While expansive enforcement of the U.S. Foreign Corrupt Practices Act (FCPA) and the 2011 entry into force of the UK Bribery Act (Bribery Act)1 have received the greatest amount of attention, multinational corporations are also subject to anti-corruption laws wherever they do business. Designing an effective anti-corruption compliance program that meets the requirements of many different laws may at first appear nearly impossible to achieve. A comparison of laws from various jurisdictions, guidance issued by various responsible authorities, and guidance gleaned from settlement agreements and relevant private organizations, however, leads to a different conclusion: there is now a broad emerging global consensus on what governments expect for compliance programs. This global standard for effective anti-corruption compliance programs contains common elements and standardized responsibilities.
This Advisory reviews the core anti-corruption compliance program elements that form the basis of this global standard and discusses the foundations of an effective anti-corruption compliance program that need to reflect these key elements.
I. The Emerging Global Standard
The U.S. Department of Justice (DOJ) and the U.S. Securities and Exchange Commission (SEC) highlighted the existence of an emerging global standard in the recently published A Resource Guide to the U.S. Foreign Corrupt Practices Act (FCPA Guidance).2 Multinational corporations reviewing the FCPA Guidance are likely asking themselves whether implementing its compliance program recommendations will address concerns of other law enforcement authorities who are reviewing the adequacy of compliance under other anti-corruption laws with a view to determining whether any enforcement actions are needed to address possible improper conduct. The FCPA Guidance reflects in key respects the emerging common standards in its presentation of ten “hallmarks” for an effective anti-corruption compliance program:
- Commitment from senior management and a clearly articulated policy against corruption;
- Code of conduct and compliance policies and procedures;
- Oversight, autonomy, and resources;
- Risk assessment;
- Training and continuing advice;
- Incentives and disciplinary measures;
- Third-party due diligence and payments;
- Confidential reporting and internal investigations apparatus;
- Continuous improvement: periodic testing and review; and
- Mergers and acquisitions: pre-acquisition due diligence and post-acquisition integration.3
Key guidance publications of the Organisation for Economic Co-operation and Development (OECD), the Asia-Pacific Economic Cooperation, the International Chamber of Commerce (ICC), Transparency International, the United Nations, the World Bank, and the World Economic Forum lay out identical or very similar core anti-corruption compliance program elements.4 The same is true in governmental and private materials from countries such as the United Kingdom, Canada, Brazil, Japan, Germany, and South Africa.5
II. Core Components of an Effective Anti-Corruption Compliance Program
The FCPA Guidance is consistent with the wealth of other guidance issued or developing around the world, as reflected in the following brief summary of the elements in the U.S. Guidance and representative global guidance.
Commitment from Senior Management and a Clearly Articulated Policy Against Corruption. Boards of directors and senior executives are expected to set the proper tone to create a culture of compliance throughout their organization. The high-level commitment must be reinforced by middle-managers at all levels of the company, and enforcement authorities will evaluate, as described in the FCPA Guidance, “whether senior management has clearly articulated company standards, communicated them in unambiguous terms, adhered to them scrupulously, and disseminated them throughout the organization.”6 The Bribery Act Guidance adds that “[t]hose at the top of an organisation are in the best position to foster a culture of integrity where bribery is unacceptable.”7 Other guidance materials are consistent and reflect in parallel ways the need for a top-down unambiguous commitment.8
Code of Conduct and Compliance Policies and Procedures. Multinational corporations must have codes of conduct, as well as anti-corruption policies and procedures, that are “clear, concise, and accessible to all employees and to those conducting business on the company’s behalf.”9 As noted, for example, in the Manual from the Office of the Comptroller General of Brazil in conjunction with the Ethos Institute for Business and Social Responsibility, “[t]he code serves to provide all agents operating on behalf or in name of the enterprise and other stakeholders with full knowledge of the principles, values, and standards and types of permissible activities and expected conduct in the enterprise.”10
Anti-corruption provisions in a corporate code, as well as relevant policies and procedures, must be binding on all directors; officers; employees; and, where appropriate, subcontractors, and should be tailored to a company’s specific individualized risks. As stated in Transparency International’s Business Principles for Countering Bribery, “[t]he Programme should be tailored to reflect an enterprise’s particular business circumstances and culture, taking into account such potential risk factors as size, business sector, nature of the business and locations of operation.”11 Controls are universally expected with regard to the use of third parties, gifts, hospitality, entertainment, travel, political contributions, charitable donations, sponsorships, facilitating payments, solicitation, extortion, and acceptance of bribes.12
These policies and procedures should also build in appropriate reviews and approvals by qualified business, legal, and compliance personnel, as well as confirm that there is a sound system of financial and accounting procedures and a system of internal controls reasonably designed to ensure the maintenance of fair and accurate books and records with appropriate documentation to support all entries.13
Oversight, Autonomy, and Resources. Multinational corporations should have a dedicated compliance infrastructure with “one or more specific senior executives within an organization” responsible for oversight and implementation, and “[t]hose individuals must have appropriate authority within the organization, adequate autonomy from management, and sufficient resources to ensure that the company’s compliance program is implemented effectively.”14
Consideration should be given to reporting relationships to independent monitoring bodies. The FCPA Guidance, for example, states that “[a]dequate autonomy generally includes direct access to an organization’s governing authority,” such as the board of directors or an audit committee.15 This requirement is consistent with expectations outlined in international guidance resources, which contemplate “direct reporting obligations to independent monitoring bodies;”16 a committee responsible for “monitoring compliance with applicable standards of conduct;”17 regular reporting to the Board of Directors, “including the highest corporate officer,” by a compliance supervisor;18 and “adequate level of autonomy from management, resources, and authority.”19
Guidance resources also outline the necessity of dedicating adequate resources for a compliance program to be effective.20 According to the FCPA Guidance, enforcement authorities will look at whether a “company devoted adequate staffing and resources to the compliance program given the size, structure, and risk profile of the business.”21
Risk Assessment. An anti-corruption compliance program should be designed and tailored to a company’s individualized risk.22 As articulated in the Bribery Act Guidance, companies must assess “its exposure to potential external and internal risks of bribery on its behalf by persons associated with it.”23
The OECD’s Good Practice Guidance on Internal Controls, Ethics, and Compliance represents broad consensus when outlining that anti-corruption compliance programs “should be developed on the basis of a risk assessment” and that a company’s risks should be “regularly monitored, re-assessed, and adapted as necessary.”24 As the FCPA Guidance makes clear, “[o]ne-size-fits-all compliance programs are generally ill-conceived and ineffective because resources inevitably are spread too thin, with too much focus on low-risk markets and transactions to the detriment of high-risk areas.”25
Several factors should be taken into consideration when performing the risk assessment, including, but not necessarily limited to, a company’s size, business sector, and geographic location; level of government oversight and interaction; reliance on third parties who interact with governments on behalf of the company; business strategies using mergers, acquisitions or other business combinations; exposure to customs and immigration authorities; involvement in joint venture agreements; and the importance of licenses and permits to the operations of a business.26 Furthermore, as corruption risks increase for a company “that business should consider increasing its compliance procedures, including due diligence and periodic internal audits.”27
Training and Continuing Advice. Policies and procedures cannot be effective without adequate training and ongoing advice for company directors; officers; employees; and, when appropriate, third parties.28 For example, the ICC Rules on Combating Corruption state that “key personnel in areas subject to high corruption risk should be trained and evaluated regularly,”29 the FCPA Guidance and a settlement agreement from Canada expect that the trainings should be “periodic,”30 and the CGU Manual from Brazil highlights the importance of training “new hires” as well as existing employees.31 A couple of sources similarly emphasize that the training programs should be “tailored to relevant needs, circumstances, roles and responsibilities” so that the information provided to the audience is of most relevance and utility.32 In this regard, the FCPA Guidance provides as an example that sales personnel and accounting personnel may benefit from different and tailored training that focuses on hypotheticals specific to their particular day-to-day work experiences.33 Certifications should be obtained from all directors; officers; employees; and, where appropriate, third parties.34 Finally, and as with other elements of anti-corruption compliance programs, the “[t]raining activities should be assessed periodically for effectiveness.”35
Communication of company policies and procedures should not be reserved to periodic formal training programs. The CGU Manual, for example, recommends the “implementation of a permanent communications policy,” which could include such elements as “internal newsletters for employees; a separate space on the intranet devoted to ethics; dissemination of examples of good practices of ethical conduct; posting of pamphlets and announcements on bulletin boards; presentation of positive results obtained from the implementation of the code of conduct; and incorporation of the ethical and integrity principles and values in the organization’s mission and vision statements.”36 The World Bank Integrity Compliance Guidelines further recommend that the communication not be kept internal, stating that “[p]arty management also should make statements in its annual reports or otherwise publicly disclose or disseminate knowledge about its Program.”37
Incentives and Disciplinary Measures. No anti-corruption compliance program can be effective if it is not enforced. To test the credibility of a program, government authorities will look to whether “a company has appropriate and clear disciplinary procedures, whether those procedures are applied reliably and promptly, and whether they are commensurate with the violation.”38 As highlighted by the World Bank Integrity Compliance Guidelines, disciplinary measures should include termination and apply to “all persons involved in Misconduct or other program violations, at all levels of the party including officers and directors.”39 In the words of the FCPA Guidance, “[a] compliance program should apply from the board room to the supply room—no one should be beyond its reach.”40
Companies also should reward their employees for good behavior and compliance with policies and procedures.41 For example, the ICC Rules on Combating Corruption recommend that multinational corporations include “the review of business ethics competencies in the appraisal and promotion of management and measuring the achievement of targets not only against financial indicators but also against the way the targets have been met and specifically against the compliance with the Enterprise’s anti-corruption policy.”42 The FCPA Guidance recommends incorporating adherence to compliance as “a significant metric for managements’ bonuses,” “recognizing compliance professionals and internal audit staff,” and making “working in the company’s compliance organization a way to advance an employee’s career.”43
Third-Party Due Diligence and Payments. Companies must be vigilant in selecting and monitoring third parties that act on their behalf in interactions with governmental officials. As detailed in the World Bank Integrity Compliance Guidelines, companies should “[a]void dealing with contractors, suppliers and other business partners known or (except in extraordinary circumstances and where appropriate mitigating actions are put in place) reasonably suspected to be engaging in Misconduct.”44
The FCPA Guidance lays out three “guiding principles” in addressing third party relationships: “understand the qualifications and associations” of third party partners, “understand the business rationale” for working with a third party, and “undertake some form of ongoing monitoring of third-party relationships.”45 Accordingly, international guidance materials are consistent in expecting that companies will institute risk-based due diligence that requires management and legal approval in order to identify, mitigate, and respond properly to specific risks posed by its third parties; inform third parties of the company’s commitment to complying with anti-corruption and anti-bribery laws, as well as the company’s policies and procedures; and seek reciprocal commitments from third party business partners.46 The guidance materials highlight that relationships with government-interacting third parties should include, among other protections, adequate anti-corruption commitments, termination provisions for wrongdoing, and transparency and reasonableness in payment terms.47 Finally, they concur that relationships with such third parties must also be continuously monitored.48
Confidential Reporting and Internal Investigation. An effective anti-corruption program must provide resources for company employees, and where appropriate third parties, to make anonymous reports about potential or actual misconduct.49 The goals are to create mechanisms so reports will be made “to responsible enterprise officials as early as possible,”50 and employees will not fear retribution or retaliation for making reports in good faith. Many companies make reporting a mandatory obligation of employment, an expectation that is built into the World Bank Integrity Compliance Guidelines.51 The FCPA Guidance implicitly commends companies that have instituted hotlines or ombudsmen to serve the role of receiving and processing reports.52 There is broad consensus internationally that the compliance infrastructure must have a system to respond to reports, conduct appropriate investigations, and document the company’s response.53
Continuous Improvement: Periodic Testing and Review. There is similar broad consensus that a compliance program cannot be drafted and remain static, but needs to be periodically reviewed and tested to remain effective.54 Companies must take into consideration factors such as “business changes over time;”55 the program’s “suitability, adequacy and effectiveness;”56 weaknesses and shortcomings in the program that require enhancements;57 “relevant developments in the field;”58 and “evolving international and industry standards.”59
The FCPA Guidance recommends the following: 1) “employee surveys to measure their compliance culture and strength of internal controls, identify best practices, and detect new risk areas” and 2) periodic testing of “internal controls with targeted audits to make certain that controls on paper are working in practice.”60 The Bribery Act similarly recommends benchmarking with other organizations to help assess whether up-to-date good practices are being followed.61
Mergers and Acquisitions: Pre-Acquisition Due Diligence and Post-Acquisition Integration. Companies may face liability for the actions of entities that they merge with, acquire, or join in other business combinations such as joint ventures. Because of successor liability, companies cannot erase potential corruption liability through a change in ownership or structure. For these reasons, companies should conduct effective due diligence prior to entering into the business combination in order to determine past improper conduct and potential risks associated with the transaction and the business combination moving forward.62 In this connection, under the FCPA, government enforcement authorities will also look to whether “the acquiring company promptly incorporated the acquired company into all of its internal controls, including its compliance program.”63
Governments worldwide expect companies to comply with relevant anti-corruption laws. As this Advisory illustrates, this compliance must include the framework and mechanisms to demonstrate to governments that proper controls are in place to prevent, detect, remediate, and respond to potential wrongdoing. Companies that fail to have in place an effective compliance program could expose themselves to increased risks of improper conduct occurring within the organization and to potentially greater corporate liability. The absence of an effective compliance program in many cases could make it more difficult for companies to show enforcement authorities that wrongdoing of employees, agents, or other third parties was merely individual misconduct.
To meet these expectations of government, the task is now clear. Multinational companies must minimize the risks presented by potentially corrupt activities in their international operations by developing effective and robust anti-corruption compliance programs. While there is no one-size-fits-all program, and attention must be paid to local laws and enforcement priorities, the emerging global standard on compliance programs provides valuable guidance that companies can reasonably use as a roadmap for developing a globally integrated and consistent program that is appropriate to the particular circumstances of the individual company involved.
Doing so will afford greater protection from liability and place companies in the best position to prevent, detect, remediate, and respond to potential corruption activities.