ISO 37001 – Not Quite A “Complete Yawner”


Consistent with this goal, today’s post is from Christopher Bell (Greenberg Traurig) responding in part to my October 2016 post titled “ISO 37001 Is A Complete Yawner.”

Bell was a member of the U.S. team involved in the negotiation and drafting of ISO 37001, has been involved in the negotiation and implementation of various ISO standards since the mid-1990s, and has decades of experience advising companies around the world on the evaluation and implementation of compliance systems.


Last fall, the International Organization for Standardization (ISO), with great fanfare, released the ISO 37001:2016 standard on anti-bribery management systems.  Thus far, the reception to ISO 37001 amongst leading FCPA practitioners here in the U.S. has been less than overwhelming, with observations to the effect that it does not include all of the available “best practices” and that it does not contain anything “new.”  While there is some truth to those observations, they don’t fairly convey what ISO 37001 is about.

To understand ISO 37001, a bit of background might be in order.  ISO was created after World War II to harmonize national standards, with the goal of creating international standards that avoid (or at least decrease) barriers to trade.  ISO is generally not in the “invention” business of creating “new” requirements; otherwise, it would not be “standardizing.”  Nor is the goal of ISO to create “leading edge” documents that collect the “best practices” achieved by the best and most sophisticated companies.  Creating such documents may be an invigorating intellectual exercise for the participants and provide interesting reading for leading edge practitioners, but they may not be particularly useful or practical for the vast majority of organizations, which have limited resources.  ISO takes into account that everyone cannot be above average.

ISO standards generally reflect multi-stakeholder international agreements on what can be successfully implemented by organizations large and small, across all sectors.  Further, ISO standards must be “globally relevant” which, among other things, means that they must be capable of being applied around the globe and not favor one region over another.  ISO is not a mechanism for imposing the legal regime of one country on the rest of the world.  Thus, ISO 37001 cannot focus solely on the FCPA;  it has to be useful to the tens of thousands of organizations around the world that do not fall within even the most expansive interpretations of the scope of FCPA jurisdiction.

It is in this context that ISO 37001 was negotiated.  All of the well-known anti-bribery documents were in play, whether they were from specific countries (e.g., FCPA documents and the Sentencing Guidelines or the UK’s Bribery Act) or international guidance (e.g., OECD’s guidance).  The participants were from around the world (38 participating countries), and included consultants, lawyers, companies, academics, government officials, NGOs, and the OECD.   What to leave in and take out, what kind of resources and time might be necessary to implement various provisions, etc. were all debated at great length and in great detail.  While the FCPA and other U.S. documents were major inputs to ISO 37001, so was input from other countries with their own laws and experiences.  Indeed, the initial “seed document” for ISO 37001 was a standard developed by the British Standards Institute aimed at satisfying the due diligence provisions of the Bribery Act.

Thus, compromises had to be reached taking into account different perspectives.  For example, there were differences of opinion on “facilitation” payments (with some advocating outright prohibition while others advocated a more nuanced approach), while countries with tough privacy law and due process concerns were very concerned about the extent to which anonymous complaints should be an integral part of internal compliance systems.  As in any negotiation, everyone did not get everything that they wanted.

Bringing this all back to the U.S., it is fair to say that ISO 37001 does not say much that is new to the advanced FCPA practitioner.  However, that may not be the only yardstick.  Many (maybe even most?) companies in the U.S. probably do not have sophisticated FCPA compliance systems of the sort with which readers of FCPA Professor are probably familiar, and they probably don’t have the resources that the Fortune 500 have put into their systems or regular access to the leading practitioners.  Therefore, some companies might find the business-oriented approach of ISO 37001 a useful starting point (but only a starting point) for an FCPA compliance system, particularly if they have already implemented other ISO management systems such as ISO 9001 (quality management systems) or ISO 14001 (environmental management systems), which share certain components with ISO 37001.

The “global relevance” of ISO 37001 may also make it useful in global FCPA compliance programs.  A major challenge faced by multinationals is managing what goes on in the value chain outside the U.S. (i.e., distributors, vendors, suppliers, etc.).  Non-U.S. entities (and even the non-U.S. operations of U.S. companies) sometimes resist (either explicitly or quietly) efforts by U.S.-based companies to impose FCPA-based procedures that the non-U.S. operations perceive as not being a “good fit.”  ISO 37001 presents an opportunity to use an internationally recognized system that is consistent with other well-accepted ISO standards, such as the ISO 9001 quality management system standard that is in place in millions of facilities around the world.  For example, rather than trying to impose a U.S.-style compliance program on non-U.S. entities, a company could decide to require that certain tiers of suppliers/distributors implement ISO 37001.  It might also be worth considering where anti-bribery legal requirements beyond the FCPA are in play, such as the UK’s Bribery Act (at which the first draft of ISO 37001 was aimed).  Further, from a practitioner’s perspective, it may be counterproductive when working on global anti-corruption matters to be dismissive of an agreed-upon international standard and to convey the impression that the only relevant guidance is what is generated in the U.S.

So, what are some of the downsides?  First, since it is a “globally relevant” voluntary international standard, it does not necessarily hit every necessary element of every potentially relevant anti-bribery law to which an organization might be subject.  So any company using ISO 37001 should view it as a framework or foundation and recognize that “add-ons” will be necessary depending on the context, applicable laws, etc. (e.g., FCPA, Bribery Act).  Second, implementing companies will have to fight the tendency to create excessive red tape, by taking advantage of the flexibility in the standard and resisting mechanistic approaches or interpretations not based on the actual text of the standard.  Third, it is important to recognize the limitations of third-party certification.  ISO does not require third-party certification: a company can implement the standard without being certified.  Further, a certificate is not a certificate of legal compliance.  The certification process verifies that the system design conforms to the standard and that it has been implemented, but it does not certify that the organization is in 100% compliance with applicable laws.

Summing up, I think it is fair to conclude that many organizations around the world, including those subject to the FCPA, will find ISO 37001 a useful addition to the anti-bribery compliance systems “toolkit.”  That does not mean it is the best tool for every organization (each organization needs to select the collection of resources/models that best fit its needs) or that it represents the leading edge of what the best companies can do.  Nor can it guarantee compliance (what can?).  However, if implemented seriously and in good faith, it may help a broad swathe of companies in the U.S. and around the world improve their performance . . . which is nothing to yawn at.

