While much attention is paid to the U.S. Foreign Corrupt Practices Act and the U.K. Bribery Act, an array of other anti-corruption laws apply to multinational companies.
For example, the so-called “BRIC” countries — Brazil, Russia, India and China — all recently enacted, and have begun taking initial steps to enforce, more stringent anti-corruption laws.
Meanwhile, 40 countries have signed the OECD Anti-Bribery Convention, which requires criminalizing the bribery of foreign public officials and prescribes measures for the implementation of domestic legislation.
Designing an effective anti-corruption compliance program that meets the requirements of many different jurisdictions seems like a daunting task. Multinational companies should take note of the broad global consensus that has developed around what governments and international organizations expect of corporate anti-corruption compliance programs. While there is no one-size-fits-all program — and a company must bear in mind applicable local laws — this global standard is welcome news.
The most appropriate starting place may be the “Good Practice Guidance for Companies,” published by the Organisation for Economic Co-operation and Development’s Working Group on Bribery in International Business Transactions (the “OECD Guidance”).
Many countries around the world have at least implicitly endorsed these guidelines. The DOJ’s and SEC’s Resource Guide to the U.S. Foreign Corrupt Practices Act (FCPA Guide) identifies “hallmarks” of an effective anti-corruption compliance program that bear striking resemblance to the good practices set forth in the OECD Guidance. National authorities in the United Kingdom, Canada, Brazil, Japan and South Africa have encouraged many of the same good practices, and the World Bank, International Chamber of Commerce and Transparency International have recommended them as well.
The commonly accepted core components of an effective anti-corruption program include:
- Support and commitment from the top. Senior management and boards of directors should create a “tone at the top” that promotes a culture of compliance. In evaluating a company’s compliance, U.S. authorities say they will consider “whether senior management has clearly articulated company standards, communicated them in unambiguous terms, adhered to them scrupulously, and disseminated them throughout the organization.
- A clearly articulated and visible corporate policy. According to the FCPA Guide, written anti-corruption policies and/or codes should be clear, concise, and accessible to all employees and to those conducting business on the company’s behalf.
- Making compliance the duty of individuals at all levels of the company. While “tone at the top” and written policies are necessary components of a compliance program, they are not sufficient in and of themselves. A commitment to compliance must be reinforced by middle-management and others throughout the organization, as the OECD Guide and World Bank Guidelines emphasize.
- Oversight by the senior corporate officers with autonomy, resources and authority. The responsible corporate officer (or officers) “must have appropriate authority within the organization, adequate autonomy from management, and sufficient resources to ensure that the company’s compliance program is implemented effectively,” the FCPA Guide states. Indeed, Russian law requires the designation of an officer and a department or structural unit responsible for the prevention of corruption and related offenses. In other countries, like Canada, companies are expected to establish “direct reporting obligation to independent monitoring bodies,” which oversee compliance with applicable standards of conduct.
- Generally applicable compliance measures focused on high-risk areas. The OECD Guidance recognizes there is no standard compliance program: an effective program, “should be developed on the basis of a risk assessment addressing the individual circumstances of a company.” High-risk areas, the OECD says, include: “gifts; hospitality, entertainment and expenses; customer travel; political contributions; charitable donations and sponsorships; facilitation payments; and solicitation and extortion.” The FCPA Guide similarly underscores that companies should design a compliance program that takes into account relevant risk factors.
- Ensuring the compliance of third parties. A compliance program should not be limited to mitigating risks presented by a company’s direct employees. The OECD advises multinational companies to perform documented due diligence of business partners, inform business partners of the company’s commitment to compliance, seek a reciprocal commitment, and monitor compliance.
- Financial and accounting procedures, including a system of internal controls. Brazil’s new Clean Company Act, when applying penalties, considers the existence of internal controls, including audits, that ensure the integrity of a company’s operations. The FCPA Guide emphasizes that internal controls are especially important where corruption risks are high — so a financial services company would be expected to devise and employe different internal controls than a manufacturer.
- Periodic communication and documented training. Anti-corruption training is not a one-time event, and, as the The FCPA Guide suggests, training sessions include hypothetical situations that are specific to the trainee’s day-to-day work experiences.
- Encouragement and positive support for compliance. Companies also should reward their employees for good behavior. For example, the FCPA Guide recommends incorporating adherence to compliance as a “significant metric for managements” bonuses.
- Appropriate disciplinary procedures to address violations. Just as carrots are important to an anti-corruption compliance program, so are sticks. Anti-corruption rules are only effective is they are enforced.
- Guidance, advice, confidential reporting and whistleblower protections. An effective program must provide resources for company employees and relevant third parties to obtain compliance information, help answer questions, and be able to report potential or actual misconduct.
- Periodic reviews. A compliance program that remains static is likely to become ineffective as risks shift. The FCPA Guide therefore suggests that companies may: (1) use “employee surveys to measure their compliance culture and strength of internal controls, identify best practices and detect new risk areas and/or (2) “targeted audits to make certain that controls on paper are working in practice.”
This post is a shortened version of an article that appeared in Bloomberg BNA’s Corporate Law & Accountability Report on April 25. That version can be found here.
Keith M. Korenchuk is a partner in the Washington, D.C. office of Arnold & Porter LLP; Samuel M. Witten is counsel in the firm’s Washington, D.C. office and Daniel Bernstein is an associate in the firm’s New York office.