The Malaysian Anti-Corruption Commission Act 2009 (MACC Act) Amendment section 17A introduces corporate
liability and makes an organisation’s management potentially personally liable for any corrupt acts committed by
their staff, third-party vendors and any other parties acting on their behalf - even if the company is unaware of the
act. The amendment is expected to come into force on 1 June 2020 and is a strict liability offence i.e. no fault
needs to be proved. Organisations and management have a defence available to them under law by demonstrating
that they have a programme in place to prevent corruption from happening in the first place. This anti-corruption
programme is commonly referred to as ‘adequate procedures’. The Government has published its “Guidelines on
Adequate Procedures” (Guidelines), and this article will discuss three of the multiple elements of the Guidelines:
risk assessments; managing third-party risk; and maintaining a speak-up culture.
- A corruption risk assessment must be regular (at least once every three years), documented, and the
results must be used to develop your anti-corruption programme.
- You should conduct sufficient pre-engagement and ongoing due diligence on your third-parties (i.e.
vendors, agents, contractors and sub-contractors acting on your behalf) to satisfy yourself that they are
and will continue to act for you in a compliant way. Your contracts with your third-parties must have anti-corruption clauses. It is advisable to also consider training and educating your third-parties on your anti-corruption expectations.
- Encouraging and enabling your staff, business partners, and the wider public to tell you when they have
a concern about corruption is crucial. Providing the means to raise concerns through a strong speak-up
programme will help you spot and respond to corruption issues quickly.
Introduction
Transparency International has a simple definition of corruption - it is the abuse of entrusted power for private gain.
Corruption harms society, impedes development, wastes resources, distorts markets and destroys trust.
Corruption hurts most those least able to fight it. The battle against corruption is everyone’s duty, and the Malaysian
Government has made its expectations clear.
In May 2018, the MACC Act was amended. Among other changes, corporate liability for corruption offences has
now been introduced through the new section 17A.
In essence, section 17A extends the scope of the law. Now those who could or should have done something to
stop a corrupt act from happening, i.e. directors and management, may be held responsible. This is regardless of
whether or not they perpetrated the act themselves, or were even aware of it. No fault of the individual needs to
be proved.
This means that anyone in a supervisory position [1] of a commercial organisation [2] may be personally liable for the
actions of their distant subordinates. This personal liability even extends to the actions of employees of other
organisations that act on their behalf.
To further emphasise the seriousness with which the Government is tackling corruption, the penalties for non-compliance have been drastically increased. The perpetrator who commits a corrupt act may still face a RM10,000
fine and/or up to two years in prison. However, those who could have done something to stop it, but didn’t, could
potentially face the prospect of a minimum RM1 million fine and/or up to 20 years in prison, even if they did not
know about the corrupt act.
[1] Anyone who is a Director, controller, officer, partner, or any person(s) concerned in the management of an organisation’s
affairs, MACC Act (Amendment) Section 17A paragraph 3.
[2] A company incorporated or partnership registered in Malaysia, carrying out business anywhere in the world; or a company
incorporated or partnership registered outside Malaysia, carrying out business in Malaysia, MACC Act (Amendment) Section
17A paragraph 8.
Commercial organisations and Directors cannot afford to sit back and adopt a laissez faire approach – the risks,
whether reputational, financial or personal are just too great. The Government knows this and it’s driving the need
for corporate Malaysia to embrace the adequate procedures defence offered by section 17A.
Adequate Procedures
The United Kingdom Bribery Act 2010 (UKBA) also introduced corporate liability for corruption offences. The
purpose of this law was to combat corruption and drive change in the corporate world. The UKBA introduced
stringent penalties for non-compliance. However, it also provided commercial organisations with the ability to avoid
prosecution by demonstrating they had done everything that could be reasonably expected of them to stop
corruption. This is known as adequate procedures.
Section 17A of the MACC Act draws heavily on the standards set by the UKBA, and offers organisations operating
in Malaysia a similar defence. The only defence available in Malaysia to section 17A is for directors and
management of the organisation to demonstrate that they (a) did not connive, consent to, or allow, the corrupt act,
and (b) have exercised due diligence to prevent the corrupt act i.e. implemented adequate procedures.
The MACC is clear that only the courts can truly define what procedures are ‘adequate’. However, there is a wealth
of guidance available to those looking to build or develop their anti-corruption programme. From the Malaysian
Government’s own T.R.U.S.T. framework to Transparency International’s anti-bribery site and its anti-bribery
checklist, there exists a wide range of adequate procedures-specific support materials.
Beyond the Malaysian Government’s Guidelines on Adequate Procedures, other organisations have released their
own guidelines on fighting corruption. These include: the United States of America’s Department of Justice; the
International Standards Organisation (ISO) Anti-Bribery Management System, ISO 37001:2016; and intergovernmental organisations such as the OECD and the World Bank.
With this wealth of guidance at your fingertips, it may be tempting to think designing and implementing a suitably
robust anti-corruption programme is simply a matter of following the instructions. Unfortunately, the diversity and
complexity of commercial organisations - along with the ability of corruption to strike when and where you least
expect - combine to make building the right programme for your organisation a challenge.
As with the start of any project, the first step is to take stock and plan. We discuss corruption risk assessments as
a first step below. Along with such an exercise it is worth reviewing your current compliance programme - your
policies, procedures, controls, training, monitoring, etc. against what the T.R.U.S.T. framework requires. This
review will, if done correctly, identify the gaps between what you have and what you need in order to be compliant
with section 17A.
Take the highest risk areas from your risk assessment, and the largest or most pressing gaps from your gap
analysis. The combination of these two will tell you where you need to start.
Where should you focus?
Corruption risk in its broadest sense needs to be owned by the Board. It is almost unique among risks in that it
touches on virtually all business processes, departments, functions and activities. This makes effectively
responding to corruption risk difficult. The corruption risk owner(s) in the business must be suitably empowered –
and have a sufficiently broad remit – to effectively combat the risk. Such risk owners should be responsible for
driving the anti-corruption compliance programme, with the Board setting the right tone and exercising proactive
leadership.
Building an adequate anti-corruption compliance programme, especially for larger commercial organisations, is
unlikely to be a small task. Top level commitment, corruption risk assessments, undertaking control measures,
systematic monitoring review and enforcement, and training & communications must all be fully considered. This
article alone cannot cover all the aspects that will be required to be compliant with section 17A, so will instead
focus on the following three areas that will likely form part of the wider foundation of your anti-corruption
programme:
- Corruption risk assessment;
- Managing third-party risk; and
- Speak-up culture
Corruption risk assessment
A corruption risk assessment is no different from any other risk and opportunity assessment conducted by your
business - except that it focuses on corruption, instead of operational or other specific risks. The approach remains
the same:
- Planning - Identify the team to run and conduct the assessment, and identify your other stakeholders.
Agree the scope: this is where you can ensure no relevant part of your business is missed out. Ensure
you define and have access to sufficient resources to run the assessment. These resources also must
have the requisite experience to understand corruption risk. Clearly define and agree the actions
necessary to conduct the assessment. This will help the assessment team to carry out the work
comprehensively and efficiently.
- Data collection - Interview your divisional, department and functional heads; process owners; and higher-risk staff. Seek their views on corruption risk, because they will have the best insights. Review your
policies and procedures for exposure to corruption risk. Consider running focus groups with your junior
staff to understand the risks ‘on the ground’, especially how your group-level policies and expectations
are actually understood by staff. There is often a gap between what a company expects from its staff in
respect of anti-corruption and what is done in practice. Focus groups and employee surveys can help
you to identify this gap.
- Risk identification - Although section 17A only discusses the giving of bribes, receiving bribes remains
illegal under the MACC Act. You should consider both the risk of giving as well as receiving bribes. A
common area of risk arises when there is a lack of awareness of what a bribe could be. Consider
explaining to the people you interview that a bribe is not just cash, it is anything of value or even a promise
to pay a gratification. It may prompt them to discuss broader areas of risk.
- Control / mitigating factor identification - Regardless of your organisation’s compliance maturity, you
will likely have some existing controls mitigating corruption. However, without this risk assessment their
application to corruption risk may not be immediately apparent. For example: the finance team’s checks
and balances; procurement processes; gifts and hospitality review and approvals; and robust HR
processes. In addition, training for your staff and communications from leadership help further mitigate
the risks of corruption.
- Net impact / likelihood assessment - Once you’ve identified the inherent risks and mitigating control
activities in your business and operations you should be left with the residual risks. Review this residual
risk and identify opportunities to improve mitigating controls. Repeat this process until the residual risk
cannot be usefully reduced and is acceptable to the business.
Conducting a corruption risk assessment on its own is not enough. Companies must be able to demonstrate that
the outputs from the assessment have been used to enhance their anti-corruption programme. The assessment
must also be repeated. How frequently will depend on the size and complexity of your business, but listed
companies are required to include corruption risk in their annual risk assessment process. You may wish to conduct
regular corruption risk assessments across your whole business; integrate corruption risk into your existing annual
risk assessment programme; or run rolling assessments over different parts of your business, covering the entire
company. Listing requirements have been amended to require that the Board ensures that this is done at least
once every three years.
However you choose to structure and conduct your corruption risk assessment, it must be documented. The
scope, findings, and results must be recorded. The Board, or at least the Board Risk Committee should be kept
informed of the identified risks. Act on the results of your risk assessment - use it to focus your adequate
procedures implementation.
Managing third-party risk
A significant proportion of corruption cases involve third-parties. Under section 17A, and in the eyes of the law,
corrupt acts undertaken by your agents and their third parties are regarded as your ‘own’ actions. If any of these
third parties behave corruptly whilst working on your behalf, it is your responsibility and you may be prosecuted
even if you have no knowledge of their corrupt actions.
There are four areas you should focus on to manage your third-party risk:
- Due diligence - Understand who you’re engaging, and who ultimately owns the business. Check the
company, Directors, and owners against online databases and lists: the MACC’s website identifies
individuals who’ve been found guilty of corruption in the past; online governance, global risk and
compliance databases, or sanctions screening databases; criminal records checks; and searches for
adverse reputational issues in the news or social media can all be useful to build a picture of who you’re
engaging.
- Contracting - Use standard terms for all your third-party contracts. An anti-corruption clause requiring
compliance with the law and your anti-corruption policies is almost a ‘must have’. A right-to-audit clause
can help you monitor what your third parties are doing when working for you - and where the money you
pay them goes. Contractual rights to terminate the contract in case corrupt acts are identified help you
to communicate how seriously you take anti-corruption. Consider integrating some of these terms into your
tender qualification process, if necessary.
- Monitoring - It is not enough to conduct initial due diligence. You must monitor the activities of your third-parties throughout your engagement with them. Internal audit should incorporate the review of higher-risk third parties into their annual audit plan. You should conduct supplemental due diligence when there
is a material change in circumstances at your third-parties, or on a rolling basis for higher-risk third-parties.
Consider investing in tools that can automatically spot corruption red flags or higher risk patterns of data - automated analytics - to identify higher-risk vendors or unusual patterns of behaviour. Risk rating your
third parties is a good idea and lets you take a risk-based approach to third-party due diligence. Maintain
and keep updated a vendor blacklist. If a vendor engages in a corrupt act (or breaches your policies in
any other way), put them, their Directors, and if necessary their owners on the blacklist. Check the list
when engaging new vendors.
- Education - Vendors will have to comply with section 17A as well. Consider proactively engaging
with them to educate them on your expectations and explain the changes you’re making. For your higher-risk vendors, you may want to run dedicated training sessions on how they can guard against corruption.
Engaging robustly with vendors you know and trust through a strong contracting process, and enabling them to
continue to do business in a compliant way, can help you. It adds a further layer of defence for your organisation,
in addition to your own anti-corruption procedures.
Speak-up culture
Finally, you must build a speak-up culture. No compliance programme can stamp out corruption completely. So if
and when it happens, you want to be the first to know. If your staff and vendors know how to blow the whistle on
corrupt acts - and they trust the speak-up process - you can get out ahead of corruption risk before it becomes
unmanageable.
Offer multiple channels to report. Emails and online forms; postal letters; an open-door policy for your senior
management; and/or a 24/7 phone line available in all applicable languages and with male and female respondents.
Publicise these channels clearly, both internally and externally.
Make it known that reports made in good faith will always be dealt with, and treated suitably seriously. Commit to
a policy of non-retaliation against reports made in good faith.
Don’t have disclosure reports coming in to only one person. Have in place a defined ‘triage’ process designed to
identify the appropriate team to investigate the report - and ensure that there is no possibility of a conflict of interest.
Such a team should be comprised of staff from a variety of functions, with a range of skills. For example, human
resources, finance, ethics and compliance, legal and/or the CEO’s office. It may be appropriate to include
representatives from internal audit. Consider escalating reports to the Board, or at least a consolidated summary
of reports and actions taken, on a regular basis.
Encouraging speak-up reports helps you to spot and address potential corruption issues before they become
regulatory issues. First hearing of allegations of corruption through a dawn raid is a very difficult and unpleasant
position to be in!
Next steps
Corporate Malaysia is waking up to the change in the law, but 1 June 2020 is coming soon. The scale of the work
required to conduct a corruption risk assessment and gap analysis against the T.R.U.S.T. framework - and address
those gaps all before June 2020 – should not be underestimated.
Businesses should remember four things:
- 1 June 2020 is not far away. If you are not well into your section 17A journey, then start now! The
penalties for not being compliant are severe, not just for the organisation but also for individuals. Don’t
risk a hefty fine or jail for acts that may be committed completely without your knowledge.
- Everything you do must be documented. From the regulator’s perspective, if a process or activity is not
documented, it may as well have not happened.
- You are not doing this alone. Every commercial organisation in Malaysia must adapt to the change in
law, and there are resources and experts available to help you. This is not about putting you at a business
disadvantage.
- Whatever programme you implement, it must be proportionate to your business. You may not need to do
everything to a gold standard all at once.
Finally, one of the most important things to understand when thinking about anti-corruption is that it is not just an
expectation of the Government and law. Fighting corruption will help our country grow and develop; it will help our
society mature; it will make our institutions more effective, our markets more efficient, and our leaders more trusted.
Fighting corruption is not just about the law - it’s about doing the right thing.