Publication | U4 Helpdesk Answer

Legal incentives for compliance in the private sector


Please provide an overview of legal provisions or mechanisms that incentivise compliance and compliance programmes and/or disincentivise corruption in the private sector. If possible, please provide an overview of different types of incentives, their respective functioning mechanisms and experiences of them in terms of their effectiveness.


The literature on how to get companies to comply with domestic and international anti-corruption laws and regulations has gained traction over the last few decades (UNODC 2019). Many of the biggest corruption investigations involve legal persons instead of focusing on natural persons.[1] The responsibility of legal persons, such as corporations, is also known as corporate liability and is a key feature of global measures to counter corruption (UNODC 2019).

One of the chief legal mechanisms that incentivises compliance in companies is enforcement based on corporate liability (Jimenez 2019). Disincentives in the form of fines, compensation payments for damages and harm to reputation remain the major motivations for applying compliance programmes in the private sector (Rummel 2016). Awards such as access to state benefits, as a form of incentive, are among the tools that may be considered when designing strategies meant to curb corruption through behavioural changes (Kukutschka 2019).

Although incentives stemming from corporate liability are a crucial component of compliance and ethics programmes, as compared to other elements such as codes of conduct, helplines, training and risk assessment, this topic has received limited attention in anti-corruption legislation (Murphy 2019).

When it comes to understanding legal mechanisms for incentivising compliance programmes, a two-layered approach is used in this answer. The first layer concerns the interaction between the state’s enforcement agency and business, while the second focuses on laws that call for the use of incentives within compliance programmes operating in the private sector. The first layer explores the mechanisms that the state uses to incentivise compliance by companies, whereas the second explores directives for incentive structures to regulate compliance within companies.

An emerging notion is that both productivity and compliance should be remunerated since employees are expected to be productive and act compliantly (Transparency International 2020). By only paying them for productivity, employees may seek non-compliant ways to increase their output. In this context, current incentive systems focused solely on productivity may even encourage employees to break compliance rules (Teichmann 2018). The EY Global Fraud Survey 2018 found that significant levels of unethical conduct with regard to employee behavior remain despite many businesses having reached a certain level of maturity in their compliance programs.

Incentives that reward a company for good practice are useful complements to enforcement sanctions. They recognise that significant commitment to and investment in anti-corruption programmes and other measures that strengthen corporate integrity are largely voluntary, and can be encouraged through incentives (UNODC 2013a).

According to the United Nations Convention against Corruption (UNCAC) resource guide for strengthening corporate integrity (2013), the main categories of legal incentives that may be designed are as follows:

Penalty mitigation

It is the most prevalent form of a good practice incentive. Companies that have made a significant effort to detect and deter corruption may be rewarded with a reduction in fines, reduced charges or even a defence against liability for the misconduct of an employee or agent. In a settlement context, the perception that a company is serious about countering corruption can substantially ease the conditions for resolving an investigation (UNODC 2013a).

Article 37 of the UNCAC deals with penalty mitigation. Corporate self-reporting has been a major source of information for investigations by law enforcement authorities in several states,[2] particularly in cases involving the bribery of foreign public officials by multinational enterprises. Penalty mitigation and leniency programmes have been an important motivation for this self-reporting (UNODC 2013a).

Procurement incentives

The simplest form of this incentive is a requirement that companies meet certain minimum good practice standards as a condition for doing business with state agencies. Mandatory programme requirements can be an effective way to strengthen corporate integrity practices. Also, preferences in public procurement that reward voluntary measures that an enterprise has taken to strengthen its integrity are often referred to as “genuine” incentives, which offer a counterpoint to suspension and debarment for corrupt acts (UNODC 2013a). For example, Georgia has both a blacklist of debarred companies and a whitelist of companies meeting good practice standards set by the state procurement agency (State Procurement Agency Georgia 2020).

Preferential access to government benefits

This incentive acts as the counterpart to the sanction of the denial of benefits (evidence of bribery, or that a company is not conducting business with integrity, may be grounds for the denial or withdrawal of export support or other business benefits). Such benefits may be made available on a preferential basis to individuals and companies that are able to demonstrate a commitment to good practice. As with a procurement preference, this incentive may take the form of an eligibility requirement, for example, that an applicant for government benefits meets specified minimum programme standards. Preference may also be given for voluntary measures taken by an enterprise to strengthen its integrity (UNODC 2013a).

While preferential access is most commonly associated with government procurement opportunities, as mentioned previously, it may also be applied to other categories of government benefits or services. For example, a company able to demonstrate a commitment to ethical practice might be given “fast-track” access to customs services or preference in export credit support. Investments in quality anti-corruption systems and controls can also be rewarded through targeted corporate tax benefits, mirroring the kind of expense deductions and credits widely available for business-generating activities. This can send a message to the private sector that investments in quality prevention programmes are as important as these other business investments (UNODC 2013a).

Reputational benefits

Through public acknowledgement of a company’s commitment to good practice and countering corruption, reputational benefits may also serve as a tool for encouraging corporate integrity. States can reinforce this positive market signal through measures of their own that encourage and reward good practice. For example, the “pro ethics list” made by Ethos Institute and Office of the Comptroller General in Brazil, is a form of whitelist that recognises a company for good practice, as a counterpart to traditional debarment or blacklist (UNODC 2013a).

Whistleblower awards

While preventive incentives are essentially aimed at encouraging good practice in anti-corruption programmes, incentives can also be used to encourage reporting of potential violations by individuals. Such a system of incentives has been used in the United States to encourage and reward reporting on procurement fraud, breaches in government contracting and law violations by public companies, including the failure to properly record and report instances of bribery (UNODC 2013a).

Recently, the Securities and Exchange Commission (SEC) announced a nearly US$50 million whistleblower award to an individual who provided detailed, first-hand observations of misconduct by a company that resulted in a successful enforcement action that returned a significant amount of money to harmed investors. This is the largest amount ever awarded to one individual under the SEC’s whistleblower programme (SEC 2020).

Other than these categories, in some cases incentives may take the form of:

Mitigating civil damages claims

In several jurisdictions, companies and individuals who have violated anti-corruption provisions can be held civilly liable, with affected parties claiming damages against the violating entity. Under German law, for example, management can be held personally responsible for damages suffered by corporations based on corruption offences in business. In a 2013 case, a German court based the damage claim of a company against its former Chief Financial Officer (CFO) on the failure of the CFO to manage an “efficient compliance system that would have prevented bribery offenses” (Funk & Boutros 2019). Thus, an incentive for companies and the individuals operating them is that they may mitigate legal risks by having adequate compliance procedures in place.

Mandatory provisions

Mandatory compliance provisions are legal requirements in certain jurisdictions which apply to specific types of companies. In France, for example, compliance programmes are mandatory for certain companies under Sapin II (discussed further in the following section) (Journal Officiel de la République Française 2016).

Moreover, stock-listed companies are often required by law (as per the jurisdiction in which they operate) to adhere to certain compliance policies. The Securities and Exchange Board of India (SEBI), for example, requires all publicly listed companies in India to “make periodic and event based disclosures which are price sensitive in nature and which will have bearing on the performance/operations of the company” (SEBI 2013).

Incentives should have an appropriate balance between the potential investigative benefits that result from the cooperation of offenders and the administration of justice (UNODC 2013). The basic minimum criteria for an effective anti-corruption programme are visible and active leadership, risk-based operational guidelines and training, channels for seeking advice and reporting concerns, and systems and controls for oversight and periodic refinement of the programme. Companies are also expected to manage risks related to their third-party relationships and to establish an organisational culture that encourages ethical conduct and a commitment to compliance (UNODC 2013a).

According to the recommendations from the G20 Germany 2017 Business Dialogue group, G20 members have been advised to be supportive of companies’ proactive engagement by providing positive recognition of effective anti-corruption and compliance systems (B20 RBC&AC Cross-thematic Group 2017). A few of the B20 Group’s proposed incentives include:

  • Compliance efforts may be taken into consideration when providing public benefits and awarding public contracts. The existence of an adequate and robust compliance programme should be a requirement for being eligible to be awarded public contracts or receive public subsidies, licences and contracts funded by official development assistance.
  • A sound compliance programme should also be a requirement for officially supported export credits and trade insurances.
  • Recognition of compliance efforts to be used as a mitigating factor in sentencing or as a complete or partial legal defence.

Compliance programmes, as mentioned earlier, exist as a form of mitigating corporate criminal or administrative liability. The decision whether or not and to what extent a company is prosecuted usually depends on two questions:

  1. Did the company (or its management) benefit from the misconduct?
  2. Did the company (or its management) not attempt to prevent the misconduct?

If the answer to either of these is yes, a prosecution becomes possible/likely. If the answers are no, prosecutors might refrain from bringing charges or reduce possible sanctions. Few jurisdictions have official legal defences, so that, if certain measures are in place, companies can use them as a defence if a case is brought against them. Other jurisdictions which do not have an official legal defence in place nonetheless look at the company’s processes and behaviour prior to and during the misconduct when determining the size of sanction or whether to bring a case at all. Thus, often, a well-implemented compliance programme can be used to mitigate a sanction (Schöberlein 2019).

In the UK, for example, adequate internal measures may be used as a legal defence for companies in the event of misconduct occurring (OECD 2017a; Rahman 2020). The UK Ministry of Justice provides guidance (2010) on what would be considered adequate preventive measures. While the guidance does not prescribe a specific set of measures, it does lay out principles for companies to follow that allow them to take their specific circumstances into account (Schöberlein 2019). The principles are:

  • proportionate procedures
  • top-level commitment
  • risk assessment
  • due diligence
  • communication (including training)
  • monitoring and review

The first time a UK court considered the adequate procedures defence was in 2018.

Taking the example of Malaysia, a new section introduced in 2019 to the Malaysian Anti-Corruption Commission Act 2009 provides for corporate criminal liability for corruption offences as well as for personal liability of persons involved in the management of a commercial organisation (Alagaratnam and Leong 2019). Similarly, as in the case of the UK, the sole statutory defence available to a commercial Malaysian organisation against corporate liability is that it had in place adequate procedures to prevent associated persons from committing corruption (Alagaratnam & Leong 2019). The adequate procedure principles are:

  • top-level commitment
  • risk assessment
  • undertaking control measures
  • systematic review
  • monitoring and enforcement
  • training and communication

In Italy, companies may be exempted from liability if they have adopted and appropriately implemented an effective compliance programme (Clifford Chance 2019). Such a programme is referred to as “model of organisation, management and control” (Baker McKenzie 2017). In the Netherlands, having appropriate internal measures in place may lead to a legal entity not being held criminally liable or having their sanctions reduced if it is found that the misconduct does not seem to reflect the usual business culture, that adequate preventive measures were in place and the company generally is not deemed accepting of such behaviour (Clifford Chance 2019).

Other countries with compliance defence concepts in their laws include: Australia, Chile, Germany, Hungary, Ireland, Italy, Japan, Korea, Poland, Portugal, Singapore, Spain, Sweden and Switzerland (Koehler 2015).

While there is no specific legal defence for an existing compliance programme in the German legal framework, “a company may be subject to a corporate administrative fine, or a forfeiture order, if a representative or manager of the company has intentionally or negligently refrained from taking appropriate preventive measures (i.e. the administrative offence of violation of supervisory duties)” (Clifford Chance 2019). Nevertheless, whether or not a company has implemented strong preventive measures influences the decision to prosecute and the determination of sanctions in the country (OECD 2018b; Schöberlein 2019).

In other jurisdictions, such as France, Sapin II makes the existence of a compliance programme mandatory for certain companies (headquartered in France, over 500 employees and over €100 million in annual turnover). A compliance programme is thus not just a mitigating factor if a violation occurs but is a general requirement, and its absence can constitute an offence (Journal Officiel de la République Française 2016; Clifford Chance 2019). To be considered adequate under Sapin II, a compliance programme must include the following elements:

  • a code of conduct defining and illustrating the different types of prohibited behaviours
  • an internal reporting system enabling employees to report misconduct
  • a documented risk assessment
  • a process for due diligence on third parties
  • internal financial controls
  • training for managers and employees
  • a sanction regime for employees who violate the code of conduct
  • evaluation procedures to assess the efficiency of the programme

Failure to comply with the requirement can result in a fine of up to €200,000 for individuals and €1 million for legal persons (Journal Officiel de la République Française 2016; Clifford Chance 2019; White & Case LLP 2019).

Whistleblower protection is also essential for the proper functioning of compliance procedures. “According to a 2016 OECD study, of the 43 parties to the Anti-Bribery Convention, only 14 had adopted measures that satisfactorily meet the 2009 Anti-Bribery Recommendation’s provisions on private sector whistleblower protection ... [which] recommend that countries ensure that ‘appropriate measures are in place to protect from discriminatory or disciplinary action public and private sector employees, who report in good faith and on reasonable grounds to the competent authorities suspected acts of bribery’” (OECD 2017b). In 2019, the European Union adopted a directive on the “protection of persons reporting on breaches of Union law” (Whistleblower Protection Directive) (Transparency International 2019).

Sapin II in France, for example, guarantees the protection of whistleblowers’ identity by requiring a guarantee of strict confidentiality of the reporting individual’s identity. “Elements that could identify the whistleblower may not be disclosed except to law enforcement authorities and only with the consent of the whistleblower and once the report has been substantiated” (OECD 2017b). Disclosure of confidential information is punishable with up to two years imprisonment and €30,000 fines (Journal Officiel de la République Française 2016).

To encourage whistleblowing, many OECD countries have put in place reward systems (which may include monetary recompense). In the US, for example, the False Claims Act allows individuals to sue on behalf of the government to recover lost or misspent money. They can receive up to 30% of the amount recovered. The Korean Anti-Corruption and Civil Rights Commission (ACRC) may reward whistleblowers with up to US$2 million if their claims contribute directly to recovering or increasing public agencies’ revenues or reducing their expenditures. The ACRC may also grant or recommend awards when whistleblowing served the public interest. Reward systems, however, remain controversial in most countries with an organisational culture that values efforts to improve organisations, especially by identifying and correcting wrongdoing (OECD 2013).

The use of incentives in compliance procedures within businesses also finds mention in a variety of legal standards.


OECD’s Convention on Combating Bribery of Foreign Public Officials in International Business Transactions (Anti-Bribery Convention) of 1999 requires the ratifying countries to have legislation that criminalises the bribery of foreign public officials. Annex II of the convention is “addressed to companies for establishing and ensuring the effectiveness of internal controls, ethics, and compliance programs or measures for preventing and detecting the bribery of foreign public officials in their international business transactions”. Annex II’s Good Practice Guidance for Companies lays out 12 steps which act as “non-legally binding guidance to companies in establishing effective internal controls, ethics, and compliance programs or measures for preventing and detecting foreign bribery”.

While the standard does not use the word “incentives”, the direction to “encourage and provide positive support” may be understood in the light of rewarding anti-corrupt behaviour (Murphy 2019).

United States

According to the 2004 revisions to the Federal Sentencing Guidelines standards “The organisation’s compliance and ethics program shall be promoted and enforced consistently throughout the organisation through (A) appropriate incentives to perform in accordance with the compliance and ethics program” (Sandford 2015).

Moreover, prosecutors and judges look to specific criteria enumerated in published Organisational Sentencing Guidelines when deciding whether to charge a company for employee misconduct and when determining sanctions (USSC 2013). Given that compliance is now of considerable importance in legal prosecution and that the definition of compliance has been broadened to the concept of organisational integrity, these guidelines list both aggravating and mitigating factors, that is, factors that can raise or reduce the charges and penalties for an organisation. Mitigating factors relate to the quality of a company’s internal programme for preventing and detecting criminal conduct, self-policing, reporting of potential violations, cooperation with law enforcement and remedial action in response to a violation (UNODC 2013b).

References to incentive systems have also appeared in settlement agreements reached by the government with companies. For example, in the 2006 deferred prosecution agreement with Mellon Bank, the US Attorney’s Office for the Western District of Pennsylvania included the following provision: “Performance evaluation criteria and compensation should also be linked to specific steps taken by [substantial authority] personnel to support the compliance and ethics program (e.g. briefing ‘direct reports’ on the code’s application and the importance of raising compliance and ethics issues; ensuring that ‘direct reports’ have completed required training)” (McGonegle & Roach 2011).

The Criminal Division of the US Department of Justice (DOJ) and the Enforcement Division of the US SEC published FCPA: A Resource Guide to the U.S. Foreign Corrupt Practices Act in 2012, which presents insight into the DOJ’s and SEC’s FCPA enforcement approach and priorities. The guide states that “positive incentives can also drive compliant behaviour” and that “rewarding good behaviour…reinforces a culture of compliance and ethics throughout an organisation”. The agencies also assert that they will “consider whether such incentives are fairly and consistently applied across the organisation” (Murphy 2019).

In the US, the guidance on compliance systems relates to corporate liability for federal crimes. The DOJ produced a guidance document in 2017 on the Evaluation of Corporate Compliance Programs (updated in 2019). This references two other documents that incentivise effective compliance programmes (US DOJ 2020). The first of these is the Principles of Federal Prosecution of Business Organizations in the US Justice Manual, which includes, among the factors to consider in conducting an investigation of a corporation, the “adequacy and effectiveness of a company’s compliance program at the time of an offense and charging decision” (US DOJ 2020).

The second document is the US Sentencing Guidelines chapter on organisations, which says that consideration should be given to “whether the corporation had in place at the time of the misconduct an effective compliance (and ethics) program for purposes of calculating the appropriate organizational criminal fine”. The consideration of compliance programmes in the context of investigations and sentencing provides a strong incentive to companies (US DOJ 2020).

The DOJ Evaluation of Corporate Compliance Programs document is intended to assist prosecutors in making informed decisions as to whether, and to what extent, the corporation’s compliance programme was effective at the time of the offence, and is effective at the time of a charging decision or resolution. It covers a number of areas including risk assessment, training and communications, confidential reporting structure and investigation process, and third-party management (US DOJ 2020). Its section on third-party management says that:

“[a] well-designed compliance program should apply risk-based due diligence to its third-party relationships. Although the degree of appropriate due diligence may vary based on the size and nature of the company or transaction, prosecutors should assess the extent to which the company has an understanding of the qualifications and associations of third-party partners, including the agents, consultants, and distributors that are commonly used to conceal misconduct, such as the payment of bribes to foreign officials in international business transactions.”

The line is drawn at direct third-party partners, albeit with some flexibility. There is no reference to the management of supply chains (US DOJ 2020).


Standards Australia, the national standards organisation, identifies the role of incentives in several passages. Section 4.1.4(i) charges managers with responsibility for including compliance performance in evaluations; 4.3.2 notes that culture is affected by personnel evaluations that include compliance behaviour and meeting compliance obligations. It also calls for rewarding such behaviour in a way that is “highly visible”. 5.2.3(d) specifies that incentives and managing for performance should be tied to compliance. Finally, under 6.1.2(c) companies are called upon to recognise this behaviour for “teams, work units, and individuals”.

United Kingdom

The UK Office of Fair Trading (OFT), which is the country’s principal enforcer of competition law, issued a guidance document on compliance programmes indicating that such programmes may be taken into account when assessing penalties. In describing what could be included in a creditworthy programme, the OFT stated: “A business is likely to benefit if it links its scheme of incentives and disincentives to its compliance objectives” (Murphy 2019).

Approaches in compliance incentives/disincentives

The focus of sound compliance systems should be on strengthening the business case to counter corruption. If incentives and sanctions applied to a company are not adequately passed on to relevant representatives through internal policies (for example, loss of bonuses or penalties), then sanctions, especially, may be seen as mere costs of doing business. They may also be passed on to third parties, such as shareholders, creditors or customers. In such cases, sanctions applied solely to a company have only a limited effect on the financial cost considerations of individual representatives and may, therefore, fail to motivate business to counter corruption. Thus, targeting executives with both sanctions and incentives is vital when seeking to motivate business to counter corruption (Wegner, Schöberlein & Biermann 2013).

Former SEC Director of Enforcement, Stephen M. Cutler, said, “make integrity, ethics and compliance part of the promotion, compensation and evaluation processes as well. For at the end of the day, the most effective way to communicate that ‘doing the right thing’ is a priority, is to reward it” (Fox 2015).

Compliance incentives range from “soft” to “hard”. The former category generally consists of non-tangible encouragement/recognition, such as commendations (public or not, as appropriate) from a senior business leader for an employee’s/group’s exemplary compliance-related conduct. The latter generally consists of tangible rewards, often monetary, which may be useful but also run the risk of occasionally offending those who feel that doing what is right is part of everyone’s job (Kaplan 2011).

Former Director, Office of Compliance Inspections and Examinations, SEC, Lori Richards notes (2008) a few ways of incentivising compliance:

  • Being clear about expectations: managers and employees should be aware that compliance with the firm’s internal risk management and compliance policies is expected, and performance expectations should be explicit on this point.
  • Reward managers who achieve compliance: managers could be compensated in part based on their branch’s or unit’s compliance activities (results of surveillance reviews, internal reviews, customer satisfaction levels). Positive results get higher compensation.
  • Reward managers who cultivate a culture of compliance: for example, using surveys to measure employees’ attitudes towards ethics and compliance. Some firms then tie a component of their senior managers’ compensation to the attitudes expressed by their unit’s employees. Positive results get higher compensation.
  • Reward employees for considering compliance issues: employees could be incentivised to approach compliance staff early with questions about compliance, well before the deal, or the product or the transaction is launched.
  • Incentives impact risk: since incentives drive behaviour, an organisation’s risk assessment process could consider the incentives that encourage and reward compliance, and could identify areas and employees who do not operate with these incentives. Firms could include the latter as areas that may present a higher risk and may warrant closer review. In addition, when organisations conduct special reviews or inquiries of compliance breakdowns, they could include an evaluation of the role that incentives played.

A few good practices for addressing whistleblowing challenges and mitigating disincentives in compliance structures include (Wegner, Schöberlein & Biermann 2013):

  • having strong policies and procedures against retaliation (for example, a record of discipline for retaliation)
  • publicising internally the results of investigations and discipline (while protecting the privacy of individuals) to demonstrate that calls are taken seriously and appropriate action is taken
  • rewarding those employees who use reporting systems to report defects in the compliance system. Those reporting actual violations are thanked and recognised, but not necessarily paid.
  • giving compliance and ethics programmes sufficient empowerment and independence to be effective in conducting investigations and protecting whistleblowers (including a sufficiently independent and empowered chief ethics and compliance officer at the executive level)

Further reading

The Complete Compliance and Ethics Manual 2019

The manual provides an overview of compliance and ethics practices in the private sector, covering topics such as implementing a programme (including the use of incentives), measuring effectiveness and select compliance risks.

Motivating Business to Counter Corruption: A Practitioner Handbook on Anti-Corruption Incentives and Sanctions

Intended for anti-corruption practitioners, change agents and policymakers, the handbook examines how anti-corruption measures may effectively be applied, to enable all stakeholders to achieve a sustainable impact on business behaviour.

International Commitment to Compliance Programs

The document contains data from governments across the globe on the need for corporate compliance programmes for companies operating within their borders. It is a comprehensive list of countries’ compliance legislation.

Prosecuting Corporate Corruption in Europe

Comparing the legal compliance frameworks from France, UK, Germany, Italy and the Netherlands, it provides insight into corporate liability mechanisms.

Compliance and Covid: Moving to a New Normal

COVID-19 has created unprecedented business and regulatory disruption in a condensed period. There are massive changes to how financial institutions operate, what regulators and supervisors expect in addition to significant economic impacts on society, businesses and individuals. This paper explores how compliance can adapt to understand the new circumstances and address the risks in a holistic way.

A few resources on setting up anti-corruption compliance standards:

  1. A person is juridically classified in two groups: natural persons and juridical/legal persons. The first group refers to a human being, who is an individual being capable of assuming obligations and capable of holding rights. The second group refers to those entities endowed with juridical personality who are usually known as a collective person, social person or legal entity (Adriano 2015).
  2. For example, the Standard Bank case, in which the company self-reported and was eventually given a deferred prosecution agreement (DPA) (Rahman 2019).