As Managing Director of global business advisory firm AlixPartners, Rob Morris says he is seeing “a steady increase” in the number of companies in Asia that are taking action around preventative measures to counter bribery and corruption.
He credits the intensified enforcement of the US Foreign Corrupt Practices Act of 1977 (FCPA) and the implementation of the 2010 Bribery Act in the UK. And last year, the Dodd–Frank Wall Street Reform and Consumer Protection Act of 2010 enabled a whistleblower to win a US$104 million reward – despite being involved in a tax fraud case that resulted in his employer paying US$780 million in fines.
Morris spoke to CFO Innovation’s Cesar Bacani about the impact of the anti-bribery laws in the US and the UK on companies in Asia and what they can do to protect themselves. Excerpts:
Should companies in Asia be concerned with Dodd-Frank, FCPA and the UK Bribery Act?
I think every company in Asia should assess their own position as to how [these laws] will affect them. It’s an overly simplistic view to just basically say: ‘This is US legislation, this is UK legislation, and therefore it really doesn’t apply to us.’ At the end of the day, this could be a costly, simplistic view to take.
I think people need to look at what their situation is, where they’re based and where their stakeholders are based, and make an assessment of their position. It may well be that, at the end of that process, the conclusion is there are no implications on them. But I think people need to be making that judgment call after they have done the research.
In general, though, we can say that many companies in Asia are likely to be affected?
I would say a large number of companies would be impacted one way or another. Obviously, there are companies that have the usual exposure to both US and UK legislation by virtue of their operations, or by virtue of the fact that they employ US or UK nationals. It’s pretty irrefutable that they would be exposed to anti-bribery legislation.
But there are also situations where you have companies that supply to or act as intermediaries for US or UK companies. It’s increasingly going to be the case that US and UK companies and their stakeholders will want to know whether [their suppliers and intermediaries] actually have policies and procedures to guard against bribery and corruption.
If you want to qualify as a supplier or distributor to these companies, you have to [put these policies and procedures in place] and inform and train your employees . . . There’s no direct exposure to these anti-corruption acts, but there is most definitely an economic indirect exposure.
So if I am part of a US or UK multinational’s supply chain, they will be legally liable if I bribe someone?
That’s absolutely right. For instance, just this morning, I was talking to a distributor who distributes on behalf of multinational companies, some of which are from the US. Very much part of their own policies and procedures and their statement of conduct is that they comply with a set of standards and anti-corruption procedures, and they train their people for that.
They know that they would be under scrutiny by the US companies, by the UK companies that use them as distributors. So they themselves basically have their own code of conduct, they have their own training, and they have their own contractual template which they use to make sure that they have the necessary building blocks in place for an adequate anti-corruption procedure.
What if I am a vendor to a US MNC? Am I covered?
The exposure is less. What we’re talking about specifically are situations where companies are distributing upon your behalf. I think that’s where the principal exposure sits.
But it is still very much possible that, before selecting you as a supplier to them, the company will want to make sure that you have the necessary anti-bribery procedures in place. You may need to do this just to get on the beauty parade to supply to them.
If somebody bribes me, am I liable?
Under the FCPA, no. It’s the bribery of government officials [that is illegal]. The FCPA is still the main act that people look towards. The UK Bribery Act has been around a relatively short time and the enforcement action under this act has been very minor in nature. As yet, people are not necessarily focused on the UK Bribery Act [which covers both government and private individuals].
So under FCPA, if I receive the bribe, I will not be prosecuted, but if I give a bribe, my company will be liable?
Under the FCPA, yes, [the receiver of the bribe is not liable]. But you will have to be alert to local anti-bribery provisions. You [as the receiver of the bribe] could be liable in, say, Hong Kong and Australia.
What about the European Union? Do they have anti-bribery rules as well?
There’s a directive by the OECD [Organisation of Economic Cooperation and Development] that the OECD countries [including the US, UK, Germany, France, Japan, South Korea and Australia] signed up to in respect of implementing anti-bribery legislation. These countries are required to put on their statute books, if it’s not there already, anti-bribery legislation of a sufficient standard to meet OECD requirements.
Pretty much all of the countries have actually done that. But there has been criticism from the OECD about certain countries [failing to enforce] the statutes. It’s all very well to have these laws on the books, but if they haven’t been actually enforcing them, then what’s the point?
Australia was one of those countries. It’s got a pretty good record in terms of anti-bribery [regulations]; as a country it’s pretty well regarded for transparency and anti-bribery provisions. But they did get criticism from the OECD in respect to enforcing its laws.
And non-OECD countries? China, for example?
I think in general a number of countries around Asia have been tightening up their anti-bribery provisions. China has been active in interpreting existing law. One of the higher courts in China has come out with a statement providing further detail around certain issues of PRC anti-corruption laws.
Either you’re seeing a situation where the legal framework around anti-bribery is being put in place in countries like Malaysia and Thailand, or situations where the framework exists but the authorities are now taking pains to make sure the people understand actually what it means.
In the US, the FCPA has been on the books since 1977. We haven’t really seen active enforcement until the last ten years.
And now with Dodd-Frank and the whistleblower rewards in it, we’re going to see a lot more cases, I imagine.
Dodd-Frank covers a lot of things. It is the whistleblower provisions and the incentivisation of whistleblowers that are somewhat controversial. They can be seen as encouraging employees to go straight to the authorities instead of reporting things internally, since they have the potential of picking up the reward.
The number of reported cases has been significant [since Dodd-Frank became law in 2010]. The vast majority is in the United States, but nonetheless there is about 10% that are non US-based.
So even if you’re not an American, you are eligible for the reward?
Correct. And it’s not necessarily just FCPA. The most celebrated case under Dodd-Frank is that of the UBS employee, Bradley Birkenfeld, who picked up a nice sum of money [US$104 million], and that was not under FCPA. It was for defrauding the US tax authorities.
Even if you have been sent to jail for an issue, if your whistleblowing gives rise to a successful settlement [or a fine] amounting to at least US$1 million, which is then collected, then you’re eligible for between 10% to 30% of the amount collected. Just going back to the Birkenfeld case, he picked up US$104 million despite the fact that he was sentenced to 40 months in jail [for participating in the tax fraud].
So what will prevent someone from committing fraud, reporting it to the authorities and then collecting the reward under Dodd-Frank?
That’s a good question. At the end of the day, you can go to jail for 40 months, you actually get out of jail within about 10 months [on parole], you go home to US$104 million.
So what should companies do?
First of all, you have to look at what is your exposure. If you are a US company or if you are a UK company that is obviously right in the cross-hairs of the FCPA or the UK Bribery Act, then you need to be doing a complete risk assessment of your operations; find out how exposed you are to these pieces of legislation; where the touch points are in terms of where you have exposure; and then look at what policies and procedures you have in place and how those policies and procedures are being implemented and trained.
Then you do a gap analysis around that compared to best practice. Once you’ve done that, obviously you’ve got a map with regards to where you need to be focusing your efforts to improve your procedures, improve your documentation, improve your training and improve the ability of your people to actually blow the whistle.
One of the things around Dodd-Frank is that . . . there is that massive risk of people going directly to the authorities [instead of reporting internally] because of the incentives. Even so, a company has to be providing the best possible opportunity in allowing people the ability to report issues around fraud or around bribery.
And if you’re just part of the supply chain and otherwise only indirectly affected?
These companies need to be looking at how much business they have to do with US and UK companies, whether these companies are in highly regulated sectors like financial services, mining, oil and gas, pharmaceuticals, where the tolerance levels for graft and corruption are much lower [than in non-regulated industries].
They have to be looking at which countries they are operating in, and they need to be looking at their own legislation as well. That at the end of the day is obviously what they are exposed to. Then they have to make an assessment and make a decision around that as to what they need to do.
Is it the case that the presence of a policy and procedure guarantees that you will be let off the hook if bribery is alleged against you? Early this year, Garth Peterson, the former managing director of Morgan Stanley Real Estate Investment Division in Shanghai, pleaded guilty to bribing Chinese officials. Yet Morgan Stanley itself avoided prosecution by US authorities because they were able to show they had policies and procedures in place.
Just because you have a procedure you will be off the hook? I don’t think that’s right. In the case of Morgan Stanley, it wasn’t just the fact that they had a whistleblower procedure that got them off the hook. It’s because they had very robust anti-corruption policies and procedures.
Having hotlines, having independent people at the end of those hotlines, having a well-established procedure to investigate whistleblower allegations to determine how serious they are and what steps need to be done to investigate them – these will certainly act in your favour.
But they are just part of what the UK Bribery Act calls ‘adequate procedures’ that you have to have in place.
Not everybody needs to do all of these to the same high level, right? Not everyone needs to buy an elephant gun.
I wish they did, then we’d get a lot more business, but no, not everybody does. The UK Bribery Act actually acknowledges that. It says, in terms of adequate procedures, that they have to be proportional to the risks that you face.
You have to be making a decision as to what sort of procedures you have to put in place based on an assessment, based on knowledge. Companies cannot ignore [the various anti-corruption initiatives], but they can take a measured assessment of what risks they actually face and then they can tailor their response accordingly.
So what would be the minimum response?
I would say the minimum response would be more of policy and procedure, such as putting into your contractual documentation – not just vendor and supplier but also employment – the fact that you are a zero-tolerance company for bribery and corruption, and that if you transgress this, you will be duly punished.
I think this sort of legalistic approach is the starting point, the bare minimum.
Then as you step up the ladder [of exposure], then you get into the whole basis of how you set up your policies and procedures, setting up whistleblower hotlines, setting up either internal audit or compliance type review of these processes, and putting in place the necessary remedial and disciplinary actions when you find that something has gone wrong.