Introduction and Background
Intense enforcement activity by the United States government coupled with increasing activism, legislation, and enforcement globally is keeping the organizational risk area of anti-corruption/anti-bribery in the spotlight. It stands among top legal, ethics, and compliance risks for companies doing business in regions, projects, or industries that struggle with corruption and bribery. This is a global risk area with increasing enforcement activity and new or updated legislation in a number of countries. Due to the prevalence of corrupt practices in certain regions and the serious nature of consequences for individuals and companies caught in enforcement actions, there is an almost unlimited supply of information and resources available on this topic. In this article, we will review best practices and include other highlights. To understand relevant background and to stay up to date, you should also consider accessing additional key resources provided by government, nongovernmental organizations, and others. To help avoid information overload, here are a few places you may want to start when identifying select resources for review:
- Department of Justice and Securities and Exchange Commission, FCPA: A Resource Guide to the U.S. Foreign Corrupt Practices Act, Second Edition, July 2020, available at https://www.justice.gov/criminal-fraud/file/1292051/download;
- UK Serious Fraud Office, Adequate Procedures and the Ministry of Justice Guidance (both are accessible at https://www.sfo.gov.uk/publications/guidance-policy-and-protocols/bribery-act-guidance/); and
- Transparency International, not only for the (annually) updated Corruption Perceptions Index (available at https://www.transparency.org/en/cpi/2020/index/nzl), but also for news, tools, and research (e.g., resources available at https://www.transparency.org/en/publications).
In addition, those responsible for ethics and compliance and anti-corruption programs or program elements should stay in touch with peer companies at ethics and compliance forums and follow new investigations and enforcement actions (e.g., in the US, examples can be found at https://www.justice.gov/criminal-fraud/enforcement-actions).
These efforts combined will help ensure you have the basic information you need to help identify and mitigate corruption and bribery risks through compliance program efforts.
US Foreign Corrupt Practices Act
The United States continues to show an especially strong commitment to investigating potential violations of and enforcing the United States law enacted in 1977 as the Foreign Corrupt Practices Act (FCPA). Briefly, the FCPA states that a company cannot, with corrupt intent, make an offer, promise, or payment of anything of value to a foreign government official or politician for the purpose of (1) influencing official actions, (2) inducing the official to act or omit to act in violation of the official’s duty, or (3) obtaining an improper advantage.[2]
In addition, the accounting provisions of the FCPA require issuers to have accurate books and records and an adequate system of internal accounting controls. The accounting provisions also prohibit individuals and businesses from knowingly falsifying books and records or knowingly circumventing or failing to implement a system of internal controls.
The law applies to US corporations or US nationals operating anywhere in the world. As of 1998, it also applies to foreign entities that further a bribe while in the United States. The law exists to promote sound foreign policy and the operation of businesses on their merits while encouraging competition based on quality of product and services rather than by corruptly trying to buy an advantage. As stated by then-Assistant Attorney General Leslie Caldwell at the 2015 Annual Association of Certified Fraud Examiners Global Fraud Conference,
The threats posed by international corruption cannot be overlooked. Corruption renders countries less safe and less stable. Corruption thwarts economic development, traps entire populations in poverty and undercuts credible justice systems. International corruption also inhibits the ability of American companies—and others—to compete overseas on a level playing field. Once bribery and corruption take hold, fair and competitive business practices are eliminated.[3]
The FCPA includes anti-bribery provisions and accounting provisions. Accordingly, the U.S. Department of Justice (DOJ) and the U.S. Securities and Exchange Commission share enforcement authority. The DOJ and the Securities and Exchange Commission work closely together to investigate and coordinate prosecutions.
When explaining the FCPA to an organization, there are five main elements to understand:
- It applies to any individual, organization, officer, director, employee, or agent acting for the organization;
- Whoever makes the bribe or authorizes it must intend to make the foreign official misuse their position;
- The bribe is paying or authorizing the payment of anything of value—not just money;
- The receiver of the bribe is any foreign official, which may include candidates, party officials, and even family members of the official; and finally,
- The payment is made in order to help an organization obtain or retain business or to direct business to a specified person or organization.
The FCPA, unlike similar laws in other countries, allows a type of small “bribe,” which it calls “facilitation payments.” These are defined as payments needed to expedite the provision of routine, nondiscretionary, governmental actions. Examples of facilitation payments might include payments for more quickly processing government paperwork, scheduling inspections, and obtaining permits and licenses. Facilitating payments, while allowed under the FCPA, are disfavored and are almost always illegal under the law of the country where they occur. This, together with their illegality under the UK Bribery Act 2010 and Brazil’s Clean Company Act 2014 and the forewarned change making them illegal under Canada’s Corruption of Foreign Public Officials Act, is another reason why companies should review their policies and practices and local risk in this area and ensure the matter is addressed.
Although the FCPA was enacted in 1977, well over 50% of all its enforcement actions have occurred since 1998. Enforcement continues to intensify and reach all industries. In a November 19, 2014, speech, then-Assistant Attorney General Caldwell states that “thanks to the expertise and knowledge we have acquired over the years, we are now able to investigate FCPA cases much more quickly. We also are better equipped to prosecute individuals who are actually making corrupt payments, as well as intermediary entities hired to serve as conduits for bribes. And now we also are prosecuting the bribe takers, using our money laundering and other laws.”[4] The consequences of noncompliance with the FCPA have, in fact, included criminal and civil fines, reduced stock price, disqualification from government contracts, costly government monitoring of future actions, civil litigation, damaged reputation, and delayed filings necessary for business continuity.
Global Perspective
While the FCPA has been the more widely known and enforced anti-corruption measure, corruption is increasingly being addressed through enactment or updating of laws, increased frequency and quality of international investigations and prosecutions, and by more robust looks at risk and compliance by businesses and nonprofit organizations around the world. The last decade has seen increased public outrage over corruption and public demand for enactment of additional laws and agreements intended to bring about change. In the past, businesses may have considered paying bribes as a necessary, if not legitimate, way of conducting business in many countries. In fact, bribes were sometimes even treated as tax deductible. Businesses were nearly unregulated in this practice, as governments of those countries affected by bribery were relatively unconcerned with fighting corruption of public officials. However, following the enactment of the FCPA, legislators, executive branch leaders, and global businesses pushed to level the playing field and expand efforts to fight corruption globally. In addition, those who suffer the effects of corruption are more often raising protest and getting support for change. People have access to more information, are aware there are options and improvements within reach, and they are tired of seeing funds for vital infrastructure improvements siphoned off and projects never finished. As multiple recent examples have shown, people around the world are protesting their denial of basic necessities, abuse of human rights, and other social ills that corruption perpetuates.
While the FCPA has been the most often enforced anti-corruption law to date, when designing or evaluating your anti-corruption program, it is important to consider the UK Bribery Act and the existence and implications of other newer laws, global treaties, and other local laws of the many jurisdictions with which a global company will interact. Additionally, in this risk area, as with others, continuously monitoring for new laws and anticipating changes in the law and enforcement practices is a necessity. This practice should be part of your ongoing risk assessment (i.e., understanding how external factors affect your risk). While many of the global agreements and laws have origins in the FCPA, there are differences among them, and it is best to be aware of the differences among the laws and seek compliance with all applicable anti-corruption measures.
Today, governments, businesses, and individuals are increasingly recognizing that corruption, including bribery in any form, threatens society by hampering sustainable development, creating and perpetuating poverty, defeating fair business practices, and undermining the marketplace. The work of the Organisation for Economic Co-operation and Development (OECD) led to creation and multinational ratification of a key global anti-corruption agreement. The OECD has provided a forum for decades to bring together leaders committed to democracy and the market economy to share policy and address concerns through shared experiences and deep analysis of data.
In 1997, the OECD Convention on Combating Bribery of Foreign Public Officials in International Business Transactions [5] was signed, and then came into force in 1999.[6] The OECD Convention on Combating Bribery outlaws bribery of foreign officials, makes no exception for facilitating payments, and contains a books and records provision. The convention additionally requires countries to hold those individuals or companies who offer or pay bribes accountable. Additionally, signatory countries must implement the convention in an effective and enforceable way. The convention leaves room to recognize that there may be necessary differences in how the goal is accomplished in each country’s implementing legislation. The focus of the obligations imposed by the OECD convention is on results. The convention also obligates countries to cooperate with other countries in investigation of corruption, address corporate liability for bribery, and impose sufficient penalties for violations such that the conduct will be effectively deterred.
While the OECD has no authority to implement the convention, it does not merely offer an agreement for signature and stop there. Rather, it provides for self-analysis as well as mutual evaluation of all parties’ compliance with the convention and progress. Much of the evaluation work is carried out by the OECD Working Group on Bribery, which produces annual reports on progress as well as other specialized reports.[7] When countries sign the convention, they are agreeing to participate as assessors and also be the subjects of assessment. The OECD also supports business by providing helpful resources and tools, which can be accessed at http://www.oecd.org/corruption/bydate/. Part of the mission of the OECD is publication and sharing of information, and as a result, additional, up-to-date helpful information and guides can often be found on the OECD website.
United Nations Convention
Further highlighting the multi-national nature of anti-corruption efforts, it is not surprising that the United Nations began work on a coordinated global approach to the criminalization of bribery and prevention of corruption. After two years of negotiations, on October 31, 2003, the United Nations General Assembly adopted the United Nations Convention against Corruption (UNCAC).[8] The UNCAC is legally binding and requires members to prevent and criminalize corruption, cooperate with international investigations, recover assets, and collaborate to improve information exchange. While the UN has no enforcement authority, members are required to comply, and monitoring is a key part of the convention. The UNCAC is built on the earlier work of the FCPA and the OECD, but the UNCAC is broader, covering not only bribery of foreign government officials but also addressing corruption in its many forms. The UNCAC addresses domestic bribery and encourages criminalization of commercial bribery (such as was later embodied in the UK Bribery Act 2010). The additional scope of the UN convention would be covered by preexisting additional laws in many jurisdictions.
The impact of treaties on global companies means that when doing business in countries that have ratified such a treaty, there may be implementing laws or implementing laws may be under consideration. At a minimum, the UN signatory countries should be monitored for new developments in law and enforcement. With 140 signatories, there is a very high likelihood that global companies will be doing business in numerous signatory countries. Agreement on implementation of monitoring compliance with the agreement could also bring renewed interest and forward progress by member nations in implementing anti-corruption laws.
UK Bribery Act
The UK Bribery Act 2010 criminalizes making, receiving, or offering corrupt payments to both public officials and private parties anywhere in the world. It also prohibits the payment of small bribes or facilitation payments paid to expedite the performance of routine government services. The act includes expansive applicability to individuals and organizations, and it criminalizes a broad range of activities.
The UK Bribery Act specifically prohibits:
- offering, promising, or giving a bribe to another person;
- requesting, agreeing to receive, or accepting a bribe from another person;
- bribing a foreign public official; and
- the corporate offense for failure to prevent bribery.
A company will be held strictly liable where an “associated person” performing services on its behalf bribes another person to obtain or retain business or a business advantage for the company. “Associated person” is broadly defined. A defense may be available if the company can prove it had “adequate procedures” in place designed to prevent bribery from being committed by those performing services on its behalf. The government has published guidance on what constitutes “adequate procedures.”[9]
The UK Bribery Act has wide jurisdictional applicability. The government may prosecute bribery committed by a person in the UK or outside the UK by a British citizen or person closely connected with the UK. The corporate offense of failure to prevent bribery applies to UK-incorporated entities and to entities outside the UK that conduct business in the UK. The UK Bribery Act also increased the maximum penalty for certain offenses from seven to 10 years’ imprisonment, with an unlimited fine.
French Sapin II Law
France instituted this new anti-bribery law in 2017. Not only does it reinforce the criminality of bribery within and outside of France, but, like the FCPA and UK Bribery Act, it also includes extraterritorial reach for bribery violations. The law recognizes the role of whistleblowers and provides protections for them.
The Sapin II law requires businesses to institute anti-bribery programs. These programs must include assessment of bribery risks and education of relevant staff involved in activities in which bribery is likely to occur. It also requires that businesses implement controls, such as a whistleblower channel and monitoring, to prevent bribery or quickly identify and address it should it occur.
Brazil’s Clean Company Act
More recently, Brazil has passed the Clean Company Act 2014. This act imposes civil and administrative liability on Brazilian companies for both domestic and foreign bribery. International companies with a presence in Brazil are within the scope of the act if they engage in bribery in Brazil. The Clean Company Act is broad in that it prohibits direct and indirect bribery (or attempt) of Brazilian public or foreign public officials.
The prohibited acts include giving or offering of bribes as well as the giving of any financial or other support to the bribe activity or participating in its concealment. The use of third parties to execute or assist the bribe scheme is also outlawed. Additionally, the law forbids bid-rigging and fraud in the public procurement process, all issues with which Brazil has struggled. Finally, the law also prohibits interfering with government investigations. The potential fines for violation of the law range up to 20% of the responsible company’s prior year’s gross revenue (taxes excluded). There is the potential for fines to be reduced for companies that have implemented effective anti-corruption compliance programs.
Canadian Corruption of Foreign Public Officials Act
The Corruption of Foreign Public Officials Act (CFPOA) saw virtually no enforcement in its first ten years (since 1999). The act was amended in 2013 by the Fighting Foreign Corruption Act in an effort to improve poor enforcement. Among the amendments was expanded jurisdiction, to include prosecution of Canadian individuals and companies, regardless of where the activity took place. A provision to address accurate books and records was also added. The amendment also increased criminal penalties and gave notice that the facilitation payments exception was being eliminated, but no effective date was placed on the change to the facilitation payments portion of the law. In addition, the law removed the “for-profit” restriction and gave the Royal Canadian Mounted Police the exclusive right to charge violations of the CFPOA.
These amendments largely brought the CFPOA in line with the FCPA and the UK Bribery Act. Canada has been increasing active investigations and prosecutions with many cases under investigation since the amendment.
Anti-Corruption Anti-Bribery Programs
Understanding and staying up to date on the FCPA, UK Bribery Act, Brazil’s Clean Company Act, and other global anti-bribery and anti-corruption laws and enforcement activities sets the stage for the next step—creating and implementing an organizational program that effectively (1) assesses risk, (2) detects and prevents instances of bribery and corrupt schemes in the company, and (3) puts the organization in the best position possible if and when it becomes the focus of an investigation. The following is a discussion of the elements usually seen and expected to be present in a robust and effective anti-bribery/anti-corruption program. Many of these learnings come from the experiences of companies that have gone through difficult enforcement proceedings and have had to examine how to effectively repair the breaches in their companies in order to prevent future problems. No company is immune to these issues since the global economy and new global interactions among companies, countries, and a variety of cultural differences are constantly adding new experiences in this risk area.
Program Oversight and Framework
While bribery/corruption is one of various risk areas in an ethics and compliance program, it requires some extra focus regarding the normal framework of an overall ethics and compliance program. Because violations usually involve high levels within an organization and because of the strong enforcement focus, the board of directors and upper management must understand the nature of the risk and be knowledgeable about the company’s policies and program regarding the risk. This means that they should not only be trained themselves on the substance of the risk, but they should be very familiar with the anti-bribery program and its effectiveness. Reports should be made to them on a regular basis, and top leadership should be involved in some of the processes that require a decision on which third parties to hire in high-risk areas and regarding high-risk positions from an anti-bribery standpoint. Both the board and top management will be held accountable for making sure that sufficient resources are devoted to the anti-bribery program and whether consistent and sufficient discipline is given. As stated by Leslie Caldwell in May 2015 at the Compliance Week conference, the DOJ expects to see the following indicators from the board and senior management:[10]
- “A company must ensure that its senior leaders provide strong, explicit and visible support for its corporate compliance policies. Corporate management must enforce compliance policies, not tacitly encourage or pressure employees to engage in misconduct to achieve business objectives.
- “We look not just at the written policies, but to other messages otherwise conveyed to employees, including through in-person meetings, emails, telephone calls, incentives/bonuses, etc.; and will make a determination regarding whether the company meaningfully stressed compliance or, when faced with a conflict between compliance and profits, encouraged employees to choose profits.
- “Senior executives should be responsible for the implementation and oversight of compliance. Those executives should have authority to report directly to independent monitoring bodies—for example, internal auditors or the board of directors.”
In addition to the genuine support of top management, in a global organization, a program should also have visible support through its operational regions, including provision of regional or local ethics and compliance officers and/or strong accountability by local management. Local employees and management can best understand and see on a daily basis the customs and local decisions and actions that might relate adversely to an anti-bribery program. Local management is also responsible for setting the tone and culture at their location and having a person with an ethics and compliance responsibility on-site. That individual needs to be included in key decision-making as part of setting that operational dynamic. Much of the hard work of a strong anti-bribery program is educating local management around the world and making sure they have the support of a strong corporate culture, resources, and understanding to answer questions and give advice correctly.
The anti-bribery program also calls for a close relationship with the local or regional auditors and sourcing/purchasing employees who bring additional skills and knowledge. These relationships are key to spotting problems and potential red flags regarding bribery and corruption. These two positions should figure prominently in the framework of the anti-bribery program.
Finally, creation of a written strategy for the program and record keeping of all elements of the anti-bribery program is essential from the very beginning. In dealing with the DOJ, for example, one could expect to hear that if there is no record of the actions of the program, “they didn’t happen.” Evidence for enforcement, though, is not the only reason. Good records help the compliance officer and staff examine the program to determine whether it is effective. Decide early on what records to keep and how. Make sure that all records of the program are kept in a safe and secure place with knowledge of who has access. Ensure that you also have written descriptions of the processes and procedures used to implement the program elements. Make sure that someone is given responsibility for the proper recording of the program. It is a best practice to keep a record of the program electronically and as a hard copy, or at least in a way through which hard copies can be quickly produced.
The more independent the chief compliance and ethics officer (CECO) and their organization are, the better—especially for this risk area. Many of the bribery situations occur at high levels in the organization, and they are more likely to be detected and reported if the ethics and compliance organization is at a high level and can easily report directly to the board of directors when needed. You will find that most companies that have had anti-bribery enforcement issues end up changing the role of the CECO so that it is higher and more independent in the overall corporate structure.
Risk Assessment
Every organization should include the bribery/corruption risk as it conducts its regular ethics and compliance risk assessment. During that process, there are specific factors to consider and analyze when doing a deep-dive look at this particular risk. Despite a growing concern for fighting corruption, some countries’ corruption challenges are greater than others. A good vehicle for obtaining initial information about the status of the countries where you do business is the annual Corruption Perceptions Index.[11] When conducting a risk assessment, examine local risk in the regions where your company does business—especially if in the BRICs (Brazil, Russia, India, China, and South Africa)—and how the entity there does business (customers, industry, products, sales channels, etc.). Focus also on the business processes in those areas that are more likely to have a higher frequency of corrupt acts.
When reviewing the risk factors, you must research and understand how each of the business markets in which you operate is or has been susceptible to corruption. Enforcement is often targeted by industry, including enforcement examples seen in the oil and gas industry, healthcare, pharmaceuticals, and infrastructure construction. Also look at business units that depend on large public contracts or sales to government.
Regarding mergers and acquisitions, the July 2020 FCPA Guide[12] stresses the importance that a business looks at any of its joint ventures and recent mergers and acquisitions where there might not be as much oversight or where it may have absorbed employees who do not have the same culture of compliance and require additional attention and resources after integration or when working in the joint venture. A business that quickly identifies and discloses bribery following a post-merger/acquisition review can obtain benefits that it may not receive if it waits to conduct this assessment and disclosure.
There are also particular jobs within an organization that should be highly aware of the risk of corruption, such as upper management, since they are usually involved in the larger deals that a company might make. Also consider the risk posed by distributors, lobbyists, consultants, and other third parties who may not be aware or educated on anti-bribery policies or law or who may follow local practices that may be otherwise illegal and implicate your company.
Subsidiaries and remote locations of a company are places to look for potential risky activities since they are further away from headquarters and are often “running their own show.” This could be empowering from a business standpoint but deadly from a bribery standpoint, especially if they do not have the staff and resources locally to have a robust program.
One of the most important groups to focus on is the sourcing/purchasing function. This group is usually tasked with hiring third parties and purchasing services and products for the enterprise as a whole. This group may be more likely to encounter the risk of bribery since they handle large amounts of money and make decisions that can affect the monetary well-being of many vendors.
You should also analyze which jobs have the responsibility for obtaining critical licenses, government approvals, and certifications. This becomes a pressure position to be successful and might result in actions that are illegal in order to make it happen.
When evaluating your company for the severity of this risk, there are many other red flags to look for, including, but not limited to, no transparency in entertainment, expenses, and gifts; requests for false invoices; payments with petty cash; agents’ commissions higher than the market; requests from outside the country where services are performed; an agent’s close family connection to a government official; and third parties who are not qualified to perform the stated task. A more complete list of examples is included in Appendix 5-D, “Common Red Flags Indicating Heightened Potential for Corruption.”
The risks uncovered in the assessment as related to bribery and corruption are the basis on which a plan to mitigate those risks should be developed. This becomes a road map for what policies and procedures are needed, what education needs to be done, what additional staff and resources are needed, and which parts of the business need to be audited and monitored more frequently. The risk assessment should result in a prioritization of what you need to focus on in the bribery area. Be especially aware of enforcement activity in your industry.
Policies and Procedures
A company’s written policies and procedures form the core of a comprehensive anti-corruption, anti-bribery program. Having a written set of policy documents creates a framework for consistently informing employees and others of the applicable standards for compliance and sets the tone for the program. The policies, and the accompanying more detailed procedures and processes, provide guidance in the form of a ready reference for employees and affected third parties. The central feature of the anti-corruption, anti-bribery policy set must be a clear policy statement prohibiting corruption, including the payment of bribes. This strict, nonnegotiable statement may be issued in the words of the company leadership via a letter, may be a stand-alone position statement, or may be an integrated statement prominently placed within the code of business conduct. A simple but unequivocal statement might begin as follows, “As a company, we prohibit directly or indirectly offering, paying, or accepting bribes of any kind, for any purpose, in any location in the world.”
While there are several good alternatives for issuing the anti-corruption, anti-bribery policy statement, extra attention should be paid to ensure the “no bribes” principle is communicated in a way that is proven effective for the particular company or organization. Additional measures to enhance effectiveness include using clear and compelling language, translating the statement into local languages for easier understanding—including frequently asked questions and answers as well as examples—and widely circulating the statement (and policies) and making them centrally available without delay.
In addition to the statement prohibiting bribery, the company must also have a detailed corporate anti-corruption policy. The policy needs to be applicable to officers, directors, employees, agents, and other third parties. The policy will need to define bribery so that all affected parties are working from the same understanding of the issue. Bribery is not only an offering or payment of cash. Employees and others putting your company at risk must be aware that bribery can take many forms (jobs, discounts, free products, travel, entertainment, gifts, contributions, etc.), and troublesome practices can vary by region and industry. Even the nomenclature and social context for bribes will vary from region to region. Some commonly heard terms for bribes can include “gazoso,” “grease,” “good-will money,” “tea money,” “baksheesh,” “red envelope,” “refresco,” “mordida,” and countless other local names, all meaning some form of corrupt payment.
Employees and others subject to the policy should receive specific and interactive training with examples and not be left guessing about what constitutes a bribe and which behaviors are prohibited. Those with financial oversight and audit functions both locally and centrally must also be trained in detail to recognize and detect improper payments, which may masquerade as gifts, travel and expense payments, petty cash expenses, donations, marketing funds, rebates and refunds, discounts, commission, etc.
The policy must also detail specific legal requirements (stemming from the FCPA and other relevant laws) and identify the prohibited acts under those requirements. The policy should be written in language that is clear and simple, and the policy should offer examples as needed to clarify requirements. The policy also should identify red flags, state potential penalties for noncompliance, and identify where to go for help (e.g., legal department, compliance officer, or hotline).
The company must also provide specific policy guidance regarding facilitation payments. While facilitation payments are allowed under the FCPA, due to the requirements of the UK Bribery Act and local laws, they are best prohibited by company policy. If an organization determines it will allow facilitation payments, the policy should detail narrow, allowable circumstances and procedures.
Approval processes routed through the legal or compliance department should be well documented, and accurate book-keeping of the payments must be ensured.
As noted above, the payment of bribes can take many forms. To avoid the appearance of outright bribes, corrupt parties may try to conceal a bribe by offering to make payments in a variety of forms using multiple layers of third parties to obfuscate the true nature of the transaction. In creating a policy strategy for preventing bribery, a company must work with its management, financial, audit, compliance, legal groups, and others to create, audit, and enforce effective controls around these types of activities.
Company policies should set appropriate regional limits on expense amounts, require receipts, and feature compliance officer approvals. The policies should explain the risk and provide examples of how the risk may be encountered. Gifts of cash and cash equivalents should be prohibited, and allowable gifts should be of nominal value. Entertainment, events, and meals should have a well-documented legitimate business purpose, be approved by a manager, and be centrally tracked, and neither frequency nor amount should be excessive. Travel expenses for customers should be reasonable and bona fide expenditures made in connection with product demonstration, training, or another permissible purpose. Where government officials are to be involved, written preapproval by legal or compliance should be required and documented. Policy guidance on these topics may begin with language such as, “Gifts, travel, and entertainment of public officials do not constitute a bribe if made transparently and without expectation or reciprocation, as a gesture of esteem, provided that they are not prohibited by law. Gifts must be of modest value and shall not exceed the limits established by law, generally accepted local custom, or company policy.”
The specific guidance on limits and approvals would then follow.
In creating its anti-corruption and anti-bribery policy set, a company should also ensure it addresses anti-retaliation. A strong statement prohibiting such actions is needed. The statement may begin as, “The Company strictly prohibits retaliation against any person by another employee or by the Company for using available channels to seek assistance, make complaints or reports, or assist or participate in any manner in any internal investigation or other proceeding, whether internal or conducted by or on behalf of a governmental enforcement agency. Employees will not be retaliated against even if their complaints are proven unfounded by an investigation unless the employee knowingly made a false allegation or otherwise acted in bad faith. Any person who is found to have engaged in retaliation is subject to disciplinary action up to and including discharge from employment.”
Capping off the policy set, there must also be a well-documented set of internal controls addressing issues such as cash handling, petty cash, accounting and financial controls, record keeping and documentation requirements, segregation of duties, and authority and approval requirements.
Training and Communication
Effective training and communication require understanding the risks being addressed, as well as the use of a well-coordinated, strategic approach to communicate your company’s position, policies, and resources.
Delivering effective training in complex or global businesses can be a challenge, and even more so in lean times. While many companies will have training and communication programs in place, ongoing evaluation and adjustment of these programs can also lead to enhanced effectiveness. If your company has a global presence, addressing some of your challenges may lead to different answers in different regions, but careful planning will help make or increase the effectiveness of your training. Companies should avoid just putting training out there or perpetuating existing training without understanding the need and planning for maximum effectiveness.
A company can have comprehensive policies, procedures, and guidelines, but if it doesn’t effectively communicate and deliver information on those materials in a way that facilitates understanding and retention, the materials will fail to accomplish their goals and objectives.
Many ethics and compliance risk topics can be introduced and policy awareness created using online training to reach wide audiences quickly and cost effectively. Anti-corruption is a specialized area where some form of additional, live, in-person training is often considered essential to driving effectiveness. When developing and implementing your anti-corruption program, live training approaches and topics typically being covered may vary based on:
- The severity of the risk and exacerbating or mitigating factors (history of violation, etc.),
- The experience and risk profile of the attendees,
- Availability of experienced presenters or need to create supporting materials and train new presenters,
- The depth of the content and number and complexity of the scenarios and other interactive materials to be used,
- Participation of leadership and leadership messaging at the event, and
- Existence of new policies requiring more detailed initial coverage.
Content included in live anti-corruption training should address the company’s highest priority risks and educate, engage, and inspire your audiences. Topics typically covered may include:
- Leader message—tone at the top;
- FCPA, UK Bribery Act, other laws, OECD, treaties;
- Prohibited payments;
- Money laundering;
- Investigations and enforcement;
- Company/industry challenges;
- Transparency International Corruption Index where company does business;
- Policies and procedures (code of conduct, anti-corruption statement, facilitation payments, travel, gifts, entertainment, political and charitable contributions, red flags);
- Third parties’ suppliers, consultants, due diligence, contracting, payments; and
- Reporting and nonretaliation.
In creating a training plan for anti-corruption, in addition to using a variety of localized materials and delivery methods, companies should consider that language and culture affect understanding and relevance. Cultural and language differences require materials and presentations tailored to the region. Creating and using scenarios derived from real company or industry issues and risks, appropriate to the audience and region, will enhance the understanding of the topic and allow attendees to practice problem-solving. The live training event should wrap up with an interactive quiz and the opportunity to provide feedback on the event to allow for future enhancement and adjustment and to document success.
Monitoring and Auditing
Wrapped around the anti-corruption, anti-bribery program, staff, framework, and requirements is the culture of a company and its effect on the ability of employees to address concerns. Compliance program measures and controls will be even more effective when implemented in a company that has a culture of transparency. A culture that encourages and rewards employees doing the right thing and supports employees’ ability to question or challenge that which is concerning without fear of reprisal will multiply the protections of a robust compliance program.
In creating and supporting an ethical and transparent culture, companies must provide well-advertised, secure, and accessible channels for seeking help. Such measures include the creation, advertisement, and monitoring of an open-door policy and a helpline or hotlines for raising concerns and reporting violations. Once these systems are established, those who seek assistance or report wrongdoing must be protected from retaliation. Providing these outlets and ensuring that those raising concerns do not face retaliation will contribute to a culture of prevention where employees and third parties can proactively seek advice, solving concerns before they become major issues or violations.
While helplines or hotlines are relatively easy to acquire and operate either internally or via third parties, in order to provide a benefit and help a company with prevention or detection of wrongdoing, a hotline system must operate well and inspire confidence in its use. In reviewing effectiveness, some items to consider are how well the lines are staffed globally, whether toll-free access is available, how availability of the lines is communicated, whether they are getting the usage that is expected, how items are assigned once they are through the intake process, and the speed and accuracy of responses, as well as how the loop is closed with feedback to the caller.
Cultural sensitivity and appropriate implementation in accordance with local laws must also be ensured. As with other program elements, coordination of implementation with unions and other organizations representing employee interests will enhance success.
As an additional means of prevention and detection of wrongdoing, an experienced compliance and audit team must be actively engaged in home office and field activities to ensure that financial controls and policy provisions are routinely complied with and that remedial measures for violations or gaps are tracked, implemented, and rechecked.
The 2020 FCPA Guide[13] provides stronger guidance regarding a business’s opportunity to avoid prosecution if the business voluntarily and promptly discloses bribery it identifies through monitoring and auditing and provides assistance with any investigation. Similarly, this guidance places a higher burden on businesses that do not take such action.
Third-Party Risk and the Role of Due Diligence
Managing third-party relationships to mitigate ethics and compliance risks has become a priority for leading companies. Almost every business engages third parties, such as contract employees, agents, distributors, representatives, consultants, suppliers, lobbyists, etc. Businesses are increasingly entering new markets and expanding the global reach of their products and services.
To meet this growing business demand and more quickly achieve broad geographical reach, new business partnerships and relationships are continuously increasing in popularity. Initially, some companies may assume that third parties do not introduce any new legal or compliance risk to their business—that outsourcing means limiting their risks and responsibilities. Currently, use of third parties expands well beyond outsourcing and includes contracting for specialized and local products, services, and expertise, supporting faster growth and a greater impact in new markets.
Today, with more defined accountability placed on companies, the reputation of your organization, for better or worse, is often placed in the hands of these third parties. When agents and other third parties engage in misconduct or violate the law, they put your company at risk for compliance and legal violations and financial and reputational harm. The best defense a company has when a third party has violated the law on its behalf is the absence of authorization combined with the company’s well-documented best efforts to prevent and detect such misconduct.
Types of third parties that businesses commonly encounter include suppliers, vendors, distributors, resellers, consultants, industry experts, advisory services, contractors, temporary services, agents, sales representatives, marketing, intermediaries, and joint venture partners. Each third-party type and individual third party will carry unique risk, but all are able to be screened for their risk using due diligence practices and risk profiling. Risk can be mitigated through due diligence. While varying levels of diligence are appropriate for most third parties, conducting due diligence should be a priority for third-party representatives or business partners operating outside the US and interacting with government officials.
In addition to due diligence, there are other key steps that, when taken together, can help identify and reduce the risk of dealing with third parties. It may be necessary to approach these steps by committee, as several areas of responsibility likely need to be involved (in addition to compliance, participation in this approach by legal, supply chain, procurement, audit, regional managers, etc. may enhance ease of the process and reliability of the results).
Key steps for undertaking a third-party management process would include:
- Identifying third parties that are likely to present the highest risk;
- Assigning risk profiles or ratings. In creating the ratings, consider factors such as the Transparency International Corruption Perception Index of locations for business to be conducted, identifying whether there is any interaction with government, contract size, history and experience of parties, and industry concerns;
- Using due diligence and background investigative processes to mitigate risk and eliminate those third parties that present unmanageable levels of risk;
- Ensuring third parties are educated and agree to company’s ethics and compliance program standards;
- Ensuring own company staff are well trained and able to spot red flags and address them; and
- Since third parties are not your employees, all obligations related to risk with their performance obligations should be in a written contract.
Sample third-party contract topics include:
- Anti-corruption clause;
- Identification of all relevant laws related to their goods or service;
- Right to terminate for ethics or compliance violations;
- Right to audit contract for compliance with terms;
- Requirement of proper record keeping;
- Requirement of adoption, compliance, certification of your code of conduct (or their own, if it meets standards);
- Clear information on how questions or reports of violations are to be addressed (e.g., hotlines);
- Requirement of reporting on change in third-party status relevant to reputation, business ownership, legal violations, etc.;
- Identification of training and education requirements;
- Inclusion of terms in third-party contracts that require compliance and audit rights and provide for contract termination if noncompliance situations arise;
- Assurance of ongoing monitoring and requalification of third parties; and
- Continuous oversight of third-party activities and payments.
Management of third-party risk does not end with due diligence and contracting. Working with third parties requires ongoing management and continued awareness of the necessity for qualification and review of actions of the third parties and oversight of invoices and payment to third parties. Some ongoing internal responsibilities after a third party is hired include:
- Each third party must be actively managed by someone in the company;
- This person maintains the documentation on the third party and updates it when necessary;
- Degree of supervision depends on degree of risk with the third party, its tasks, and its geography;
- Audit schedule needs to be created and implemented;
- Evaluations of adherence to the contract and periodic analysis for compliance must be conducted;
- Requirement to stay current on changes in ownership and changes in the business model of third party;
- Company managers of third parties need to be monitored and evaluated on their performance of third-party management;
- Third party’s failure or success is an added responsibility of the company’s manager for that entity;
- Third parties are a necessity in today’s business world; business leaders must understand that they are not necessarily a cheaper alternative;
- The same rigor in ensuring an effective ethics and compliance program for the company applies to its third parties;
- Third parties that have effective ethics and compliance programs have a competitive advantage with their customers—they engender trust; and
- Risk assessments, due diligence processes, programs addressing and mitigating particular risks, strong contracts, and ongoing internal management and monitoring are essential.
Also note from the “Risk Assessment” section earlier the enhanced expectation in the 2020 FCPA Guide regarding mergers and acquisitions. The guide[14] clarifies that businesses should conduct proper and timely due diligence reviews following a merger or acquisition (that may not be able to be completed as thoroughly prior to the event). This is important so that the business can disclose any findings of bribery early when it can seek benefit from this disclosure that is not available later on.
Assessment and Continuous Improvement
While no one—including the government—expects that there will be no bribery or corruption failures ever in an organization, it is expected that organizations investigate failures or near failures as quickly as possible and continue to improve the program so at the least the same failures will not be repeated. Since enforcement of this risk area continues to grow and new best practices in building and maintaining a good program are being born with every new enforcement, assessment of your own program in this area should be ongoing. There are several steps needed to make sure that this happens. There should be a formal assessment or audit of the anti-bribery program on a periodic basis. While once a year might be too often, it probably should occur no less than every two years. This might be an internal or external audit and might be enterprise-wide or of certain high-risk businesses or positions. If the board is knowledgeable, it is expected that they, as well as the CECO, would want an external assessment at least every other time. An assessment would include an examination of the record of the program, audits of the policies to see whether they are up to date and are followed, interviews to see whether the employees are aware of the basics of the program and know that it exists, review of the hotline, and investigations to see whether improvements have been made.
Probably just as important as these periodic and formal assessments is a process that exists to make sure that an improvement response is made after every anti-bribery failure or near miss. The US government now places greater importance on a business’s efforts to remediate bribery misconduct; it evaluates businesses that come before regulators for bribery violations based on how well they have taken steps to correct their mistakes. Lessons should be learned from every situation and used as an educational opportunity as well as an opportunity to improve policies and procedures or whatever part of the program needs to be improved. It is important that a record is kept of the improvement and metrics showing response time so that shareholders, customers, the government, the board, and management can see a clear process of constant improvement.
A very important part of the improvement process is to not only look internally, but to look outward and see what other companies are doing. If you are in an industry with heavy anti-bribery enforcement focus, then learn from your competitors’ mistakes and learn what improvements they have made. These are probably the new standards that the government will start expecting other companies to institute. For example, there is much to learn from Siemens. While it holds the record for the largest bribery fines, it has also developed many best-in-class elements to its program based on experience.