Last week, I posted a brief announcement about an interesting new report from Transparency International USA about verification of corporate anticorruption compliance programs — that is, efforts to ensure that the measures companies put in place to ensure compliance with anti-bribery law (and other legal and ethical requirements) are actually working. One particularly interesting facet of the report, at least for me, was the discussion of the emerging “certification” industry: private firms that companies can hire to review their compliance programs, and that provide a public certification — basically, a statement saying “we’ve reviewed this company’s compliance program and we think it’s up to scratch.” These certification services are different from more familiar consulting services, where firms assist companies in designing or evaluating their compliance programs (though the firms that offer certification also often offer consulting services as well).
While I’m all for private sector initiative to improve corporate anti-bribery compliance, I’ll admit I’m a bit skeptical as to the value of these services. Indeed, I worry a bit about whether they might in some cases prove counterproductive. And while the TI-USA report uses careful language, I read the report as evincing a fair amount of skepticism as well. I also want to be appropriately circumspect, as I don’t really know enough to have strong views, but let me raise a few concerns about the private anticorruption certification industry.
First, as the TI-USA report points out, most of these firms are quite opaque about their methodology, and as a result it’s difficult to know what a certification means. Furthermore, as yet there’s no agreed-upon industry standard for anti-bribery certifications. By itself, these are minor problems, but they connect to a bigger worry: I’m not sure anybody really knows enough yet to “certify” that a compliance program is adequate. That’s not to say that nobody knows anything, or that external advice is not valuable. Expert consultants, particularly those with auditing and accounting experience, can point out to companies where weak there are weak points in their systems. And lawyers, particularly those with government experience (or experience dealing with government enforcement agencies) can give helpful advice on what government prosecutors are likely to think about a company’s compliance efforts. But a “certification” sounds a little too much like a definitive judgment that the program is adequate, and I’m not sure whether anyone — particularly an outside consultant — could ever make such a judgment confidently.
And then there’s the question of what, exactly, the certification is supposed to be for. Who is the audience? There are a few possibilities, I suppose. One is that government enforcers might use a certification to determine whether a company had an adequate compliance program — an inquiry that may matter if there’s a formal “adequate compliance program” defense, as there is under the UK Bribery Act, but may also be relevant even under statutes like the US Foreign Corrupt Practices Act, which lacks such a defense but where the adequacy of the compliance program is nonetheless an important consideration. Another possibility is that these certifications are meant to be used by other firms. After all, because bad conduct by a company’s business partners and agents can get it into legal trouble, companies generally conduct due diligence on their partners and demand assurances — contractual representations & warranties, etc. — regarding anti-bribery and similar matters. A private certification could be useful in this context if it would allow firms to more efficiently evaluate potential business partners. One could similarly imagine that governments might use certifications as an additional criteria to consider when making procurement decisions.
Those are all possible — but I have my doubts. It seems to me highly unlikely that US, UK, or other enforcement agencies are going to start treating private compliance certifications as either necessary or sufficient for establishing that a firm had an adequate compliance program in place — especially if, as noted above, the methodology the certification firms provide remains opaque. For similar reasons, it’s hard to envision sophisticated private firms or government procurement agencies treating an anti-bribery certification as a substitute for meaningful diligence and other measures to protect themselves from corruption risk.
And if any of these entities did start treating a private firm’s certification as meaningful, that might cause more problems than it solves. Ideally, a private certification service could conserve resources and increase quality in the evaluation of anti-bribery programs: It could increase quality, because the certification firms might have much more expertise in program evaluation than the average small or medium-sized entity. And it could conserve resources, both because economies of scale allow evaluation of compliance programs to be outsourced, and because the certification (or its absence) provides a kind of shorthand, or shortcut, obviating the need for other parties to do their own independent investigations. But in practice, if governments or other businesses started treating private anti-bribery certifications as important indicators of the existence of an effective program, I fear the result could be the opposite: reducing quality and wasting resources. This would occur if certifications ended up being relatively superficial evaluations of whether a company had an adequate formal program in place (particularly if the evaluation was based largely on the company’s self-reporting), without as much attention to intangible factors (such as the elusive but important “tone from the top”) and more rigorous internal testing. What we might get, in that case, are resources wasted on essentially duplicative external evaluations of things that companies themselves can and do evaluate internally — just to get the “gold star” of certification — while at the same time reducing the actual quality of programs, if the certification is perceived as obviating the need to do more extensive and expensive internal or external evaluations.
So I’m not sure I quite “get” the emerging private anti-bribery certification industry. But again, this is not something I know much about, so perhaps someone out there with more familiarity with these issues can enlighten me.