Impact of UK Bribery Act, 2011 on Best Practices in Global Sourcing
The package of documents for outsourcing contracts has grown to include a copy of the customer’s “code of conduct.” The service provider contractually agrees to respect the customer’s code of conduct. Such codes of conduct pose tricky legal issues for both global business organizations and their service providers.
Such codes of conduct have immediate and compelling roots in the U.S. Sarbanes-Oxley Act of 2002. The “anti-bribery” component has roots in the U.S. Foreign Corrupt Practices Act of 1974 (“FCPA”), the United Nations’ Code of Conduct for Multinational Corporations and the OECD Convention on Combating Bribery of Public Officials in International Business Transactions. Like the U.S. FCPA, the U.K. Bribery Act, 2010, prohibits businesses from bribing foreign officials. The Bribery Act becomes effective July 1, 2011.
This article provides a brief overview of the core, generic principles of such legislation and recommends “best practices.” For enterprise customers hiring service providers, such practices should apply regardless of whether the immediate services are to be rendered outside the customer’s country. For service providers, such practices will not only facilitate getting hired, but also help avoid painful surprises.
Business Compliance Mandates. Both the FCPA and the Anti-Bribery Act make it illegal to bribe a public official. The U.K. law goes farther than the U.S. law because the U.K. law also prohibits “private-to-private” commercial bribery (such as kickbacks and undisclosed payments to gatekeepers).
Bribery. There are different definitions of “bribery.”
- Under the FCPA, it involves the “corrupt” payment (money or anything of value) to a foreign governmental official for the exercise of judgment. Illegal bribery does not include payments that are:
  - “facilitation” payments (“grease” payments) that merely accelerate governmental approval of a right to which the service provider is entitled under local law; and
  - not also illegal under foreign local law; and
  - made in good faith for “promotion, demonstration or explanation of products or services” or “execution or performance” of a contract with a foreign government.
- Under the UK Bribery Act, “bribery” offenses include:
  - “the bribery or attempted bribery” of a foreign public official to obtain business or to obtain an advantage in the conduct of business, where such an “advantage” could include any inducements to secure business or to “help” the business; and
  - the failure of a commercial organization to prevent bribes being paid by anyone “associated with” the organization, creating vicarious criminal liability for executives of UK companies for deeds of anyone performing services “for” the organization, including outsourcers, unless the business organization has adopted “adequate procedures” in a compliance program to escape strict vicarious liability for such deeds.
Bribable Persons. The Bribery Act defines a “bribable” person more broadly than the FCPA. In the US, a bribable public official must have sufficient authority to exercise discretion in the grant or denial of governmental action. In the UK, any level of public official is a bribable target.
Organizations Covered by the Laws; Extraterritoriality. Both laws cover foreign companies having a jurisdictional nexus within the UK or US borders, as applicable. Each law applies to extraterritorial conduct.
- For US purposes, the law applies to foreign companies with U.S.-listed securities. The 2010 Dodd-Frank law grants enforcement jurisdiction to the SEC and promotes whistleblowing. For monetary penalties over $1.0 million, a whistleblower can be entitled to a reward from 10% to 30% of the monetary sanctions actually recovered.
- For UK purposes, the law applies to any company that does or conducts business in the U.K., even if its securities are not listed on UK exchanges, regardless of whether that UK business has any relationship to the non-UK bribery activity.
Lobbying Expenses. The entertainment and lobbying of governmental officials raises the most difficult issues. Hospitality in one setting might be considered bribery in another.
Penalties for Business Executives. Penalties under the UK Bribery Act exceed the penalties under the FCPA. Under the Bribery Act, executives are subject to criminal (with jail time of up to 10 years) but not civil liability. Under the FCPA, the liability is either civil or criminal. The amount of organizational liability is unlimited under the Bribery Act.
Best Practices in Global Sourcing after the UK Anti-Bribery Act. The UK’s Secretary of State for Justice has issued interpretative “guidance,” but the UK’s Serious Fraud Office has announced its commitment to fully enforce the new law. Such guidance adopts best practices under FCPA and Sarbanes-Oxley. None of these laws prescribes specific tests; each starts with a culture of transparency, accountability and compliance. For the UK, such guidance includes:
- Tone at the Top: Liability of Leadership. Anti-bribery programs begin with the “tone” in the executive suite. Business executives (including the Board of Directors, officers and owners) must set that tone to assist subordinates in making appropriate decisions. A clear policy statement (Code of Conduct) must be communicated to all internal and external “resources.”
- Transparency and Enforcement. The procedures adopted by a business organization must be clear, practical, accessible, effectively implemented and enforced. This enforcement process imposes new burdens on global enterprise customers since merely adopting a Code of Conduct will not suffice.
- Risk-Assessment and Risk-Adjusted Proportional Procedures. The commercial organization should first identify the risks and then adopt anti-bribery procedures that are proportional to the risks. A balance must take into account the nature, scale and complexity of the commercial organization’s normal business operations.
- Risk Assessments – General. The risk-assessment process needs to be periodically re-done by persons having extensive understanding of the business organization’s risk profile. Risk reports are recommended. Such risk assessments should consider specific areas where bribery might be a problem. These include situations for obtaining governmental permits for new facilities, governmental certificates of compliance with local building, zoning and fire codes, obtaining new telecom circuits from governmentally owned telecom providers and other cases where “facilitation” or “grease” payments.
- Risk Assessments – Due Diligence. To mitigate bribery risks identified in the general risk assessments, the business organization must apply due diligence procedures to its internal and external resources and supply chain. It remains somewhat unclear how deep into the supply chain one must delve, since the “associated” business organization supplying goods or services may have its own issues.
- Risk Assessment – Compliance Officers. Risk assessment requires an ongoing role for a compliance officer.
- Implementation of Policies.
- Communication and Training. As with any other corporate policy, anti-bribery policies must be communicated to all employees. Periodic refresher training is suggested to update the policies and attune the employees (and external resources) to newly identified risks of bribery. As with the other forms of vigilance, the communications and training need not be exhaustive, but should be designed to be proportionate to the risks of bribery occurrences.
- Continuous Process Improvement. The business organization must engage in continuous review of the bribery risks, the anti-bribery policies and the procedures to prevent bribery by employees and others “associated with” the organization. In short, this invites a continuing dialogue with service providers, who should have answers and demonstrable programs that provide risk-adjusted assurances to the enterprise customer.
Examples of Some Best Practices. The critical path to compliance starts with steps to identify the business’s legal and social responsibilities that flow from doing business with, or in, the United States and/or the United Kingdom. These are key markets for any global services provider.
The “compliance checklist” will require policies, procedures and governance in the following areas, both for enterprise customers and for their service providers who wish to be “world class” in a world that includes serving U.S. and U.K. business organizations (or entities that are subject to such laws even if they are not based in such countries):
- Code of Conduct. “World class” companies need codes of conduct to embody the compliance component of their business mission.
- Contract Terms for the Supply Chain. Master services agreements need to include anti-bribery clauses that resonate with both US and UK laws.
- Managerial Guidelines. Bribery issues are now on a par with human resources and labor laws. Managers need effective guidelines.
- Chain of Command: Compliance Officers. World-class businesses need to designate individuals who have compliance roles for risk assessment, policy design and internal audit and enforcement. Governance models for relationship management in all sourcing contracts should reflect such roles.
- Financial Transparency and Controls. The FCPA requires companies with securities listed on the U.S. stock market to implement U.S. accounting principles. Such principles require accurate classification of payments including whether the payments are validly deductible for income tax purposes. (Under the U.S. tax code, bribes of government officials are not deductible). The FCPA’s legal requirements relating to “books and records” are easy to implement and enforce since there is no component of “criminal intent” (scienter).
- Audits of Service Providers. Remember SAS 70, Type II audits? The anti-bribery auditing business has just begun. The author and the publishers of this article can advise on how to identify and hire such new auditors, how to develop and implement effective, compliant audit programs (both for global enterprises and for world-class service providers).