Demystifying Anti-Bribery Certifications 1

Over the past few weeks, we here at TRACEblog have noticed a few interesting critiques of anti-bribery certifications. Harvard Law Professor Matthew Stephenson writes on his blog that he holds “a fair amount of skepticism” regarding anti-bribery certifications and believes that they “might in some cases prove counterproductive.” As British poet William Blake once wrote, “opposition is true friendship,” and we think that the same holds true here. So, in that spirit, we’ve taken Professor’s Stephenson’s blog posting as an opportunity to address head-on some common assumptions and misunderstandings that we believe surround anti-bribery certifications.

Full disclosure at the outset: TRACE Inc., an independent compliance firm working alongside TRACE International, offers a third party compliance certification to SMEs that involves a due diligence review, analysis and approval process. The TRACE certification differs from most in that it’s confirmation of a rigorous due diligence process, rather than confirmation that a company’s program is adequate.

  1. Certifications falsely promote a definitive judgment on the adequacy of a company’s compliance program

This is probably the most common misperception that we hear at TRACE. Critics of certification programs all too often obsess over the word “certification”: how can any compliance program ever be ‘certified’?” The word seems duplicitous, adding a pretense of certainty in an uncertain world. Of course, it is universally recognized that no compliance program, no matter how sophisticated, guarantees against wrongdoing. So to those critics of anti-bribery certifications, we would suggest focusing less on the form of the word and more on the substance of the review. A certification, at least as that term is used by TRACE, is an attestation that a company has successfully completed certain discrete steps aimed at combating corruption.

Certification by TRACE does not mean that the company is problem-free. In fact, each TRACE certificate explicitly states that it is not a guarantee against past or potential wrongdoing by the certified entity or a guarantee against potential liability, and goes on to explain that a summary of any red flags identified during the TRACE certification review is included in the report. In the end, what we at TRACE are certifying is that the entity has completed a rigorous review and that no unresolvable red flags were uncovered . But risk factors vary by company. Ownership of a consulting company by the Minister of Defense, even if legal under local law, will matter more to an aerospace and defense companies than it will to a medical device company. Companies must request and read the reports in the context of all facts known to them, their business and their appetite for risk.

  1. Certifications rely on methodologies that are non-standardized and opaque

Another common misperception is that certifying organizations make up an unfettered industry. In fact, TRACE is heavily committed to efforts aimed at standardizing anti-bribery compliance certifications. We are active participants in the ISO’s efforts to create a standard to evaluate anti-bribery management systems. This is a three-year process aimed at creating a set of best practices for companies to establish systems to mitigate, identify, and handle bribery-related issues. The standard will be a central part of an eventual ISO certification regime.

What about methodology? During a TRACE certification review, the candidate is asked to provide a predefined package of information and documentation that is then verified by TRACE, to a large extent using public domain sources and PEP/Sanctioned and Denied Parties databases. The review is fact-intensive, requiring the active participation and collaboration of a candidate, and also involves an anti-bribery training component for key employees and assistance in the adoption of an appropriate Code of Conduct. And while we cannot speak with regard to other certifying organizations, TRACE has always been transparent about the methodology it uses to review entities interested in TRACEcertification. The result is not a simple pronouncement by TRACE, but a hefty report with all relevant documentation included. Below is the description of the TRACEcertification process, as described in our public, marketing material:

To complete a review successfully, you must provide responses to a comprehensive anti-bribery questionnaire and disclose the following information:

›› Detailed company information, including information on subsidiaries and affiliated entities
›› Business registrations, as applicable
›› Corporate literature or a company description
›› Beneficial ownership (except for shareholders owning less than 5% of publicly-traded companies)
›› Identification of directors and key employees
›› Curriculum vitae for owners, directors and key employees
›› Additional ownerships, directorships and employment of all owners, directors and key employees
›› Current government employment of owners, directors and key employees
›› Previous government employment of owners, directors and key employees
›› Three business references
›› One financial reference or audited financial statement

TRACEcertification involves a media search dating back ten years and denied party screening. Candidates are required to adopt a code of conduct and to complete a mandatory anti-bribery training course (administered by TRACE utilizing our online training module) as part of the certification process. TRACEcertification requires certified parties to update their verified due diligence information on an annual basis.

  1. Certifications are mistakenly aimed at seeking protection from US, UK and other state enforcement agencies, yet are not recognized by these agencies.

Another common misperception is that certifications promise a false defense against government investigators located in the US and UK. The reality, as we’ve observed, is that most certified companies are not looking for a defense from US investigators, but rather are looking for a defense against bribe-seekers, that is, the government officials who extort bribes from them.

The uncomfortable reality that we here at TRACE are trying to address is that Western-focused anti-bribery compliance is a nonfactor for the vast majority of global business transactions. In the Philippines, small and medium sized companies constitute an estimated 99% of all business. How can we reach these SMEs who are, by default, not subject to the FCPA or UK Bribery Act, yet just as vulnerable to bribery demands? The fact that SMEs are a very easy target for low level government officials seeking to supplement their incomes is rendered even worse by the fact that so little effort has been made to reach these organizations and provide them practical tools with which to defend themselves.

Conspicuous certifications backed by internationally-recognized organizations like TRACE are tangible tools that SMEs can proudly display on their websites, in their offices or on the back of their contracts — and often do — to show that they will not acquiesce to bribe demands. It is an open, public display that they are committed to responsible business dealings and provides a solid foundation (policies, training, etc.) with which to resist government graft. Certification also builds strength in numbers. It allows SME to take matters into their own hands to create a better business environment for themselves. Certifications also play an important role for those SMEs seeking a competitive advantage in their business dealings by demonstrating their commitment to commercial transparency. And while we do not, as described above, certify a company’s reputation, we do certify their successful completion of the due diligence process followed by daily screening against media and denied party lists, which itself can be an important factor for multinational companies in vetting their smaller business partners.

  1. Certification companies have a conflict of interest that prevents them from providing independent judgment regarding the adequacy of a company’s compliance program.

The thought here is that because companies pay to be certified, certifying organizations have a conflicting incentive to overlook faults in a compliance program in order to grant certification. As already mentioned above, at TRACE we do not certify the adequacy of compliance programs, but rather are certifying whether the entity has been sufficiently transparent in the due diligence process. This distinction means that the decision to certify is based on objective measures, like whether the third party has produced the requisite documentation, not on the discretion of the person reviewing the entity’s compliance program. Less discretion means less possibility of conflicting interests.

Moreover, entities seeking TRACEcertification must agree that a decision to grant or deny certification will be solely within TRACE’s discretion. TRACE does deny certification to those entities that are insufficiently transparent during the review period or fail to provide required documentation. Payments made to TRACE are non-refundable, however, regardless of the outcome of the certification. This means that TRACE has zero financial interest in the outcome of the review.

Finally, because TRACEcertification reports are typically provided to multiple companies, we believe that there is a considerable incentive to the entities undergoing the process to be scrupulous in their responses.   While it may be possible to mislead a single company about ownership or past misconduct, more eyes on the report mean a greater likelihood of being caught, — and so of having the certification revoked.

And so, while we at TRACE hold Professor Stephenson in high regard, we would respectfully point out that in this instance he is wrong. We see TRACE’s anti-bribery certification program as an exciting new way to include small and medium sized businesses in the anti-bribery discussion. These are companies that might otherwise have no other resources to build a compliance program on their own. For those interested in finding out more about TRACEcertification, we encourage you to read a recent case study by S3 International, a Milwaukee-based repairer of military and commercial spare parts.

Research Call for Case Studies to Advance Third Party Due Diligence Reply

Until now, if ten companies all work with the same ten distributors, these relationships generated a total of 100 due diligence reports.   Each company paid ten times and each distributor completed ten labor-intensive reviews.   This has become ruinously expensive and very slow, all without enhancing the protection to any party.

TRACE is changing the way the business community approaches third party due diligence.   Our new model shifts the expense to the intermediaries, but relieves them of duplicative demands from different companies.  Third parties are required to complete only one process per year, which includes an extensive questionnaire, online training, collection of business registrations, adoption of a code of conduct and ongoing daily media and denied party screening.

These due diligence reports are completed to the same exceptionally high standard as TRACE’s other due diligence reports, but they are “portable”.   That is, they are owned by the third party, which can – after our rigorous review, verification and approval –provide the report to as many companies as they choose and advertise the fact of their certification on their websites.  (Their control over the distribution of the report also enables companies to avoid data privacy concerns about the transmission of personal data across borders.)


Biggest Compliance Stories for July 2014 Reply

Take a moment to read our poll and vote for which headline you think was most newsworthy this month:

  1. UK’s Serious Fraud Office Charges Alstom Network UK with Corruption: The investigation, which commenced as a result of information provided to the SFO by the Office of the Attorney General in Switzerland, concerns large transport projects in India, Poland and Tunisia in the early 2000s. None of the charges fall, however, under the UK’s 2010 Bribery Act.
  1. China Launches Formal Investigation of Zhou Yongkang for Graft: China put an end to years of speculation when it brought charges this month against Mr. Zhou, who was formerly in charge of the country’s entire state security, courts, police and paramilitary forces until retiring two years ago.
  1. U.S.-based Firearms Manufacturer to Pay $2 million to Settle SEC Corruption Charges: Smith & Wesson Holding Corporation agreed to pay $2 million to the U.S. Securities and Exchange Commission to settle charges that it violated the U.S. Foreign Corrupt Practices Act, after last month receiving a declination from the U.S. Department of Justice for its role in the Africa Sting Operation.
  1. U.S. Corruption Trial of Former Virginia Governor Bob McDonnell Begins: McDonnell and his wife were indicted in January on federal corruption charges following a months-long federal investigation into gifts McDonnell received from a political donor.  The former Governor has adopted a unique defense strategy, claiming that his marriage was too unhappy and disjointed for either partner to have conspired with the other to accept bribes.
  1. More Whistleblowers Come Forth in GSK Bribery Investigation: Starting in China, bribery claims against British drug maker GlaxoSmithKline have surfaced in other countries as well over the past year, including Poland, Iraq, Jordan and Lebanon. This month, allegations emerged that the company paid bribes to Syrian doctors, dentists, pharmacists and government officials to win tenders and to obtain improper business advantages.


A Royal Mess, Pt. 2: Non-Profits, Charitable Contributions and the FCPA 1

In our previous post, we discussed the ongoing corruption case against Princess Cristina of Spain and her husband, Duke Iñaki Urdungarin. Urdangarin, a former

[Courtesy of Flickr]

[Courtesy of Flickr]

Olympian, is accused of using his position to skim money from government contracts.  Princess Cristina, for her part, has been charged with tax fraud and money laundering.

Look past the headlines and you will see a risky scenario faced by many companies doing business abroad: contributing to foreign charities. The organization at the center of the Spanish case, Instituto Nóos, is a not-for-profit organization with extensive ties to public officials – including Spain’s Royal Family. Allegedly, Urdungarin channeled funds from corporations bidding on government contracts through the non-profit.  Charities and not-for-profits with connections to public officials raise significant concerns under the U.S. Foreign Corrupt Practices Act (FCPA), as donations to these organizations can be used to buy influence – for example, by funneling funds or donating to an officials’ favorite charity or cause.

Key Cases

The cases of Schering-Plough and Eli Lilly show that the risk of a FCPA violation is not limited to charities that funnel money to public officials, but extends to bona fide, legitimate charities as well. Both companies, while negotiating product sales with Polish government officials, made donations to the Chudow Castle Foundation, allegedly at the request of the foundation’s founder and president, who was also the Director of the Silesian Health Fund and in a position to influence the negotiations. The SEC alleged that the donations had been made to influence the public official and win contracts.

As detailed in the SEC’s complaint, Schering-Plough donated approximately USD 76,000 and notably lacked a policy requiring due diligence of charitable entities. In 2004, in an agreement with the SEC, Schering-Plough agreed to increase their due diligence efforts and pay a USD 500,000 civil penalty for their actions. According to the SEC Complaint regarding Eli Lilly, the company donated USD 39,000 and failed to properly oversee and investigate the relationship between the foundation, the negotiations, and the contributions. It’s notable, however, that in both cases it was not alleged that any money was transferred to the public official, or that the non-profit was illegitimate. Rather, the donations allegedly violated the FCPA because they were made to influence an official by donating to a cause the official was associated with and apparently cared about.

How Companies Can Protect Themselves

There are several practices companies can employ to protect themselves from the risk of violating the FCPA while making charitable donations.  As outlined in More…