Overview
The World Bank's Integrity Compliance Office (ICO), which is part of the Bank's Integrity Vice Presidency (INT), recently announced the first revisions in 15 years to its Integrity Compliance Guidelines, which the ICO uses when deciding whether to release companies from sanctions.
While some of the new provisions are consistent with guidance documents from other authorities, such as the U.S. Department of Justice and the UK Serious Fraud Office, the Guidelines are tailored specifically to companies that bid and work on World Bank-financed projects. Therefore, it is important that all companies subject to INT's jurisdiction carefully review the updated Guidelines and consider a gap analysis as compared to their current compliance program.
The changes to the Guidelines are extensive and include a focus on preventing obstruction of World Bank investigations, mergers and acquisition due diligence, business development and the bidding process, requirements to address risks in the use of technology in a compliance program, such as AI, an expanded definition of a "politically exposed person," and consideration of heightened diligence with respect to political contributions and corporate sponsorships.
The World Bank has authority to investigate fraudulent, corrupt, collusive, coercive, and obstructive practices. These sanctionable practices are defined very broadly and investigations may result in suspension and/or debarment, which may have serious business consequences for multinational corporations. The public nature of debarments, the application of cross-debarment, and the informal recognition of sanctions by other global international financial institutions may seriously limit a company's ability to bid for projects from other international development organizations.
Key changes to the Integrity Compliance Guidelines
The revised Integrity Compliance Guidelines are now organized under two themes – Core Principles and Internal Controls. We address the most significant changes below:
Obstructive practices
The Guidelines now require that a compliance program address risk of obstructive practices in World Bank investigations.1 Obstructive practices were already sanctionable conduct that INT investigates, but they are now included in the definition of misconduct for compliance programs that the ICO evaluates.
Therefore, it is important that the training, culture, and tone from the top and middle sufficiently address that employees should promptly and thoroughly respond to INT's inquiries during its investigations and be truthful in investigations. Companies may even consider providing, to any employee or contractor who has information responsive to a World Bank investigation, a specific communication that ensures they understand the conduct that would be considered obstructive and expressly prohibits such conduct.
Risk assessments
The Guidelines now specify that companies should conduct risk assessments "ideally at least annually." Interestingly, other guidance, such as the DOJ's Evaluation of Corporate Compliance Programs, only requires periodic risk assessments, without providing a specific, preferred cadence. Many companies conduct risk assessments on a biannual basis, and so those subject to the World Bank's audit and investigative process may consider a more frequent cadence.
In addition, the Guidelines now provide further description of the scope of risks that should be considered in a risk assessment—the entire workforce and business operations, controlled affiliates, transactions, partnerships (JVs and consortia), and technologies in use. The Guidelines also state that risk assessments should consider lessons learned from the entity's own experience and that of its peers.
Lastly, the Guidelines note that integrity risk assessments may be conducted internally or by outside experts, but that senior leadership, compliance personnel, and others responsible for the design, implementation, and oversight of the compliance program should be "actively involved" in the risk assessment.
Management responsibility for compliance
The Guidelines have always emphasized the importance of senior management's involvement in compliance programs, and now the Guidelines emphasize the role of middle management. As Prince Nwanko, counsel at the ICO, explained, "[w]hile senior leaders set the tone at the top, middle managers set the tone from the WhatsApp group."2
M&A due diligence
An entirely new provision in the Guidelines advises that newly acquired businesses should undergo an integrity risk assessment as a basis for their integration into the acquirer's compliance program. The risk assessment and due diligence findings should then guide the integration into the compliance program. The Guidelines advise companies to consider whether to add resources to the compliance function post-acquisition and whether to reserve the right to exit or cancel the transaction if material compliance problems are discovered.
Safeguards in business development
Another new internal control focuses on having procedures around the sales process to ensure that, in the bidding process and other business development, all activities are based on accurate and complete disclosures and representations, comply with applicable laws, and do not otherwise involve misconduct. World Bank investigations have focused on the accuracy of descriptions of past work, whether CVs submitted inflate one's experience, and whether any misrepresentations were made in the often-extensive bidding process to secure World Bank funding. This internal control also reflects guidance previously provided to sanctioned entities.
The Guidelines add a segregation of duties component, stating that companies should consider segregating sales functions from those responsible for preparing, reviewing, or approving bid submissions and proposals, where appropriate. This would require a rather extensive compliance function to review such materials for inaccuracies, and it is unclear the extent to which companies would be required to essentially conduct due diligence on their own employees or independent contractors to ensure that CV information and prior similar work is as described in bidding documents.
Given the number of World Bank investigations that focus on the bidding process, it is not surprising that this specific provision was added. Companies that are subject to the World Bank's sanctions process should consider whether their compliance program mitigates these risks in a manner that would satisfy the Bank's expectations.
Technology risk management
As mentioned above, risk assessments should include consideration of risks in technology use. In addition, the core principle related to providing timely advice and guidance has been updated to state that, if a company uses chatbots or similar technology to provide advice and guidance, the advice should be accurate and consistent with the compliance program, the system should be confidential and accessed only by authorized personnel, and the system should remind users of their reporting obligations, including through whistleblower channels.
Whistleblowers and retaliation
The Guidelines previously required company employees to report integrity concerns and now advise that external parties and business partners should "similarly" be required or encouraged to report such concerns. The entity should prohibit retaliation against employees and third parties, including those who support or assist in an investigation or audit.
Politically Exposed Persons definition
The new Guidelines expand the definition of Politically Exposed Persons to include current public officials – it covers individuals who are or have been entrusted with a prominent public or political function, as well as their immediate family members and close associates. This is broader than a typical "official" definition in many anti-corruption laws, which often only cover formal appointees, candidates or employees, not someone "entrusted with a prominent" function. This definition is relevant to conflicts of interest and ensures no inappropriate financial relationships with PEPs, including those currently affiliated with the government and not only those with a prior affiliation.
Political contributions, charitable donations, and corporate sponsorships
The new Guidelines enhance the internal controls related to political contributions by adding risk-based diligence, and management and compliance review and approval, to ensure appropriate consideration of risks. This adds to the existing Guidelines that contributions should be made in accordance with applicable laws and should be publicly disclosed unless confidentiality is required by law.
Similarly, charitable donations and sponsorships should include risk-based diligence and may require a formalized written agreement that includes integrity expectations.
Lessons for Corporate Compliance Personnel
For companies that have any role on projects funded by the World Bank, directly or indirectly, there are some proactive steps to take to ensure the revised guidance is integrated into their corporate compliance programs:
- Re-evaluate your risk assessment standards to ensure consideration of lessons learned and technology risks, and to ensure senior leadership is involved in the risk assessment process. Also consider whether the cadence of the risk assessment process should be more frequent.
- Whether as part of the risk assessment process or a separate assessment, consider the extent to which the current program has gaps when compared to the new WBG Guidance.
- Consider the safeguards around the use of technology in the compliance program, including whether most or all communications should include a statement regarding reporting channels.
- Consider the current compliance program and internal controls as related to business and sales, specifically any review of written documents submitted in a pitch or bidding process.
- Consider the M&A due diligence and post-acquisition integration processes, as well as whether acquisition deal terms should include exit rights for compliance failures later identified and, if so, what thresholds or levels of evidentiary proof would be required to trigger the exit right.
- Ensure all individuals involved in work related to World Bank projects are aware of the Bank's expectations and the company's relevant policies, including with targeted training and communications.
In light of the severity of potential sanctions available to the World Bank, it is important that all companies subject to its authority consider these revised Guidelines and map them against their existing compliance programs.
1 An obstructive practice is defined as deliberately destroying, falsifying, altering or concealing evidence material to the investigation or making false statements to investigators to materially impede a World Bank investigation.
2 Global Investigations Review, World Bank: debarment relief now depends on M&A compliance, Dec. 9, 2025.