Comparison

ISO 37001 vs FCPA: anti-bribery standard vs US anti-corruption law

Comparison between ISO 37001 (anti-bribery management system) and the FCPA (Foreign Corrupt Practices Act). Nature, scope, requirements, sanctions, and complementarity in anti-corruption compliance programs.

ISO 37001 is a certifiable international standard establishing requirements for an anti-bribery management system. The FCPA (Foreign Corrupt Practices Act) is a US federal law prohibiting bribery of foreign officials. Although they operate on different planes — voluntary standard vs. mandatory legislation — both are pillars of any anti-corruption compliance program with international reach.

Detailed comparison

Aspect	ISO 37001:2016	FCPA (1977, amended)
Legal nature	Voluntary international standard published by ISO. Certifiable by accredited bodies. Its adoption is an organizational decision to demonstrate anti-bribery commitment.	US federal law with binding force. Applies to companies listed on US stock exchanges, US citizens and residents, and anyone facilitating a corrupt payment on US territory.
Geographic scope	Universal application. Designed for any organization in any jurisdiction, regardless of size, sector, or location. Not tied to any specific legal system.	Broad extraterritorial reach. Any company with a US nexus (publicly traded, with operations, or using the US banking system) can be reached. It has generated sanctions against Latin American companies.
Operational requirements	Requires a complete management system: anti-bribery policy, bribery risk assessment, due diligence, financial and non-financial controls, whistleblowing channel, training, independent compliance function, and continual improvement.	Two main components: (1) anti-bribery provisions prohibiting corrupt payments to foreign officials, and (2) accounting provisions requiring accurate books and records and adequate internal controls. Does not prescribe a specific management system.
Consequences of non-compliance	Not certifying does not carry direct legal sanctions. However, the absence of a robust anti-bribery system can result in greater legal risk exposure, lost contracts, and reputational damage.	Severe sanctions: corporate fines up to double the gain obtained, individual fines up to USD 250,000, prison sentences up to 5 years, and independent monitoring imposed by the DOJ.

Auditor's verdict

ISO 37001 and the FCPA are not alternatives: they complement each other. The FCPA defines what is prohibited and its consequences; ISO 37001 provides the management framework to prevent violations. For Latin American organizations with a US commercial nexus, implementing ISO 37001 constitutes demonstrable evidence of anti-corruption due diligence that DOJ prosecutors consider as a mitigating factor.

Frequently asked questions

It does not grant immunity, but the DOJ and SEC consider the existence of a robust compliance program as a mitigating factor when determining sanctions.

Yes, if the company has any US nexus: listing on US stock exchanges, dollar transactions through the US banking system, US subsidiaries or business partners. The FCPA's extraterritorial reach has generated multiple enforcement actions against Latin American companies.

Guide

Available now

Ready to act on these findings?

Need an assessment in this area?

Request diagnosis→View research→

Loading content…

Aspect

ISO 37001:2016

FCPA (1977, amended)

Legal nature

Voluntary international standard published by ISO. Certifiable by accredited bodies. Its adoption is an organizational decision to demonstrate anti-bribery commitment.

US federal law with binding force. Applies to companies listed on US stock exchanges, US citizens and residents, and anyone facilitating a corrupt payment on US territory.

Geographic scope

Universal application. Designed for any organization in any jurisdiction, regardless of size, sector, or location. Not tied to any specific legal system.

Broad extraterritorial reach. Any company with a US nexus (publicly traded, with operations, or using the US banking system) can be reached. It has generated sanctions against Latin American companies.

Operational requirements

Requires a complete management system: anti-bribery policy, bribery risk assessment, due diligence, financial and non-financial controls, whistleblowing channel, training, independent compliance function, and continual improvement.

Two main components: (1) anti-bribery provisions prohibiting corrupt payments to foreign officials, and (2) accounting provisions requiring accurate books and records and adequate internal controls. Does not prescribe a specific management system.

Consequences of non-compliance

Not certifying does not carry direct legal sanctions. However, the absence of a robust anti-bribery system can result in greater legal risk exposure, lost contracts, and reputational damage.

Severe sanctions: corporate fines up to double the gain obtained, individual fines up to USD 250,000, prison sentences up to 5 years, and independent monitoring imposed by the DOJ.

Auditor's verdict

Frequently asked questions

It does not grant immunity, but the DOJ and SEC consider the existence of a robust compliance program as a mitigating factor when determining sanctions.

ISO 37001 vs FCPA: anti-bribery standard vs US anti-corruption law

Detailed comparison

Auditor's verdict

Frequently asked questions

Related content

How to implement ISO 27001 in your organization

How to implement ISO 42001 for AI management

Risk management

ISO 37001

Shadow AI: artificial intelligence use without formal governance

Failed certification audit: nonconformity diagnosis and recovery plan

Ready to act on these findings?

ISO 37001 vs FCPA: anti-bribery standard vs US anti-corruption law

Detailed comparison

Auditor's verdict

Frequently asked questions

Related content

How to implement ISO 27001 in your organization

How to implement ISO 42001 for AI management

Risk management

ISO 37001

Shadow AI: artificial intelligence use without formal governance

Failed certification audit: nonconformity diagnosis and recovery plan

Ready to act on these findings?