Anti-Bribery Compliance: Don’t Forget ISO 37001
Corporate compliance enthusiasts have one more item on their To Do list this winter: be sure to review and comment on ISO 37001, the draft standard for anti-bribery management systems.
The International Standards Organization has been working on ISO 37001 since 2013, and the goal is a final standard approved and available by the end of 2016. The current draft was published in November, and is open for comment until later this spring. Copies of ISO 37001 are only available for purchase, for about $60. That’s a small price to pay for anyone who takes anti-bribery compliance seriously, so let’s get to the nitty-gritty of the standard itself.
U.S. compliance officers can rest easy: this standard is nothing that you are not doing already. Risk assessments, preventive and detective controls, remediation, strong tone at the top, anonymous reporting channels, training, anti-retaliation policies—they are all in there, just as you would expect. So is language about bribery as misconduct that should be prohibited by policy (the criminal side), and bribery as a failure of your financial systems that should be thwarted by strong internal controls (the civil side).
The few departures ISO 37001 makes from “standard” U.S. anti-corruption compliance are small, and largely theoretical. For example, the standard bans facilitation payments as well as bribery, where the former are technically allowed under the Foreign Corrupt Practices Act (even if facilitation payments are usually illegal in the country where you would actually pay them). As a practical matter, I haven’t met a chief compliance officer yet who is comfortable with facilitation payments anyway, so this difference isn’t likely to upset any CCOs here.
Likewise, ISO 37001 applies to commercial bribery as well as bribing of government officials, where the FCPA addresses bribery of government officials only. Again, I don’t encounter many compliance officers who say commercial bribery is fine, and the U.K. Bribery Act does ban commercial bribery too, so this is another bit of hair-splitting.
Two parts of the standard did give me pause. First, I tried to parse out whether the executive who oversees the anti-bribery program can be a general counsel or not. Granted, ISO designs its standards to be so agnostic that you rarely even see the phrases “compliance officer,” “chief audit executive,” or “general counsel,” let alone a description of what that person should do. You don’t see them in ISO 37001. The standard does, however, stress the need for the anti-bribery director to have as much independence as possible:
“Independence” means that the relevant person(s) assigned the compliance responsibility is as far as possible not personally involved in the activities of the organization which are exposed to bribery risk… Where the anti-bribery compliance function is part time, the role should not be performed by an individual who may be exposed to bribery while performing their primary function.
Well, general counsels review and advise on lots of contracts, and theoretically you could bribe a GC to skew his or her advice to some nefarious purpose—but again, we’re splitting hairs. (More clearly, however, this standard does suggest that business unit chiefs do not qualify as independent executives who can oversee an anti-bribery program.)
One other point in the ISO 37001 draft that I liked: it also talks about inbound bribery to your own employees. That’s not something we discuss often enough in FCPA circles, since we’re busy obsessing over outbound bribery your own employees might pay to some deputy under-secretary somewhere. ISO 37001 includes some useful observations about the different challenges of inbound bribery (lack of visibility into employees’ activity, for example; you can’t see what’s in their personal bank accounts) and how you might try to combat it.
Now, for U.S. compliance officers, the standards that matter most are always going to be the U.S. Sentencing Guidelines and their elements of an effective compliance program; plus the FCPA Guidance published in 2012 by the Justice Department and Securities and Exchange Commission. In this country, ISO 37001 is closer to an academic debate about how to structure your program, while the Sentencing Guidelines and FCPA Guidance dictate how you really work on a daily basis.
That said, ISO 37001 is an important document that deserves support from the compliance and FCPA community. Many countries still don’t have a strong culture of anti-bribery enforcement, so even when corporations in those places want to crack down on bribery (and many do), they struggle to find a straightforward framework upon which to build their program. ISO 37001 does that job—and without the mark of Uncle Sam upon it, which reduces the chances that employees will ignore anti-bribery compliance as just another U.S.-driven burden.