Since its release in October 2016, the International Standards Organization’s ISO 37001 Anti-Bribery Management System has generated debate among anti-corruption compliance professionals as to whether the standard represents a meaningful contribution to compliance best practices or much ado about nothing. As we approach 18 months since the issuance of the standard, it is a good time to revisit this debate.
Developed over a three-year period by a working group that included representatives from dozens of countries and liaison organizations, ISO 37001 is a voluntary set of standards for what the standard describes as an “anti-bribery management system,” subject to voluntary independent third-party certification and periodic audits. It seeks to provide a single set of harmonized guidelines to allow companies and regulators to develop, improve, and monitor anti-bribery compliance systems. While ISO may be best known for technical standards in areas such as information security, ISO 37001 is not the first compliance-related standard developed by the organization; in December 2014, it released a standard for Compliance Management Systems (ISO 19600).
ISO 37001 is not specific to any single anti-corruption legal regime. However, the standard is generally consistent with international regulatory guidance, including guidance issued by DOJ and the SEC, and the UK Ministry of Justice. ISO certification does not provide a safe harbor against regulatory enforcement but is intended to be evidence that a certified company has taken meaningful steps toward effective anti-corruption compliance.
In 2017, several multinationals announced that they would seek certification from ISO or had received certification in certain regions. Nevertheless, we continue to see a lot of U.S. and U.S.-listed companies taking a wait-and-see approach to ISO certification.
Below are some of the key questions about ISO 37001 on which companies should focus.
Will regulators give ISO 37001 certification any weight when assessing a corporate compliance program?
U.S. regulators have said little about whether they view ISO 37001 as a meaningful compliance tool or if certification will be seen as evidence of an effective compliance program. Our recent experience dealing with U.S. regulators in FCPA investigations, as well as the few public statements made by DOJ prosecutors, suggests that DOJ and the SEC will continue to exercise their own independent assessments of the compliance programs of companies that are under investigation, irrespective of whether a company has been certified. For example, DOJ’s former compliance counsel, Hui Chen, has expressed skepticism about the effectiveness of the standard and the certification process. Unless and until the standard gains more traction with U.S. regulators, we expect that most companies exposed to FCPA risk will continue to be well served by focusing on prevailing DOJ and SEC guidance. Additionally, as we have previously noted, we believe that before a company embarks on the ISO 37001 certification process, it should consider conducting a privileged assessment of the health of its program, informed by DOJ and SEC guidance.
Will accredited U.S. certifying organizations emerge?
Not all ISO certifications are created equal: the third party audits required to obtain ISO 37001 certification may be carried out by accredited and non-accredited auditors. The market for accredited U.S.-based certifying organizations for ISO 37001 has yet to mature. There are two bodies in the U.S. capable of certifying organizations: ANAB and IAS. To date, ANAB has not accredited any U.S.-based organizations as ISO 37001 certification bodies; IAS has accredited a Canadian company as the first North American certifier.
Thus far, the large accounting firms, to which business organizations often turn to support anti-corruption controls assessments and audits, have not entered the market, perhaps because of restrictions on management consultancy services to which they would be subject by becoming a certification body.
We expect that until the market matures for accredited certifying organizations, many business organizations will continue to take a wait-and-see approach rather than seeking certification.
Will smaller companies and third-party representatives (including distributors in markets outside the U.S.) see ISO 37001 as a market differentiator and/or means of managing competing compliance efforts pushed out by business partners?
Major multinationals operating in higher-risk industries and higher-risk markets increasingly focus on the compliance programs of their sales agents, distributors, regulatory consultants, lobbyists, customs brokers, and other government-facing representatives. Often, companies collect compliance documentation as part of their integrity due diligence process, and follow up by pushing out anti-corruption training, conducting compliance audits, and imposing other compliance measures on their highest-risk business partners. Representatives that work with many multinationals can find themselves on the receiving end of such efforts from multiple companies. It is not uncommon for employees at such companies to find themselves taking numerous anti-corruption trainings each year or responding to compliance audit requests from more than one business partner.
We will be interested to see whether such representatives seek ISO certification, either because they view it as a competitive advantage to winning business with major multinationals or as a strategy for avoiding multiple, overlapping compliance efforts by business partners. Conversely, we will be interested to see whether multinationals begin requiring their highest-risk business partners to obtain ISO 37001 certification.
Will organizations make use of the ISO 37001 standard without obtaining certification?
We often advise clients that when it comes to their anti-corruption compliance programs, they cannot “set it and forget it.” Given U.S. and other regulator focus on continuous monitoring, reviewing, and updating of a company’s compliance program, companies must continue to evolve their anti-corruption compliance programs, and the ISO 37001 standard provides another data point against which to benchmark. While ISO 37001 aligns on many fronts with existing guidance from the DOJ, SEC, and UK Ministry of Justice, it includes certain specific requirements that do not appear as part of the hallmarks of an effective compliance program in the U.S. regulators’ Resource Guide to the FCPA or the six principles in the UK Ministry of Justice’s Bribery Act 2010 Guidance.
For example, ISO 37001 requires organizations to (i) conduct diligence on certain employees before they are transferred or promoted within the organization, and (ii) have certain employees, top management, and the board or other government body file periodic declarations confirming compliance with the organization’s anti-bribery policy. The standard also requires organizations to “wherever practical” require higher-risk business partners to “implement anti-bribery controls in relation to the relevant project or activity” and in certain circumstances to withdraw from the relationship if a business partner cannot or does not wish to implement anti-bribery controls. (While U.S. issuers subject to the FCPA’s accounting provisions must make “good faith” efforts to use their influence to cause minority-owned subsidiaries or affiliates to devise and maintain a system of adequate internal accounting controls, the ISO requirement is broader.) Organizations conducting periodic reviews of their compliance programs may consider these and other specific ISO 37001 requirements when they reassess and update their compliance programs, although some organizations will find particular prescriptive requirements in the ISO standard may not make sense for their organization.
FCPA Institute - Denver (May 4-5)
A unique two-day learning experience ideal for a diverse group of professionals seeking to elevate their FCPA knowledge and practical skills through active learning. Learn more, spend less. CLE credit is available.