Dear Governments: Please Don’t Make Private Certification the Touchstone of an Adequate Anti-Bribery Program!!!

A little while back, I posted a couple of critical commentaries (here and here) about the efforts underway to develop an International Organization for Standardization (ISO) standard for corporate anti-bribery programs (ISO 37001), modeled on the already-existing UK standard developed by the British Standard Institute (BS 10500). (For those unfamiliar with these organizations or what they do, these standards are developed by a private consortium, and then private firms conduct–for a fee–audits of companies and provide a “certification” that the company is in compliance with the standard. These standards in the past have dealt with technical or quality control issues — the proposed anti-bribery standard is, to the best of my knowledge, the first ISO standard to deal with a legal issue of this type.) Without rehashing my earlier posts here, I raised questions both about how these certifications were supposed to work in practice, and about what they were for. I raised but dismissed the possibility that law enforcement might treat ISO/BS certification as an adequate indicator that a firm had a satisfactory compliance program (or that absence of ISO/BS certification as an indicator the compliance program was inadequate). I dismissed the possibility because lots of people (including those who work in the compliance certification business and those involved with the development of the ISO standard), assured me that such certification was not intended to have that kind of dispositive legal significance (even if it might be relevant to the law enforcement agency’s inquiry).

I would have left the matter there, and probably not written about it again, but for some remarks at last December’s World Bank International Corruption Hunters Alliance meeting. On a panel about “Fighting Transnational Bribery,” Detective Inspector Roger Cook, with the Operations area in the City of London Police’s Economic Crime Directorate, spoke with great enthusiasm about BS 10500, the model for the proposed ISO 37001. (This is perhaps unsurprising given that, as I just learned from his City of London police bio, he “contributed to the development and implementation of … BS 10500 and the developing ISO 37001.”) I don’t have a transcript or a video, nor am I a trained stenographer, but I tried to copy down Detective Inspector Cook’s remarks on this topic as close to verbatim as possible, and they went (according to my notes) more or less like this:

[If you’re a company, the BS 10500 standard] is going to give you a lot of comfort. Simply by getting accredited, then you have those adequate procedures that the UK Bribery Act requires companies to have [(that is, to satisfy the affirmative defense to the strict liability offense of failure to prevent foreign bribery)]. If the company has BS 10500 [certification], we’re not going to look much further, as long as they’re applying it properly. And an ISO standard [ISO 37001] is also in the works, about 18 months away. Think how good that would be, if every company going for a public contract were accredited. [We should] make that [certification] a condition for public contracts.

Now, Detective Inspector Cook was speaking in his personal capacity, not on behalf of the City of London Police or the British government. And he is not affiliated with the Serious Fraud Office (SFO), which has principal responsibility for bringing enforcement actions under the UK Bribery Act. But I nonetheless found these remarks quite troubling, so perhaps it’s worth restating the reasons why private anti-bribery certification or accreditation, according to something like the proposed ISO standard, should not be considered necessary or sufficient to establish the compliance defense under the UK Bribery Act, and should not be considered necessary or sufficient to engage in government contracting.

To a certain extent I’m repeating what I said in my earlier posts, but I think it bears repeating here.

Most importantly, there is no “one-size-fits-all” approach to an effective and appropriate anti-bribery compliance program. This is not a terribly controversial proposition; it is shared by just about every sensible person I’ve heard address this general topic (including the very thoughtful people who work in the anti-bribery certification industry, and who I very much respect even though we may have a few disagreements about the appropriate role of such certifications). Although there are some core elements that should be part of any effective compliance program, the details of such programs will (and should) vary considerably depending on the size and business of the firm, the countries in which it’s doing business, and a host of other factors. I’ll simply restate here what I said before:

[I]f [law enforcement agencies started] treating a private firm’s certification [under the ISO standard] as [establishing, for law enforcement purposes, that the firm had an adequate compliance program in place], that might cause more problems than it solves…. [I]n practice, if governments … started treating private anti-bribery certifications as important indicators of the existence of an effective program, I fear the result could be … reduc[ed program] quality and wast[ed] resources. This would occur if certifications ended up being relatively superficial evaluations of whether a company had an adequate formal program in place (particularly if the evaluation was based largely on the company’s self-reporting), without as much attention to intangible factors (such as the elusive but important “tone from the top”) and more rigorous internal testing. What we might get, in that case, are resources wasted on essentially duplicative external evaluations of things that companies themselves can and do evaluate internally — just to get the “gold star” of certification — while at the same time reducing the actual quality of programs, if the certification is perceived as obviating the need to do more extensive and expensive internal or external evaluations.

Or as I put this (a bit more succinctly) in a subsequent post:

If [law enforcement treats the ISO certifications as significant,] things might be even worse [than if they were ignored]: The ISO certification process might demand too little of firms (making it possible to get the ISO gold star with only a “paper program”) or it might demand too much (with rigid outside auditors insisting on features that the company does not need, given its risk profile). And why do we need this? Why not do what we have been doing — use a combination of the threat of legal liability and the promotion of ethical business norms to encourage a better compliance culture, without trying to reduce everything to a single international standard?

The larger point here is that I’m deeply troubled by the idea that law enforcement agencies (or government procurement officers) might outsource the evaluation of a firm’s anti-bribery compliance program to a private organization. And perhaps it bears emphasis that the auditing bodies performing these evaluations do so for a fee, and may not have the requisite expertise to make the fine-grained, risk-based, case-by-case assessments that law enforcement agencies (including the US Department of Justice and the UK Ministry of Justice), as well as the more competent and reputable private certification firms, routinely emphasize as necessary.

I want to emphasize that I am not here saying that private certifications of anti-bribery compliance do not perform a useful role, nor that the decision to develop the ISO 37001 standard is misguided. Admittedly, I have in the past at least hinted at the former, and have openly argued the latter. But neither of those stronger positions is necessary for the point that I want to make here. Even if private certification, or a uniform international standard of some kind, might play a useful role, such a standard should not be used by governments–and especially not by law enforcement–to determine whether a company’s anti-bribery program is in fact appropriate. To do so would be of great benefit to the organizations that provide the standards and the firms that do the certifications, but to nobody else.

6 thoughts on “Dear Governments: Please Don’t Make Private Certification the Touchstone of an Adequate Anti-Bribery Program!!!

  1. Matthew, this is great observation and comment. I do agree with you that such a certification should not be used on the law enforcement side or that of an anti-corruption agency to say “amen” for the company’s anti-corruption programme.
    However, we do need to think how to promote internal company anti-corruption programmes and make them effective but also make for the company this as a mandatory. Of course as you pointed out such programmes cannot be the same depending on the type of activities, turn-over, size, markets (domestic, foreign (EU/US) or in Africa, Latin America, Asia) and clients. May I note that for example in Serbia such company anti-corruption programmes are just absent but if the ISO standard goes through then there will be a big business for consultancy firms to sell the anti-corruption package. And the companies will pay for it if it will be sufficient to pass any routine control on the part of he anti-corruption agency or other law enforcement body. BTW, please note that the TI in its Company Bribery uses three indicators: presence of the anti-corruption programme, transparency in financial reporting and transparency in foreign market reporting. If such a TI “new” corruption measure becomes as internationally acknowledged as the CPI then we will have the whole industry of anti-corruption programmes and certificates. Thus, I do agree with your final statement that this may just bring money to few “opportunistic” consultants and companies as well.
    Still, there is a need to promote the anti-corruption culture and effective mechanisms within companies. This is a big challenge but I believe in some parts of the world it is indeed
    of utmost importance. Already the level of anti-corruption scrutiny over the state and public enterprises has drastically increased but not so vis-a-vis the private ones.
    Ugi Zvekic

    • I completely agree with everything you say about the need to promote more effective compliance programs, and a more robust “compliance culture”, in private firms — and I hope nothing that I wrote in this or any other post might suggest otherwise. I think on the essential points we are in broad agreement: It’s important to get private firms to take anti-bribery compliance more seriously and to do it better, and at the same time an ISO or equivalent certification by a private auditor should not be treated by law enforcement as determinative of whether the firm has an adequate program.

      The trickier question, and the question where we _might_ disagree slightly (though I’m not sure), concerns the degree to which something like an ISO anti-bribery standard might serve a useful purpose, stimulating more, and more effective, compliance programs, even if governments do not treat them as dispositive. I’m not sure, though in the past I’ve expressed some tentative skepticism. Your comment suggests to me that you’re a bit more optimisitic.

      • Well, maybe I am a bit more optimistic Under the condition that certificates are honestly issued. Yet that in itself is an issue of ethics in anti-corruption work. May sound strange but it is very relevant. Ugi

  2. This was a great piece to read, and makes many good points — but from a liability and deterrence standpoint I also wanted to note that, even if U.S. prosecutors declined to prosecute FCPA cases against U.S. government contractors as long as they submitted certifications of compliance, those contractors still could not avoid liability under other U.S. laws. Such certifications, if false, could expose them to liability under the False Claims Act, which authorizes both civil and criminal penalties for violations, including treble damages. And while an FCPA enforcement action can only be brought by the U.S. government, the False Claims Act’s qui tam provision allows private citizens with knowledge of violations to pursue their own cases against defendants, and incentivizes them to do so by allowing a qui tam plaintiff to receive a percentage of the damages if liability is found. A number of U.S. federal courts have construed liability under the act broadly, including finding FCA liability where a contractor has made either an express or implied certification to a government agency that it was in compliance with certain regulatory requirements. One U.S. company was recently found liable for civil penalties for anti-corruption-related violations of the False Claims Act by a federal jury in D.C., where the company had submitted a certification of compliance with the FCPA in connection with obtaining a loan from the Export-Import Bank to finance a project in Nigeria, and a whistleblower claimed that the company had in fact paid bribes to Nigerian government officials. For all of these reasons, the risk of FCA liability has to be a critical part of any U.S. contractor’s risk assessment in submitting certifications of anti-corruption compliance to the U.S. government.

    I note all the above not because I think other countries should necessarily follow the U.S. system, but because it raises some questions in my mind about the ways other laws that are not anti-bribery laws might also be used to promote more robust compliance programs:

    (1) What are the advantages and disadvantages of the FCA vs. the FCPA in penalizing contractors who falsely certify to the adequacy of their anti-corruption compliance programs? The treble damages and qui tam provisions in the False Claims Act can increase the liability risks for contractors, but, from the perspective of enforcing the laws, combating corruption, and bringing bad actors to justice, I’m not sure the FCA is sufficient. An FCPA case in the U.S. would probably be more likely to result in follow-on prosecutions in other jurisdictions; I tend to think a False Claims Act case in the U.S. (whether criminal or civil) would not have that same effect, and would undercut the goal of encouraging more prosecutions in countries where the bribes were actually demanded. From an enforcement standpoint I’m sure the answer is that it is good to have both the FCPA and FCA as tools to use against contractors (not to mention suspension and debarment under the Federal Acquisition Regulations). But from the standpoint of motivating corporate leaders to take seriously the adequacy of their corporate compliance programs by communicating how much it can affect their bottom line if they do not, I think in at least some cases FCA liability might prove to be a more effective deterrent for U.S. government contractors.

    (2) Is there a push in other countries to go after government contractors who make false certifications in connection with their government contracts? And, if there are such laws in those countries that allow the government to seek relief or otherwise penalize government contractors for false certifications, why or why not do they, or why or why could they not, be used to go after a contractor if a prosecutor declined to go after a government contractor for bribery? I have very little knowledge of non-U.S. government contracts law but would be curious to learn more about this.

    I realize this is a lengthy post, but at least wanted to put this out there if others reading who have experience in these areas wanted to weigh in as well.

  3. Strangely enough, as Chairman of the ETHIC Intelligence Certification Committee which has been certifying anti-corruption programs since 2006, I fully agree with your analysis. Thank your for clarifying this issue as many people are misled by the shortcut expression “anti-corruption certification” and falsely believe it offers watertight legal protection.

    Clearly authorities will launch criminal proceedings for corrupt acts because these constitute a criminal offense. Authorities examine the liabilities of:
    A/ The individual paying the bribe
    B/ The individual’s management, who
    1. may have asked for the bribe to be paid;
    2. may have tolerated, or turned a blind eye to, the payment of the bribe, or;
    3. may, on the contrary, have taken appropriate steps to prevent bribery which ultimately

    In the first two cases, the management is clearly liable. In the third case, the managers’ liability is mitigated if judges are convinced that the individual paid a bribe purposely circumventing company policy.

    The sole existence of a compliance program does not suffice. What counts is the fact the compliance program is designed to mitigate a company’s specific corruption risk.
    When it comes to certification, it follows that merely certifying the existence of a compliance program is neither sufficient nor useful.

    This is why ETHIC Intelligence certification is about ensuring that the program is adequate to the company’s specific risk and organization. At the core of our methodology:
    1. Regularly updated terms of reference gathering legal requirements (Italy, USA, UK…) voluntary guidelines (ICC, OECD, TI…), standards (BS 10500, ISO 19600…) and evolving best practices;
    2. A two-tiered evaluation process consisting of i) an independent accredited inspection company which carries out the in-situ evaluation and ii) a committee of international lawyers who evaluate audit reports and decide to award or deny certification.

    ETHIC Intelligence certification is unique in that it is a collective decision made by separate, independent parts (auditors and lawyers) having no conflict of interest with each other or with the company. We believe this provides a certain level of legitimacy and comfort to companies that the program evaluated is adequate to prevent their specific corruption risk.

    This is why I believe our certification process offers more than the BS 10 500 and the ISO 37001 standards (the latter still under discussion) which rely one level of evaluation and attest to the existence of an anti-corruption compliance program, not the adequacy of the program to the risk.

    ETHIC Intelligence certification is a form of “voluntary monitoring” by auditors and committee lawyers. It demonstrates management’s genuine commitment to ensuring that their company’s program is regularly adapted to evolving risk. As such I believe that it offers an element of legal comfort to managers truly committed to doing business with integrity.

  4. Pingback: The Draft ISO 37001 Anti-Bribery Standard’s Promise and Limitations | Global Investigations + Strategic Intelligence

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.