On 14 October 2017, the International Organization for Standardization published new standards for anti-bribery management systems. The new ISO 37001 contains measures and controls that represent global anti-corruption good practice. The standard was developed to help companies and other organisations establish, operate and improve their anti-bribery compliance programmes. Authorities are increasingly willing or even eager to prosecute corporate misconduct. They are excluding individuals from settlements with companies and are prosecuting those individuals directly. In line with the development of the ISO standard and recent enforcement trends in the US, UK and the Netherlands, it is crucial that companies implement effective anti-bribery compliance programmes. We monitor these developments closely and in this article, we summarise recent developments.

The new ISO standard

The ISO 37001 was drafted by an ISO committee composed of advisory groups from 37 countries. It is a tool, not legislation, which aims to guide both public and private sector organisations of any size on how to prevent and detect bribery. Applying the ISO standard does not guarantee that bribery won't occur at a company, nor does it shield the company from investigations or liability. Nevertheless, the new standard may be useful, for instance, in:

  • developing and improving existing anti-bribery programmes
  • enabling companies to evaluate anti-bribery programmes of business partners and target companies in M&A transactions
  • obtaining certification to demonstrate that reasonable steps are being taken to prevent bribery

To comply with ISO 37001, an organisation must meet specific requirements. We highlight a few:

  • Carry out bribery risk assessments and due diligence on projects and business associates (for example, monitor gifts, donations, etc. given by the organisation)
  • Implement anti-bribery policies, procedures and controls
  • Monitor and review compliance with the anti-bribery policy by identifying a compliance function
  • Communicate anti-corruption policies to associated persons (joint venture partners, sub-contractors, suppliers, consultants, etc.)
  • Ensure the governing body's or top management's commitment and demonstrate leadership
  • Verify that employees comply with the anti-bribery policy and provide training
  • Create reporting channels and whistleblower protection
  • Set up investigation procedures: investigate and deal appropriately with any actual or suspected bribery

Recent enforcement developments in the US

The current anti-bribery and anti-corruption (ABC) regime in the US is included in the Foreign Corrupt Practices Act (FCPA). It prohibits both legal entities and individuals from bribing public officials and from failing to keep accurate accounting records. Recent developments in anti-corruption enforcement include:

In September 2015, the Yates Memorandum was issued, outlining new standards that companies must follow before they are eligible to enter into a settlement (see also In context October 2015). Companies that want to receive credit for cooperating with the authorities need to hand over all relevant facts on individuals involved in the misconduct, regardless of their position at the company. This information should be provided before a settlement is reached.

In April 2016, the DOJ announced an enhanced strategy for FCPA enforcement, including a one-year pilot (see also the In context May 2016). The Akamai and Nortek, Inc settlements were among the first cases in which the DOJ publicly acknowledged its decision not to prosecute under the FCPA Pilot programme. And recently on 29 September 2016, the DOJ released two letters to two Texas companies that will not be prosecuted for violating the FCPA, but will each have to disgorge all profits they made from the alleged bribery. Both Texas companies allegedly paid bribes in Venezuela and China which generated profits of USD 2.7 million and USD 335,000 respectively. However, the DOJ closed its investigations into the two companies because of several factors, including: timely and voluntary self-disclosure of the violations, thorough and comprehensive global investigations of the violations, and enhancement of compliance programmes and internal accounting controls.

Monetary incentives were introduced in the US for individuals who report securities law violations under the SEC Whistleblowing Programme. In line with this, the SEC Office of the Whistleblower published a "risk alert" on 24 October 2016 in connection with Section 21F-17 of the Dodd-Frank Act (Securities Whistleblower Incentives and Protection). According to the risk alert, recent enforcement actions had identified certain provisions of confidentiality or other agreements that prevented employees and former employees from communicating with the SEC about possible securities law violations (see also In context May 2015). This potentially chilling effect can be especially pronounced when documents (for example, severance agreements) provide that an employee may forfeit all benefits if he or she violates any terms of the agreement. The SEC is currently reviewing a variety of documents (compliance manuals, codes of ethics, employment agreements and severance agreements) to assess whether these documents contain provisions that could stifle whistleblower activity. By issuing its risk alert, the SEC is advising companies (registrants) to evaluate whether their compliance manuals, codes of ethics, employment agreements, severance agreements, and other documents comply with Rule 21F-17. They should make sure that the language, although serving a legitimate purpose, does not impede communication in a way that frustrates the purpose of the whistleblower provisions of the Securities Exchange Act. After all, as the Act states: "No person may take any action to impede an individual from communicating directly with the Commission staff about a possible securities law violation, including enforcing, or threatening to enforce, a confidentiality agreement [...] with respect to such communications."

Recent enforcement in the United Kingdom

The UK Bribery Act criminalises both active and passive bribery, and covers both public and commercial organisations.

In November 2015, the first ever Deferred Prosecution Agreement and the first offence investigated under the UK Bribery Act between the Serious Fraud Office and Standard Bank was announced. In February 2016, the first UK Bribery Act conviction for foreign corruption took place. Bribes had been paid to win a contract in Dubai. The company admitted guilt and was fined GBP 2.25 million. The SFO director stated: "Acts of bribery by UK companies significantly damage this country's commercial reputation. This conviction and punishment, the SFO's first under section 7 of the Bribery Act, sends a strong message that UK companies must take full responsibility for the actions of their employees and in their commercial activities act in accordance with the law." In July 2016, the second Deferred Prosecution Agreement for a corporate offence was announced. The charges related to a number of company employees and agents involved in offering and paying bribes to secure contracts in foreign jurisdictions.

In October 2016, the UK Financial Conduct Authority sanctioned Sonali Bank (UK) Limited and its former compliance officer after failures in the anti-money laundering system. Sonali is the biggest bank in Bangladesh with three UK branches, in London, Birmingham and Bradford. The bank's former compliance officer was fined GBP 17,900 (about USD 22,000) and banned from AML or other compliance oversight functions at regulated firms. According to the FCA, it had found "serious and systemic weaknesses" at almost all levels of Sonali UK's AML program in senior management, in the money laundering reporting function, the oversight of branches and in AML policies and procedures.

Each of these enforcement developments shows the need to have good and adequate compliance in place. Failing to do so could cause severe reputational damage and high penalties.

Recent enforcement in the Netherlands

The current ABC Regime in the Netherlands is the Dutch Criminal Code, which criminalises active and passive bribery in the private sector, relating to a government official, a judge, telecommunications and during elections. Just like the FCPA and UKBA, the Dutch Criminal Code has a broad extra-territorial reach.

On 20 July 2016, the Amsterdam District Court ordered the Gibraltar-based company Takilant Ltd (Takilant) to forfeit EUR 123 million and pay a EUR 1.6 million fine. This was the first time a legal person was prosecuted for foreign corruption in the Netherlands. VimpelCom and Telia, both Netherlands-based companies, were involved. In February 2016, VimpelCom reached a settlement with the Dutch and US authorities. According to the SEC, "VimpelCom made massive revenues in Uzbekistan by paying over USD 100 million to an official with significant influence over top leaders of the Uzbek government." Investigations of Swedish, Swiss, Dutch and American authorities into Telia (formerly TeliaSonera) remain ongoing. We will share more details on the Telia case in this month's settlement in brief.

With this upcoming settlement, the Dutch authorities are boosting their record of seriously addressing foreign bribery.

Take away

These developments show how effective a compliance programme can be. Even though the new ISO 37001 standard does not release companies from liability for anti-corruption law violations and cannot be used as a defence, we advise companies to implement the specific requirements as mentioned above. Although implementation does not guarantee that bribery won't occur at your company, corruption issues are less likely to arise when a company has a compliance programme in place.
