5 Core Principles under the ‘Guidelines on Adequate Procedures Pursuant to Subsection (5) of Section 17A Under the Malaysian Anti-Corruption Commission Act 2009’

[Photo by Jo Szczepanska on Unsplash]

[Jointly written by Bryan Boo with Richard Wee of Messrs Richard Wee Chambers]


In our previous article, we presented a general overview of Section 17A of the Malaysian Anti-Corruption Commission Act 2009 (“MACC Act”), of which came into force on 1 June 2020.

Section 17A does provide for statutory defences, one of which is under Section 17A(4), which reads:

If a commercial organization is charged for the offence referred to in subsection (1), it is a defence for the commercial organization to prove that the commercial organisation had in place adequate procedures to prevent persons associated with the commercial organisation from undertaking such conduct.

In gist, Section 17A(4) provides that where a commercial organisation is charged under Section 17A of the MACC Act, that commercial organisation may raise a defence if it had in place adequate procedures to prevent such corruption. However, Section 17A is silent as to what amounts to ‘adequate procedures’. The only guidance at the time of writing is the ‘Guidelines on Adequate Procedures Pursuant to Subsection (5) of Section 17A Under the Malaysian Anti-Corruption Commission Act 2009’ (“the said Guidelines”) issued by the Prime Minister’s Department.

‘Guidelines on Adequate Procedures Pursuant to Subsection (5) of Section 17A Under the Malaysian Anti-Corruption Commission Act 2009’

Paragraph 4 of the said Guidelines lists 5 core principles of which commercial organisations should adhere to in order to satisfy the requirement of “adequate procedures” under Section 17A(4). Simply put, these 5 principles may be encapsulated using the acronym T.R.U.S.T, which stands for:-

T – Top Level Commitment

R – Risk Assessment

U – Undertake Control Measures

S – Systematic Review, Monitoring and Enforcement

T – Training and Communicaion

Core Principle #1: Top-Level Commitment

Primarily, the first core principle involves assurance at the top-level management to practice a paramount level of integrity and ethics in running the business. It must be noted that the top-level management also holds a responsibility to ensure compliance with all laws, regulations and policies so as to combat corruption. Indirectly, such practice will raise the level of confidence of both internal and external stakeholders when there is such commitment in combatting corruption both internally as well as in the commercial organisation’s business dealings.

Under this core principle, commercial organisations should develop policies and standards of practice so as to minimise the risk of corruption. These policies include:

  1. establish, maintain, and conduct a periodical review on anti-corruption policy compliance;
  2. promote a culture of integrity; 
  3. communication and practice of anti-corruption policies in dealings with internal and external stakeholders; 
  4. encourage whistleblowing in relation to corruption incidents; 
  5. allow for feedback regarding inadequacies in the anti-corruption compliance policies;
  6. appoint a competent person in handling matter of anti-corruption, which including advising and providing proper guidance to personnel and business associates in relation to corruption policies; 
  7. ensure that the lines of authority for personnel tasked with the responsibility to oversee the anti-corruption compliance policies are clear and open; and 
  8. ensure that the results of any audit, reviews of risk assessment, control measures and performance are reported to each and every top-level management, including the full Board of Directors, and acted upon. 

Core Principle #2: Risk Assessment

Risk assessment is a term that is very often used to identify potential risk. This usually is a systemic process. Risk assessment is highly important in evaluating the internal and external corruption risk of the organisation. It must be carried out periodically and the risk assessment result and/or report must be fully utilised to implement appropriate processes and policies, systems and controls in order to minimise the corruption risk of the organisation. 

The risk assessment should identify the following, amongst other things: 

  1. opportunities for corruption and fraud activities resulting from weaknesses in the organisation’s governance framework and internal systems/ procedures; 
  2. financial transactions that may disguise corrupt payments; 
  3. business activities in countries or sectors that pose a higher corruption risk; 
  4. non-compliance of external parties acting on behalf of the commercial organisation regarding legal and regulatory requirements related to anti-corruption; and 
  5. relationships with third parties in its supply chain (e.g. agents, vendors, contractors, and suppliers) which are likely to expose the commercial organisation to corruption.

It is also suggested that such risk assessment be undertaken at least once every three years with intermittent assessments conducted whenever necessary.

Core Principle #3: Undertake Control Measures

Commercial organisations should that there are appropriate controls and contingency measures in place that addresses any corruption risk arising from weaknesses in the organisation’s framework of governance, processes and procedures. These measures include establishing key considerations and/or criteria for conducting due diligence on any relevant party or personnel before entering into any formalised relationship.

Further to that, the commercial organisation should ensure that a reliable and trustworthy whistleblowing channel that can be utilised anonymously by anyone to raise any concerns regarding corruption practice in the organisation is effective and in place.

It is also suggested that such anti-corruption policies must be easily available and referred to whenever needed. These policies and procedures should address and/or include the following:

  1. a general anti-bribery and anti-corruption policy or statement; 
  2. conflicts of interest;  
  3. gifts, entertainment, hospitality and travel; 
  4. donations and sponsorship, including political donations; 
  5. facilitation payments; 
  6. financial controls, such as separation of duties and approving powers or multiple signatories for transactions; 
  7. non-financial controls, such as a separation of duties and approving powers or a pre-tendering process; 
  8. managing and improving upon any inadequacies in the anti-corruption monitoring framework; and 
  9. record-keeping for managing documentation related to the adequate procedures

Core Principle #4: Systematic Review, Monitoring and Enforcement

Top-level management should hold regular reviews to assess the performance, efficiency and effectiveness of the anti-corruption policies. This may be done through internal and/or external audit. The outcome of such review/audit conducted should result in improvement of the existing anti-corruption controls, measures and policies.

For the purpose of improvement through regular reviews, the commercial organisation should consider the following suggestions: 

  1. plan, establish, implement and maintain a monitoring programme, which covers the scope, frequency, and methods for review; 
  2. identify the competent person(s) and/or establish a compliance function to perform an internal audit; 
  3. conduct continual evaluations and improvements on the organisation’s policies and procedures in relation to corruption; 
  4. considering an external audit such MS ISO 37001 certified auditor to certify at least every three year once to ensure the organisation is running in line with the policies and procedures of anti corruption policies and procedures of the organisations 
  5. monitoring the performance of each and every personnel in relation to any anti-corruption policies and procedures; and  
  6. take disciplinary proceeding against any personnel that does not comply with the anti-corruption policies and procedures

Core Principle #5: Training and Communication

A commercial organisation should also develop and disseminate training programmes as well as establish constant communication with personnel in relation to the anti-corruption. Such training and communication should cover anti-corruption policies, training, reporting channels and also the consequences of non-compliance with anti-corruption policies.

Specifically, regarding communication of policies and training, the commercial organisation should make its anti-corruption policy publicly available and it must be communicated to all stakeholders. Besides that, the commercial organisation should also consider how such communication should be communicated, to whom such communication should be communicated to as well as the timeframe for conducting communication plans. Such communication may be made in various forms and mediums inter alia via messages, emails, newsletters, webinar, code of business conduct, employee handbook etc.

Similarly, the commercial organisation should organise and have in place adequate training facilities for their employees and business associates to acquire a deeper and thorough understanding of the commercial organisation anti-corruption policies. Such training may be conducted in various forms such as having an induction programme that includes anti-corruption issues, role-specific training that is tailored to corruption risks the position is exposed to, and in-house training and seminars.

Conclusion

What amounts to ‘adequate procedures’ under Section 17A(4) of the MACC Act is still open to interpretation. While this article explored ‘adequate procedures’ based on the said Guidelines, our next article will survey the meaning of ‘adequate procedures’ according to decided cases in jurisdictions with a similar provision as the Malaysian Section 17A(4) of the MACC Act.