ISO 37001 Prompts Review of FCPA-Based Anti-Corruption Policies
By Patty P. Tehrani
Lawyer and Founder of Policy Patty Toolkit
Not surprisingly, most U.S. organizations base their anti-corruption policies on the U.S. Foreign Corrupt Practices Act (“FCPA”). At first, the FCPA was designed to combat bribery by U.S. companies conducting business worldwide. Over time its reach has extended beyond just U.S. companies. With the expansion of the FCPA and anti-corruption laws coming out of other countries, organizations that operate globally must now contend with various and possibly conflicting anti-corruption requirements.
Some good news may be on its way. Last month, the International Organization for Standardization (ISO) finalized and approved ISO 37001. ISO is an international standard-setting body that issues standards that are designed to meet expectations of enforcement authorities around the world. ISO 37001 outlines requirements for anti-bribery management systems using a risk-based approach that specifies required procedures and controls. By defining global minimum requirements for such systems, the new standard should help organizations with their policies. How? Organizations can use ISO 37001 to either assess their anti-corruption policies and related programs or review existing ones to make sure they meet these new standards.
To help with this review, consider the following key points:
• What’s the purpose of ISO 37001? It was developed to help organizations establish, operate, and improve their anti-bribery compliance programs. It does this by outlining requirements and guidance for establishing, implementing, maintaining and improving an anti-bribery management system.
• Why take notice? ISO 37001 will most likely serve as the global standard for anti-bribery management systems.
• Who is subject? The requirements of ISO 37001 are intended to apply to all organizations in all sectors across all jurisdictions and cover the public, private and not-for-profit sectors. Since it is a risk-based standard, organizations can adapt the requirements based on the size, structure, location, industry, scale and complexity of their activities as well as the risks they face.
• What are the requirements? ISO 37001 outlines global practices for preventing, detecting, deterring, and remediating corruption risks. Key measures and controls include:
o anti-bribery policies and procedures communicated to employees and third parties;
o vetting and training employees;
o management and leadership commitment and support (“tone at the top”);
o risk assessments;
o third party compliance certifications, due diligence and contractual controls including termination rights;
o reporting, monitoring, investigation and whistleblower protections; and
o periodic review and improvement of anti-corruption compliance controls.
• What are the possible outcomes? ISO 37001 provides organizations with:
o a checklist for their existing anti-corruption policies or those to be established;
o context to help make more informed decisions about third parties through ISO 37001 certifications;
Note: Third parties can certify compliance with the standard in the same way they do for other ISO standards.
o potential leverage with regulators during reviews, investigations and possible enforcement actions; and
Note: It remains to be seen whether U.S. enforcement authorities will rely on ISO 37001 as a checklist to evaluate compliance programs. But organizations with anti-corruption programs that achieve ISO 37001 certification will most likely be better positioned during regulatory reviews.
o a basis to promote and strengthen brand and reputation by sending a strong message to both internal and external stakeholders about an organization’s commitment to internationally recognized anti-bribery controls and the measures it has instituted to prevent bribery.
In conclusion, make sure you review ISO 37001 against your anti-corruption policies and controls as it will most likely play an important role in the future regarding anti-corruption efforts.