Structure and content of anti-corruption compliance standards and guidelines
International standards and guidelines differ significantly in structure, scope, and level of detail. There are several comprehensive standards and guidelines that provide organizations with rather detailed recommendations on designing and implementing anti-corruption/anti-bribery compliance programs. The ISO Standard 37001, the OECD Guidance, the UNODC Guide, the World Bank Group’s Guidelines, and the Wolfsberg Group’s Guidance for financial institutions should be mentioned in this regard. Many others contain only general principles and brief descriptions of key components of an anti-corruption compliance program.
In general, international standards and guidelines contain recommendations on the following components of anti-corruption compliance:
- Developing an anti-corruption compliance program, including risk assessment (risk mapping), defining applicable laws, principles and values, assessment of available resources, and communication on the anti-corruption compliance program;
- Code of Conduct;
- Anti-corruption compliance management system;
- Anti-corruption clause;
- Third party due diligence;
- Third party risk management;
- Mergers and acquisitions;
- Staff recruitment, promotion, and performance evaluation;
- Conflict of interest;
- Gifts and hospitality;
- Charitable donations and sponsorship;
- Political contributions;
- Reporting misconduct and hot lines;
- Internal investigations and addressing violations;
- Cooperation with authorities;
- Training and communication;
- Monitoring, review, and evaluation of an anti-corruption compliance program.
There are several components of anti-corruption compliance that are most developed in international and domestic standards and guidelines: risk assessment as a background for designing an anti-corruption compliance program, third party due diligence and risk management, gifts and hospitality, charitable donations and sponsorship, political contributions, and reporting misconduct.
To bring the other components to the same level of detail, additional efforts by international organizations and the professional anti-corruption community are required. Surprisingly, international standards and guidelines only mention the importance of the Code of Conduct but do not provide organizations with recommendations on the structure and content of the Code. For a long time, the same was true of conflict of interest management; the UNODC Guide was a rare exception. The ICC Guidelines on Conflicts of Interest in Enterprises, published in 2018, filled this gap. Anti-corruption compliance requirements for mergers and acquisitions are presented only in the Wolfsberg Group’s Guidance for financial institutions and in the Resource Guide to the US Foreign Corrupt Practices Act. However, general recommendations regarding due diligence and risk management are also applicable to mergers and acquisitions.
International standards and guidelines sometimes use different terminology. For example, various terms are used to define the subjects that implement anti-corruption compliance. The ISO Standard 37001 is addressed to the ‘organization.’ The OECD Guidance and the UNODC Guide use the term ‘companies.’ The Anti-Corruption Ethics and Compliance Handbook for Business published by OECD/UNODC/World Bank uses the term ‘enterprise.’
Usually, standards and guidelines use the term ‘risk assessment.’ However, some guidelines, e.g., the French Anti-Corruption Agency’s Guidelines to Help Private and Public Sector Entities Prevent and Detect Corruption, Influence Peddling, Extortion by Public Officials, Unlawful Taking of Interest, Misappropriation of Public Funds and Favoritism, use the term ‘risk mapping’ instead.
Some international standards and guidelines demonstrate a different understanding of the correlation between third party due diligence and risk management. According to the ISO Standard 37001, ‘where the organization’s bribery risk assessment has assessed a more than low bribery risk in relation to: b) planned or on-going relationships with specific categories of business associates, the organization shall assess the nature and extent of the bribery risk in relation to specific transactions, projects, activities, business associates and personnel falling within those categories. This assessment shall include any due diligence necessary to obtain sufficient information to assess the bribery risk.’ According to the WEF Guidelines, third party risk assessment and risk mitigation are parts of the due diligence process. The OECD Guidance uses the term ‘risk-based due diligence.’
There is no doubt that due diligence and risk management are closely connected. At the same time, controversial provisions in various standards and guidelines can mislead employees responsible for the relevant functions. In the author’s view, conducting risk assessment is hardly possible without at least simplified or standard due diligence. Organizations should collect reliable data first to assess the risk. Based on the risk assessment, organizations can decide whether the enhanced due diligence is required to take a decision on entering into business relationships with a potential partner, and, if necessary, develop appropriate risk mitigation measures.
The definitions proposed by NAVEX Global may be considered to identify the scope of due diligence and risk management. According to NAVEX Global, third-party risk management is the process of assessing and controlling reputational, financial, and legal risks to the organization posed by parties outside the organization. Third party due diligence is the investigative process by which a third party is reviewed to determine any potential concerns involving legal, financial or reputational risks. Due diligence is a disciplined activity that includes reviewing, monitoring, and managing communication over the entire vendor engagement life cycle.
In addition to anti-corruption compliance standards and guidelines, the FATF Standards and guidelines can be considered for risk assessment, and for designing compliance policies on third party due diligence and risk management. They contain useful recommendations on identification of beneficial owners, politically exposed persons and sources of their incomes, high risk jurisdictions, and suspicious transactions.
A hierarchical system of international standards and guidelines does not exist. Organizations may select any general international standard or guidance for certification of their compliance programs if service providers offer such an opportunity. We cannot argue that the UNODC Guide is more important than the OECD Guidance or the ISO Standard 37001.