Since the UK Bribery Act 2010 came into force in July 2011, standards and scope of anti-bribery and corruption (ABC) compliance programmes have evolved significantly in many jurisdictions.

Norton Rose Fulbright recently carried out a global survey to assess how companies’ ABC compliance programmes compare against current global best practice expectations, as documented in guidance from the US[1], UK[2], and French[3] authorities, and other bodies including the World Bank[4].

Such public guidance provides a valuable tool in setting out how compliance programmes will be assessed by the authorities, and what defences or mitigation may apply. It therefore warrants close analysis from in-house legal and compliance professionals at a time when regulators around the globe are becoming increasingly sophisticated in their scrutiny of ABC compliance programmes.

We have set out below a summary of where companies are doing well, and where enhancements may commonly be advisable.

If you have any questions, or if you would like to discuss the findings of the survey or how to put in place or test an ABC compliance programme, please do not hesitate to get in touch.

Please see here for the full results of our survey.

What are organisations doing well?

We found that some organisations have relatively mature ABC compliance programmes, including risk-based policies and procedures, tailored training and substantive due diligence. For example:

  1. 68 per cent of respondents had conducted documented ABC risk assessments within the last three years (and 51 per cent in the last 12 months);
  2. 62 per cent took a values-based approach or a combined values and rules-based approach to ABC compliance;
  3. 66 per cent of respondents noted that ABC compliance is discussed in a board sub-committee and 57 per cent of respondents monitor key compliance programme metrics as part of their senior management of ABC compliance within the overall corporate strategy.

Where can enhancements be made?

  1. Post-acquisition due diligence: only one third of respondents conduct any form of regular or scheduled post-acquisition DD reviews following acquisitions or JVs.

This bears out our experience: while most companies are alive to the need to conduct pre-acquisition due diligence, fewer go the extra step of seeking to conduct post-acquisition due diligence as part of integration once the deal has been completed.

Post-acquisition due diligence is crucial: companies need to get under the hood of newly acquired subsidiaries and new JVs to ensure that ABC risks are being managed appropriately, and any issues can be remediated quickly. Many bribery investigations start following a site visit to, or speak-up report from, a subsidiary bought years earlier that has not been properly integrated into the group. The extent to which a company can subject its newly acquired subsidiaries and JVs to appropriate scrutiny to track and remediate misconduct is indicative of the overall effectiveness of its compliance programme.[5]

  2. Oversight in relation to joint ventures and subsidiaries

Over half of respondents said that there was only a small/some degree of oversight of joint ventures (JVs) and subsidiaries in relation to ABC.

This is surprising given that the actions of subsidiaries and JVs[6] give rise to a significant proportion of bribery cases globally (for example as associated persons under the UK Bribery Act). While the degree of centralisation that is appropriate varies between corporate groups, it is important that there is sufficient oversight and management of ABC risks – many ABC issues occur a long way from “home”.

  3. 49 per cent of companies are not building into their risk assessments issues faced by their peers

Respondents said that when performing their risk assessment process they focused mainly on addressing risks relating to (i) the involvement of third parties; (ii) specific transactions; and (iii) the geographical location of their business activities.

Whilst those areas are important, an evaluation of issues facing peer organisations in similar industries and/or regions should also inform the risk assessment (and this is emphasised in the DOJ guidance[7]).

In our experience, this is crucial because many peer companies face similar issues in particular markets (see for example the issues faced by telecoms companies in a number of jurisdictions).

  4. Only half of respondents (51 per cent) could provide evidence that resources are deployed in accordance with their risk assessment

Risk-tailored resource allocation is important for two reasons.

First, and most importantly, it gives a company the best chance to ensure that its finite resources are deployed efficiently in order to make the compliance programme as effective as possible.

Second, authorities across the world expect to see a risk-based compliance programme.[8] This will be difficult to show if resources are not utilised to address key risks identified by the company.

  5. Lack of ongoing third party monitoring

Only 34 per cent of respondents indicated that ongoing monitoring of third parties is conducted on a regular (i.e. annual) basis. While we can see that for lower risk third parties less frequent monitoring may be appropriate, regular monitoring is crucial for medium and high risk third parties. This is borne out by respondents having indicated that ongoing third party monitoring is a key area resulting in the identification of instances of non-compliant behaviour in relation to ABC.

Third parties are at the heart of ABC risk; in most companies if third parties are not appropriately monitored then ABC risks will not be appropriately monitored. The DOJ expects organisations to engage in ongoing monitoring through various methods, such as updated due diligence, training, audits and/or annual compliance certifications.[9] The MOJ expects appraisals and continued monitoring of a company’s associated persons proportionate to the identified risks.[10]

[1] U.S. Department of Justice Criminal Division, “Evaluation of Corporate Compliance Programs” (Updated June 2020), https://www.justice.gov/criminal-fraud/page/file/937501/download (the DOJ Guidance).

[2] UK Ministry of Justice, “The Bribery Act 2010 Guidance about procedures which relevant commercial organisations can put into place to prevent persons associated with them from bribing”, https://www.justice.gov.uk/downloads/legislation/bribery-act-2010-guidance.pdf (the MOJ Guidance).

[3] Agence Française Anticorruption, “The French Anti-Corruption Agency Guidelines”, https://www.agence-francaise-anticorruption.gouv.fr/files/files/French%20AC%20Agency%20Guidelines%20.pdf.

[4] World Bank Group, “Summary of World Bank Group Integrity Compliance Guidelines”, https://thedocs.worldbank.org/en/doc/06476894a15cd4d6115605e0a8903f4c-0090012011/original/Summary-of-WBG-Integrity-Compliance-Guidelines.pdf.

[5] See page 9 (I. Is the Corporation’s Compliance Program Well Designed? F. Mergers and Acquisitions) of the DOJ Guidance.

[6] See further our article: Bribery and money laundering considerations for joint ventures.

[7] See “Lessons Learned” as an indicator of risk-tailoring of a corporate compliance programme, as outlined on page 3 of the DOJ Guidance.

[8] See pages 2-3 (Is the Corporation’s Compliance Program Well Designed?, A. Risk Assessment) of the DOJ Guidance; and page 7 (paragraph 5) and page 22 (Principle 1.5) of the MOJ Guidance.

[9] Pages 7-8 of the DOJ Guidance.

[10] See page 28 (Principle 4.5) of the MOJ Guidance.