Guest Post: The Draft ISO 37001 Anti-Bribery Standard’s Promise and Limitations

William Marquardt and David Holley, respectively Director and Managing Director at the Berkeley Research Group, LLC (a private management consulting firm) contribute the following guest post, which is written in their personal capacity and does not necessarily reflect the opinions, position, or policy of the Berkeley Research Group or its other employees and affiliates:

This past April, the International Organization for Standardization (ISO) released its draft standard on anti-bribery management systems (ISO 37001). The standard is tentatively scheduled to be finalized later this year. In substantive content, the draft ISO standard is similar to the FCPA Resource Guide provided by the U.S. Department of Justice and Securities and Exchange Commission, in that it provides a list of elements that an effective anti-bribery/corruption (“ABC”) program should contain. In terms of the specific elements listed, the proposed ISO standard provides a number of sound recommendations – such as a comprehensive, risk-based approach, as well as management commitment to promoting an ethical corporate culture—but with a few exceptions, the draft ISO 37001 standard is not much different from the guidance available from the DOJ/SEC and other sources in multiple jurisdictions.

That’s not to say that there is nothing whatsoever distinctive about ISO 37001. It does differ from the existing guidance in some ways, some good (such as the comprehensive focus on documentation, document retention, and document availability) and some not so good (such as the unrealistic recommendations regarding extension of management’s internal control systems to third-party vendors). The draft ISO standard also puzzlingly omits consideration of certain key issues – such as the labor law and data privacy issues that arise in connection with bribery investigations, questions regarding how to address anti-bribery concerns in connection with M&A or joint venture due diligence, and (most generally) the integration of ABC management systems into the firm’s wider financial, operational, and regulatory functions. But, again, in most respects the ISO 37001 draft standard closely resembles existing ABC guidance.

What makes the ISO 37001 standard distinctive, and the reason its finalization would be potentially such big news, is that ISO 37001 (like other ISO standards dealing with more technical matters) is intended to be subject to independent “certification” by third-party auditors. In other words, if and when the ISO 37001 standard is finalized, companies will be able to hire auditing firms to review their ABC programs and (if the auditor determines the firm meets the ISO 37001 criteria) to provide a formal certification that the company is ISO 37001-compliant. The question whether formal ISO 37001 certification of this sort will be a good thing (for firms, or for the world) has been hotly debated (for previous discussions on this blog, see here and here).

Claims Against Petrobras Highlight Prospects for Shareholder Enforcement in US Courts

The fallout continues from the ongoing investigation of corruption at Petrobras, Brazil’s giant state-owned oil company. (See New York Times coverage here, and helpful timelines of the scandal here and here.) In March of 2014, Brazilian prosecutors alleged that Petrobras leadership colluded with a cartel of construction companies in order to overcharge Petrobras for everything from building pipelines to servicing oil rigs. Senior Petrobras executives who facilitated the price-fixing rewarded themselves, the cartel, and public officials with kickbacks, and concealed the scheme through false financial reporting and money laundering. The scandal has exacted a significant human toll: workers and local economies that relied on Petrobras contracts have watched business collapse: several major construction projects are suspended, and over 200 companies have lost their lines of credit. One economist predicted unemployment may rise 1.5% as a direct result of the scandal.

The enormous scale of the corruption scheme reaches into Brazil’s political and business elite. The CEO of Petrobras has resigned. As of last August, “117 indictments have been issued, five politicians have been arrested, and criminal cases have been brought against 13 companies.” In recent months, the national Congress has initiated impeachment proceedings against President Dilma Rousseff, who was chairwoman of Petrobras for part of the time the price-fixing was allegedly underway. And last month, federal investigators even received approval from the Brazilian Supreme Court to detain former President Luiz Inácio Lula da Silva for questioning. (Lula was President from 2003 to 2010—during the same period of time that Ms. Rousseff was chairwoman of Petrobras.) Meanwhile, the House Speaker leading calls for President Rousseff’s impeachment has himself been charged with accepting up to $40 million in bribes.

As Brazilian prosecutors continue their own investigations, another enforcement process is underway in the United States. Shareholders who hold Petrobras stock are beginning to file “derivative suits,” through which shareholders can sue a company’s directors and officers for breaching their fiduciary duties to that company. Thus far, hundreds of Petrobras investors have filed suits. In one of the most prominent examples, In Re Petrobras Securities Litigation, a group of shareholders allege that Petrobras issued “materially false and misleading” financial statements, as well as “false and misleading statements regarding the integrity of its management and the effectiveness of its financial controls.” (For example, before the scandal broke, Petrobras publicly praised its Code of Ethics and corruption prevention program.) The claimants allege that as a result of the price-fixing and cover-up, the price of Petrobras common stock fell by approximately 80%. In another case, WGI Emerging Markets Fund, LLC et al v. Petroleo, the investment fund managing the Bill & Melinda Gates Foundation has alleged that the failure of Petrobras to adhere to U.S. federal securities law resulted in misleading shareholders and overstating the value of the company by $17 billion. As a result, the plaintiffs claim they “lost tens of millions on their Petrobras investments.”

Thus, in addition to any civil or criminal charges brought by public prosecutors, private derivative suits offer a way for ordinary shareholders to hold company leadership accountable for its misconduct. In these derivative suits, any damages would be paid back to the company as compensation for mismanagement; the main purpose of the suits is not to secure a payout for shareholders, but to protect the company from bad leadership. The Petrobras cases illustrate how derivative suits can offer a valuable mechanism for anticorruption enforcement, but they also face a number of practical challenges.

The Internal Revenue Service’s (Potential) Role in Combating Foreign Bribery

The uptick in FCPA investigations in recent years is well-known. The two agencies responsible for FCPA enforcement—the Department of Justice (DOJ) and the Securities and Exchange Commission (SEC)—now have special units focused on FCPA cases. Both have been aggressively pursuing cases against corporations and (increasingly) individuals. But there is a third U.S. agency that can and should be more involved in the fight against transnational bribery: the Internal Revenue Service (IRS).

The IRS already has some role in FCPA cases, though the extent of that involvement is not entirely clear. Recently, its joint investigative role has been mentioned in a few high-profile matters. Notably, criminal FCPA charges against Vicente Eduardo Garcia (an SAP regional director who in August pled guilty to an FCPA violation involving bribery for Panamanian government contracts) were investigated cooperatively by the FBI and IRS, a fact that some commentators cautioned signaled a need for companies to increase FCPA compliance efforts through additional channels. IRS Criminal Investigation was also involved in the case against Hewlett-Packard Russia, which last year pled guilty to violating the FCPA, and even the (non-FCPA but bribery-related) investigation of FIFA started with the IRS. Beyond investigation, the IRS can bring separate tax charges related to incidents of bribery or other inappropriate payments. A 2014 settlement included a multi-million-dollar forfeiture to the IRS, apparently the first such forfeiture in an FCPA settlement, though the exact reason for the forfeiture was not revealed.

Several observers have speculated that the last decade’s increase in FCPA actions could lead to an increase in tax-related actions. Up until now it has been relatively rare for FCPA actions to include associated tax charges, but the 2014 settlement might be one indication that the relative scarcity of tax involvement could change. The IRS can further develop its responsibility in FCPA investigations with an expanded formal cooperative role, if indeed it does not have one already, in DOJ or SEC prosecutions. This would be a positive step, since there are two major advantages to FCPA investigations assisted, or tax charges brought, by the IRS:

NYU Roundtable on the DOJ Fraud Section’s New “Corporate Compliance Counsel”: The Video and Some Thoughts

As many readers are likely aware, the U.S. Department of Justice Fraud Section (now headed by Andrew Weissmann), which has responsibility for enforcing the Foreign Corrupt Practices Act (among other things), recently created a new position called the “Corporate Compliance Counsel,” and appointed to the post Hui Chen, a former corporate compliance officer for a number of major firms (including Microsoft, Pfizer, and Standard Chartered). The avowed purpose of the new position is to assist the DOJ in assessing the quality of a company’s internal compliance program and remediation measures. In the FCPA context (and others), these assessments are relevant to the DOJ’s decisions regarding whether to prosecute, what penalties to seek, and what additional remedial measures to pursue, even though there is not a formal “compliance defense” under the FCPA (or other statutes that the Section enforces). Thus, the thinking behind the creation of the new DOJ position seems to be that having someone in the Section with a lot of background in corporate compliance will enable the DOJ prosecutors to do a better job in evaluating the quality of a company’s compliance program and remedial efforts.

The creation of the Corporate Compliance Counsel position has garnered praise in some quarters, but also attracted some criticism; the critics tend to argue that the creation of the new position is, at best, a public relations move with little real consequence, and at worst an indirect effort to weaken the enforcement of corporate criminal laws.

Last week, the NYU Program on Corporate Compliance and Enforcement (PCCE) hosted a public forum where Mr. Weissmann and Ms. Chen discussed the new position and answered some questions posed by NYU Professor (and PCCE co-director) Jennifer Arlen. Because I thought that this might be of interest to some readers, here’s a link to a video of the discussion.

A few additional thoughts about what I thought were the more interesting exchanges:

Should FCPA Enforcers Focus on Bribe-Paying Employees or Their Corporate Employers?

These days most (though not all) resolutions in Foreign Corrupt Practices Act cases involve corporate defendants paying fines or other penalties to the government. Usually (again, not always) the government does not bother prosecuting the employees who paid the bribes. (While the government has recently made individual liability in corporate criminal cases more of a point of emphasis — as exemplified by the DOJ’s Yates Memo, which Danielle discussed in yesterday’s post — the targets in those cases are typically senior executives who orchestrated bribe-paying schemes, not the lower-level executives or employees who actually paid the bribes.) The government also uses various legal tools to encourage lower-level employees to blow the whistle on their employers.

Do we have this backwards? Right now, the government focuses its enforcement efforts on the corporate employers, rather than the lower-level employees who pay the bribes. Should the government instead emphasize enforcement actions against the employees? Right now, the government tries to give employees incentives to uncover and disclose evidence of FCPA violations committed by their employers. Should the government instead focus on encouraging the employers to uncover and disclose FCPA violations committed by their employees?

This past summer, I was fortunate enough to attend the Third Annual Conference on Evidence-Based Anti-Corruption Policies in Bangkok, and the keynote speaker at that event, New York University Law Professor Jennifer Arlen, made a case along those lines. (Professor Arlen’s address was actually a much more wide-ranging discussion of corporate criminal liability; I’ve extracted, and possibly oversimplified or distorted, one thread of her argument. But it’s an interesting enough argument that I think it’s worth engaging, and I’ll focus on the simple version, even though her position is more nuanced.) The argument goes something like this: The DOJ should adopt a policy that any corporation that discovers FCPA violations by its employees, and then promptly (a) discloses the violation to the government, (b) provides the government with information, and (c) assists the government in prosecuting the employee, should be exempt from corporate criminal liability for the violation; the DOJ should instead vigorously prosecute the individual employees in this situation (using the evidence that the corporate employer has itself provided). If the corporation fails to promptly disclose such a violation, however, and the government subsequently finds out about it, the corporation should be held criminally liable for the FCPA violation, and penalized accordingly.

I think this proposal is interesting enough to take seriously, though in the end I remain unconvinced that this shift in emphasis would be a good idea. Let me first lay out the argument in favor of this change, and then explain why I ultimately disagree.

No Longer a Cost of Doing Business: The Yates Memo Signals DOJ Is Serious About Going After Individuals

As many observers have noted, penalties for Foreign Corrupt Practices Act (FCPA) violations tend to fall on corporations, rather than individual wrongdoers. The individual employees responsible for the unlawful conduct rarely pay fines or go to prison. The FCPA is not unique in this regard; many U.S. Department of Justice (DOJ) settlements with corporate defendants shield executives and employees from personal liability so long as the corporation accepts institutional responsibility. Yet this enforcement posture has been unsatisfying, and critics argue that many corporations simply treat the fines as an accepted cost of doing business. In response to this concern, and after much foreshadowing, the DOJ formally released a new policy on individual liability last week—a policy that applies to all corporate prosecutions and settlements, including those involving the FCPA. Known as the “Yates Memo” (it was announced by Deputy Attorney General Sally Quillian Yates in her remarks at NYU School of Law on September 9th), this new policy statement—the first major policy announcement from the DOJ under Attorney General Loretta Lynch—signals that the “cost of doing business” model of corporate compliance is coming to a definitive end.

TI Report on Anti-Bribery Compliance Programs in the Defense Industry: Some Quick Reactions

Last April Transparency International UK released a very interesting report on the quality of corporate anti-bribery compliance programs in the defense industry. (This was the second such report; the first was issued in 2015). The report evaluated the ethics and anti-bribery compliance programs of 163 defense companies along five dimensions (leadership & governance, risk management, policies & codes, training, personnel & helplines) using publicly available information, supplemented with additional internal information from 63 cooperating firms, and assigned each firm a letter grade (A-F). The most eye-catching result, and the one that has gotten the most attention in the press releases and reporting on the report, is how badly the defense industry seems to be doing overall on this issue: Of the 163 firms included in the review, there were 4 As, 23 Bs, 29 Cs, 31 Ds, 19 Es, and 57 Fs. Thus, fewer than 17% of the defense firms examined scored in the A or B range, while close to half (47%) received a failing grade of E or F.

That’s certainly a notable and important (and depressing) finding, but digging a bit deeper, there are a few other interesting features of the report that have gotten a bit less attention, and are worth highlighting.

Guest Post: The Role of Compensation Systems in Promoting Anti-Bribery (Non-)Compliance

GAB is pleased to welcome back anti-bribery consultant Richard Bistrong, who contributes the following guest post:

These days, most sophisticated multinational firms, at least those that might be subject to liability under the Foreign Corrupt Practices Act or similar laws, have official anti-bribery compliance programs. But as many observers have rightly noted, while formal control systems are important, they have their limits: the formal rules in place, or what top-level management asserts when setting the “tone from the top,” may often differ from what actually happens on the ground. As I’ve emphasized in my earlier posts on this blog, understanding what actually happens out in the field requires careful attention to the actual incentives of the people on the front lines: the regional managers, salespeople, and the like. And with respect to these individuals, many corporations that have seemingly robust anti-bribery programs, and whose C-Suite executives say all the right things about ethics and integrity and zero tolerance, are actually creating incentives that foster corruption. Here I want to focus on incentive plans for international sales, marketing, and business development teams. I have identified three common features of the compensation system for salespeople that may contribute substantially to bribery risk.

The OECD Report on Corruption in Sectors: Will it Hurt the Brand?

Consequences of Corruption at the Sector Level and Implications for Economic Growth and Development is the OECD’s latest report on corruption. Released March 25, it was written at the request of G-20 governments and follows an earlier one the organization did for the G-20’s September 2013 meeting.  Whereas that report examined the impact of corruption on rates of economic growth and levels of development, this one adopts a micro perspective, analyzing the effect of corruption and suggesting ways to fight it for four sectors of national economies: i) extractive industries, ii) utilities and infrastructure, iii) health, and iv) education. Among its more striking conclusions:

  • “independent, competent and better regulatory and law enforcement systems” are critical for combating corruption;
  • “transparency should be an integral component of all anti-corruption strategies;” and
  • “anti-corruption measures must . . . be targeted and tailored.”

Additional examples of focused, cutting edge policy recommendations can be found by clicking “Continue reading.” Continue reading

Dear Governments: Please Don’t Make Private Certification the Touchstone of an Adequate Anti-Bribery Program!!!

A little while back, I posted a couple of critical commentaries (here and here) about the efforts underway to develop an International Organization for Standardization (ISO) standard for corporate anti-bribery programs (ISO 37001), modeled on the already-existing UK standard developed by the British Standard Institute (BS 10500). (For those unfamiliar with these organizations or what they do, these standards are developed by a private consortium, and then private firms conduct–for a fee–audits of companies and provide a “certification” that the company is in compliance with the standard. These standards in the past have dealt with technical or quality control issues — the proposed anti-bribery standard is, to the best of my knowledge, the first ISO standard to deal with a legal issue of this type.) Without rehashing my earlier posts here, I raised questions both about how these certifications were supposed to work in practice, and about what they were for. I raised but dismissed the possibility that law enforcement might treat ISO/BS certification as an adequate indicator that a firm had a satisfactory compliance program (or that absence of ISO/BS certification as an indicator the compliance program was inadequate). I dismissed the possibility because lots of people (including those who work in the compliance certification business and those involved with the development of the ISO standard), assured me that such certification was not intended to have that kind of dispositive legal significance (even if it might be relevant to the law enforcement agency’s inquiry).

I would have left the matter there, and probably not written about it again, but for some remarks at last December’s World Bank International Corruption Hunters Alliance meeting. On a panel about “Fighting Transnational Bribery,” Detective Inspector Roger Cook, with the Operations area in the City of London Police’s Economic Crime Directorate, spoke with great enthusiasm about BS 10500, the model for the proposed ISO 37001. (This is perhaps unsurprising given that, as I just learned from his City of London police bio, he “contributed to the development and implementation of … BS 10500 and the developing ISO 37001.”) I don’t have a transcript or a video, nor am I a trained stenographer, but I tried to copy down Detective Inspector Cook’s remarks on this topic as close to verbatim as possible, and they went (according to my notes) more or less like this:

[If you’re a company, the BS 10500 standard] is going to give you a lot of comfort. Simply by getting accredited, then you have those adequate procedures that the UK Bribery Act requires companies to have [(that is, to satisfy the affirmative defense to the strict liability offense of failure to prevent foreign bribery)]. If the company has BS 10500 [certification], we’re not going to look much further, as long as they’re applying it properly. And an ISO standard [ISO 37001] is also in the works, about 18 months away. Think how good that would be, if every company going for a public contract were accredited. [We should] make that [certification] a condition for public contracts.

Now, Detective Inspector Cook was speaking in his personal capacity, not on behalf of the City of London Police or the British government. And he is not affiliated with the Serious Fraud Office (SFO), which has principal responsibility for bringing enforcement actions under the UK Bribery Act. But I nonetheless found these remarks quite troubling, so perhaps it’s worth restating the reasons why private anti-bribery certification or accreditation, according to something like the proposed ISO standard, should not be considered necessary or sufficient to establish the compliance defense under the UK Bribery Act, and should not be considered necessary or sufficient to engage in government contracting.