Avoiding Corporate Criminal Liability for Corruption Offences

Selvamalar Alagaratnam and Caroline Leong explain Malaysia’s Guidelines on Adequate Procedures.
The new section 17A, which was introduced into the Malaysian Anti-Corruption Commission Act 2009 (“MACC Act”) in May 2018, provides for corporate criminal liability for corruption offences as well as for personal liability of persons involved in the management of a commercial organisation.
Section 17A(1) provides that a commercial organisation commits an offence if a “person associated” with the organisation corruptly gives, agrees to give, promises or offers to any person any gratification, whether for the benefit of that person or another person, with intent to obtain or retain business for the organisation, or to obtain or retain an advantage in the conduct of business for the organisation. 
For the purposes of section 17A, “commercial organisation” includes companies and partnerships (including limited liability partnerships), whether incorporated or formed in Malaysia or elsewhere, provided that the organisation concerned carries on business, or part of its business, in Malaysia; and a “person associated” refers to a director, partner, employee or any person who performs services for or on behalf of a commercial organisation.
Pursuant to section 17A(3), when a commercial organisation is convicted of an offence under section 17A, a director, controller, officer, partner or member of the management of the organisation is deemed to have committed the offence unless he proves that the offence was committed without his consent or connivance, and that he had exercised due diligence to prevent the commission of the offence, having regard to the nature of his function and to the circumstances.
The penalties that can be imposed against a commercial organisation found to have committed an offence under section 17A are severe. The organisation can be subject to a fine of not less than 10 times the sum or value of the gratification or RM1.0 million, whichever is higher, or to imprisonment for a term not exceeding 20 years, or to both.
It has been announced that section 17A will come into force on 1 June 2020. In light of this, we will discuss the measures that commercial organisations can adopt to mitigate the risk of corporate liability for corruption offences. The measures that individuals may adopt to mitigate the risk of personal liability fall outside the scope of our discussion.
The sole statutory defence available to a commercial organisation against corporate liability is that it had in place adequate procedures to prevent associated persons from committing corruption. This is similar to the position under the UK Bribery Act. 
It is therefore patently clear that adequate procedures must be put in place, but what are such “adequate procedures” and how does one ensure that they are adequate?
The Prime Minister’s Department issued the Guidelines on Adequate Procedures (“Guidelines”) dated 4 December 2018 pursuant to section 17A(5) of the MACC Act. These Guidelines were formed on the basis of five principles which may be used as reference points for any anti-corruption policies, procedures and controls which commercial organisations may choose to implement. The adequate procedure principles are: Top Level Commitment; Risk Assessment; Undertake Control Measures; Systematic Review, Monitoring and Enforcement; and Training and Communication.
Top Level Commitment
The Guidelines emphasise the primary responsibility of top management to ensure that commercial organisations practise the highest level of integrity and ethics, comply fully with the applicable laws and regulatory requirements on anti-corruption, and effectively manage the key corruption risks.
The effectiveness of any anti-corruption effort requires the buy-in and commitment of top-level management, setting the tone from the top and spearheading its effort in fighting corruption. Clear communication internally and externally from the board of directors and the highest level of management that the organisation has zero tolerance for corruption is imperative. Besides corporate statements or charters reciting the anti-corruption values, a culture of integrity must be instilled at all levels, including through proper procedures and reporting channels.
Risk Assessment
A risk assessment forms the basis of a commercial organisation’s anti-corruption efforts. This will assist in understanding and identifying where the risks exist and the extent of such risks, and in identifying the required processes, systems and controls to minimise, if not eliminate, those risks.
The Guidelines recommend that a comprehensive risk assessment be done every three years, with intermittent assessments conducted to ensure integrity levels are not compromised. This may be on a stand-alone basis, but it is further recommended that the assessment be incorporated into the organisation’s general risk register. The assessment process should be tailored to the commercial organisation’s business and culture, keeping in mind factors such as its size, location, nature of business and organisation structure.
Undertake Control Measures
Control and contingency measures that are reasonable and proportionate to the risks of corruption and the nature, scale and complexity of the commercial organisation’s activities should be implemented. The Guidelines identify two items that should be included, namely due diligence on any relevant parties or personnel, and reporting channels that are accessible and confidential and that prohibit retaliation.
The application of section 17A of the MACC Act is far-reaching. It extends to any person who performs services for or on behalf of a commercial organisation, meaning that a commercial organisation may be liable for the corrupt acts of its agents or even suppliers. It is hence important that before entering into commercial relationships, due diligence is carried out on potential business associates, partners and/or agents. Due diligence here refers to the process of investigating, analysing and researching a company to ensure that the company is run in a manner which is consistent with the standards of the commercial organisation. Due diligence tools may be crafted to serve this purpose. The due diligence process should be fully documented as such documentation may prove useful if there is an investigation by the authorities into the dealings of the commercial organisation with its business partners. As an additional step of vigilance, due diligence should also be carried out periodically while the commercial relationship is ongoing to ensure constant compliance.
The Guidelines also recommend that policies and procedures of the commercial organisation should deal with areas where higher risks of corruption lie as identified by the risk assessment process, which could include, among others, gift receiving and giving, movement of moneys, bribery, fraud, and influence peddling. These should be clear and precise and be crafted in a way that is effective in deterring corrupt practices within or on behalf of the organisation. While not specified in the Guidelines, it is suggested that written policies clearly set out the prohibited acts which may amount to an offence under the MACC Act, while bearing in mind that the list should not and cannot be exhaustive.
The bare minimum that a commercial organisation should have in place is: (a) an anti-bribery and corruption policy or statement; (b) a code of business conduct and ethics; (c) standard operating procedures for due diligence; (d) written confirmation and undertakings in contractual documents; (e) a whistleblowing policy; (f) written limits of authority; and (g) an internet and communication policy.
These policies and procedures must be endorsed by top level management, kept up to date, communicated to all associated persons, and remain easily and readily accessible by them at all times. Employment agreements should include a requirement for all employees to abide by the policies and procedures as and when established by the commercial organisation. Ideally, employees should be required to sign off on all policy documents issued.
Systematic Review, Monitoring and Enforcement
A commercial organisation’s duty in preventing bribery and corruption does not end with the implementation of policies and procedures. Continuous or regular monitoring and review of its own practices and those of its associated persons in relation to the control measures, policies and procedures is key to avoiding or minimising risks. Such reviews may be conducted via an internal audit or an audit carried out by external independent parties such as the MS ISO 37001 auditors.
The Guidelines recommend procedures which in effect would monitor, review and ensure that policies and procedures put in place by the commercial organisation are effective and complied with. As a prudent step, reviews could extend to internal procedures such as accounting, record keeping, and internal audit to ensure and heighten effectiveness.
Vigilance is required to avoid condonation of breaches of policies and procedures. A commercial organisation must insist on strict adherence to its policies and procedures, including taking disciplinary action for what might otherwise be minor non-compliance or a cultural norm.
Training and Communication
A commercial organisation is expected to conduct training and communicate its policies and charter on anti-bribery and corruption through the right modes, within and outside the organisation, so that there is no doubt as to its stance in respect of this matter. This should cover policy, training, reporting channels and the consequences of non-compliance. Based on each commercial organisation’s structure and culture, the best mode of communication should be considered, including the format, medium and language to be used.
Training, guidance, and courses should be undertaken within the commercial organisation for its employees and associated persons to ensure thorough understanding of the anti-corruption position and the effectiveness of the measures put in place, including alerting employees to their roles within and outside of the commercial organisation and to the consequences of non-compliance.
In anticipation of section 17A coming into force, commercial organisations are encouraged to prepare themselves for the inevitable.