ISO 37001, a new standard for anti-bribery management systems slated to be published in late 2016, is expected to be more detailed and more widely recognized internationally than similar guidance published to date.
A draft version of ISO 37001 states that conducting background checks of current and prospective third parties as well as other business associates is a key component of anti-bribery due diligence.
Some key takeaways:
1. Due diligence must be weighted according to risk. ISO 37001 takes a strong stance in opposition to a “one-size-fits-all” approach to due diligence. Low-risk business associates, such as retail customers or suppliers, may not require in-depth screening. Medium- or high-risk associates include companies or people that conduct business in a jurisdiction known for a high bribery risk, maintain decentralized operations and management, act as an intermediary or agent, or engage in transactions with public officials. The higher the assessed risk, the deeper the level of due diligence required.
2. “Red flags” can be more than just negative findings. There is no universally accepted definition for what issues meet the standard of a red flag. An organization may mistakenly assume that red flags are generally limited to explicit negative findings, such as a criminal conviction or prior bribery investigation.
A reputation for bribery or fraud remains a top area of focus for due diligence research. But the ISO 37001 draft clarifies that red flags can come in many other forms.
The absence of verifiable evidence that a business associate is properly registered, and thus a legitimate business entity, could indicate that something is amiss. A business associate that lacks a clear track record of successfully completing a similar project or transaction could, at least preliminarily, suggest that bribery is a possibility. Any link to a politically exposed person (PEP) is a potential red flag as well.
3. “Watch list” screenings are necessary, but not sufficient, for effective due diligence. Watch lists and global compliance databases, such as Interpol’s list of “wanted persons” and OFAC’s list of Specially Designated Nationals (SDNs), have long been mainstays of basic due diligence work. For many companies, it is standard practice to screen large volumes of names against the lists and databases, upgrading to more exacting due diligence only upon a hit or match.
The ISO 37001 draft does not specifically comment on this practice, but it suggests that a watch-list-centric approach is unlikely to pass muster. Without specifying exactly what must be included in any given case, the draft states that due diligence “may include” a questionnaire, search engine research, “government, judicial and international resources,” debarment lists, and reputational inquiries. Given this list of methods and sources, a program based purely on watch list screening may have difficulty achieving ISO 37001 certification.
4. A third party’s direct and indirect shareholders, and top management, cannot be ignored. The section of the draft on due diligence research emphasizes that a business associate’s managers and shareholders (including ultimate beneficial owners) are key factors. Their identities, reputations, backgrounds, and potential direct and indirect links to PEPs are critical to the due diligence process.
This aspect of due diligence can be a special challenge, with research requirements quickly multiplying and becoming cost-prohibitive. When researching a small business, this may entail adding only two or three additional names to the due diligence queue. But for larger companies, sometimes dozens of individuals can be reasonably considered “top managers” or “significant direct or indirect shareholders.”
Companies seeking to comply with ISO 37001 will likely fall back on arguments about what is “reasonable and proportionate.” That is the overarching standard of ISO 37001. And the compliance industry will itself, over time, develop expectations for due diligence on shareholders and managers. For example, it may make sense to perform deeper levels of due diligence only on shareholders with a 25 percent stake or above. Whatever the solution, new ideas and best practices will surely arise, ensuring that this potentially challenging aspect of ISO 37001 is met in a consistent and defensible manner.
* * *
As mentioned, the ISO 37001 draft currently allows each company to make its own subjective judgment about what is “reasonable and proportionate.” The points outlined above, combined with additional specific guidance in the ISO 37001 draft, provide a sound framework for an independent certifying agency to use for a compliance audit. Whether companies will be willing to make the adjustments and investments in their due diligence programs needed to meet these expectations is an open question.