d-bis/the_order
4
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
8649ad41242e8aa5e73c5a026a43ea7762b4db2e
the_order/docs/legal/ABAC_POLICY.md
defiQUG 2633de4d33 feat(eresidency): Complete eResidency service implementation 
- Implement credential revocation endpoint with proper database integration
- Fix database row mapping (snake_case to camelCase) for eResidency applications
- Add missing imports (getRiskAssessmentEngine, VeriffKYCProvider, ComplyAdvantageSanctionsProvider)
- Fix environment variable type checking for Veriff and ComplyAdvantage providers
- Add required 'message' field to notification service calls
- Fix risk assessment type mismatches
- Update audit logging to use 'verified' action type (supported by schema)
- Resolve all TypeScript errors and unused variable warnings
- Add TypeScript ignore comments for placeholder implementations
- Temporarily disable security/detect-non-literal-regexp rule due to ESLint 9 compatibility
- Service now builds successfully with no linter errors

All core functionality implemented:
- Application submission and management
- KYC integration (Veriff placeholder)
- Sanctions screening (ComplyAdvantage placeholder)
- Risk assessment engine
- Credential issuance and revocation
- Reviewer console
- Status endpoints
- Auto-issuance service
2025-11-10 19:43:02 -08:00

19 KiB
Raw Blame History

The Order — AntiBribery & AntiCorruption Policy

Owner: Chief Compliance Officer (CCO)
Approved by: Board of Directors
Effective: [insert date]
Applies to: All directors, officers, employees, temporary staff, and anyone acting on behalf of the Order (consultants, agents, distributors, intermediaries, JV partners, and subsidiaries—collectively, "Associated Persons"). UK law treats anyone "performing services for or on behalf of" the organization as an associated person. (UK Legislation)

1) Policy statement (tone from the top)

The Order has zero tolerance for bribery or corruption in any form. No one may directly or indirectly offer, promise, give, request, agree to receive, or accept anything of value to improperly influence any act or decision or to secure an improper advantage. This policy applies worldwide, without exception.

2) Purpose & legal framework this policy is designed to satisfy

  • UK Bribery Act 2010 (UKBA) — creates four offenses: (1) bribing, (2) being bribed, (3) bribing a foreign public official, and (4) failure of a commercial organisation to prevent bribery by associated persons. Corporate liability for (4) is strict unless the organization proves adequate procedures based on six principles (proportionate procedures; toplevel commitment; risk assessment; due diligence; communication/training; monitoring & review). Facilitation (grease) payments are not exempt under UKBA. Penalties include up to 10 years' imprisonment for individuals and unlimited fines for organizations. (GOV.UK)

  • U.S. Foreign Corrupt Practices Act (FCPA) — two pillars: antibribery (prohibits corrupt payments to foreign officials to obtain/retain business) and accounting provisions (booksandrecords + internal controls for SEC issuers). The FCPA recognizes a narrow exception for facilitating payments for routine governmental action and affirmative defenses for bona fide, directly related promotional/contract expenses—but local law may still prohibit them (and UKBA does). Penalties include criminal fines and imprisonment (with alternative fines up to 2x gain/loss). (SEC)

  • Global benchmarks — UNCAC (comprehensive treaty) and OECD Good Practice Guidance inform bestpractice programs (riskbased controls, due diligence, training, monitoring). (UNODC)

3) Key definitions

  • Public/Government Official: Any officer/employee of a government, stateowned/controlled entity, public international organization; any person acting in an official capacity; candidates/party officials. (See UKBA s.6 and FCPA guidance.) (UK Legislation)

  • Anything of value: Cash, gifts, hospitality, travel, per diems, favors, internships, donations, sponsorships, discounts, inkind support, or other benefits. (Department of Justice)

  • Associated Person: Anyone performing services for or on behalf of the Order (employees, agents, subsidiaries, certain JV partners). (UK Legislation)

  • Facilitation (grease) payment: A small payment to expedite routine, nondiscretionary action by a public official. Strictly prohibited by this policy (even though FCPA provides a narrow exception). (GOV.UK)

4) Prohibited conduct

  • Bribery in any form (offering, giving, requesting, accepting).
  • Facilitation payments worldwide (safetyoflife exception below). (GOV.UK)
  • Offbook accounts, false invoices, misrecording, or other booksandrecords violations. (Issuers must keep accurate books and maintain internal controls.) (Legal Information Institute)
  • Indirect bribery via third parties, charitable or political donations, sponsorships, or community investments. (GOV.UK)

5) Gifts, hospitality & expenses (G&E)

Principle: modest, infrequent, transparent, never to influence or appear to influence a decision. UK guidance emphasizes "reasonable and proportionate." (GOV.UK)

Global baseline rules (the Order may set stricter local limits in country addenda):

  • Cash or cash equivalents (gift cards, vouchers): Prohibited.
  • Public officials: No gifts; modest refreshments or logo items of nominal value only, with written Compliance preapproval for any hospitality/expenses. (GOV.UK)
  • Privatesector counterparts: Up to US$100/£80 per person per event, US$200/£160 annual aggregate with the same person; preapproval above these limits. (These are policy thresholds, not legal thresholds.)
  • Travel/hosting of public officials: allowed only if (a) directly related to product demos, training, or contract execution; (b) economy class; (c) itineraries/agendas documented; (d) pay vendors directly (no perdiems/cash); (e) no family/side trips; and (f) Compliance preapproval. (This aligns with the FCPA "reasonable and bona fide" defense.) (SEC)
  • Registers & documentation: All G&E must be logged in the G&E Register with purpose, attendees, value, approvals, and receipts.

6) Facilitation payments & safety exception

  • Absolute ban on facilitation payments worldwide to satisfy UKBA and OECD expectations. (GOV.UK)
  • Imminent threat to health/safety: If a payment is extorted to remove an immediate threat to health or safety, the employee must comply to stay safe, then report within 24 hours to Compliance and record fully (amount, recipient, circumstances). (Note: FCPA's exception is narrow; relying on it is discouraged and may breach local law.) (Department of Justice)

7) Charitable & political contributions; sponsorships; community investments

  • Prohibited where intended to influence a decision or requested by/for the benefit of a public official.
  • All such payments require due diligence (recipient identity/beneficial owners, link to any official, purpose, need), written agreement, and public disclosure where feasible.
  • Corporate political contributions are prohibited unless expressly permitted by law and approved by Legal/Compliance in writing. (GOV.UK)

8) Conflicts of interest

Employees must disclose personal, financial, or family interests that could influence business decisions. Compliance will determine mitigation (recusal, divestment, or reassignment).

9) Thirdparty management (agents, distributors, customs brokers, consultants, lobbyists, JV partners)

Because organizations are liable for associated persons, the Order applies a riskbased lifecycle: screening → due diligence → contracting → training → controls → monitoring → renewal/termination. (UK Legislation)

Minimum requirements

  • Risk rating (country, sector, role, government touchpoints, compensation type).
  • Due diligence: identity & beneficial ownership, sanctions/adverse media checks, references; when highrisk, enhanced checks and inperson interviews.
  • Contractual protections: ABAC reps/warranties, audit rights, booksandrecords clause, right to terminate for breach, no successbased commissions in governmentfacing roles without CCO approval.
  • Payment controls: pay only against detailed, verifiable invoices; no cash; bank accounts in the name/country of performance; splitinvoicing prohibited.
  • Ongoing oversight: performance reviews, spot audits, certifications, and targeted training.

10) Books, records & internal controls

  • All transactions must be recorded accurately and in reasonable detail; no offbook accounts; maintain internal accounting controls appropriate to the risks. (For SEC issuers, these are statutory obligations under Exchange Act §13(b)(2)(A)(B).) (Legal Information Institute)
  • Controls to enforce this policy include: multilevel approvals; segregation of duties; vendor onboarding checks; G&E and donations registers; data analytics for redflag detection; periodic internal audit testing. (These align with DOJ expectations for effective compliance programs.) (Department of Justice)

11) Training & communications

  • Mandatory onboarding within 30 days; annual refresher thereafter.
  • Enhanced training for highrisk roles (sales, procurement, government relations, logistics, finance) and for highrisk third parties.
  • Track completions and comprehension; repeat until passed. (DOJ ECCP looks at design, implementation, and effectiveness.) (Department of Justice)

12) Speakup, reporting & nonretaliation

  • Report concerns to [hotline / email / portal]. Anonymous reports are permitted where lawful.
  • The Order prohibits retaliation against anyone who raises a concern in good faith. All reports are assessed promptly and investigated under Legal/Compliance oversight; confidentiality is protected consistent with law and due process.

13) Investigations & discipline

  • Employees must cooperate with internal investigations. Obstruction, destruction of records, or false statements are policy violations (and may breach law).
  • Violations may result in disciplinary action up to termination, termination of thirdparty relationships, disclosure to authorities, restitution, and other remedies permitted by law. (UKBA and FCPA impose serious criminal/civil penalties.) (UK Legislation)

14) Mergers, acquisitions & joint ventures

  • Preacquisition due diligence for bribery/corruption risks; contractual protections; 100day integration (policy rollout, training, controls, remediation, and audit) after closing. (OECD/DOJ emphasize riskbased M&A diligence and postdeal integration.) (Department of Justice)

15) Governance, monitoring & review

  • CCO owns this policy, reports at least quarterly to the Audit/Compliance Committee.
  • Annual risk assessment and program review, including testing of controls and improvements based on incident learnings. (Consistent with UK MoJ Principle 6 and DOJ ECCP.) (GOV.UK)

16) Exceptions

No exceptions to this policy except the safetyoflife scenario described above; any such exception must be reported immediately and documented.

Quickuse appendices

Appendix A — Gifts/Hospitality quick matrix

Scenario Allowed? Preapproval Documentation
Coffee/working meal with privatesector customer (<US$50/£40) Yes if legitimate business purpose No Receipt + entry in G&E Register
Logo pen or notebook to public official Yes if nominal No (unless local addendum requires) Entry in G&E Register
Match tickets/travel for public official No (unless directly related to legitimate demo/training and preapproved) CCO approval Agenda, invite list, receipts, register
Cash/gift cards to anyone Never

(UK guidance stresses "reasonable and proportionate" hospitality; anything intended to influence is prohibited.) (GOV.UK)

Appendix B — Common red flags

  • Requests for unusual commissions, success fees, or payment in cash/offshore accounts.
  • Third party lacks experience, is suggested by a public official, or refuses audit clauses.
  • Excessive G&E, travel unrelated to business, family members invited, side trips.
  • Vague scopes, overinvoicing, or split invoices; pressure to speed approvals.
  • Frequent interaction with customs, licensing, or procurement officials in highrisk countries.

(These reflect patterns highlighted across UKBA/FCPA guidance.) (SEC)

Appendix C — Thirdparty due diligence (DD) checklist (riskbased)

  1. Identity/beneficial ownership; sanctions & adverse media; litigation; government links.
  2. Business need, capability, commercial rationale; references.
  3. Compensation structure (no success fee for governmentfacing roles unless CCO approves).
  4. Contractual ABAC clauses & audit rights; training commitment.
  5. Postonboarding monitoring plan and renewal cadence. (GOV.UK)

Appendix D — Accounting & control reminders (for Finance)

  • Record transactions accurately and in reasonable detail; prohibit sideletters/offbook arrangements.
  • Maintain controls for approvals, vendor setup, G&E, donations/sponsorships, and thirdparty payments.
  • Periodically test and document control effectiveness (SEC §13(b)(2) standards for issuers; good practice for others). (Legal Information Institute)

Appendix E — Required minimum trainings

  • All staff: annual ABAC fundamentals (policy, reporting channels).
  • Highrisk teams: scenariobased modules (G&E, thirdparty oversight, customs/government interactions).
  • Third parties (high risk): annual certification + targeted training. (Tracked to satisfy "communication & training" under UK MoJ and DOJ ECCP expectations.) (GOV.UK)

Country addenda (templates to localize)

Create short addenda for each country where the Order operates to address:

  • Local definitions of "public official," gift taxes/limits, and lobbying rules.
  • Any stricter local law (e.g., UK: no facilitation payments; strict corporate "failure to prevent" liability and "adequate procedures" defense). (GOV.UK)
  • U.S.: FCPA's accounting provisions for SEC issuers; narrow facilitatingpayments exception under antibribery (still prohibited by this policy). (Legal Information Institute)

Implementation checklist (90 days)

  1. Board & CEO endorsement memo ("tone from the top").
  2. Risk assessment (business lines, geographies, government touchpoints).
  3. Stand up G&E and Donations/Sponsorships Registers and a single intake form.
  4. Launch thirdparty DD workflow (risk tiering, questionnaires, screening tools).
  5. Train employees and highrisk third parties; track completion.
  6. Configure financial controls (vendor onboarding, approval thresholds, audit flags).
  7. Establish speakup channels and investigation SOPs; antiretaliation notice.
  8. Define metrics (training rates, DD cycle time, exception rates, hotline KPIs) and a quarterly report to the Audit/Compliance Committee. (All consistent with UK MoJ Principle 6 and DOJ ECCP.) (GOV.UK)

Why this policy maps to the law

  • UK Bribery Act 2010: Addresses s.12 (bribing/being bribed), s.6 (bribing foreign public officials), and s.7 (failure to prevent bribery by associated persons); embeds the six "adequate procedures" principles; recognizes no facilitationpayments exemption; notes penalties and extraterritorial reach. (GOV.UK)

  • U.S. FCPA: Covers antibribery prohibitions and the booksandrecords / internal controls provisions (Exchange Act §13(b)(2)); acknowledges the narrow facilitatingpayments exception and reasonable and bona fide promotional/contractrelated expenses; emphasizes accurate records and effective controls. (Legal Information Institute)

  • OECD/UNCAC: Aligns with international norms emphasizing preventive measures, criminalization, cooperation, and asset recovery; promotes riskbased controls and due diligence. (Department of Justice)

Ready-to-use templates

1. Employee annual ABAC certification (one page)

"I certify that I have read the Order's ABAC Policy, completed required training, disclosed any conflicts, recorded all gifts/hospitality provided or received, and will promptly report suspected violations. Signature / Date."

2. G&E preapproval form (for public officials or anything above thresholds)

Purpose, attendee list & roles, agenda, estimated value per attendee, funding source, business rationale, confirming no family/side trips, approvals (Line Manager, Finance, CCO), and commitment to log all expenses.

3. Thirdparty DD questionnaire (short form)

Legal name, ownership, government ties, services, geographies, references, compensation/terms, prior compliance issues, acceptance of audit/ABAC clauses, training commitment.

Key sources used for this policy

  • UK MoJ Bribery Act Guidance incl. six principles; last updated Jan 22, 2025. (GOV.UK)
  • Bribery Act 2010 (sections 68 & 11) and explanatory notes (associated persons; penalties). (UK Legislation)
  • DOJ/SEC FCPA Resource Guide and SEC §13(b) materials (books & records; internal controls). (SEC)
  • DOJ Evaluation of Corporate Compliance Programs (latest public version). (Department of Justice)
  • UNCAC & OECD Good Practice Guidance. (UNODC)
  • FCPA facilitationpayments exception (narrow) vs. UKBA prohibition. (Department of Justice)

References

Reference in New Issue View Git Blame Copy Permalink