Vendor Anti-Bribery and Corruption Questionnaire

Your vendor just disclosed they operate in three countries ranked in the bottom quartile of Transparency International's Corruption Perceptions Index. Standard security questionnaires won't capture the bribery risks that could trigger FCPA violations and seven-figure penalties.

Anti-bribery and corruption questionnaires serve as your primary control for identifying corruption exposure in your supply chain. Unlike general compliance DDQs, ABC questionnaires probe specific risk indicators: government touchpoints, gift policies, third-party agent usage, and facilitation payment protocols. They transform vague corruption concerns into quantifiable risk scores that drive tier assignments and monitoring cadences.

For TPRM managers juggling hundreds of assessments, ABC questionnaires provide structured evidence collection that satisfies both regulatory requirements and internal audit scrutiny. The questionnaire outputs feed directly into your risk register, control mapping exercises, and determines which vendors require enhanced due diligence procedures.

Core Sections of an ABC Questionnaire

Corporate Structure and Ownership

Start with ownership transparency. Your questionnaire must identify:

• Ultimate beneficial ownership (25% threshold per FATF guidelines)
• Government ownership or control percentages
• Politically exposed persons (PEPs) in leadership positions
• Parent/subsidiary relationships in high-risk jurisdictions

Request evidence: Corporate registration documents, ownership charts, and annual reports. For Tier 1 vendors, require notarized ownership declarations.

Anti-Corruption Policies and Training

Policy existence means nothing without implementation evidence. Structure questions to capture:

Policy Component	Required Evidence	Red Flag Indicators
Written ABC policy	Policy document with approval date	No policy or >3 years old
Employee training	Training records, completion rates	<80% completion or no refresher training
Third-party codes	Supplier code of conduct	No downstream requirements
Investigation procedures	Process documentation	No whistleblower protections

Government Interactions

This section determines your exposure to public corruption risks. Key assessment areas:

Direct Government Business

• Percentage of revenue from government contracts
• Types of government agencies engaged
• Frequency of regulatory inspections
• Permits and licenses required for operations

Indirect Touchpoints

• Use of customs brokers or freight forwarders
• Employment of former government officials
• Lobbying activities or political contributions
• Participation in public tenders

Vendors with >some government revenue automatically trigger enhanced due diligence.

High-Risk Transaction Screening

Focus on transactions that historically correlate with corruption:

Gifts and Entertainment

• Maximum value thresholds
• Pre-approval requirements
• Gift registers and reporting
• Government official restrictions

Third-Party Intermediaries

• Use of sales agents or consultants
• Commission structures (flag >15% rates)
• Due diligence on intermediaries
• Written agreements with ABC clauses

Facilitation Payments

• Explicit prohibition policies
• Exception handling procedures
• Payment recording requirements
• Employee guidance and training

Industry-Specific Applications

Financial Services

Banks and financial institutions face heightened ABC scrutiny under AML regulations. Customize questionnaires to address:

• Correspondent banking relationships
• Trade finance operations
• Know Your Customer (KYC) procedures for vendor's customers
• Suspicious activity reporting mechanisms

Add sections on OFAC screening procedures and beneficial ownership verification processes.

Healthcare and Pharmaceuticals

Healthcare vendors interact with government healthcare systems globally. Critical additions:

• Healthcare professional (HCP) engagement policies
• Clinical trial payment transparency
• Charitable contribution controls
• Sample distribution tracking

Reference the FCPA Healthcare Guidance and industry codes like PhRMA and AdvaMed.

Technology and Telecommunications

Tech vendors often provide infrastructure to government agencies. Essential elements:

• Data localization requirements creating government touchpoints
• Licensing dealings with state telecommunications authorities
• Government surveillance or data access protocols
• Export control compliance affecting corruption risk

Regulatory Framework Alignment

Your ABC questionnaire must map to multiple compliance requirements:

FCPA Requirements

• Books and records accuracy
• Internal accounting controls
• Third-party due diligence documentation
• Training and certification programs

UK Bribery Act Adequate Procedures

• Proportionate procedures based on risk
• Top-level commitment evidence
• Risk assessment documentation
• Due diligence on associated persons
• Communication and training records
• Monitoring and review processes

ISO 37001 Alignment Map questionnaire sections to ISO 37001 clauses:

• Clause 4.5: Bribery risk assessment
• Clause 7.2: Competence and training
• Clause 8.5: Anti-bribery controls
• Clause 8.9: Raising concerns procedures

Implementation Best Practices

Risk-Based Deployment

Not every vendor needs the full ABC questionnaire. Create deployment criteria:

Mandatory ABC Assessment Triggers:

• Operations in CPI score <50 countries
• Government revenue >10%
• Industry codes: Defense, extractives, construction
• Annual spend >$500K in high-risk jurisdictions
• Access to your government contracts

Evidence Collection Standards

Move beyond checkbox attestations for critical vendors:

1. Tier 1 Vendors: Require documentary evidence for all sections
2. Tier 2 Vendors: Sample documentation for high-risk areas
3. Tier 3 Vendors: Attestation with selective validation

Build an evidence library: Policy documents, training certificates, audit reports, certification letters.

Integration with TPRM Workflow

Your ABC questionnaire should feed your broader risk management process:

Risk Scoring Integration

• Weight ABC responses in overall vendor risk scores
• Create automatic flags for enhanced due diligence
• Link responses to control requirements
• Generate risk treatment plans from gaps

Continuous Monitoring Triggers

• Annual reassessment for high-risk vendors
• Adverse media monitoring for corruption keywords
• Geographic expansion notifications
• Ownership change alerts

Common Implementation Mistakes

Mistake 1: One-Size-Fits-All Approach Generic questionnaires miss industry-specific risks. A pharmaceutical vendor needs different questions than a logistics provider.

Mistake 2: Accepting Vague Responses "We comply with all applicable anti-corruption laws" provides zero assurance. Require specific policy excerpts and procedural documentation.

Mistake 3: Ignoring Red Flags Document your response to concerning answers. If a vendor admits to facilitation payments, your risk acceptance must be explicit and justified.

Mistake 4: Set-and-Forget Deployment ABC risks evolve with business changes. Build reassessment triggers: Geographic expansion, ownership changes, new service lines, regulatory actions.

Mistake 5: Siloed Assessment ABC questionnaires should inform broader vendor governance. High corruption risk might require payment controls, audit rights, or contract termination clauses.

Frequently Asked Questions

How do I determine which vendors need an ABC questionnaire versus standard due diligence?

Apply risk-based criteria: vendors operating in countries with CPI scores below 50, those with government touchpoints, or in high-risk industries (extractives, defense, construction) require ABC questionnaires. Also trigger for any vendor handling your government contracts.

What evidence should I require to verify ABC policies are actually implemented?

Request training completion reports (>the majority of completion), gift registers from the past 12 months, investigation case logs (sanitized), and internal audit reports on ABC controls. For critical vendors, require annual ABC compliance certificates from senior management.

How often should ABC questionnaires be refreshed for existing vendors?

High-risk vendors need annual reassessment. Medium-risk vendors every 2-3 years. Trigger immediate reassessment for: geographic expansion into high-risk countries, M&A activity, regulatory enforcement actions, or adverse media coverage.

Can I rely on ISO 37001 certification instead of a detailed questionnaire?

ISO 37001 certification provides baseline assurance but doesn't replace targeted due diligence. Use certification to streamline questionnaires, focusing on implementation evidence and your specific risk areas rather than policy existence.

How do I handle vendors who refuse to complete ABC questionnaires citing confidentiality?

Establish ABC assessment as a contractual requirement. For resistance, offer: NDAs, summary versions focusing on yes/no attestations, or third-party certification options. Document refusals as high-risk indicators requiring additional controls.