by Veronica Root Martinez and Liz Carrasco

Governments have a responsibility to evaluate corporate compliance programs and an opportunity to design strong regulatory frameworks. To identify reforms and encourage implementation, they must first understand the state of compliance. The Organisation for Economic Cooperation and Development (OECD) report Governments’ Assessments of Corporate Anti-Corruption Compliance[1] provides a detailed look at how governments are approaching the assessment of corporate anti-corruption compliance programs. The report explains that clear, consistent standards for assessing these programs would improve both efficiency and credibility—but few governments have adopted such standards. This blog post explores governments’ roles in 1) guiding companies on compliance criteria, 2) enhancing oversight, and 3) the value of information sharing.

Guiding Companies on Anti-Corruption Compliance Criteria 

Governments are uniquely positioned to assess and incentivize compliance. The Recommendation of the OECD Council for Further Combating Bribery of Foreign Public Officials in International Business Transactions (referred to as the “OECD Anti-Bribery Recommendation”) directs governments to provide guidance, training and incentives for companies to establish effective compliance programs. Governments lacking guidance for these initiatives can look to OECD recommendations and the Guidelines for Multinational Enterprises on Responsible Business Conduct (“the MNE Guidelines”).

Risk Assessment 

Governments should provide clear standards for businesses to follow as they create and improve their anti-corruption compliance programs. Brazil, France, the United Kingdom and the United States are some of the only countries with detailed guidance on anti-corruption compliance. Just as companies should understand the corruptive risks specific to them, governments should be able to identify the obstacles to effective compliance specific to their countries. Table 1 shows that risk assessment is at the forefront of the countries’ anti-corruption compliance program frameworks, reflecting those countries’ recognition of the importance of risk-assessment. 

Tone From the Top 

As we discuss in our other blog post “A Reflection on the OECD’s report: Companies’ Assessments of Anti-Corruption Compliance,” managers set the tone in how employees will perceive compliance efforts. As seen in Table 3, all four countries have guidelines pushing managers to play an active role in promoting compliance efforts within their organizations. Brazil, France, and the United States provide questions that can further inform managers of government expectations in this area. 

Corporate Policy 

The four countries urge companies to provide a clear expression of their organizations’ anti-corruption policy and that that policy be easily accessible to employees. In addition to these suggestions, Brazil and France have passed legislation to ensure companies are promoting a corporate policy prohibiting corruption. Brazil’s Decree No. 11 129/2022 establishes standards for all companies, while France’s Sapin II Act exclusively applies to companies above a specified corruption threshold.

Oversight  

All four countries promote corporate compliance functions among individuals with authority, resources, and some degree of independence. The United Kingdom and United States view this as a responsibility of senior management, while Brazil and France allow for the delegation to a separate body that will facilitate anti-corruption compliance. 

Measures to Detect and Prevent Corruption 

These countries also recommend that companies implement measures to address areas of high corruption risk, such as gifts, hospitality, travel, and charitable contributions. Brazil’s guidelines direct companies to establish policies and procedures based on specific risks. In addition, Brazil’s decree requires risk-based due diligence to be part of program evaluation criteria. The French Anti-Corruption Agency (“AFA”) provides a detailed guide on high-risk areas and recommends that anti-corruption policies be part of companies’ codes of conduct. Similarly, the United Kingdom and the United States provide a list of risks companies may encounter and encourage companies to design their policies around identified risks. 

Measures Applicable to Third Parties 

All four countries also require companies to conduct risk-based anti-corruption diligence when working with third parties. Brazil calls on companies to engage in information sharing and risk-based due-diligence as part of the hiring and supervision of third parties. France’s Sapin II Act requires company compliance programs to have procedures for evaluating third parties. Similarly to Brazil, the United Kingdom’s guidelines stress the importance of risk-based due diligence as an assessment and risk mitigation technique. The United States’ Foreign Corrupt Practices Act (“FCPA”) also provides the business rationale for third-party assessments to understand third party qualifications. 

Financial and Accounting Procedures 

The four countries also require companies to maintain accurate financial records and robust financial controls to detect and protect corruption. To do so, Brazil mandates the maintenance of accounting records accurately documenting all an entity’s transactions. France’s Sapin II Act requires companies over a certain threshold to establish accounting control procedures, an internal control system, and an assessment system. Countries that are not above that threshold may follow a three-tier internal control system the French government provides to prevent and detect corruption. The United Kingdom takes a “looser” approach, suggesting that bribery prevention policy be based on identified risks. On the other hand, the United States’ Foreign Corrupt Practices Act (FCPA) has a section dedicated to accounting control requirements. 

Communication and Documentation 

Brazil, France, the United Kingdom, and the United States have agreed on periodic training tailored to the risk levels within different departments. Brazil promotes a multifaceted approach to training and example-based communication to increase awareness of what misconduct may look like. The French government provides objectives for awareness and training programs based on identified risks. The United Kingdom’s guidelines state that communication and training should be proportionate to the risks a company is exposed to. The United States’ guidelines encourage periodic training and certification as a means of communicating company policy.

Incentives 

The surveyed countries reported a positive correlation between incentives and compliance with anti-corruption measures. To encourage compliance, Brazil recommends that companies make goals related to the implementation of the integrity program part of their leadership evaluation criteria. Similarly, France encourages senior management to consider annual goals and assess management’s performance. The United Kingdom suggests that companies make due diligence part of their recruitment and human resources procedures. The United States expresses its recognition of the utility incentives provide and gives some examples: promotions, rewards for individuals who improve or develop a compliance program, and rewards for leaders promoting ethics and compliance. 

Addressing Suspected Corruption 

The governments of Brazil, France, the United Kingdom, and the United States expect companies to have clear procedures for reporting, investigating, and addressing corruption. Brazil’s decree includes disciplinary measures as an evaluation metric for its compliance programs. In addition, it encourages companies to internally disclose information regarding disciplinary measures. Likewise, France recommends that companies provide details regarding the implementation of their disciplinary system for misconduct to increase awareness of the different forms corruption may take. In addition, France requires companies above a certain threshold to establish a disciplinary system that punishes employees for breaches of the company’s code of conduct. The United Kingdom provides details regarding enforcement and disciplinary actions. The United States FCPA instead emphasizes the importance of disincentives for non-compliance and encourages companies to learn from reported violations to avoid those consequences. 

Protected Reporting Framework 

Companies are generally required to have strong reporting frameworks with clearly defined procedures and whistleblower protections. Brazil, the United Kingdom, and the United States stress the importance of all companies having secure reporting channels. Anonymous reports are part of France’s guidance on internal whistleblowing systems, but the Sapin II Act only requires certain companies to implement an internal whistleblowing system. 

Risk-based Due Diligence in M&A

Table 12 shows the four countries’ parameters surrounding due diligence in mergers and acquisitions. Brazil encourages companies to adopt a policy specific to mergers and acquisitions. The United Kingdom states that mergers and acquisitions have important due diligence implications. The United States and France take similar approaches that stress the liability associated with mergers and acquisitions. 

External Communication of Company Commitment

The four selected countries encourage the public communication of a company’s anti-corruption stance. France and the United Kingdom recommend that companies communicate their anti-corruption policy to external partners. The United States views training and communication as a means of integrating compliance policy into company operations. Brazil takes a different approach, encouraging companies to communicate their commitment to ethics, human rights, diversity, and environmental preservation. 

Periodic Testing and Reviews 

All four countries recommend periodic reviews and testing of anti-corruption compliance systems to ensure their effectiveness. Brazil’s decree calls for the continuous monitoring and improvement of integrity programs, which France also recommends. In addition, France’s Sapin II Act requires certain companies to establish an internal control and assessment system for measures of its anti-corruption program. Monitoring and review are a key component of the United Kingdom’s guidance, which also discusses the various review mechanisms companies can employ. The United States stresses the importance of constant improvement in compliance programs and encourages companies to regularly review their controls. 

Objective-Based Assessment Methodologies  

Government assessment efforts across countries differ in their 1) focus, 2) criteria, 3) timeframes, and 4) expected company involvement. The focus of assessments depends on their purpose—whether that be for sanction mitigation or public procurement eligibility. In addition, whether assessments are mandatory depends on their specific objectives. For example, participation in Brazil’s Pro Ethics initiative is voluntary, while non-compliance with AFA audits lead to significant fines. 

There is also significant variance in the consulted countries’ assessment criteria. While assessments in the United States and United Kingdom allow for flexibility in companies’ approaches to achieving desired outcomes, France has very detailed requirements for effective compliance programs. Brazil takes a “middle approach” that provides specific criteria while also scoring individual components of anti-corruption programs. 

Brazil, the United States, and the United Kingdom have a multi-timeframe approach to assessments, evaluating past misconduct and current improvements. In contrast, France only looks at breaches following AFA audits. 

These countries also have different expectations regarding companies’ roles in the assessment process. Some countries oversee companies’ self-assessments, while public authorities in other countries conduct the assessments themselves. Brazil, France, the United Kingdom, and the United States employ a hybrid model where public authorities assess compliance program components and review companies’ self-assessments. For example, France’s AFA conducts an audit, sends the preliminary version of the audit report to company management, allows management to provide written comments, and considers those comments in its final version of the audit report. 

Building Capacities and Expertise 

Recruiting compliance experts may enhance public authorities’ assessments of anti-corruption compliance program effectiveness. Both the United States and France have used individuals with private-sector compliance experience to improve their evaluation processes. External training and professional development tailored to public authority needs may also enhance assessment capabilities. However, authorities may face financial constraints limiting their ability to utilize external experts. To address this limitation, countries may instead turn to digital tools, which will be discussed in more depth below. 

Using Independent Experts 

Independent external experts may aid public authorities in their evaluation of anti-corruption compliance programs. They can take an active role through monitorships or build on their expertise to train public officials. Both the United Kingdom and the United States use monitorships, in which independent experts assess whether a company fulfills its obligation to improve its compliance efforts. 

Digital Tools (AI and Data Analytics) 

As previously mentioned, public authorities can leverage digital tools to bridge gaps in their regulatory capabilities. Artificial intelligence (“AI”) may improve law enforcement efforts and allow authorities to identify areas of weakness in nationwide compliance efforts by analyzing large datasets. The United Kingdom has reported using AI to sort through and remove documents subject to attorney-client privilege, saving both time and resources. 

Several countries use digital platforms to collect and analyze data that companies submit. For example, Brazil adopted the Integrity Programme Monitoring and Assessment System (SAMPI) to improve the consistency of their oversight measures and evaluations. Machine learning AI systems also have the potential to help governments identify patterns to identify areas of need and inform future compliance efforts. In addition, generative AI may help authorities develop questionnaires designed to efficiently collect complex data and analyze the patterns identified. 

While digital platforms and AI may improve governments’ assessment efforts, they create concerns surrounding data privacy, financial constraints, and informational technology. The creation and maintenance of AI systems requires significant resources. Additional resources are needed to train employees to operate and understand those systems. Other concerns are sampling and statistical biases, which stem from the data that is collected and processed in AI systems. Public authorities must recognize the risk of bias in AI systems and take steps to mitigate it. In addition, countries should devote adequate time and resources to mitigate data privacy and reliability concerns to maintain public trust in governments. 

Educating, Providing Feedback and Learning from Other Stakeholders 

Private sector engagement can improve a government’s understanding of proper assessment methods, raise awareness about government expectations for the private sector, and establish a feedback loop to further inform future compliance efforts. Governments sharing information about corruption can promote transparency and trust, which is explained in more detail in Box 3. 

Information sharing between governments and the private sector can help the private sector understand regulatory expectations and may lead to greater compliance. For example, Brazil’s Pro Ethics Initiative integrity standards are regularly updated to ensure that companies consistently have access to accurate compliance expectations. However, France is one of the few countries with a formal mechanism to give the private sector feedback. Countries with sufficient resources should consider developing similar practices to enhance compliance efforts in the private sector. Countries without adequate resources can look to international organizations, such as the OECD, to fill those gaps. 

Companies can also gain insights from within the private sector. Peer learning, benchmarking, and collective action can enhance anti-corruption efforts across the private sector. However, governments provide minimal guidance on how companies can engage in these collaborative efforts. 

What Companies Want 

Companies are calling on governments to take a more active, collaborative role in shaping effective anti-corruption compliance. They want clear, consistent guidance on what constitutes an effective compliance program and for entity size to be factored into that guidance. Companies are divided in their degree of desired government intervention, with larger companies desiring outcome-based flexibility and smaller ones seeking concrete guidance. Multinational companies highlight the challenges posed by inconsistent regulatory requirements and advocate for greater international harmonization of anti-corruption laws and enforcement. Small and medium-sized enterprises (“SMEs”) may require additional support to overcome challenges posed by limited resources and data. Lastly, the consulted companies requested that governments facilitate social change by investing in ethics education and multidisciplinary training. 

* * * *

In conclusion, governments have a pivotal role to play in shaping effective, practical anti-corruption compliance through clearer guidance, smarter oversight, and deeper engagement with the private sector. By leveraging digital tools, private-sector expertise, and international frameworks, public authorities can strengthen their assessment methods and credibility. Ultimately, a collaborative, well-informed approach will drive stronger compliance outcomes and foster a culture of integrity across borders and industries.

Footnotes

[1] OECD (2025), Governments’ assessments of corporate anti-corruption compliance, OECD Publishing, Paris, https://doi.org/10.1787/e798903c-en.

Veronica Root Martinez is the Simpson Thacher & Bartlett Distinguished Professor of Law at Duke University School of Law and Lead Consultant to the OECD on its Strengthening Compliance Assessments Initiative. Liz Carrasco is a J.D. student at Duke University School of Law, Anticipated Class of 2027. 

The views, opinions and positions expressed within all posts are those of the author(s) alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of the New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity or any statements made on this site and will not be liable any errors, omissions or representations. The copyright of this content belongs to the author(s) and any liability with regards to infringement of intellectual property rights remains with the author(s).