Global companies in the United
States have an uneasy relationship with the Foreign Corrupt Practices Act. Most
recognize that corruption can be damaging to business, but decry the statute as
unfair: Because the United States is more aggressive about enforcing its
anti-corruption laws than other countries, U.S. companies are more likely to be
prosecuted for bribing foreign officials. The FCPA effectively tilts the
playing field against us in foreign business transactions. But the global
landscape gradually may be changing. Corruption prosecutions outside the U.S.
are becoming more common, and many foreign governments have signaled a change
in perspective by enacting new and stricter anti-corruption laws.
Now a movement is afoot to
create a uniform anti-corruption compliance standard for companies around the
world. The International Organization for Standardization - the same group that
brought us the ISO 9001 quality certification - has drafted a new international
standard targeted at defining best practices for managing the risks of
corruption and bribery. The Anti-Bribery Management Systems Standard, ISO
37001, is currently in draft form. The draft Standard was approved by a
majority of voting members in April 2016, and is scheduled for release in final
form in September. The Project Committee in charge of drafting ISO 37001 is led
by representatives from the U.K., with the U.S. and at least 35 other countries
also participating, including Brazil, China, India and Nigeria.
Like ISO 9001, the
anti-bribery Standard will allow companies to obtain certification from
accredited third parties that their management systems meet its requirements.
None of the requirements listed in the draft Standard should come as a big
surprise to U.S. companies that have already implemented anti-corruption
compliance programs. They include:
Implementing formal
anti-bribery policies;
Communicating these policies
to employees and business associates;
Appointing a compliance
officer;
Offering anti-corruption
training to employees;
Monitoring compliance;
Conducting risk assessments
and due diligence;
Taking steps to ensure
business associates have implemented anti-bribery controls;
Enacting policies and
procedures that restrict gifts, hospitality and charitable donations;
Implementing other financial
controls;
Establishing anonymous
reporting systems for whistleblowers; and
Establishing effective
investigation procedures.
Obtaining ISO 37001
certification could benefit companies in a number of different ways. Companies
will be able to point to certification as a means of assuring their customers,
business associates, and potential investors that they are taking reasonable
steps to prevent bribery. Directors and officers similarly may look to
certification as an affirmation that appropriate compliance measures are in
place. For companies that are just beginning to branch out globally, the steps
outlined in the draft Standard provide detailed guidance as to how a global
anti-corruption compliance program might look.
Companies should also be aware
of what the Standard will not do. It will not establish
binding legal requirements. Facilitation payments are an example of this. These
are relatively small payments to public officials to secure or expedite the
performance of routine and non-discretionary services, such as obtaining
utilities, work permits, police protection or visas. Although facilitation
payments to foreign officials are permitted under the FCPA, they are illegal
under the laws of most other countries and prohibited under ISO 37001. Evidence
that a U.S. company permits facilitation payments might jeopardize its
certification under the Standard, but should not be a basis for prosecution in
U.S. courts.
Conversely, compliance with
the Standard will not establish a defense to prosecution for bribery in U.S.
courts. That a company is certified may influence a regulator’s decision
whether to bring charges or not. Certification will also provide evidence in
court that a company has taken reasonable steps to prevent bribery - which
could substantially mitigate any sentence imposed. But it will not eliminate
liability in the face of evidence that bribery has actually occurred. A
business associate’s certification under the program similarly provides no
guarantee to partners that it doesn’t participate in bribery.
ISO 37001 further fails in its
endeavor to create a platform for global uniformity. The draft Standard
provides no clear definition of “bribery” and (facilitation payments excepted)
defers to the laws of individual countries to establish what’s prohibited. Its
requirements are also flexible, allowing companies to vary the strength of
adopted compliance measures depending on their size and geographic reach. While
such flexibility is an absolute necessity if ISO 37001 is to have any real
utility for smaller businesses, it prevents the Standard from giving businesses
a means to clearly benchmark how far their compliance programs should go.
Finally, ISO 37001 includes an
important proviso allowing certified companies to skip requirements that
conflict with applicable law. Anonymous reporting systems are an example of
this. Although they are widely used throughout the U.S., such systems violate
the data protection laws of a number of countries in Europe. While necessary,
this exemption undermines the potential benefits of the Standard for
muti-national corporations seeking to develop compliance programs that can be
implemented anywhere in the world. One wonders whether it would have been more
effective to eliminate anonymity and other controversial requirements from the
Standard, leaving companies free to adopt them (or not) where permitted by law.
Whether ISO 37001 will have
any real impact on business relationships remains to be seen. The ISO has
published nearly 20,000 international standards - the majority of which most
people have never heard of. Others - like ISO 9001 - have an extraordinary
reach. Whether ISO 37001 becomes widely used or not, it underscores the global
trend against corruption even in countries where bribery is culturally
engrained.
No comments:
Post a Comment