Section 17A & Adequate Procedures, explained plainly
Corporate liability for bribery has been law in Malaysia since 2020. The only defence is adequate procedures. Here is what that means — and how ABMS helps you build one that holds.
Section 17A changed the question. It is no longer only whether an individual paid a bribe — it is whether your organisation had done enough to prevent it. If it had not, the organisation itself is liable.
What the law actually says
Under Section 17A of the Malaysian Anti-Corruption Commission Act, a commercial organisation commits an offence if a person associated with it — an employee, agent, or anyone performing services on its behalf — gives or offers a bribe to obtain or retain business or an advantage. Penalties are significant, and management can be deemed personally liable unless they exercised due diligence.
The ‘adequate procedures’ defence
The statute provides one defence: that the organisation had adequate procedures in place to prevent associated persons from undertaking the conduct. Malaysia's Guidelines on Adequate Procedures set out five guiding principles, often summarised as T.R.U.S.T:
- Top-level commitment. Leadership owns the anti-corruption stance — visibly, not on paper alone.
- Risk assessment. A documented, periodic assessment of your actual bribery and corruption exposure.
- Undertaking control measures. Proportionate controls over the risks you identified, including third parties.
- Systematic review, monitoring & enforcement. Evidence the system is used, tested, and enforced over time.
- Training & communication. People understand the rules and their obligations under them.
Why a one-off policy is not enough
A signed policy in a drawer is not adequate procedures. The defence rests on procedures that are risk-based, proportionate, used, monitored, and enforced — and on being able to evidence all of that. That is precisely what a properly implemented ISO 37001 management system produces.
FAQ
Section 17A — common questions
What is Section 17A of the MACC Act?
Section 17A, in force since June 2020, makes a commercial organisation criminally liable when a person associated with it commits bribery to obtain or retain business or an advantage. Directors and management can also be deemed liable.
What are 'adequate procedures'?
Adequate procedures are the defence available under Section 17A. If your organisation can show it had adequate procedures in place to prevent the bribery, that is a defence. Malaysia's official Guidelines frame these around five principles (T.R.U.S.T).
Who is exposed under Section 17A?
Any commercial organisation incorporated or carrying on business in Malaysia — and the directors, controllers, officers, partners, or managers associated with it. Size is not a shield; small and mid-size organisations are equally in scope.
How does ISO 37001 relate to Section 17A?
ISO 37001 is the most direct way to design, run, and evidence adequate procedures. Implementing it gives you a recognised, auditable framework that maps onto the five T.R.U.S.T principles.
Talk to a practitioner
Bring an active mandate, an open question, or a draft policy you want reviewed.
Whether you are facing the CIDB G7 deadline, building a Section 17A defence, or preparing for an ISO 37001 audit — start with a direct conversation, not a sales pitch.
