On October 14, after four years of work involving the active participation of experts from 37 countries, the International Organization for Standardization issued ISO 3700, its standard for anti-bribery management systems.
To a large degree, the components of the standard mirror many of the steps set forth in the FCPA guidance (pdf) issued by the U.S. Department of Justice and the Securities and Exchange Commission and the Adequate Procedures (pdf) document issued by the UK Ministry of Justice.
Nevertheless, because it provides a globally accepted approach to anti-corruption compliance, ISO 37001 will likely be heralded as a significant step in the continued globalization of anti-corruption compliance, especially in countries where corruption could be considered part of the culture. Companies can now employ a tool that raises both the bar for compliance activities and the awareness of the risk of corruption.
For both U.S. enforcement authorities and the companies subject to their jurisdiction, the issuance of ISO 37001 should be seen as a positive development; it provides a single global standard for anti-corruption compliance. As such, it can facilitate a systematic review of FCPA-friendly compliance programs at businesses headquartered in the United States, especially those with outposts in developing countries.
The issuance of the new standard can also address one of the chief criticisms of aggressive FCPA enforcement — that it leaves U.S. companies at a competitive disadvantage by holding them to a higher standard than their international peers. Now there is one standard for all.
As is the case with other standards issued by the International Organization for Standardization, ISO 37001 includes a provision allowing for an independent third party to issue a certification (for a fee) stating that a company’s anti-corruption program complies with the standard. But is it worth it for U.S. corporations to get certified when their existing compliance programs are already held to the gold standard of the DOJ?
Yes, because the standard ensures a company’s efforts are up to or exceeding par and signals compliance equality to the global market, especially for individuals and entities in developing countries with which U.S. companies may wish to do business. Of course, the fact that a company’s anti-corruption program has received an ISO certification alone will not be a sufficient, standalone defense to shield it from prosecution, should the DOJ come knocking. But prosecutors typically do consider the state and effectiveness of a company’s compliance program when determining whether a company should be charged with crimes committed by those acting on its behalf.
For example, the U.S. Attorneys’ Manual lists the prior existence of an effective compliance program as a factor to be considered when determining whether to charge a business organization, and the U.S. Sentencing Guidelines list it as a mitigating factor to be considered at sentencing. While federal prosecutors will certainly continue to execute independent discretion, a company may be able to point to an ISO 37001 certification as evidence that it made every effort to implement an effective anti-corruption program, and therefore deserves lenient treatment. Of course, by the same token, the authorities may start to point to the absence of a certification as a basis for denying leniency.
Outside the United States, ISO 37001 is perceived as a tool that can create a globally competitive advantage and an effective mechanism to fight against corruption. For U.S. companies operating internationally, through a subsidiary, distribution center, or other representatives, ISO 37001 can be a key tool in markets where the risk of corruption is high or culturally “normal,” and it can be an equally powerful tool for locally based conglomerates. For example, if a government official asks for any type of extraordinary grant or special benefit, adopting ISO 37001 can empower local staff to refuse. Under the standard, they can reject the request on the grounds that by paying, they run the risk of losing their job, and their company risks losing its certification — and the trust it fosters with international partners. If bribe requests remain an ongoing challenge, ISO 37001 can guide the company in preparing the right processes and mechanisms to address these issues.
Latin American countries with significant economies are showing interest in the standard, and the result is an uptick in demand for skilled personnel in compliance markets. ISO 37001 requires executives to own anti-bribery and corruption (ABC) activities within corporations; U.S. companies often have compliance teams that could continuously monitor adherence to the standard. However, for suppliers, distributors or representatives in high-risk countries, depending on their size, compliance staffing can be a challenge, especially where the compliance professionals and market are not well developed or structured.
Due to its many corruption scandals, the number of compliance professionals in Brazil has been multiplying at a tremendous rate, and Brazil has taken the lead in sharing knowledge, experience, and capabilities in this area with other countries such as Mexico. As a result, international certifications and programs focused on Latin America have been launched in Mexico through prestigious universities and private institutions based in Brazil.
There is no doubt that the U.S. and the UK remain leaders in this sphere. They house mature markets with clear compliance laws and experienced enforcement bodies, which makes ISO 37001 a useful tool but not the critical opportunity for competitive evolution that it embodies in high-risk countries.
Emerging markets are adapting to the global trend of fighting against bribery and corruption in order to improve economic prospects. Latin American governments in particular are increasing efforts by allocating additional resources to ABC activities, but credibility is often still lacking due to low enforcement. There too, ISO 37001 can provide guidance on how to address bribery through reporting to local authorities and advise on how those authorities should address corruption. However, with ABC issues saturating Latin America’s business environments, it is good to remember that changing the business cultures will require significant communication and commitment from the public and private sectors. In the end, ISO 37001 is an international standard and an excellent certification, but it is not a magical recipe for success.
Keep in mind that companies that want to adopt ISO 37001 need to have the right experts to assist in both preparation and the execution. According to the standard, auditors are not to certify a company before its compliance program has operated under ISO 37001 for at least three months.
Additionally, if implemented successfully, companies may also utilize the ISO 37001 certification process as a way of managing the corruption risk presented by third parties. In a manner similar to what many large banks are doing with the anti-money laundering risk created by non-traditional financial institution clients, such as money services businesses, companies can require that a vendor obtain an ISO 37001 certification prior to being engaged.
There is still a lot of work to do before the potential effects of this standard are truly felt across regions. In the end, for enforcement authorities and businesses alike, the true test of ISO 37001 will be the extent to which is becomes a global standard adopted by large multinational corporations as well as mid- and small cap companies with global operations. If there is early proof that certification can deliver increased earnings due to improved international business relationships, widespread success over time may herald a new era of global business.
Fernando Cevallos the Director of Compliance, Forensics and Intelligence for Control Risks in Mexico City. He is also the global coordinator of the communications task group of ISO 37001 and a member of the Mexican technical advisory group. He can be contacted here.
Brian Mich is a Partner within the Compliance, Forensics, and Intelligence practice in Control Risks’ New York office. A former prosecutor, he has over 30 years of experience in the private and public sectors conducting fraud and corruption investigations. He can be contacted here.