
What does ISO 37001 say about due diligence?

ISO 37001, a new standard for anti-bribery management systems slated to be published in late 2016, is expected to be more detailed and more widely recognized internationally than similar guidance published to date.

A draft version of ISO 37001 states that conducting background checks of current and prospective third parties as well as other business associates is a key component of anti-bribery due diligence.

It goes beyond the OECD Anti-Bribery Convention and the DOJ/SEC FCPA Resource Guide on the question of what kind of due diligence on business associates is appropriate and expected.

Some key takeaways:

1. Due diligence must be weighted according to risk. ISO 37001 takes a strong stance in opposition to a “one-size-fits-all” approach to due diligence. Low-risk business associates, such as retail customers or suppliers, may not require in-depth screening. Medium- or high-risk associates include companies or people that conduct business in a jurisdiction known for a high bribery risk, maintain decentralized operations and management, act as an intermediary or agent, or engage in transactions with public officials. The higher the assessed risk, the deeper the level of due diligence required.

2. “Red flags” can be more than just negative findings. There is no universally accepted definition for what issues meet the standard of a red flag. An organization may mistakenly assume that red flags are generally limited to explicit negative findings, such as a criminal conviction or prior bribery investigation.

A reputation for bribery or fraud remains a top area of focus for due diligence research. But the ISO 37001 draft clarifies that red flags can come in many other forms.

The absence of verifiable evidence that a business associate is properly registered — and thus a legitimate business entity — could indicate that something is amiss. A business associate’s lack of a clear track record of successfully completing a similar project or transaction could preliminarily suggest that bribery is a possibility. Any link to a politically exposed person (PEP) is a potential red flag as well.

3. “Watch list” screenings are necessary, but not sufficient, for effective due diligence. Watch lists and global compliance databases, such as Interpol’s list of “wanted persons” and OFAC’s list of Specially Designated Nationals (SDNs), have long been mainstays of basic due diligence work. For many companies, it is standard practice to screen large volumes of names against the lists and databases, upgrading to more exacting due diligence only upon a hit or match.

The ISO 37001 draft does not specifically comment on this practice but suggests that a watch list-centric approach is unlikely to pass muster. Without specifying exactly what must be included in any given case, the draft states that due diligence “may include” a questionnaire, search engine research, “government, judicial and international resources,” debarment lists, and reputational inquiries. Considering this list of methods and sources, a program based purely on watch list screening may face difficulty achieving ISO 37001 certification.

4. A third party’s direct and indirect shareholders, and top management, cannot be ignored. The section of the draft on due diligence research emphasizes that a business associate’s managers and shareholders (including ultimate beneficial owners) are key factors. Their identities, reputations, backgrounds, and potential direct and indirect links to PEPs are critical to the due diligence process.

This aspect of due diligence can be a special challenge, with research requirements quickly multiplying and becoming cost-prohibitive. When researching a small business, this may entail adding only two or three additional names to the due diligence queue. But for larger companies, sometimes dozens of individuals can be reasonably considered “top managers” or “significant direct or indirect shareholders.”

Companies seeking to comply with ISO 37001 will likely fall back on arguments about what is “reasonable and proportionate.” That’s the overarching standard of ISO 37001. And the compliance industry will itself, over time, develop expectations for due diligence on shareholders and managers. For example, it may make sense to perform deeper levels of due diligence on only shareholders with a 25-percent stake or above. Whatever the solution, new ideas and best practices will surely arise, ensuring that this potentially challenging aspect of ISO 37001 is met in a consistent and defensible manner.

*          *          *

As mentioned, the ISO 37001 draft currently allows each company to make its own subjective judgment about what is “reasonable and proportionate.” The points outlined above, combined with additional specific guidance in the ISO 37001 draft, provide a sound framework for an independent certifying agency to use for a compliance audit. Whether companies will be willing to make the adjustments and investments in their due diligence programs needed to meet these expectations is an open question.


Daniel Greenberg is an Associate Research Director at Exiger Diligence, where he performs global research and due diligence for financial institutions and multinational corporations.


  1. ISO37001 is a good place to start with. The name ISO will have the board and some investors feeling they did ok and their corporation is doing good or "above the average", probably. But in my organization's experience, this standard is not enough in Mexico, Central and some jurisdictions in South America or Africa. Red flags need a thorough review and description in jurisdictions where money laundering, fake invoicing, tax sham transactions, bribery and extortion are everyday risks.

    ISO is a very good start but not enough, at least not in Mexico and Central America or Central Africa. When in any nearby future a case in these countries is reviewed by SEC or DOJ, top management will have a hard time exploring arguments to defend ISO "was enough" or "did the job". Best regards to FCPA BLOG team!

  2. To be more to the point: Will ISO 37001 be sufficient to the District Court for the purposes of a reduction in points for the US Sentencing Guidelines?

  3. Excellent article Daniel which gets to the point. An organisation has to ask itself if the due diligence checks that it undertakes would stand up to scrutiny in a court. If the client cannot provide a reasonable defence to an informed questioner, then they have not done enough due diligence. A competent cross examination should be able to establish 'plausible deniability' or 'wilful blindness'. The audit can be seen as a rehearsal of what would happen in court under rigorous conditions. If a client cannot provide an adequate defence, then they will not meet the requirements of the standard and they may be exposed to board level prosecution (in UK law at least) under corporate liability as well as individual liability.

    Luis Ortiz makes a good practical point. ISO37001 is a start regarding bribery only. I appreciate the difficulties in establishing due diligence in some supply chains or avoiding some form of bribery in others.

    To Michael Deal's point, it would be reasonable to expect a reduction in points for ISO37001 certification since it shows an organisation is establishing controls and validating them. This does not help a rogue individual who decides to bribe/accept bribes but it does distance the organisation from the briber/bribee. If certification is shown to be a sham under court conditions, then the organisation cannot provide an adequate defence and the certifying body would lose all credibility in this sphere.