Shall we get certified?

SEA View, Article XI: July 2020

Our Investigations practice in Shanghai regularly pores over compliance systems in China, but with an atmosphere of increased local enforcement coupled with customary U.S. regulatory inspection, is certification a shortcut to effective compliance?

Introduction

U.S. law enforcement usually hogs the headlines for its focus on multiple Chinese state-owned businesses and reports of alleged Foreign Corrupt Practices Act (FCPA) violations. What's often missed is the increasing action taken by the Chinese government. The Chinese government is emboldened in combating bribery misconduct, not only by Chinese companies but also by multinationals with a presence in China.

The infamous GlaxoSmithKline (GSK) bribery scandal was first investigated by the Chinese government and tried in 2014. British pharmaceutical company GSK was convicted of bribery and fined US$490 million for paying bribes to doctors and hospitals to promote its products. The U.S. Securities and Exchange Commission subsequently initiated its own investigation and settled with GSK for a US$20 million civil penalty in 2016. The United Kingdom Serious Fraud Office also initiated a criminal investigation in May 2014, but this was officially ended in 2019 with no result.

According to data from the China Judgements Online website, the number of annual anti-bribery criminal judgments against companies has increased from 500 to over 1,000. We think that local enforcement creates an opportunity for Chinese companies, particularly the state-owned enterprises (SOEs), to become compliant and to focus on creating their own compliance systems.

This may read as nothing new

In 2016, the State-Owned Assets Supervision and Administration Commission (SASAC), the government function that manages and supervises a group of the largest Chinese SOEs, selected five of them as pilot companies to establish compliance management systems. These five pilot companies were: China Merchants Group, China National Petroleum Corp., China Mobile Communications Group, China Railway Group, and China Dongfang Electric Corp. Many of them issued anti-bribery or compliance handbooks and created headcount for compliance support roles.

Later, at the end of 2018, SASAC issued the Guidelines for Central Enterprise Compliance Management (Trial) to emphasize the importance of compliance within the economy. SASAC proclaimed that central SOEs shall speed up the establishment and improvement of compliance systems. Since then, eight local governments in Shanghai, Chongqing, Jiangsu, Shandong, Inner Mongolia, Tianjin, Hebei, and Guangdong have also issued compliance guidance for SOEs under their supervision.

So, how to improve…international certification anyone?

If you're reading this, you're likely aware of the International Organization for Standardization (ISO). ISO in its unabbreviated form spells out its purpose. This international standard-setting body sets various standards that act as a benchmark of a company's commitment to various measures, for example, from supply chain to information security and from medical equipment to risk management. ISO 19600 and ISO 37001 are the applicable standards that animate those in the bribery and corruption space. GB/T 35770, a local Chinese variant of ISO 19600, has emerged too.

ISO 37001 is the first certifiable international standard that can be used by any organization, in the private or public sector; it is industry-neutral and can be adapted based on the nature of the company and its own bribery risk. China International Marine Containers (Group) Ltd. – Tianda Airport Support Ltd. was the first Chinese company to be awarded ISO 37001 Anti-Bribery Management System certification, in late 2017.

ISO guidance and similar Chinese standards on establishing a compliance system

ISO currently has two standards relating to compliance: ISO 19600 and ISO 37001. ISO 19600, released in 2014, offers general guidelines on what is required to build a compliance management system from the perspectives of context of the organization, leadership, planning, support, operation, performance evaluation, and improvement. It has been dwarfed by its younger sibling.

ISO 37001, released in 2016, provides comparatively more detailed requirements for an anti-bribery management system, with additional good practices on how to implement these requirements in, for example, due diligence, financial controls, gifts, and hospitality.

Unlike ISO 19600, which is a recommendatory standard, ISO 37001 contains compulsory requirements that can be verified and certified. Since ISO 37001 is applicable to all kinds of private and public entities as well as nonprofit organizations, all of them can seek to be certified to ISO 37001 by an independent external auditor that is recognized by a certification body. Once certified, an entity must undergo an annual review in order to maintain the certification.

ISO is currently in the process of revising ISO 19600 into ISO 37301, a certifiable compliance management system following the successful example of ISO 37001; it is expected to be released around late 2020 or early 2021.

The Standardization Administration of China, together with the General Administration of Quality Supervision, Inspection, and Quarantine of China (reorganized as the State Administration of Market Regulation in 2018), also released its own GB/T 35770, guidelines on compliance management systems, in 2017. GB/T 35770 is drafted based on ISO 19600, but is certifiable only for companies that are registered in China with a minimum business registration period of three years.

These are not the only certifications possible, but attaining a fast-track or less stringent certification is only as worthwhile as the certifying body.

So should we get certified?

Generally speaking, the standards discussed above all provide some useful guidance on how companies can build a compliance system. As mentioned above, the ISO standards are not isolated recommendations for the structural designs that organizations can implement. Without listing the numerous advantages, there is a business rationale and a legal rationale.

On one hand, companies are now alert to losses that might be incurred by internal compliance risks, such as employee embezzlement and overpayment caused by collusion between employees and third-party vendors. Establishing a compliance system will help companies create a more compliant business culture and strengthen internal management.

On the other hand, Chinese SOEs and private companies that are eager to get certified often have a practical reason: their business principals want to use the certification as proof of the establishment of compliance systems and then use it as a defense against personal liability in FCPA and Chinese anti-bribery and corruption related investigations.

However, establishing a compliance system that meets the requirements set forth in these standards is only the first step; the key is how to implement one that can effectively prevent and detect compliance misconduct in order to reduce business and legal risk. Despite the annual review or ongoing monitoring that must be conducted for a company to maintain the certification, there is no guarantee that the company is implementing its compliance system effectively. One client asked us to "eliminate" risk. Sadly, that is never possible. An isolated act by a rogue employee is always possible, no matter the gold standard of a compliance system. We see exceptional compliance policies involving risk assessments, accessible policies localized to local and global operations, regular and interesting training with monitoring, and ad hoc spot checks, and yet they can still fall foul of noncompliance. However, they are primed to have sustainable business operations, unlike entities that ignore compliance or believe bribery is just the way of doing business.

In fact, many companies that have attained ISO standards have had high-profile bribery scandals. What we counsel is that companies work to implement best practices, make use of the numerous useful anticorruption guidance documents, such as A Resource Guide to the U.S. Foreign Corrupt Practices Act and Evaluation of Corporate Compliance Programs released by the U.S. Department of Justice, and seek professional advice from anti-corruption practitioners on monitoring and evaluating their compliance systems. We will not eliminate risk, but we will dramatically reduce it.

Because certifications to ISO 37001 and GB/T 35770 are comparatively new to the anti-corruption regime, it is unclear whether law enforcement agencies in China and other jurisdictions would recognize them as a defense for anti-corruption violations. At present, People's Republic of China laws do not explicitly allow maintaining an effective compliance system to be a defense for bribery. One could argue that the certification serves as evidence in distinguishing whether the misconduct was committed by an individual employee or organized at company management level, and is therefore a useful defense for corporate crime. Whilst the effectiveness of such a defense is yet to be observed, and certification is not the only route to good compliance, having the conversation and implementing effective ethical business practices will be persuasive to any regulator, Chinese or overseas.

 

Authored by Phoebe Yan, Samon Sun, and Lucy Lu.

 

 

SEA View

Since April 2019, our monthly periodical has featured investigation, compliance, and regulatory developments in Southeast Asia (SEA). For a 12-month period, one monthly article will showcase our insights on particular developments in the region, liaising with our extensive global network. We draw on the firm's market-leading practices, including our assembled Global Regulatory team, to lead clients' businesses through challenges encountered in and out of SEA. SEA View is horizon spotting in practice.

Find our previous insights here.
