personnel controls & training: Provide employees with adequate and appropriate anti-bribery training. When the organization deals with a third party, ensure the third party's employees receive the same compliance training from the organization or a third party.
d. Risk assessments: Undertake planned and periodical bribery risk assessments in order to identify and cope with related risks, and assess whether the existing controls are suitable and effective. Regularly review the assessment and retain relevant records.
e. Due diligence on projects & business associates: When a bribery risk assessment establishes a greater than "low" risk in relation to specific transactions, projects, activities or business associates, conduct due diligence necessary to obtain sufficient information to separately assess the risk.
f. Financial, commercial and contractual controls: Implement financial and non-financial controls to manage bribery risk. Require employees to comply with the anti-bribery policies of the management system and give the organization the right to discipline in the event of non-compliance. Require that business associates commit to prevent bribery, and formally advise that business relationships will be terminated in the event of bribery.
g. Reporting, monitoring, investigation and review: Develop procedures that encourage whistleblowing on possible or actual bribery. Treat such reports confidentially and allow anonymous reporting. Continually assess and review the anti-bribery function to determine whether it is adequate to manage the bribery risks faced by the organization effectively and whether it is being effectively implemented.
h. Corrective action and continual improvement: When there is violation in the anti-bribery management system, promptly take action to control and correct it, and to deal with the consequences. Revise the management system if necessary. Continually improve the suitability, adequacy and effectiveness of the anti-bribery management system.
In addition, ISO 37001 notes that while "facilitating payments" are permitted by the FCPA, such payment type is illegal under many other countries' foreign bribery laws. Given the ISO's broad global perspective, it is not surprising that ISO 37001 treats facilitating payments as bribery and advocates that such payments should be prohibited by an organization's anti-bribery management system.
Organizations can only be designated as ISO 37001-certified by an external certification body, such as the American National Standards Institute - American Society for Quality National Accreditation Board LLC (ANAB), the American National Standards Institute (ANSI), or the International Accreditation Service (IAS). ISO, itself, is not involved in the certification process. Before engaging a certification body, it is suggested that organizations review their anti-bribery policies and management systems internally to ensure they are in accordance with the requirements of ISO 37001. Organizations may also seek assistance from law firms or other third parties with relevant experience.
In short, ISO 37001 benefits organizations by providing:
- guidance for developing and maintaining an effective anti-bribery management system;
- assurance to the organization and interested parties that the organization is proactively taking actions to identify and prevent bribery; and
- evidence that the organization has taken reasonable steps to prevent bribery in the unfortunate event of an investigation.
Though it is still to be determined whether the relevant authorities will view ISO 37001 as helpful for evaluating FCPA compliance programs, ISO 37001 does provide organizations with a clear and uniform standard of anti-corruption measures to guide them when establishing, implementing and improving their anti-corruption compliance programs. With such standards in place, organizations may gain greater confidence as they navigate regulatory interpretation, treatment and enforcement of the FCPA.