Enlisting the Private Sector in the Fight Against Corruption — Part 2

Part 1 of this post lists 21 countries plus the Canadian province of Quebec that have taken measures to get corporations to join the fight against corruption.  Thanks to a bad case of jet lag, the post’s author ran out of steam before explaining what he meant by a company’s “joining the fight” or how countries got them to join it.  Herewith an explanation of both along with my apologies to readers puzzled by part 1.

To begin, a table summarizing the laws to which part 1 referred along with summaries of bills pending in the Irish and Vietnamese legislatures appears here: National Compliance Rules.  (Thanks to readers who caught errors in the part 1 list; similar scrutiny of the table solicited.)

As the table shows, the laws referenced require — or provide incentives for — companies under their jurisdiction to prevent their employees from paying bribes or engaging in other forms of corrupt conduct.  Some laws prescribe in detail the elements such an anticorruption compliance program should contain; others leave it to regulations or the courts to decide what companies must do.  With the October 2016 publication of ISO 37001 setting standards for corporate antibribery programs, most authorities will likely converge around the elements it recommends.   The recommendations are sensible and quite consciously track the experience of those countries that required corporate compliance programs, especially the United States, where guidelines on what constitutes an “effective” compliance program, drafted to help courts when deciding the culpability of corporations for the corrupt acts of employees and agents, have been in force since 2004.

Where national corporate compliance laws differ is in how countries “encourage” companies subject to their laws to institute a compliance program. The table reveals several approaches. Continue reading

Guest Post: The Draft ISO 37001 Anti-Bribery Standard’s Promise and Limitations

William Marquardt and David Holley, respectively Director and Managing Director at the Berkeley Research Group, LLC (a private management consulting firm) contribute the following guest post, which is written in their personal capacity and does not necessarily reflect the opinions, position, or policy of the Berkeley Research Group or its other employees and affiliates:

This past April, the International Organization for Standardization (ISO) released its draft standard on anti-bribery management systems (ISO 37001). The standard is tentatively scheduled to be finalized later this year. In substantive content, the draft ISO standard is similar to the FCPA Resource Guide provided by the U.S. Department of Justice and Securities and Exchange Commission, in that it provides a list of elements that an effective anti-bribery/corruption (“ABC”) program should contain. In terms of the specific elements listed, the proposed ISO standard provides a number of sound recommendations – such as a comprehensive, risk-based approach, as well as management commitment to promoting an ethical corporate culture—but with a few exceptions, the draft ISO 37001 standard is not much different from the guidance available from the DOJ/SEC and other sources in multiple jurisdictions.

That’s not to say that there is nothing whatsoever distinctive about ISO 37001. It does differ from the existing guidance in some ways, some good (such as the comprehensive focus on documentation, document retention, and document availability) and some not so good (such as the unrealistic recommendations regarding extension of management’s internal control systems to third-party vendors). The draft ISO standard also puzzlingly omits consideration of certain key issues –such as the labor law and data privacy issues that arise in connection with bribery investigations, questions regarding how to address anti-bribery concerns in connection with M&A or joint venture due diligence, and (most generally) the integration of ABC management systems into the firm’s wider financial, operational, and regulatory functions. But, again, in most respects the ISO 37001 draft standard closely resembles existing ABC guidance.

What makes the ISO 37001 standard distinctive, and the reason its finalization would be potentially such big news, is that ISO 37001 (like other ISO standards dealing with more technical matters) is intended to be subject to independent “certification” by third-party auditors. In other words, if and when the ISO 37001 standard is finalized, companies will be able to hire auditing firms to review their ABC programs and (if the auditor determines the firm meets the ISO 37001 criteria) to provide a formal certification that the company is ISO 37001-compliant. The question whether formal ISO 37001 certification of this sort will be a good thing (for firms, or for the world) has been hotly debated (for previous discussions on this blog, see here and here). Continue reading

Dear Governments: Please Don’t Make Private Certification the Touchstone of an Adequate Anti-Bribery Program!!!

A little while back, I posted a couple of critical commentaries (here and here) about the efforts underway to develop an International Organization for Standardization (ISO) standard for corporate anti-bribery programs (ISO 37001), modeled on the already-existing UK standard developed by the British Standard Institute (BS 10500). (For those unfamiliar with these organizations or what they do, these standards are developed by a private consortium, and then private firms conduct–for a fee–audits of companies and provide a “certification” that the company is in compliance with the standard. These standards in the past have dealt with technical or quality control issues — the proposed anti-bribery standard is, to the best of my knowledge, the first ISO standard to deal with a legal issue of this type.) Without rehashing my earlier posts here, I raised questions both about how these certifications were supposed to work in practice, and about what they were for. I raised but dismissed the possibility that law enforcement might treat ISO/BS certification as an adequate indicator that a firm had a satisfactory compliance program (or that absence of ISO/BS certification as an indicator the compliance program was inadequate). I dismissed the possibility because lots of people (including those who work in the compliance certification business and those involved with the development of the ISO standard), assured me that such certification was not intended to have that kind of dispositive legal significance (even if it might be relevant to the law enforcement agency’s inquiry).

I would have left the matter there, and probably not written about it again, but for some remarks at last December’s World Bank International Corruption Hunters Alliance meeting. On a panel about “Fighting Transnational Bribery,” Detective Inspector Roger Cook, with the Operations area in the City of London Police’s Economic Crime Directorate, spoke with great enthusiasm about BS 10500, the model for the proposed ISO 37001. (This is perhaps unsurprising given that, as I just learned from his City of London police bio, he “contributed to the development and implementation of … BS 10500 and the developing ISO 37001.”) I don’t have a transcript or a video, nor am I a trained stenographer, but I tried to copy down Detective Inspector Cook’s remarks on this topic as close to verbatim as possible, and they went (according to my notes) more or less like this:

[If you’re a company, the BS 10500 standard] is going to give you a lot of comfort. Simply by getting accredited, then you have those adequate procedures that the UK Bribery Act requires companies to have [(that is, to satisfy the affirmative defense to the strict liability offense of failure to prevent foreign bribery)]. If the company has BS 10500 [certification], we’re not going to look much further, as long as they’re applying it properly. And an ISO standard [ISO 37001] is also in the works, about 18 months away. Think how good that would be, if every company going for a public contract were accredited. [We should] make that [certification] a condition for public contracts.

Now, Detective Inspector Cook was speaking in his personal capacity, not on behalf of the City of London Police or the British government. And he is not affiliated with the Serious Fraud Office (SFO), which has principal responsibility for bringing enforcement actions under the UK Bribery Act. But I nonetheless found these remarks quite troubling, so perhaps it’s worth restating the reasons why private anti-bribery certification or accreditation, according to something like the proposed ISO standard, should not be considered necessary or sufficient to establish the compliance defense under the UK Bribery Act, and should not be considered necessary or sufficient to engage in government contracting. Continue reading

More on Compliance Program Certification/Verification: The Proposed ISO Standard

My last post, inspired by Transparency International USA’s recent publication of a report on verifying the effectiveness of corporate anti-bribery programs, talked a bit about the emergence of a set of private firms that provide “certifications” for such programs. I expressed some skepticism about the value of these certification services. Some of my concerns — also expressed in the TI-USA report — had to do the opacity and apparent inconsistency in the methodology that certification firms employ. One possible response to this concern might be to develop an “official” international standard for anti-bribery compliance, and to provide certification that firms meet that standard.

Such an effort is already underway, through an organization called the International Organization for Standardization (ISO), a consortium of national (generally private) standard-setting bodies in 163 different countries. Traditionally, the ISO promulgates international standards with respect to quality control, safety, and technical compatibility. External auditing firms then provide certifications that a firm meets the ISO standard(s) in the relevant areas. The ISO is now already in the process of developing an ISO standard (ISO 37001) for anti-bribery programs — which would be the first ISO standard to deal with a topic like bribery. The draft standard is supposed to be available for public comment by 2015.

Before proceeding further, I should disclose that I’ve been involved — very marginally — in the U.S. Technical Assistance Group that’s supposed to provide commentary on this developing standard. (Basically, I’ve listened in on a few phone calls and seen a few documents circulated to the group.) So I need to be careful what I say on this subject, so as not to disclose anything confidential. I actually think there’s little risk of that, because what I really want to do in this post is not to focus on specific features of the proposed standard, but rather to raise questions about the whole enterprise. The more I think about it, the less justification I can imagine for promulgating an international standard like this. Indeed, it strikes me as entirely the wrong way to go about promoting the very worthy cause of improved corporate anti-bribery compliance programs.

Continue reading