The International Organization for Standardization (ISO) introduced a new standard for anti-bribery compliance, known as “ISO 37001,” in September. This represents a significant step toward the continued development and standardization of international anti-bribery compliance. By the end of the year, companies can obtain an independent certification from a third-party auditor, attesting to the fact that their internal compliance programs conform to ISO 37001 requirements. So is it worth your time? It depends.
Introduction to ISO 37001
ISO 37001 (also known as ISO's Anti-Bribery Management Systems Standard or “Standard”) is designed to provide standards and guidance for establishing, implementing, maintaining, reviewing and improving an anti-bribery management system. The Standard has very broad applicability and can be adopted by a wide range of organizations. In addition to large corporations, small- and medium-sized enterprises (SMEs), public- and private-sector organizations, and non-governmental organizations may want to consider the ISO Certification. The ISO does not conduct certification of its standards. Rather, companies may seek certification by hiring a third-party auditor, most preferably one that is accredited and that uses the ISO's CASCO standards, to issue an assurance that the company is compliant with ISO 37001.
The Standard includes a series of measures and controls for an organization to establish, maintain and improve its anti-bribery compliance program. The draft ISO 37001 consists of two parts: the actual text of the Standard, and an informative guidance on its use. The text has 10 sections covering requirements on the context of the organization, leadership, planning, support, operation, performance evaluation, and improvement of anti-bribery compliance. The following are some material requirements:
For U.S. companies dealing with the Foreign Corrupt Practices Act (FCPA) regularly, the content of the Standard should sound familiar because most of ISO 37001's content should already be incorporated in a U.S. company's anti-bribery compliance program following the FCPA's requirements. However, since this Standard is derived from the UK Bribery Act (which I personally consider the global standard and “best practice”), it has two major differences with the FCPA: facilitation payments and commercial bribery.
Facilitation payments, which are allowed under the FCPA, are prohibited under the ISO Standard, which is consistent with the UK Bribery Act. Under the FCPA, facilitation payments are those made to foreign officials in order to expedite or secure the performance of a routine governmental action. The FCPA explicitly states that its anti-bribery provisions shall not apply to such activity. However, ISO 37001 Annex A makes it clear that “facilitation payments … are treated as bribes for purposes of this International Standard, and therefore should be prohibited by the organization's anti-bribery management system.” Therefore, U.S. companies cannot engage in facilitation payments if they plan to apply for ISO 37001 Certification. Of course if the U.S. company is doing global business already, it is hopefully well aware of the UK Act and its prohibition on facilitation payments. Nevertheless, failure to comply with the facilitation payments prohibition under the ISO Standard cannot serve as the basis for an FCPA cause of action. The Standard in no way alters the requirements of the FCPA.
The other major difference between the ISO Standard and the FCPA is that the latter only regulates bribery of government and political party officials. Although ISO 37001 does not provide an international definition of “bribery,” the compliance standard it sets forth prohibits bribes paid to private sector actors as well. But it is important to note that, despite not being covered in the FCPA, bribes paid to private sector actors may result in violations of the accounting provisions of the FCPA. Further, bribes paid to private-sector actors may also fall within reach of other federal and state anti-bribery laws, and in the instance that a bribe is unlawful and involves any interstate or foreign travel or communication (e.g., a simple e-mail), it may be pursued under the Travel Act. Therefore, several companies have already realized the importance of tailoring anti-corruption compliance programs to cover bribes paid to private- as well as public-sector actors. However, to the extent that gaps still exist, the new ISO may provide a useful tool to aid in efforts to prevent the bribery of private sector actors, too.
Significance of the New Standard
The principal significance of ISO 37001 is that it provides an internationally applicable, detailed and more objective standard for anti-corruption compliance that goes beyond what has ever been articulated at the international level, including in the Organization for Economic Co-operation and Development's Anti-Bribery Convention. While the ISO had previously addressed anti-corruption compliance in ISO 19600, this was a Type B standard that was not capable of certification. Unlike Type B ISO standards, which provide only guidance, ISO 37001 is a Type A standard, meaning it articulates objective criteria that allow independent auditors to render a yes or no determination as to a particular company's compliance. Certification of ISO 37001 compliance by a third-party auditor can make an anti-corruption compliance program more credible. Further, and especially for companies that do not already have a robust anti-corruption compliance program, the procedures contained in ISO 37001 may serve as a blueprint.
ISO 37001 is also expected to be a significant step toward creating a uniform international anti-bribery compliance standard. By the end of September, 37 participating countries and 22 observing countries had joined the project committee for the Standard, indicating a great degree of international participation. This also means there is a greater likelihood of global acceptance as experts from different countries and sectors are contributing their thoughts and experience to the project as it continues to develop.
Moreover, the implementation of requirements in ISO 37001 may help companies to mitigate anti-corruption risks and serve as an indicator of a company's efforts to maintain a global compliance program. The ISO Standard includes anti-bribery measures that are already internationally considered to be “best practices” for minimizing corruption risk and establishing a management system that appropriately addresses anti-bribery concerns. Thus, if implemented and followed by personnel, the risk of bribery for the company will be reduced and it will serve as an assurance to management, shareholders, customers and potential investors that the company is taking steps necessary to minimize bribery risks.
Although adoption of ISO 37001 is not mandatory, companies that comply with this Standard are more likely to gain the trust of potential business partners. Also, the Standard will help legitimize businesses in countries that are known for corruption and/or inadequate anti-bribery regulations. This will further promote global expansion in regions with corruption risks. The local companies with the Certification may be considered as better partners in the local market.
Though this Standard is a milestone for the development of anti-bribery compliance, its immediate influence may be limited for the following reasons:
1. In order to ensure that the Standard is broadly applicable, the ISO applies a “reasonable and proportionate” risk-based approach to implementing compliance. This means that organizations are given discretion to implement anti-bribery measures in a manner which is reasonable and proportionate to a number of relevant factors, such as the size and structure of the organization, the locations and sectors in which it operates, and the specific bribery risks it faces. Thus, it does not offer a specific set of procedures upon which companies may rely.
2. The ISO, in order to conform to existing national laws, does not define “bribery.” Organizations have to be aware of the laws in each country where they are doing business in order to be compliant.
3. Violations of this Standard are not offenses under U.S. law, and compliance with the Standard does not constitute a defense. At most, an ISO 37001 Certification may serve as a mitigating factor to the extent that it serves as evidence that an organization made a reasonable effort to implement a satisfactory anti-bribery compliance program. So, the Standard is more of an international indicator of suggested “best practices.”
4. The actual influence of this Standard on companies' actual international anti-corruption practices is unknown. Unlike international treaties that bind their signatories, this Standard is just a set of recommended rules made by non-official representatives from different countries that have been brought together by the ISO. No teeth, as they say.
Conclusion
For U.S. companies, it is worth being aware of ISO 37001 as it is one of many efforts to further the development of a worldwide uniform anti-bribery compliance standard. However, there are no direct legal consequences from violations of the ISO Standard. Companies are still bound to the FCPA, the Travel Act, and all other applicable national, regional and international anti-bribery laws. Further, it is still unclear how much weight the Department of Justice (DOJ) and the Securities and Exchange Commission (SEC), the two government agencies charged with enforcement of the FCPA, will give to a company's independent Certification of ISO 37001 compliance in the instance of an enforcement action. That said, whether to obtain an ISO 37001 Certification depends on an organization's own needs and how the Standard is viewed in the coming years. Remember, the FCPA was signed into law in 1977. It took years for the global community to take the law seriously and follow suit. Thus, I wouldn't discount this Standard yet. I see a place for it in many parts of the world.
*****
Doreen M. Edelman is a shareholder in Baker Donelson's Washington, DC, office and co-leader of the firm's Global Business Team. She may be reached at 202-508-3460 or by email at [email protected].