What are the Common Areas in Which ABC Compliance Programmes Should Be Enhanced?


Post By: Andrew Reeves (Partner, London), Wilson Ang (Partner, Singapore) and Stuart Neely (Counsel, London), Norton Rose Fulbright

We recently carried out a global survey on anti-bribery and corruption (ABC) compliance programmes to mark ten years since the UK Bribery Act came into force. We wanted to understand how companies’ ABC compliance programmes have developed in light of increasing expectations of stakeholders including law enforcement agencies and regulators in the US, UK, France and many other jurisdictions.

So What Did We Learn?

There were plenty of positives. Notably, many companies reported that they have developed their ABC compliance programmes significantly in recent years, in line with evolving regulatory guidance (and increased enforcement) in relation to ABC across the globe.

It is clear from the survey responses that many companies have implemented relatively mature ABC programmes covering the key components required, including risk assessments, policies and procedures, training, due diligence, and monitoring.

We identified three key areas in which many companies could consider enhancements, both to make their compliance programmes more effective and to address authorities’ expectations.

  1. Oversight of Third Parties and Subsidiaries/Joint Ventures

Over half of respondents said that there was only a small or limited degree of ABC compliance oversight of JVs and subsidiaries. This is an important area in which enhancements should be considered because the actions of subsidiaries and JVs give rise to a significant proportion of bribery cases globally. While some compliance programmes are more ‘centralised’ than others given the nature of the company or corporate group in question, it is important that there is some degree of central oversight and management of ABC risks across the entire group. The parameters of when a parent company can be liable for the acts of JVs or subsidiaries in different jurisdictions are often misunderstood. At least without proper oversight, a decentralised compliance system across a multinational group may increase the risks, particularly if the parent exercises some operational control over its subsidiaries.

Surprisingly, only a third of respondents indicated that ongoing monitoring of third parties is conducted on a regular basis (although we often come across M&A targets who only put in place third party due diligence/monitoring in preparation for acquisition). While less frequent monitoring may be appropriate for lower risk third parties, regular monitoring is crucial for medium and high risk third parties (and it is well known that a significant number of ABC enforcement actions involve third parties). The importance of regular monitoring is also borne out by many respondents having indicated that ongoing third party monitoring is a key area resulting in the identification of ABC issues. Companies that fail to carry out such monitoring will not identify such issues, at least at an early stage, which in turn means they will not be remediated and may become systemic.

  2. Post-Acquisition Due Diligence

Only one third of respondents conduct any form of regular or scheduled post-acquisition due diligence reviews following acquisitions or JVs. We were not surprised: while most companies are alive to the need to conduct pre-acquisition due diligence, in our experience far fewer conduct post-acquisition due diligence and properly integrate the new business. This is quite often because momentum is lost once the deal has been completed, and priorities shift towards commercial integration.

Post-acquisition due diligence is crucial: companies need to get ‘under the hood’ of newly acquired subsidiaries and JVs to ensure that ABC risks are being managed appropriately, and any issues can be remediated quickly. This is even more crucial where the pre-acquisition due diligence process has been constrained by regulatory restrictions, limited disclosure or the nature of the deal (e.g. where the target is a public company). Many bribery investigations start in subsidiaries acquired previously that have not been properly integrated. Successor liability risk under the FCPA is well-documented. Under the UK Bribery Act, the longer any bribery issues remain latent in an acquired subsidiary, the more likely that liability will accrue to its new parent (where the subsidiary has become an ‘associated person’). Related issues arise in terms of money-laundering and dealing in ‘tainted profits’.

  3. Deployment of ABC Compliance Resources in Line with ABC Risks

Based on the responses to the survey, it appears many companies are only halfway towards a risk-based compliance programme: while many companies conduct risk assessments, a significant number are not able to demonstrate that they deploy their resources (financial and human) in response to that risk assessment. This is a key concern for two reasons. Most importantly, deploying compliance resources in a manner which is proportionate to identified risks ensures that the resources are used efficiently in order to prevent ABC issues occurring. In addition, authorities across the world expect to see a risk-based approach when considering defences or mitigation that may be applicable. This will be difficult to show if resources have not been utilised to address key risks identified by the company.

Please get in touch if you have any questions or would like to discuss further.