Are your company's anti-bribery controls fit for purpose?
28 August 2024
On 29 February 2024, the Australian parliament enacted legislation which introduced a new corporate offence of failure to prevent foreign bribery. The new laws take effect from 8 September 2024. We provided an overview of the new failure to prevent foreign bribery offence in an earlier update.
Under section 70.5A of the Criminal Code, a company will be criminally liable where an 'associate' of the company (meaning its officers, employees, agents, contractors, other service providers, or other associates) has committed foreign bribery for the profit or gain of the company. The company does not need to have been involved in or to have authorised the offending conduct for it to be liable.
However, a company will have a defence if it can show that it had ‘adequate procedures’ in place to prevent the commission of foreign bribery by its associates.
Following a consultation period, on 28 August 2024 the Attorney General's Department issued final guidance on what constitutes 'adequate procedures'. Below, we provide an overview of what the guidance says about steps companies can take to ensure their anti-bribery controls are adequate. It is important to bear in mind, however, that the guidance is just that. What represents 'adequate procedures' for any given company needs to be assessed on a case-by-case basis.
The guidance adopts a principles-based approach to anti-bribery controls, rather than a checklist for companies to comply with. It includes case studies and scenarios throughout to provide practical examples of the specific topics being discussed.
The guidance is organised so that it fits under six principles that should underpin an effective anti-bribery compliance program. Each of the six principles is discussed below.
The two key factors underpinning the first principle of fostering a control environment to prevent foreign bribery are proportionality and effectiveness. In summary:
The guidance recognises that the fact that foreign bribery has occurred does not, in itself, mean that adequate procedures were not implemented. This mirrors the language in the Explanatory Memorandum on this topic, as recommended by Ashurst during the consultation process.
'Top level management' (including the executive team and board of directors) should take the lead in developing, implementing and promoting an effective anti-bribery program. The guidance stresses that small and large companies will likely take different approaches to achieving buy-in from top level management.
The guidance suggests that top level management's role:
Central to the recommendations in the guidance is having companies adopt a 'risk-based approach' to developing their anti-bribery compliance program, with three key steps:
A company should also undertake due diligence in relation to new and existing business relationships, ensuring the level of due diligence is proportionate to the risk posed by the relationship.
It is important to manage any risks identified in the due diligence process, including any risks involving non-controlled associates (such as joint venture partners or contractual counterparties) who may not have reasonable anti-bribery compliance programs in place.
Where there is a foreign bribery risk associated with a non-controlled associate, the company may consider taking measures such as:
Companies should undertake communication and training that ensures employees and other associates have a thorough understanding of their anti-bribery compliance programs and how controls are practically applied. The communication and training needs to be proportionate to the risks posed.
Internal communications about the company's anti-bribery compliance program should convey senior leadership's dedication to the program, make the program front of mind, and illustrate how it is relevant to day to day activities. The guidance also suggests creating opportunities for employees to engage in the program by holding anti-bribery meetings, online training and focus groups, and going beyond simply asking employees to acknowledge they have read and understood the anti-bribery compliance program.
External communications should convey the company's 'tone from the top', how the anti-bribery program operates and the company's expectations for its business relationships in that regard.
Relevant considerations for training include offering it in different modes (online, in person) and different languages as necessary; tailoring the training for sector-specific bribery risks for employees who work in higher risk functions like purchasing and contracting; using real-life examples relevant to the business; and ensuring that the training undergoes periodic review and is continuous. As 'associates' extends to non-controlled associates, agents, contractors and suppliers, companies need to consider whether those associates also have access to relevant training, at least for those who are considered to be at risk of foreign bribery.
The guidance recommends that companies adopt mechanisms to encourage the reporting of suspected bribery or bribery solicitation. It recognises that some companies will already have whistleblower regimes in place as required by the Corporations Act and that a whistleblower policy implemented in compliance with that Act is a sufficient confidential reporting mechanism.
The guidance otherwise describes the hallmarks of an effective reporting mechanism – that it is visible, secure, confidential and accessible to all employees (regardless of location), and that companies communicate the protections available to those who make a report, and how the company will address those reports.
The reporting mechanisms should have response systems to allow investigation of allegations of bribery. Those investigations should be 'properly scoped, objective, timely, appropriately conducted, and properly documented'. Companies should also ensure appropriate action is taken to address investigation findings.
The guidance also states that in addition to establishing adequate procedures, companies should consider voluntarily self-reporting actual or suspected incidents of foreign bribery to the Australian Federal Police.
Companies should regularly review, monitor and adjust their anti-bribery compliance programs to test their effectiveness and to adapt controls to changes in the business environment. Evaluations may need to be conducted when a company enters a new market; changes its activities; has a bribery incident; has changes to its regulatory or governance environment; or in response to employee or associate feedback.
The guidance lists a number of mechanisms for a company to consider adopting in monitoring its compliance program, including internal audit and financial control mechanisms; staff surveys; confidential and anonymous reporting channels for staff and associates to raise concerns regarding bribery risks; training feedback; expert reviews; information from industry bodies; and verification of the effectiveness of its anti-bribery program by an external provider.
If you'd like assistance in assessing whether your anti-bribery controls are fit for purpose, please get in touch.
Authors: Rani John, Partner; Phimister Dowell, Senior Associate; and Jacqui Turner, Lawyer.
The Ashurst Group comprises Ashurst LLP, Ashurst Australia and their respective affiliates (including independent local partnerships, companies or other entities) which are authorised to use the name "Ashurst" or describe themselves as being affiliated with Ashurst. Some members of the Ashurst Group are limited liability entities.
Ashurst Australia (ABN 75 304 286 095) is a general partnership constituted under the laws of the Australian Capital Territory.
Ashurst Risk Advisory Pty Ltd is a proprietary company registered in Australia and trading under ABN 74 996 309 133.
The services provided by Ashurst Risk Advisory Pty Ltd do not constitute legal services or legal advice, and are not provided by Australian legal practitioners in that capacity. The laws and regulations which govern the provision of legal services in the relevant jurisdiction do not apply to the provision of non-legal services.
For more information about the Ashurst Group, which Ashurst Group entity operates in a particular country and the services offered, please visit www.ashurst.com.
This material is current as at 28 August 2024 but does not take into account any developments after that date. It is not intended to be a comprehensive review of all developments in the law or in practice, or to cover all aspects of those referred to, and does not constitute professional advice. The information provided is general in nature, and does not take into account and is not intended to apply to any specific issues or circumstances. Readers should take independent advice. No part of this publication may be reproduced by any process without prior written permission from Ashurst. While we use reasonable skill and care in the preparation of this material, we accept no liability for use of and reliance upon it by any person.