Like other areas, developing compliance with anti-corruption regulations is a tall endeavor whose requirements can vary based on a number of factors, including jurisdiction, size, and sophistication of the company. The emerging International Standards Organization (ISO) 37001:2016 standard for Anti-Bribery Management Systems, issued in October 2016, may be a significant move towards some clarity and standardization in this area, right? Maybe, but not so fast.
A number of jurisdictions such as Singapore have adopted the ISO 37001 standard, and Microsoft announced earlier this year it will be the first public U.S. company to adopt the standard. Does this mean we will soon be seeing “compliance in a box” solutions that could help companies large and small circumvent the need for customized compliance programs? Probably not.
First off, the ISO 37001:2016 standard only covers bribery and not other activities like fraud prevention or anti-money laundering (AML).
Second, the jury is out on whether this standard will become a worldwide industry standard like ISO 9001 (quality management) or whether the early interest we are seeing will fizzle out. US commentators think that while the guidance is a useful tool, its core principles are effectively the same as what you already see in the US Department of Justice (DOJ), US Securities & Exchange Commission (SEC), US Foreign Corrupt Practices Act (FCPA) Guidelines, and the Federal Sentencing Guidelines. There are also some minor differences. For example, the standard does not allow for facilitation (or so-called “grease”) payments, which can under certain circumstances be acceptable under the FCPA (but not the UK Bribery Act).
That said, having an independent third party audit and provide a certification for a company’s anti-bribery management system may carry appreciable weight with US regulators. It remains to be seen what the DOJ and SEC say on this particular point. The DOJ did, however, release guidance on the Evaluation of Corporate Compliance Programs in February.
But how can you define a standard when governments tend to look at many, not to mention different, factors?
Interestingly, for countries like Singapore and Peru (and others that follow them) it may be that government contractors or those seeking public tenders may eventually need to certify that they are ISO 37001 compliant to even bid for projects in certain countries. In drafting contracts for international counterparties, it may be less controversial to incorporate compliance provisions referencing a neutral ISO standard than, say, referring to the FCPA.
While following a standard could be a great place to start, the reality is that anti-corruption laws are national in nature and not international, even though effort has been made to harmonize some of these laws. A solid compliance program will adopt policies that are tailored to the requirements of the local jurisdiction but with an eye to establishing an over-arching “best practice” standard that would not cause reputational damage for the company in other countries. Importantly, compliance programs also have an entirely proprietary dimension – they must cover key exposure points, which can vary not only from country to country but business to business and business line to business line.
For now, it is clear that no one size fits all, and attention to domestic nuances remains critical for compliance with anti-corruption requirements.
Note: Eric Ubias (Senior Counsel, Akrivis Law Group, PLLC) contributed to this post.