INSIGHT

Understanding 'adequate procedures' – a key element in Australia's foreign bribery law reforms

By Christopher Kerrigan, James Campbell, Andrew Wilcock, Ingrid Bennett, Orian Ibraheim
Anti-bribery & AML Corporate Crime Risk & Compliance

The time to assess your company's exposure to bribery and corruption risk is now 11 min read

In the wake of the new 'failure to prevent' offence, the Commonwealth Attorney-General is required to publish guidance on the steps that can be taken to prevent an associate from bribing foreign public officials, to assist companies to implement appropriate measures to stop bribery. In this Insight, we unpack the new draft adequate procedures guidance1 and explain what you need to do to prepare for the foreign bribery reforms taking effect in early September.

Key takeaways

  • The 'failure to prevent offence' takes effect from 8 September 2024. Companies need to ensure that they have in place adequate procedures to prevent foreign bribery by associates before that date. That means it's time to consider what uplifts your company needs to make.
  • The draft guidance released by the Attorney-General's department makes it clear that a robust bribery and corruption risk assessment is the foundation on which strong anti-bribery and corruption compliance programs are built.
  • Senior management will be expected to play a key role in establishing a culture of compliance, and must be engaged with anti-bribery and corruption issues.
  • Adequate procedures to address foreign bribery risk must be proportionate and effective, and check-box compliance programs will not meet the Attorney-General's Department's expectations.

Background

In March 2024, the Federal Parliament passed the reforms to Australia's foreign bribery laws that will take effect from 8 September 2024. As discussed in our previous Insight, they include a new 'failure to prevent' offence under which Australian companies will be liable for foreign bribery committed by their associates. The offence will be one of absolute liability; however, a company will have a defence if it can show that it had adequate procedures in place to prevent the commission of the offence.

The Attorney-General's consultation draft guidance on the steps that companies can take to prevent an associate from bribing foreign public officials was released on 29 April 2024.

What are the key principles underpinning strong anti-bribery and corruption compliance systems?

Proportionality and effectiveness underpin the notion of 'adequate' anti-bribery and corruption compliance systems. 'Proportionality' means that compliance measures should be appropriate and tailored to the actual risks faced by an organisation, considering its size, nature, geographical reach and complexity of operations. Proportionality requires companies with higher foreign bribery risk to put in place more extensive measures than companies with a low-risk profile.

'Effectiveness', on the other hand, means that the implemented procedures should work in practice and not just on paper. The five primary indicators of 'effectiveness' are:

  • a robust culture of integrity within the company;
  • a clear tone from the top, including demonstrated pro-compliance conduct by senior management and boards;
  • a strong anti-bribery compliance function or functional equivalent;
  • effective risk assessment and due diligence procedures; and
  • careful and proper use of third parties, including suppliers or consultants.

What are the key features of anti-bribery and corruption compliance systems?

Responsibilities of top-level management

Top-level management in a company are expected to play a key role in the development, implementation and promotion of an anti-bribery compliance program. They are responsible for establishing and promoting an anti-bribery culture within the company, by providing leadership on policies, selecting senior managers to lead anti-bribery work, endorsing prevention publications and overseeing corruption risk assessments. They must also communicate the corporation's anti-bribery stance through visible statements and codes of conduct that emphasise integrity and zero tolerance towards corruption. Additionally, they should oversee responses to breaches of policies, promote the benefits of preventing bribery, eliminate inappropriate incentives leading to increased risk, and raise awareness about the compliance program among associates where there is a foreign bribery risk.

Risk assessment

Assessing risk is foundational to a company's anti-bribery compliance program, as understanding the risks that a company faces allows it to identify what controls need to be put in place. The ultimate aim is to target those risks that are most likely to occur and have the greatest business impact, therefore enabling resources to be directed accordingly. Conducting a risk assessment involves three main stages:

  1. Identify exposure to bribery risks based on various factors, such as the regulatory environment, sector of operation, jurisdiction, interaction with third parties and existing controls. Red flags associated with high-risk locations or sectors, dealings with foreign officials, large contracts in state-run economies and requests for political donations should be identified. Risks tied to third-party agents also need careful scrutiny. Consultations with employees and external stakeholders can provide valuable insights into specific risks.
  2. Rate the risk according to its probability and potential impact, in order to identify the company's inherent risk.
  3. Document these processes and findings. Periodic review of risk is necessary as circumstances change over time; documenting risk assessments (eg in a risk register) allows companies to revisit and reassess risk as appropriate.
Due diligence

Due diligence refers to the process of research, investigation and assessment that companies use to manage business relationships and mitigate bribery risks. Due diligence should be a continuous procedure that begins before a business relationship is established and continues throughout its duration.

The level of due diligence required should be consistent with the risks associated with each individual relationship. That is, high-risk situations may necessitate direct inquiries, background checks or consultation with experts. Relationships that may require a higher level of due diligence are those involving third-party intermediaries, instances where termination would be challenging, or cases involving mergers and acquisitions.

Communication and training

Communication and training are essential tools for a company to ensure that its employees and associates understand its anti-bribery compliance program and its practical applications. The intensity and content of both communications and training should be in proportion to the bribery risks faced.

Training should be provided to directors, managers and employees, and be required for other associates. It should cover general and sector-specific bribery risks, use relevant case studies, and undergo periodic review for contemporary relevance. Further, training ought to be adjusted according to the needs identified through risk assessments, be offered in various formats and languages, and be tailored to specific roles with higher corruption risks.

Internal communication aims to keep compliance front of mind for all employees by demonstrating management's commitment to anti-bribery measures. Companies can encourage engagement through focus groups, meetings or online training. The controls or their practical implementation should be communicated in way that is accessible for all associates – eg through handbooks, guidelines and intranet notices.

Externally communicating the anti-bribery compliance program helps convey the corporation's ethics from a top-down perspective. By publicly stating their commitment to combating foreign bribery in high-level mission statements or dedicated announcements, companies exhibit their dedication to upholding anti-bribery laws and fostering a culture of integrity.

Confidential whistleblowing reporting mechanisms

Companies regulated by the Corporations Act 2001 (Cth) must comply with whistleblower protection provisions in that Act. However, all companies should have in place an appropriate reporting mechanism. Effective reporting mechanisms are visible, secure, confidential, accessible and provide adequate protections for those making reports. Further, effective reporting mechanisms should be accompanied by systems that appropriately consider and investigate reports.

Having in place an effective reporting mechanism also allows companies to self-report suspected foreign bribery incidents. Self-reporting, while not explicitly required by the adequate procedures guidelines, would be considered by the Commonwealth Director of Public Prosecutions in determining whether a prosecution is appropriate.

Monitoring and review of compliance programs

Companies must monitor their anti-bribery compliance program over time, to ensure it remains effective. Regular review and adjustment of these programs allow companies to test their performance and adapt to changes in the business environment. Review processes could be triggered by several events, such as entering new markets, changes in corporate activities or governance, bribery incidents, or feedback from employees or associates. However, the scope and frequency of review will depend on the results of a company's risk assessments.  

Mechanisms that can aid in monitoring and reviewing the compliance program include internal audits and financial controls, staff surveys to gauge awareness of the anti-bribery program, confidential reporting channels for raising concerns about bribery risks, feedback from training sessions, periodic reviews conducted by experts that are reported to top-level management, industry information, and third-party verification or certification of the program's effectiveness.

How is the 2024 draft guidance different from the 2020 draft guidance?

As we have previously reported, failed attempts were made to reform Australia's foreign bribery laws during the last two Parliaments. In connection with the first effort, in 2020, the Attorney-General's Department released a prior version of the draft guidance for consultation. Some Australian companies have considered the 2020 draft guidance – which until now represented the Federal Government's clearest regulatory statement of its anti-bribery compliance expectations – in developing their compliance systems.

Companies that have done so should note that the 2024 Draft Guidance is generally closely aligned with the 2020 draft guidance but there are some different points of emphasis. Key among these are the following.

The 2024 draft guidance:

  • places a stronger emphasis on the importance of conducting a robust risk assessment;
  • provides more robust guidance on how anti-bribery and corruption compliance functions should be structured and resourced, and how reporting lines should operate. For instance, the 2024 guidance indicates that risk and compliance functions should have sufficient resourcing to put in place mechanisms to monitor the behaviour and compliance of senior leadership, and does not contemplate that compliance functions could be outsourced (which was a feature of the 2020 guidance). Further, the 2024 guidance indicates that top-level management (including boards) should receive regular and direct reporting from the compliance function;
  • provides greater clarity around board and senior management's respective roles in overseeing a corporation's anti-bribery and compliance function. The 2024 guidance establishes a clear expectation for top-level management to oversee a corporation's anti-bribery compliance function and for senior management to initiate conversations, which includes asking questions to promote their own knowledge. This is a clear departure from the 2020 guidance, which drew less of a distinction between the roles of top-level management (such as boards) and senior management, by giving them common responsibilities for a company's anti-bribery compliance function. By contrast, the 2024 guidance takes a more realistic review of the division of responsibilities between top-level and senior management. It gives top-level management the responsibility to set anti-bribery controls; and day-to-day responsibilities, including the design, implementation and monitoring of controls, to senior management;
  • has greater emphasis on documenting and reporting on due diligence procedures;
  • provides increased detail around training and communication; and
  • contains a significant expansion of requirements relating to whistleblowing, reporting and self-reporting procedures – even for companies not subject to the Corporations Act requirements. This may be one aspect of the draft guidance that is refined through the consultation process.

How and when will the draft guidance be finalised?

The consultation closes on 9 June 2024. We anticipate that there will not be fundamental changes to the draft guidance as a result of the consultation process. The final guidance will be released by the Attorney-General's Department later in the year.

What you should do to prepare for the foreign bribery reforms taking effect

The significance of a comprehensive risk assessment process cannot be overstated. We recommend conducting risk assessments now, to ensure you have a solid foundation to align your controls with regulatory expectations before the failure to prevent offence commences. It is important that companies critically engage with the risks they face, and review current controls to confirm they are appropriately designed, tailored to relevant risks and appropriately resourced.

A key takeaway from the draft guidance is that senior management needs to be engaged with anti-bribery and corruption issues. We recommend promptly commencing discussions with senior management about these reforms, so they have time to adjust to the clear expectations regarding their responsibilities and roles in fostering a culture of compliance. Moreover, we recommend that you consider taking this opportunity to uplift related adjacent compliance areas, such as fraud prevention, human rights adherence and sanctions compliance. This holistic approach not only aligns with best practice but offers key efficiencies by addressing related areas of compliance concurrently.