Are you willing to be ISO 37001 certified?

Friday 29 October 2021

Emmanuel Moyne
Bougartchev Moyne Associés AARPI, Paris

Nathan Morin
Bougartchev Moyne Associés AARPI, Paris

The ISO 37001 standard for implementing an ‘Anti-Bribery Management System’ is increasing in popularity. As an internationally recognised tool for the prevention and detection of corruption, as well as the large disparity of applicable legislation in the fight against bribery, ISO 37001 provides a real solution for multinationals wanting to comply with the highest standards in the countries where they operate. It is, without doubt, a guarantee of ethics, which explains why an increasing number of companies choose to be certified by this standard. Nevertheless, although ISO 37001 certification is a commitment, it does not constitute ‘a blank cheque’ when it comes to dealing with administrative and legal authorities.

The drawbacks of the disparity

The huge worldwide disparity in regulations to fight corruption presents a massive disadvantage for multinational companies. Although some countries are good players in the fight against bribery, such as the United States with the US Foreign Practices Act of 1977, United Kingdom with the 2010 Bribery Act, and France through its Sapin II law of 2016, all this legislation requires from companies, directly or indirectly, is for them to have an anti-bribery system in place.

Many countries do not have similar regulations. Others do not criminalise, prosecute or hardly ever prosecute international corruption,[1] especially ‘influence peddling’.

Such a disparity is problematic in many ways. First, it goes without saying that corruption is a real problem for the global economy. In a 2016 study, the International Monetary Fund (IMF) estimated the cost of corruption at between US$1.5tn and US$2tn per year, or about two per cent of global gross domestic product (GDP).[2] On the other hand, the IMF has pointed out that countries that have succeeded in substantially curbing corruption in recent years have been rewarded with greater tax revenue as a share of GDP (eg, by 13 and six per cent in Georgia and Rwanda respectively).[3]

Second, it is problematic from a commercial standpoint, insomuch as companies established in countries which have chosen to implement strict regulations in the fight against corruption, who operate internationally, are competing unfairly with unscrupulous players subject to less stringent or even non-existent rules. Yet, it should be noted that the company evicted from a contract is the first victim of corruption.

Finally, at the organisational level, the disparity requires companies to adapt their systems to local specifications, making it difficult to set up a harmonised system at group level.

ISO 37001 certification

To be certified ISO 37001 means not only a guarantee of ethics and harmonisation, but above all, commitment. Approximately 1,000 companies have chosen ISO 37001 certification since 2016.

In the absence of common regulations, ISO 37001 puts companies, through the voluntary adoption of harmonised and internationally recognised standards, on an equal footing with their certified competitors. Such certification also gives them ethical recognition from customers, suppliers, partners and supervisory authorities.

That said, moving toward a sufficient harmonisation at international level would require more companies to comply with the standard. This would mean that an increasing number of players would make ISO 37001 certification a requirement for participation in a particular tender.

Above all, choosing ISO 37001 means complying with strict standards in terms of anti-bribery, which implies significant financial and organisational efforts in the long term.

The certification starts with an audit conducted by a certification body (such as Association Française de Normalisation or AFNOR), which will assess how the system set up by the company conforms to the ISO 37001 standard.

At the end of this audit, which can last several months, depending on the scope of the certification at the group level, the certification body will identify the system’s strong points, areas for improvement, sensitive points and minor and major non-conformities. If necessary, the company will be able to bring its system into conformity before the certification body decides whether or not to grant certification.

Obtaining certification is only the first step of a long process, as surveillance and refinement audits need to be carried out every year according to a predefined schedule. Furthermore, the certification, which has an initial duration of three years, can be withdrawn at any time if the company fails to meet its obligations. The company will then be required to publicise this withdrawal, which would of course, have severe consequences for the business.

Finally, while obtaining certification is a guarantee of the reliability of the company’s anti-bribery system, it should be noted that going beyond the law also creates obligations, so that third parties to the company could, if need be, take advantage of any failure in the said system which might be prejudicial to them.

Exemplarity is not synonymous with a blank cheque

ISO 37001 certification is a sign of worthiness, but it does not constrain the authorities in their fight against corruption, whether they are the US Department of Justice (DOJ), the US Securities and Exchange Commission (SEC), the UK Serious Fraud Office (SFO) or the French Anti-Corruption Agency (AFA).

With regard to France, Charles Duchaine, Director of the AFA, recently indicated that being ISO 37001 certified is not synonymous with a blank cheque, as the AFA remains free to control and, if necessary, to prosecute breaches of the Sapin II law with regard to ISO 37001 certified companies.

While it is true that the recommendations of this standard are close to the standards expected by the AFA, it was not designed for that purpose, so it does diverge from the Sapin II law in some respects, as interpreted by the AFA in its recommendations, dated 12 January 2021.

In this respect, it should be remembered that under the jurisprudence of the AFA’s Enforcement Committee, the structure of which is included in its new recommendations, an entity subject to the Sapin II Law ‘that decides not to implement all or part of the methods recommended in these recommendations cannot be considered a priori as not complying with the Law. However, in the event that the AFA challenges all or part of the measures taken by this organisation during an audit, it will be up to the organisation to demonstrate that the choices it has made enable it to meet the requirements of the law’.[4]

Finally, any potential areas for improvement, sensitive points and non-conformities identified by a certification body during the certification audit will undoubtedly receive special attention from the investigating authorities. This is why the launch of a certification process remains connected to the strength of the anti-bribery system to which the company commits.



[1] According to Transparency International, 19 of the 47 countries included in its recent study on international bribery, which together account for 36.5 per cent of global exports, had little or no prosecution of foreign bribery, 'Exploring Corruption, Transparency International, December 2020.

[2] IMF Annual Report 2016, ‘Corruption: Costs and Mitigation Strategies’, p116, see https://www.imf.org/external/pubs/ft/ar/2016/eng/pdf/ar16_eng.pdf, accessed 11 October 2021.

[3] IMF, ‘Curbing Corruption’, April 2019.

[4] AFA recommendations, 12 January 2021.