Background
On 8 March 2024, the Australian Parliament passed the Crimes Legislation Amendment (Combatting Foreign Bribery) Bill 2023, which introduced a new criminal offence under the Criminal Code Act 1995 (Cth). The offence was introduced as section 70.5A, titled “Failing to prevent bribery of foreign public officials”, where corporations can be criminally charged for not preventing foreign bribery.
Contravening this offence can result in various penalties such as (1) a penalty of no more than 100,000 penalty units ($31,300,000 AUD), (2) three times the value of the benefit that was received, (3) 10% of the annual turnover of the corporation. This is governed under section 70.5A(6).
Under section 70.5A(5), there is a defence that can be raised if the corporation had “adequate procedures” in place to prevent the foreign bribery.
For “adequate procedures”, section 70.5B required the Minister to publish guidance on steps that a corporation can take to prevent an associate from bribing foreign officials.
Subsequently, on 28 August 2024, the Attorney-General’s Department published the “Guidance on adequate procedures to prevent the commission of foreign bribery” that was required within six months of the Crimes Legislation Amendment (Combatting Foreign Bribery) Act 2024 passing.
Key Principles
There are six key principles that will assist corporations in establishing what would be “adequate procedures” that would serve as a defence in light of the introduction of the “failure to prevent” offence. This is intended to be an industry- and size-agnostic guide.
1. Fostering a control environment to prevent foreign bribery
A corporation should encompass the following two elements, which would foster a control environment for managing and preventing foreign bribery:
- Proportionality: A corporation should consider its size and industry so that bespoke controls can be designed to suit its operational circumstances.
- Effectiveness: Effectiveness is demonstrated through factors such as a robust culture of integrity, pro-compliance conduct by top-level management, existence of an anti-bribery and compliance function, effective risk assessment and due diligence procedures and careful and proper use of third parties.
The guidance further outlines that if a bribery event does occur, it does not necessarily mean that the controls were inadequate, as this will depend on the circumstances of each case. Examining the proportionality and effectiveness of the existing controls in relation to the risk of the bribery happening is crucial in determining whether an adequate control environment existed in the first place.
2. Responsibilities of top-level management
There is an expectation that top-level management personnel at corporations of all sizes should be developing, implementing and promoting the corporation’s anti-bribery compliance program.
In developing the anti-bribery compliance program, top-level management should:
- Leadership: Provide leadership on anti-bribery policies and procedures, demonstrated by initiating or supporting policy and procedure development.
- Involvement: Be involved in critical decision-making where appropriate, and also provide oversight and assurance over risk assessments.
In implementing and promoting anti-bribery compliance programs, top-level management should:
- Oversight: Oversee development of a code of conduct, with emphasis on its applicability to all employees and relevant third parties.
- Promotion: Promote and raise awareness of the corporation’s anti-bribery compliance program and code of conduct, with emphasis on protection and procedures for confidential reporting of bribery.
Overall, there is an expectation that top-level management is informed and involved in the development, implementation and maintenance of the anti-bribery compliance program.
3. Risk assessment
Corporations should engage in a risk assessment in order to design their anti-bribery compliance programs and understand their overall bribery risk. It is expected that a corporation should take a risk-based approach, through the performance of a risk assessment, identification of risk and documentation of that risk.
In conducting risk assessments, a corporation should identify its exposure to bribery risk by factoring in its environment, sector, customers, operations and existing controls. Further, red-flag typologies such as high-risk jurisdictions, engagement with foreign public officials, state-run economies, political donations and wide and frequent engagement with third parties are initial factors that corporations should consider in their initial risk assessment.
Once a risk assessment has been conducted, the corporation is expected to identify its risk by determining what its inherent risk would look like. The risk can be rated on a likelihood and impact scale. This will then produce what we call “inherent risk”, which are risk factors that have not yet been considered by controls.
Once the risk assessment is over, the corporation will then implement controls (policies and procedures) in order to minimise the inherent risk. The data collected will be documented in a risk register. The risk register contains details of each risk, what controls have been implemented and the last time that risk was assessed.
4. Communication and training
For communication and training to be considered adequate, their frequency and content should be proportionate to the risk faced by the corporation.
Training should be tailored based on the results of the risk assessment and offered through a variety of formats if applicable. Training should:
- Be provided to all directors, managers and employees, as well as associates of the corporation;
- Be accessible in different formats and languages as necessary;
- Cover general and sector-specific risk, along with tailored training for specific employees who face specific risk;
- Undergo periodic review to ensure it is up to date; and
- Be included as part of induction for all new employees.
To be adequate, communication should have both an internal and an external strategy. Internal communication should be practical and readily available, such as through staff handbooks, guidelines, intranet, notices and training materials provided. For external communication, the corporation should, as an example, make a statement and publish materials demonstrating its commitment to promoting a culture of integrity.
5. Reporting foreign bribery
There is an expectation that all corporations irrespective of size and industry should have a mechanism that facilitates the reporting of actual or suspected instances of bribery.
For certain corporations that meet the statutory requirements by virtue of their size and sector, there is an obligation to have a whistleblower policy that ensures protection to whistleblowers. For corporations that do not meet the statutory requirements, it is still encouraged that they develop appropriate reporting mechanisms to manage their bribery risk.
The reporting mechanism will have to be proportionate and effective in order to ensure that it is visible, secure, confidential, accessible and provides adequate protections.
6. Monitoring and review
Corporations should monitor their anti-bribery compliance programs in order to assure their effectiveness and ensure that they remain adequate. There should be regular evaluations that examine the program for “systemic gaps” so that it can be adjusted to address the issues.
The corporation should consider evaluating its program if it enters into a new market, changes activities, has a bribery incident or if there are regulatory changes. The corporation can consider incorporating adequate internal and external audits, issuing employee and associate surveys to rate its effectiveness, gathering feedback on training, conducting periodic reviews by suitable experts and seeking verification and certification of its program by an external provider.
Expected Obligations
In terms of obligations, there is an expectation that organisations will put in place appropriate and proportionate controls to prevent bribery from occurring within their business. This should all be identified in risk assessments that corporations must consider, in order to understand and minimise their risk effectively.
In this case, corporations are expected to then understand their risk from a scale and location perspective, and the nature and level of risk that they are exposed to. The guidance is intended to cover all corporation sizes and industries.
As stated by the guidance document, anti-bribery programs and controls cannot be used as a mere checkbox exercise, and there needs to be a degree of demonstration that the procedures implemented as part of the anti-bribery program are “adequate”. This will involve consistent internal and external audit and assurance from in-house and professional consultants, advisors and lawyers.
Key Takeaways
- Corporations should foster a bribery risk awareness environment, which is demonstrated from top to bottom.
- Corporations should conduct risk assessments in order to develop proportionate bribery controls through policy and procedures.
- Corporations should engage in consistent communication and training, develop a reporting line and monitor their bribery risk consistently.