international regulatory enforcement
The OECD Issues Updated Good Practice Guidance on Internal Controls, Ethics and Compliance
By Corinne Lammers, Nisa Gosselink-Ulep, Josh Christensen, and Ker Medero
On November 26, 2021, the Organisation for Economic Co-operation and Development adopted a revised Recommendation of the Council for Further Combating Bribery of Foreign Public Officials in International Business Transactions. Paul Hastings previously detailed all of the revisions, noting that the revised Recommendation includes important new guidance on enhancing anti-corruption compliance programs and internal controls. In this post, we will expand on the details of the updates to Annex II, the Good Practice Guidance on Internal Controls, Ethics and Compliance, with a focus on Section A, Good Practice Guidance for Companies (“Updated Guidance”).
- Risk Assessment: The Updated Guidance includes an expanded list of factors for evaluating foreign bribery risk. While the previous version of the guidance encouraged companies to consider their geographical and industrial sector of operation in assessing foreign bribery risks, the Updated Guidance encourages companies also to consider the “regulatory environment, potential clients and business partners, transactions with foreign governments, and the use of third parties.” With respect to regular monitoring and re-assessing these risk factors, the Updated Guidance notes that these measures can help “to determine the allocation of compliance resources” as well as ensure the effectiveness of a compliance program.
- High-Level Commitment: The Updated Guidance includes a revised good practice that, in addition to senior management, the board of directors show strong, explicit, and visible support and commitment to the compliance program. This is to ensure companies are “implementing a culture of ethics and compliance.” The Updated Guidance also adds that a company’s “clearly articulated and visible corporate policy prohibiting foreign bribery” should be “easily accessible to all employees and relevant third parties, including foreign subsidiaries, where applicable and translated as necessary.”
- Autonomy and Resources: To ensure effective oversight of a company’s compliance program, the Updated Guidance notes that authority to report matters to an independent monitoring board or the board of directors should lie with “one or more senior corporate officers, such as a senior compliance officer, with an adequate level of autonomy from management and other operational functions, resources, access to relevant sources of data, experience, qualification, and authority.”
- Policies and Procedures: The Updated Guidance expands the areas for which companies should design adequate compliance measures. The previous version listed the following areas: “gifts; hospitality, entertainment, and expenses; customer travel; political contributions; charitable donations and sponsorships; facilitation payments; and solicitation and extortion.” The Updated Guidance broadens “customer travel” to “travel, including customer travel” and adds the following: “conflicts of interest; hiring processes; risks associated with the use of intermediaries, especially those interacting with foreign public officials; and processes to respond to public calls for tender, where relevant.”
- Third Party Management: The Updated Guidance contains a list of “essential elements” to evaluate risks associated with business partners, including agents, consultants, representatives, distributors, contractors, suppliers, consortia, and joint venture partners. The Updated Guidance encourages “regular continued oversight of business partners throughout the business relationship,” not just at onboarding. The Updated Guidance also adds three new essential elements: mechanisms to ensure payment terms are appropriate; inclusion (and exercise) of audit rights; and mechanisms to address incidents of foreign bribery by business partners (e.g., contractual termination rights). In describing the importance of training on the company’s compliance program, the Updated Guidance now states that, in addition to employees at all levels of a company, “business partners” should receive training, where appropriate.
- Incentives and Disciplinary Measures; Investigation of Misconduct: The Updated Guidance recommends that companies should “incentivize,” in addition to encouraging and supporting, employee observance of the company’s ethics and compliance program “at all levels of the company including by integrating ethics and compliance in human resources processes, with a view to implementing a culture of compliance.” The Updated Guidance also contains a new section identifying specific “measures to address cases of suspected foreign bribery.” These measures include:
i. processes for identifying, investigating, and reporting the misconduct and genuinely and proactively engaging with law enforcement authorities;
ii. remediation, including inter alia, analyzing the root causes of the misconduct and addressing identified weaknesses in the company’s compliance programme or measures;
iii. appropriate and consistent disciplinary measures and procedures to address, among other things, violations, at all levels of the company, of laws against foreign bribery, and the company’s ethics and compliance programme or measures regarding foreign bribery; and
iv. appropriate communication to ensure awareness of these measures and consistent application of disciplinary procedures across the company.
The Updated Guidance also encourages companies to adopt “measures to ensure there is no retaliation against any person within the company who is instructed or pressured, including from hierarchical superiors, to engage in foreign bribery and chooses not to do so.”
Furthermore, the Updated Guidance strengthens prior recommendations relating to reporting mechanisms. Whereas the previous guidance required confidential reporting “where possible,” the Updated Guidance requires confidential reporting “and, where appropriate, anonymous reporting.” The Updated Guidance also adds that reporting procedures be “visible [and] accessible” and that reporting channels be “diversified.”
- Continuous Improvement, Periodic Testing, and Review: The Updated Guidance recommends that companies periodically “test” (not just review) their internal controls and compliance programs, “including training . . . both on a regular basis and upon specific developments.” The Updated Guidance also includes three new factors to “tak[e] into account [when evaluating] the company’s evolving risk profile.” The previous version encouraged companies to consider “relevant developments in the field and evolving international and industry standards.” The Updated Guidance supplements that guidance by encouraging companies to consider “changes in the company’s activity structure, and operating model; results of monitoring and auditing; [and] lessons learned from a company’s possible misconduct and that of other companies facing similar risks based on relevant documentation and data.”
- New Good Practices – Internal Control Systems, Mergers & Acquisitions, and External Communications: Finally, the Updated Guidance includes three new good practices for companies that did not appear in the previous guidance.
The first new good practice is using “internal control systems to identify patterns indicative of foreign bribery, including as appropriate by applying innovative technologies,” suggesting that companies should incorporate data analytics into their compliance programs.
Second, with respect to “cases of mergers and acquisitions,” the new guidance urges “comprehensive risk-based due diligence of acquisition targets; prompt incorporation of the acquired business into its internal controls and ethics and compliance programme; and training of new employees and post-acquisition audits.”
The third new good practice recommends “external communication of the company’s commitment to effective internal controls and ethics and compliance programmes.”
As described by Nicola Bonucci and Nathaniel Edmonds in their recent Client Alert, “A Revitalization of Global Anti-Corruption Enforcement: The OECD Issues New Recommendations Likely to Increase Multijurisdictional Enforcement and Spur Additional Investments in Compliance,” these changes to Annex II of the OECD Good Practice Guidance are likely unsurprising for anti-corruption compliance practitioners, and largely track previously published guidance from U.S., UK, French, and other regulators and international organizations. Collectively, this reflects a heightened awareness of the types of policies and controls that companies can put in place to prevent and detect bribery. This also signals an increased sophistication in regulators from OECD countries.
As the Good Practice Guidance serves as a benchmark of what the larger international community views as generally accepted best practices, even though it is not legally binding for companies, companies would be well served to evaluate carefully how their ethics and compliance programs compare and take steps to ensure their programs satisfy these standards for internal controls and compliance programs. Part of that evaluation should include addressing one of the key themes throughout these revisions: development and enhancement of a compliance program is an ongoing exercise, not a one-time issuance of policies and procedures that create a “paper” program. It requires continuous risk analysis and testing, ongoing monitoring of third parties, and remediation of identified gaps and weaknesses. The OECD, as well as national regulators, has made clear this message of the need for continued enhancement, dedication of resources, and a “feedback loop” that incorporates lessons learned. This consistency in messaging should be welcomed by compliance practitioners.