Your Enterprise Client Just Asked for Your Anti-Bribery Programme. Do You Have One?
You are mid-negotiation with an enterprise client — a GLC subsidiary, a large private group, or a government-linked procurement team. The contract looks good. Then their vendor onboarding form lands in your inbox. Buried in section 4: "Please provide evidence of your organisation's Anti-Bribery and Corruption (ABC) programme, including your policy document and risk assessment."
You stare at the form. You do not have a policy document. You do not have a risk assessment. You have never heard of an Adequate Procedures framework.
You lose the contract.
This is happening right now to SME Sdn Bhds across Malaysia — not because they are corrupt, but because they never built the compliance infrastructure that enterprise and GLC procurement teams have started requiring as table stakes. And there is a second problem running underneath the commercial one: under Section 17A of the MACC Act 2009, your company could be held criminally liable for corruption committed by a third party acting on your behalf — even if you never knew it happened.
This article tells you exactly what s.17A means for your Sdn Bhd, what the penalty looks like in ringgit terms, and what a defensible Adequate Procedures file actually contains. It also gives you a 30-day action plan to get there.
Why Every Sdn Bhd Is Already in Scope
Section 17A of the MACC Act 2009 came into force on 1 June 2020. It introduced a form of corporate liability that most Malaysian SME founders have never encountered: strict liability for corruption by associated persons.
Here is the plain-language version of s.17A(1):
If any person associated with your commercial organisation corruptly gives, offers, or promises a gratification to obtain or retain business or a business advantage for your organisation — your organisation has committed a criminal offence.
The words that should stop you in your tracks: your organisation need not have known, authorised, or directed the act. The director does not need to have been in the room. The company does not need to have benefited. The offence is committed the moment the associated person acts.
s.17A(2) defines "commercial organisation" as any body corporate or partnership incorporated in Malaysia or carrying on business in Malaysia. There is no revenue threshold. There is no employee headcount carve-out. Every Sdn Bhd — from a two-person consultancy to a RM50m turnover manufacturer — is squarely in scope.
Enforcement is live and escalating. The first prosecution under s.17A was filed in 2021 against Pristine Offshore Sdn Bhd (Sessions Court, still pending as of the time of writing). In 2023, Hydroshoppe Sdn Bhd was charged — and in April 2025, a director was personally arraigned. The MACC has signalled that a Deferred Prosecution Agreement (DPA) mechanism is expected to reach Parliament in mid-2026, which will make it easier, not harder, to pursue corporate targets. The enforcement posture is tightening. SMEs remain dangerously under-prepared.
Who Counts as an "Associated Person"?
This is where most SME founders get blindsided. Under s.17A(4), an "associated person" includes:
- A director or partner
- An employee
- An agent acting for the organisation
- An intermediary — anyone performing services for or on behalf of the organisation
- A subsidiary
- Any contractor or subcontractor delivering services on the company's behalf
The key exposure for SMEs is the third-party agent. Consider the most common scenario: your company engages a commission-based sales agent to help you win a government procurement contract or secure a licence renewal. The agent, without your knowledge, pays a government officer a "facilitation fee" to expedite the process. Under s.17A, your company has committed a criminal offence.
The same logic applies to your customs broker, your logistics subcontractor, your procurement intermediary, or any third party you have authorised to act on your behalf in dealings that touch regulators, government bodies, or business partners.
And do not assume that "we don't deal with government" means you are safe. The s.3 definition of gratification is deliberately broad: it includes cash, loans, commissions, employment, services, favours, and gifts. Gratification flowing to a private-sector buyer — to secure a preferred-supplier contract, for example — is equally caught.
The Penalty: What It Looks Like in Ringgit
s.17A(3) sets the corporate penalty at: a fine of not less than 10 times the value of the gratification OR RM1,000,000 — whichever is the higher — plus imprisonment of up to 20 years, or both.
Work through a realistic SME scenario. Your sales agent slips a "commission" of RM50,000 to a procurement officer to win a RM2,000,000 contract. The gratification value is RM50,000. Ten times that is RM500,000. That is less than RM1,000,000, so the mandatory minimum fine is RM1,000,000 — plus the imprisonment exposure for individual officers.
That fine does not include legal costs, reputational damage, or the very likely debarment from government procurement for years.
Under s.17A(6), director and officer personal liability runs in parallel. A director is deemed guilty of the same offence as the company unless they can prove: (a) the offence was committed without their knowledge, and (b) they took all reasonable precautions and exercised all due diligence to prevent it. "I didn't know" is not enough on its own — you have to show you built a system to prevent it.
The One Legal Defence: Adequate Procedures
s.17A(5) provides the only statutory defence available to the commercial organisation: the company can escape liability if it proves that, at the time the offence was committed, it had adequate procedures in place to prevent associated persons from engaging in corruption.
Three things to understand about this defence:
- Burden is on the company. You must prove you had the procedures. The prosecution does not have to prove you lacked them.
- It must exist before the offence. Drafting a policy the week after MACC knocks on your door is not a defence. The framework must be live and documented before the act.
- It is the company's shield, not the individual's. s.17A(6) still runs for directors and officers separately.
The Malaysian Government published the Adequate Procedures Guidelines 2018 (via the Prime Minister's Department / GIACC) to define what "adequate procedures" actually means in practice. The framework is structured around the acronym TRUST.
The TRUST Framework — What an SME Version Actually Looks Like
The TRUST framework is not designed exclusively for large corporates. Scaled to an SME Sdn Bhd, here is what each pillar requires in practice.
T — Top-Level Commitment
The board of directors formally adopts an Anti-Bribery and Corruption Policy. This is a signed board resolution — not an email, not a verbal agreement — establishing the company's zero-tolerance position. The policy is reviewed at least annually. All directors sign the acknowledgement.
For a two-director SME, this takes a morning. You draft the policy (or use a template), hold a board meeting (even if it is just the two of you), sign the resolution, and file it in your company records. The point is that it is documented and dated.
R — Risk Assessment
A periodic, written assessment of where your company's operations touch government bodies, regulators, agents, gifts, and procurement decisions. For most SMEs, this is a one-page matrix: list your key business activities down one axis, list your stakeholders (customers, suppliers, government contacts, agents) across the other, and score each intersection for corruption risk.
The risk assessment does not need to be complicated. It needs to be honest, documented, dated, and updated when your business changes materially.
U — Undertake Control Measures
This is where your written policies live. At minimum for an SME:
- Anti-Bribery and Corruption Policy (the board-adopted document above)
- Gifts and Entertainment Policy — sets a monetary threshold (typically RM100–300), requires all gifts above threshold to be logged in a register, prohibits cash gifts entirely
- Conflicts of Interest Policy — requires directors and staff to declare conflicts; covers procurement decisions, hiring decisions, and business referrals
- Agent and Third-Party Due Diligence Checklist — before you engage any agent, intermediary, or commission-based sales partner, you run them through a structured check: who are they, who do they know in government, what is their reputation, do they have their own ABC policies
- Segregation of duties on payments — the person approving a payment should not be the same person making the payment; even in a small team, this control matters
S — Systematic Review, Monitoring and Enforcement
Your procedures need a heartbeat — someone checking that they are being followed and that incidents are captured. For an SME this means:
- At least one internal review checkpoint per year (an audit of your gifts register, your agent DD files, your payment approvals)
- A whistleblower channel — an external email address or anonymous reporting form that staff and third parties can use to raise concerns without fear of retaliation; it does not need to be expensive
- An incident register — if a concern is raised, it is logged with date, nature of concern, and action taken
T — Training and Communication
Every employee, and every agent or intermediary you engage, must be trained on your anti-bribery policy. For staff, this means a structured briefing at onboarding and at least once annually thereafter — with signed attendance records. For agents and intermediaries, it means a written acknowledgement of your policy as part of their engagement letter.
The attendance record is not administrative overhead. It is the evidence you need if you are ever asked to prove that staff were trained.
The Minimum Viable Adequate Procedures File
When a GLC client asks for evidence of your ABC programme — or when MACC comes asking — here are the five documents you need to be able to produce:
- Board-adopted Anti-Bribery and Corruption Policy — signed, dated, with the board resolution
- Gifts and Entertainment Register — a running log of all gifts given and received above your policy threshold
- Agent / Third-Party Due Diligence Checklist — one completed form for every agent or intermediary you engage
- Training Attendance Records — signed, dated, per session
- Risk Assessment Memo — your one-page risk matrix, dated and signed off by a director
This is not an exhaustive compliance programme. It is the minimum defensible file — what you need to satisfy a vendor questionnaire AND what your s.17A defence rests on.
Five Mistakes SMEs Make
1. "We are too small for this to apply to us." There is no size threshold in s.17A. The first prosecution filed was against a company operating well below GLC scale. MACC has made clear that SMEs are not exempt.
2. Drafting the policy after the investigation starts. The Adequate Procedures defence only works if the framework was in place before the offence. A policy you draft in response to an MACC inquiry is not a shield — it may actually underscore that you had no procedures at the relevant time.
3. Worrying only about cash. The s.3 definition of "gratification" covers cash, loans, commissions, employment, services, favours, and gifts. A complimentary hotel stay, a referral arrangement, a discounted service — all of these can constitute gratification depending on context.
4. Forgetting third-party agents in your due diligence. The biggest SME exposure under s.17A comes from commission-based agents and intermediaries. If you have not run your agents through a structured due diligence process and had them acknowledge your ABC policy in writing, you are exposed regardless of what your internal staff do.
5. Never documenting training attendance. You may have briefed your staff. Without a signed attendance record, you cannot prove it. The record is the evidence.
Your 30-Day Action Plan
Building a defensible Adequate Procedures file does not require a Big Four engagement. Here is a realistic 30-day sprint for a Malaysian SME Sdn Bhd.
Days 1–7: Board resolution and policy adoption.
Adopt an Anti-Bribery and Corruption Policy. Hold a documented board meeting. Pass the resolution. Have all directors sign the acknowledgement. File the resolution in your statutory records.
Days 8–15: Risk assessment workshop.
Spend two to three hours mapping your company's corruption exposure. Where does your business touch government, regulators, and agents? What are the highest-risk transactions or relationships? Document it in a one-page matrix. Date it. Have a director sign it.
Days 16–22: Controls suite.
Draft and adopt your Gifts and Entertainment Policy (with a register). Draft your Conflicts of Interest declaration form. Build your Agent Due Diligence Checklist. Review your payment approval process and introduce a simple segregation of duties if it does not already exist. Set up a whistleblower email address.
Days 23–30: Training, acknowledgements, and lock the file.
Brief all staff on the policy. Get signed attendance records. Send your current agents and intermediaries an acknowledgement form. Compile all five documents into a single file (a shared drive folder or a Notion page). Date and version-stamp it. You now have a live Adequate Procedures file.
One More Thing: The Commercial Upside
The conversation so far has been about defence — avoiding a fine, protecting directors, satisfying a vendor questionnaire. There is also an upside.
Malaysian enterprise and GLC procurement teams are increasingly using anti-bribery compliance as a vendor selection criterion. A documented Adequate Procedures file puts you ahead of most SME competitors who have never thought about s.17A. It signals to enterprise clients that you are a serious, governable organisation. In a competitive bid, that distinction closes contracts.
Muchen Can Build This With You in 30 Days
Muchen Corp Services helps Malaysian Sdn Bhds go from zero to a defensible Adequate Procedures file in 30 days — board resolution, full policy suite, risk assessment memo, agent due diligence templates, training delivery, and a single organised file your GLC clients can review on request.
If a vendor questionnaire just landed in your inbox, or if you want to get ahead of the exposure before it becomes urgent, reach out to us. We will tell you exactly where you stand and what the 30-day sprint looks like for your specific business.
Always confirm your specific compliance position with qualified legal counsel before acting on the above.
Statutory References
- MACC Act 2009, s.3 — definition of gratification
- MACC Act 2009, s.17A(1) — corporate liability for associated person corruption
- MACC Act 2009, s.17A(2) — definition of commercial organisation
- MACC Act 2009, s.17A(3) — penalty: 10× gratification or RM1,000,000, whichever higher; up to 20 years imprisonment
- MACC Act 2009, s.17A(4) — definition of associated person
- MACC Act 2009, s.17A(5) — Adequate Procedures defence
- MACC Act 2009, s.17A(6) — director/officer personal liability
- Adequate Procedures Guidelines 2018 (Prime Minister's Department / GIACC): https://pulse.icdm.com.my/wp-content/uploads/2019/12/Prime-Ministers-Department-Guidelines-on-Adequate-Procedures.pdf
- Pristine Offshore Sdn Bhd — first s.17A prosecution, Sessions Court, filed 2021
- Hydroshoppe Sdn Bhd — charged 2023; director personally arraigned April 2025
- Global Legal Insights — Bribery and Corruption: Malaysia 2026: https://www.globallegalinsights.com/practice-areas/bribery-and-corruption-laws-and-regulations/malaysia/