Latin America Compliance Requirements

This is an Insight article, written by a selected partner as part of GIR's co-published content.

The last decade has brought into sharp focus the anti-corruption enforcement risk for companies in Latin America, and with it the growing importance of building an effective corporate compliance programme, both to avoid potential misconduct and regulatory scrutiny in the first place and to receive mitigation credit if misconduct nonetheless occurs and triggers a government investigation. Designing, implementing and maintaining a risk-based compliance programme that prevents and detects misconduct, and that will garner the most favourable outcome from government regulators, has become paramount not only under US law but more recently under newly enacted statutes in Latin America.

This chapter first provides an overview of the guiding principles relating to anti-corruption liability and compliance, including the relevant statutes and policies. It then sets out best practices for designing, implementing and maintaining an effective corporate anti-corruption compliance programme that complies with those requirements and principles, helps companies avoid and identify misconduct, and mitigates liability where a violation occurs.

Compliance-related policies and statutes in Latin America

The past decade has seen the emergence of new, more aggressive legal frameworks to combat corruption in Latin America. From recent local laws that establish corporate criminal liability for anti-corruption offences to the increased international focus on compliance as a proactive measure to detect and prevent corruption, there are a number of Latin American and international authorities that companies can look to as signposts for corporate compliance programmes.

Latin American authorities

A number of Latin American countries now have laws establishing corporate criminal liability for bribery and corruption offences, many of which were enacted within the past few years. For example, Argentina,[2] Chile,[3] Mexico,[4] Venezuela[5] and Peru[6] each have some form of corporate criminal liability for corruption-related offences. The penalties for corporate criminal liability in these countries range from fines to commercial suspension or dissolution, loss or suspension of government benefits, and publication of the conviction imposed on the legal entity.[7] Although other Latin American countries do not have direct corporate criminal liability, many do have civil, regulatory or administrative anti-corruption regimes[8] that allow for virtually identical sanctions,[9] or even hold a company jointly and severally liable with employees who have committed corruption-related crimes.[10]

Importantly, a growing number of these statutes in Latin America provide guidelines for corporate anti-corruption compliance programmes in one form or another, from requiring companies to maintain such programmes to offering companies leniency if they have implemented an effective compliance programme, to including an affirmative defence to companies that have engaged in corruption. Although exact guidance on what constitutes an effective compliance programme differs from country to country, most laws relating to or requiring compliance programmes share common substantive themes.[11]


Brazil’s Decree No. 8,420 provides that an effective compliance programme may be a mitigating factor to reduce fines for anti-corruption violations. Under Decree No. 8,420, compliance programmes must be tailored to the risks of the particular corporation and updated to ensure continuous improvement and effectiveness. The Decree outlines several components of an effective compliance programme, including the commitment of senior management and board members, the implementation of internal and third-party policies (such as a code of conduct and third-party due diligence procedures), periodic training and risk assessment, accurate and precise internal controls, and the establishment of remediation and disciplinary measures. Although Decree No. 8,420 does not make a compliance programme mandatory, Brazil’s Federal Law No. 14,133 does require certain companies participating in public tenders to have robust compliance programmes.[12]


Colombia’s Transnational Corruption Act (Law 1778, Article 7) similarly establishes that an effective compliance programme may reduce administrative fines for anti-corruption violations. On 1 January 2021, the Colombian Corporations Commission (the Superintendencia)[13] adopted Resolution 100-006261, which expanded the sphere of companies that are required to implement compliance programmes (i.e., business transparency and ethics programmes). Now, the vast majority of companies that operate in Colombia and abroad, or engage in international transactions and are otherwise supervised by the Superintendencia, must implement such a programme.[14] To qualify for a fine reduction, a compliance programme must contain a number of hallmarks, including that it is tailored to the particular risks of the corporation, is endorsed by senior management and imposes effective control mechanisms, such as third-party due diligence procedures and periodic audits, among other things, to ensure effective detection of violations and the undertaking of remedial actions.


A compliance programme in Mexico, likewise, may be a mitigating factor to liability for anti-corruption violations so long as the programme meets certain minimum requirements under Mexico’s General Law of Administrative Responsibility. Under this Law, an effective compliance programme must have a clear and complete organisational and procedures manual, a published code of conduct, adequate and effective internal controls, adequate whistleblowing systems and disciplinary processes, effective training programmes and human resources policies, and adequate mechanisms to ensure transparency and avoid conflicts of interest.


Companies in Peru that have effective compliance programmes (i.e., prevention models) at the time of an alleged corruption offence are completely immune from corporate liability for the conduct.[15] To qualify for an exemption from liability, compliance programmes must, at a minimum:

  • appoint a person to be in charge of the prevention functions;
  • take measures to identify, evaluate and mitigate risks to prevent crime;
  • disseminate periodic compliance training;
  • implement internal complaint proceedings (e.g., a whistleblower hotline); and
  • undertake continuing evaluation and monitoring of the programme.

Notably, if a company implemented a compliance programme after the alleged offence but before the start of trial – or if the company proves that it has partially implemented a compliance programme with the minimum elements described above – the company may still be entitled to a reduction in fines.[16]


Chile likewise exempts companies from criminal liability if they have adopted an effective compliance programme before the commission of an alleged corruption offence.[17] To qualify as a ‘prevention model’, Chilean law sets out minimum requirements for a compliance programme that generally mirror those of Peru.[18]


Under Argentina’s Corporate Criminal Liability Law (Law No. 27401), the existence of an effective compliance programme – which is not required unless contracting with the Argentine federal government – can reduce or even exempt an entity from penalties for corruption violations. To qualify, the programme must meet certain minimum requirements, including the implementation of a code of conduct, specific policies or procedures to prevent criminal offences in dealings with public administration, and periodic compliance training. In addition to these mandatory requirements, Law No. 27401 sets forth recommended components of compliance programmes, including periodic risk analyses, a clear anti-corruption tone from senior management and supervisors, whistleblower reporting channels, a whistleblower protection policy, internal investigation protocols, third-party and merger and acquisition due diligence policies, and the appointment of a compliance officer.[19]

International authorities

In addition to Latin American authorities that are directly applicable to companies in the region, there are also a number of regulatory and other bodies outside Latin America that provide helpful guidance on corporate compliance programmes. Some of these authorities may likewise be directly applicable to Latin American companies, for example if companies are listed on a US stock exchange and, therefore, are subject to US anti-corruption enforcement. Enforcement authorities in Latin America have increasingly collaborated with regulators around the world to investigate and prosecute allegations of corruption, which may expose Latin American corporations to cross-border liability. Additionally, foreign and international regimes laying out guidelines for effective corporate compliance programmes have increasingly influenced the passage of new compliance-related laws in Latin America, or may simply serve as additional signposts for designing, implementing and maintaining corporate compliance programmes.

United States

US anti-corruption law and policy is an integral framework for any corporate compliance programme, given the broad jurisdiction of the US Foreign Corrupt Practices Act (FCPA) and its robust influence on international anti-corruption enforcement. In general, the anti-bribery provisions of the FCPA prohibit both US companies and foreign companies that are either listed on a US exchange or have employees or agents who act while in the territory of the United States, from making corrupt payments to foreign officials to obtain or retain business.[20] Although the FCPA’s anti-bribery provisions do not impose an affirmative duty to implement a compliance programme, its accounting provisions require publicly traded companies to maintain a system of internal controls sufficient to provide reasonable assurances that transactions are executed and assets are accounted for in accordance with the law.[21] Although a company’s internal accounting controls are not synonymous with its compliance programme, an effective compliance programme contains a number of components that may overlap with integral components of an issuer’s internal accounting controls under the FCPA.[22]

Moreover, under US law, corporate compliance is an integral part of anti-corruption (as well as other corporate) enforcement. In fact, it affects every component of a corporate criminal resolution: it is one of the factors that prosecutors consider in determining whether a corporate enforcement action is appropriate, and if so what form it should take; it affects the fine that would be called for under the US Sentencing Guidelines,[23] as well as any reduction from that amount that prosecutors may conclude, at their discretion, is appropriate; and it is the driving factor in determining whether the company must retain an independent compliance monitor or whether the company can self-monitor during the term of the resolution agreement. For instance, according to the US Department of Justice’s (DOJ) FCPA Corporate Enforcement Policy (CEP), ‘where a company voluntarily self-discloses misconduct, fully cooperates, and timely and appropriately remediates, there will be a presumption that DOJ will decline prosecution of the company absent aggravating circumstances’.[24] This presumption of a declination will only be available to companies that implement ‘an effective compliance and ethics programme’ as defined under the CEP.

Likewise, the DOJ’s Principles of Federal Prosecution of Business Organizations instruct prosecutors to consider a compliance programme’s design, implementation and effectiveness in determining whether to bring charges against a company as well as in negotiating plea or other agreements.[25] The adequacy of a corporation’s compliance programme may influence the DOJ’s decision as to whether charges should be resolved through a guilty plea, a deferred prosecution agreement (DPA) or a non-prosecution agreement, as well as the appropriate length of any such agreement or the term of corporate probation.[26] Further, the DOJ will generally not require the appointment of a monitor if a company voluntarily self-discloses, fully cooperates, timely and appropriately remediates, and has, at the time of resolution, implemented and tested an effective compliance programme.[27]

The US Sentencing Guidelines similarly take into account whether a company has an effective compliance and ethics programme, which may lead to a three-point reduction in an organization’s culpability score under Section 8C2.5 and affect the fine calculation under the Guidelines.[28] The Guidelines lay out the minimum criteria for an effective corporate compliance programme, under which an organisation must:

  • establish standards and procedures to prevent and detect crime;
  • provide oversight by high-level management, typically the board of directors;
  • exercise due care in delegating substantial discretionary authority;
  • establish effective communication and training for all employees;
  • monitor, audit and report suspected wrongdoing, and periodically evaluate the effectiveness of the ethics and compliance programme;
  • promote and consistently enforce the corporate compliance programme by incentivising use of the established mechanisms, and disciplining employees who commit crimes or fail to take reasonable steps to prevent or detect criminal conduct; and
  • take reasonable steps to respond to criminal conduct once it has been detected and to prevent further criminal conduct.

Perhaps most notably, the DOJ’s Criminal Division (which oversees all criminal enforcement of the FCPA) has published the Evaluation of Corporate Compliance Programmes (ECCP), which provides companies with detailed guidance concerning the design, implementation and maintenance of an effective corporate compliance programme. The ECCP comprises 18 pages of questions organised by topic, which prosecutors use with respect to compliance programmes in making charging decisions, deciding whether a resolution is appropriate, formulating monetary penalties, if any, and determining whether compliance obligations are necessary for any corporate criminal resolution (e.g., monitorship or reporting obligations).[29] Although not prescriptive, the ECCP provides valuable insight into how the DOJ will measure and judge a company’s compliance programme. This guidance is often used by other domestic and foreign enforcement authorities in their evaluation of corporate compliance programmes.


Latin American regulators also sometimes collaborate with European authorities to enforce anti-corruption laws. For instance, the Rolls-Royce plc resolution involved coordination between Brazilian, US and UK authorities.[30] As with the United States, European laws and policy can serve as a helpful benchmark for Latin American companies.

Under the UK’s Bribery Act, an effective compliance programme is a defence to the offence of failing to prevent bribery and is also a significant consideration in the Serious Fraud Office’s determination of whether to enter into a DPA.[31] To qualify for a compliance defence, corporate compliance programmes must adhere to six principles:

  • implementing procedures proportionate to the bribery risks that an organisation faces;
  • ensuring top-level management is committed to preventing bribery;
  • undertaking a risk assessment of the extent of the company’s exposure to bribery risks;
  • implementing proportionate due diligence procedures;
  • communicating compliance training, policies and procedures; and
  • monitoring, reviewing and improving compliance procedures.

Similarly, France’s Sapin II anti-corruption law contains provisions requiring the implementation of corporate compliance programmes under certain circumstances. On 22 December 2017, the French Anti-Corruption Agency published recommended guidelines for compliance programmes, which are similar to those issued by the United States and the United Kingdom.[32]

International conventions and multilateral development banks

Latin American countries have also been heavily influenced by international compliance guidelines, including those issued by the Organisation for Economic Co-operation and Development (OECD). As of May 2022, the OECD’s Anti-Bribery Convention – which establishes legally binding standards to criminalise bribery of foreign public officials in international business transactions – has seven Latin American countries as signatories: Argentina, Brazil, Chile, Colombia, Costa Rica, Mexico and Peru.[33] In November 2021, the OECD updated its Good Practice Guidance on Internal Controls, Ethics and Compliance and called on its member countries to incentivise the development of compliance programmes.[34] The OECD’s enhanced compliance guidelines share many similarities with US requirements for an effective anti-corruption compliance programme.

Similarly, multilateral development banks, such as the World Bank, have the ability to debar companies and individuals for corrupt practices. The World Bank’s Sanctioning Guidelines provide for mitigation credit of up to 50 per cent (and more in ‘exceptional circumstances’) for companies that have taken voluntary corrective action and can demonstrate that they have implemented an effective corporate compliance programme. The World Bank’s Integrity Compliance Guidelines describe a number of guidelines for compliance programmes, including a comprehensive and periodic assessment of risk, robust policies and procedures to detect and remediate misconduct, effective internal controls and efficient reporting standards.[35]

Designing, implementing and maintaining an effective compliance programme

As the authorities above demonstrate, although there is no ‘one-size-fits-all’ approach to implementing an effective compliance programme, regulators have articulated hallmarks that are common to effective compliance programmes. At its core, a compliance programme should be grounded both in preventing and mitigating the company’s unique risks and in documenting the process through which those risks are identified, monitored and addressed.

Creating a ‘well-designed’ compliance programme

A common theme for the authorities cited above is that companies should take a risk-based approach to compliance. It is recognised that companies have a limited set of resources and cannot devote endless time, money and compliance professionals to addressing and preventing every compliance risk that might exist, and that companies should, therefore, allocate resources to those risks that pose the greatest threats. As a result, the starting point for designing any compliance programme is an analysis of a company’s unique risk profile. Regulators will look to whether compliance programmes are ‘designed to detect the particular types of misconduct most likely to occur in a particular corporation’s line of business’ and ‘complex regulatory environment’ in order to determine whether the programme is crafted for ‘maximum effectiveness in preventing and detecting wrongdoing’.[36]

In undertaking their risk analysis, companies should fundamentally endeavour to (1) understand their geographical and operational footprint and how that footprint interfaces with relevant regulatory regimes, and (2) identify areas of their business that pose a higher likelihood of possibly violating applicable laws. Although such an analysis can take many forms, companies may start by using a questionnaire or survey, or by interviewing employees, to identify and assess from the company’s own employees’ perspectives the risks presented by their location of operations, industry, market competitiveness, regulatory landscape, potential clients and business partners, transactions with foreign governments, payments to foreign officials, use of third parties, gifts, travel and entertainment expenses, and charitable and political donations.[37] In addition, companies can look to enforcement actions involving their competitors as well as enforcement actions against others involving the same region or regions in which the companies operate. These enforcement actions can provide valuable insights into the types of risks that the company may be facing.

Once a company has defined and assessed its risk profile, that assessment should become the ‘North Star’ of its compliance programme, and the design and implementation should flow from it. Most often, the next step involves setting up a code of conduct, policies and procedures that are aimed at (1) addressing and reducing identified risks, and (2) incorporating a culture of compliance in the company’s day-to-day operations. The policies and procedures should address, among other things, gifts, hospitality, entertainment and expenses, customer travel, political contributions, charitable donations and sponsorships, and solicitation and extortion. The policies and procedures should contain all necessary information, but should be accessible to the relevant employees. Functionality is much more important than form, both from the perspective of preventing and detecting misconduct as well as impressing regulators. If employees do not understand the rules, they will not be able to follow them. Moreover, if policies are not practical, employees will seek to ignore or circumvent them. The best way to ensure that policies are comprehensible and practical is to consult with the business in developing the company’s policies and procedures. Regulators will likewise react more favourably to policies that are practical and where the business has had an active role in their development.

Once effective policies and procedures are developed, it is important to then train the relevant employees on those policies and procedures, and risks more generally. The company’s training and communications programmes should be tailored to ensure effective integration of the company’s compliance policies throughout the organisation. Compliance training need not, and often should not, be developed and conducted for every employee of the company. Rather, training should be tailored to the relevant group of employees who are exposed to the particular risk addressed by the training. Likewise, the company should give thought to how best to conduct the training – whether in person, pre-recorded, or virtual but live. Often, in-person training allows for more feedback and constructive dialogue about issues that are arising but may not be feasible because of the number and locations of employees and company resources. Training should also evolve over time to incorporate lessons learned from issues that have occurred within the company as well as from enforcement actions involving competitors or companies operating in the same geographical region.

Companies should also incorporate an efficient and trusted mechanism by which employees can anonymously and confidentially report alleged misconduct and breaches of the company’s code of conduct and policies. The ECCP specifies that an effective compliance regime includes, in particular, the use of mechanisms for confidential internal reporting of suspected misconduct as well as processes for conducting prompt internal investigations of allegations and incorporating lessons learned from those investigations.[38]

Another key component of a compliance programme is a system that ensures appropriate risk-based due diligence and controls around the hiring, retention and use of third parties. Third parties continue to be the most significant risk for companies because, unlike with its own employees, a company does not have nearly as much transparency into the activities of third parties and what the third parties do with the money they receive. Thus, regulators will look for companies to design a programme that (1) examines the business rationale for needing the third party in the transaction, (2) analyses the risks posed by third-party partners – including the third-party partners’ relationships with foreign officials, (3) endeavours to understand whether the third party is actually doing the work it has been engaged to perform, and (4) analyses whether the third party’s compensation is commensurate with the work being provided relative to the industry and geographical region. Regulators have increasingly referred to the use of data analytics to identify third parties that are engaged in aberrant, and potentially problematic, behaviour. For example, data analytics can be used to identify whether there has been a spike in the frequency of payments or the amount of money that a third party is paid relative to other third parties engaging in similar activity. Companies without sufficient resources to engage in data analytics across their third parties will not be held to the same standard as those companies that have such resources, but regulators will still want evidence that the company is taking seriously the risk that third parties pose, including by setting up appropriate controls around the payment of invoices (such as approval by someone outside the business unit who is responsible for hiring and using the third party).

Similarly, companies should ensure comprehensive due diligence of any acquisition targets as well as a process for timely integration of the acquired entity into the company’s existing compliance programme, structure and internal controls. As with the rest of the compliance programme, such diligence and integration should be tailored to the specific risks posed by the acquisition. The extension of the company’s compliance programme to the acquired company should not be conducted without first understanding the unique risks facing that newly acquired entity. It may be that not all the policies and procedures are applicable or right-sized for the newly acquired entity. Thus, both for the purposes of implementing the most effective programme and to demonstrate to regulators that the company is being thoughtful about its approach to compliance, the company should assess the risk and integrate its compliance programme and controls, and conduct training as appropriate.

Ensuring the compliance programme is adequately resourced and empowered to function effectively

Although a well-designed compliance programme is necessary to prevent and detect misconduct and to receive mitigation credit from regulators, companies must also ensure that their compliance programmes are adequately resourced and empowered to function effectively. In fact, regulators look closely at whether a company’s compliance programme is a ‘paper programme or one implemented, reviewed, and revised, as appropriate, in an effective manner’.[39]

A well-resourced and effective compliance programme includes a strong commitment by senior and middle management to implement a culture of compliance from the top down. The DOJ, for example, has shifted from emphasising the tone at the top and now instead focuses on conduct at the top and shared commitment by senior and middle management. Regulators will look to whether senior and middle management clearly articulate the company’s ethical standards, demonstrate rigorous adherence by example, and encourage employees to abide by those standards. Likewise, DOJ guidance addresses the need for a company’s board of directors to be equipped with appropriate expertise and oversight, including over any areas in which misconduct has occurred. Examples that demonstrate such a commitment to regulators could include a certain amount of time at board meetings devoted to proactive compliance discussions (e.g., developments in the programme, lessons learned from enforcement actions against competitors or companies operating in similar regions), or instances where the board identified or addressed compliance risks associated with a particular transaction or deal.

Along the same lines, regulators evaluate whether companies ensure that their compliance programmes are structured with sufficient resources, personnel and funding to enable accurate and independent auditing, documentation and analysis. This includes tailoring attention and resources on a risk-weighted basis, which can be critical not only to monitoring for misconduct but also to defending such a programme to various regulatory authorities when misconduct does occur. In the United States, prosecutors may ‘credit the quality and effectiveness of a risk-based compliance program’ that devotes resources and attention in a risk-appropriate manner, ‘even if it fails to prevent an infraction’.[40] The analysis also includes ensuring that those responsible for compliance have sufficient autonomy from management, such as direct access to the board of directors or the board’s audit committee. In fact, when the DOJ resolves a financial fraud or FCPA case, it routinely includes an attachment to the resolution that details requirements to be met in connection with the resolution of the case (often referred to as Attachment C). This Attachment C clarifies that responsibility for the implementation and oversight of a company’s compliance code, policies and procedures – including those inherent in conducting a risk assessment – should be assigned to one or more senior executives with authority to report directly to independent monitoring bodies, such as the audit committee or the board.

Moreover, regulators assess whether companies implement clear disciplinary procedures for non-compliance, as well as incentives for compliance, and enforce them consistently across the organisation.[41] Among other things, regulators will look into whether a company’s ‘communications convey to its employees that unethical conduct will not be tolerated and will bring swift consequences, regardless of the position or title of the employee who engages in the conduct’.[42] For example, regulators ask whether companies publicise disciplinary actions internally. Similarly, regulators assess whether companies provide positive incentives for improving and developing compliance and demonstrating ethical leadership, such as making compliance a significant metric in bonuses or a means for career advancement.

Measuring, monitoring and improving the compliance programme

Finally, companies should ensure that their compliance programmes actually work in practice. As most regulators acknowledge, ‘no compliance programme can ever prevent all criminal activity by a corporation’s employees’.[43] Accordingly, regulators will focus on ‘the adequacy and effectiveness of the corporation’s compliance program’ during the relevant period and at the time of the resolution, both in making charging decisions as well as in determining penalties.[44] It is thus important for a company to be able to show that its compliance programme was working effectively at the time of an alleged offence, but also that it has continued to evolve to address new risks and incorporate lessons learned from instances of misconduct.

Ensuring compliance programmes actually work in practice thus involves investing in continuous improvement, testing and review. Regulators will look at whether a company periodically engages in monitoring, measuring and testing its compliance programme. This can take the form of a review by internal audit, or by an outside vendor or law firm, and often includes a renewed risk assessment, review of existing policies and procedures, interviews with compliance personnel and employees in various business units, surveys of employees, controls testing, and evaluation and analysis of instances of misconduct or hotline reports that have occurred since the last review.

In addition to formal, set periodic reviews of a compliance programme, companies can also engage in informal continuous evaluation and measurement of it. For example, when a company conducts training for its employees, steps can be taken to evaluate the effectiveness of a particular training session. Likewise, the company can examine how its hotline is operating, and whether the third-party due diligence process is identifying risky or problematic third parties.

In addition to testing and measuring, it is important to adequately address potential misconduct when it does occur. Regulators will evaluate whether companies have in place a process not only for adequately investigating, addressing and remediating misconduct, but also for understanding the underlying root cause of the misconduct and adapting the compliance programme to prevent recurrence. Regulators will want to see that a company properly scopes its investigations and that those investigations are ‘independent, objective, appropriately conducted, and properly documented’.[45] In conducting a ‘root cause analysis’, regulators will expect a company to analyse whether systemic issues or control weaknesses were involved, and what was done to address these issues.

Finally, but importantly, to enable a company to measure the effectiveness of its compliance programme, and also to demonstrate that effectiveness to regulators, it is imperative that compliance events are documented. Regulators expect not simply to hear about the effectiveness of a compliance programme but also to see evidence of it. Examples of third parties that are rejected as a result of the company’s due diligence process, transactions or deals that are modified or rejected because of compliance risks, discipline that is imposed and remediation that is implemented as a result of misconduct, and responses to hotline reports are just a few categories of information that regulators often seek when evaluating the effectiveness of a company’s compliance programme. If the company is not tracking this and other information, regulators may be sceptical that it is in fact happening, and will question how the company can measure the effectiveness of its compliance programme without such information.


With an intensified focus on corporate wrongdoing and enforcement across Latin America, an effective compliance programme has become a critical component of a company’s operations. Although there is not a one-size-fits-all approach to compliance by either regulators or companies, there are important steps that companies can take to put themselves in the best position to avoid, or at least limit, misconduct and, when a company comes under regulatory scrutiny, to secure mitigation credit for the effectiveness of its compliance programme:

  • understand the risks that face the company as a result of its geographical and operational footprint and the regulators’ expectations around compliance;
  • use that risk assessment to design and implement a compliance programme with policies and procedures that are appropriately tailored to address the issues identified in the guidance documents cited herein;
  • take a risk-based approach to resourcing the compliance programme, and ensure that there are individuals with appropriate experience and expertise within the compliance function and on the board;
  • incorporate compliance into the culture of the company, including through the examples provided in this chapter;
  • respond to allegations of misconduct through properly scoped investigations and undertake a root cause analysis to understand and remediate the cause of the issues; and
  • document compliance processes and rationales. This documentation is necessary to evaluate a company’s compliance programme, and if misconduct occurs, will be critical in defending the company or securing mitigation credit (or both).


[1] Daniel S Kahn is a partner at Davis Polk & Wardwell LLP. The author would like to thank associate Brooke Theodora, who was instrumental in the research and drafting of this chapter.

[2] See Law No. 27,401 of 2 March 2018 (Argentina) (establishing corporate criminal liability for certain corruption offences).

[3] See Law No. 20,393, Article 1 (Chile) (establishing corporate criminal liability for crimes including active bribery and active bribery of a foreign public official). Unlike some other Latin American countries, Chile does not have a specific corporate anti-corruption law. Law No. 20,393 (the Criminal Responsibility of Legal Entities Law), broadly proscribes crimes including money laundering, terrorism financing and bribery.

[4] See National Criminal Procedure Code, Article 421 (Mexico) (establishing corporate criminal liability for certain white-collar crimes, including bribery, when the offences are committed in an entity’s name, on its behalf, for its benefit or using means provided by it, or when the entity did not have proper controls in place); see also Federal Official Gazette, 16 June 2016, (last accessed 7 June 2022).

[5] Eugenio Hernández-Bretón, Anti-bribery Risk Assessment: A Systematic Overview of 151 Countries: Venezuela, at 455–63 (Thomas Gruetzner et al. eds, 2008) (‘if the commission of a crime is established by a court of law, legal entities may be subject to monetary fines, confiscations of profits and/or barring of contract awards depending on the circumstances of the case’).

[6] See Law No. 30,424 of 1 January 2018 (Peru) (establishing corporate criminal liability for offences, including public bribery and money laundering, committed in the name or on behalf of the entity for its direct or indirect benefit).

[7] See, e.g., Law No. 27,401 (Argentina); Federal Criminal Code, Article 222 bis (Mexico).

[8] See Law No. 12,846 (2014) (Brazil) (Clean Company Act); Federal Decree No. 8,420 of 18 March 2015, Official Gazette (Brazil) (establishing strict civil and administrative liability for companies when acts of corruption are committed in their interest or for their benefit by directors, officers, employees or agents). In Brazil, corporations may only be criminally liable for environmental crimes. See also Law 1778 (2018) (Colombia) (establishing administrative liability for corporations engaged in transnational bribery). In Colombia, legal entities cannot be independently liable for criminal charges. However, a legal entity can be held jointly and severally liable for any damage caused by its employees.

[9] For instance, under Brazil’s Clean Company Act, violating corporations may be liable for administrative and civil fines, debarment from contracting with government entities and required public disclosure of violations. See Decree No. 8,420, op. cit. note 8, above.

[10] See Law 599 of 24 July 2000, Article 96, Official Gazette (Colombia); see also Law 2195 of 18 January 2022, Official Gazette (Colombia).

[11] See also Chapters 3, 4 and 8 of this Guide.

[12] Federal Law No. 14,133 (2021) (Brazil) (making a compliance programme mandatory as a condition for hiring major public contracts and a tie-breaker criterion for other contracts).

[13] La Superintendencia de Sociedades.

[14] Previously, only companies that conducted international business through intermediaries, contractors and subsidiaries, as well as companies engaged in specific industries such as pharmaceuticals, construction and energy, were required to have business transparency and ethics programmes. See Superintendencia de Sociedades, Resolution No. 200-000558.

[15] See Law No. 30424, Article 17 (21 April 2016) (Peru).

[16] Teresa Tovar and Viviana Chávez Bravo, ‘The Anti-Bribery and Anti-Corruption Review: Peru’ (10 December 2021), -review/peru (last accessed 7 June 2022).

[17] See Law No. 20,393 (Chile).

[18] In particular, to qualify for an exemption from criminal liability, the compliance programme must include (1) the appointment of a prevention supervisor with sufficient means, powers and independence for performing its duties, (2) the establishment of a compliance programme that helps prevent crime and identifies any areas of risk, (3) the establishment of specific protocols, rules and procedures to prevent crimes, and to administer and audit the financial resources of the company, and (4) protocols for reporting the wrongdoing and steps for correction of failures in compliance.

[19] See Law No. 27401, Articles 9, 23 and 24.

[20] 15 U.S.C. § 78dd-1, et seq.

[21] 15 U.S.C. § 78m(b)(2)(B).

[22] Criminal Division of US Department of Justice (US DOJ) and Enforcement Division of US Securities and Exchange Commission, ‘A Resource Guide to the U.S. Foreign Corrupt Practices Act’ (2d ed. July 2020), at 40, (last accessed 7 June 2022) (FCPA Resource Guide).

[23] US Sentencing Commission, Guidelines Manual, Chapter 8 (November 2018) (US Sentencing Guidelines), (last accessed 7 June 2022).

[24] FCPA Resource Guide at 51 (citing 9-47.120 – FCPA Corporate Enforcement Policy, (last accessed 7 June 2022)).

[25] See Justice Manual (JM), § 9-28.300.A; JM § 9-28.700.B (explaining benefits of cooperation for both government and corporation); see also FCPA Resource Guide at 57.

[26] FCPA Resource Guide at 57.

[27] ibid. at 52.

[28] US Sentencing Guidelines, op. cit. note 22, above.

[29] US DOJ, Criminal Division, ‘Evaluation of Corporate Compliance Programs’ (June 2020) (ECCP), (last accessed 7 June 2022); see also FCPA Resource Guide at 67.

[31] UK Bribery Act 2010, (last accessed 7 June 2022); see also Timothy Bowden, Roger A Burlingame, Matthew L Mazur and Tom Stroud, ‘The Anti-Bribery and Anti-Corruption Review: United Kingdom – England & Wales’, (last accessed 7 June 2022).

[32] Guillaume de Rancourt and Camille Martini, ‘The Anti-Bribery and Anti-Corruption Review: France’, (last accessed 7 June 2022).

[33] Organisation for Economic Co-operation and Development (OECD), Convention on Combating Bribery of Foreign Public Officials in International Business Transactions, (last accessed 7 June 2022).

[34] OECD, ‘Recommendation of the Council for Further Combating Bribery of Foreign Public Officials in International Business Transactions’ (amended 26 November 2021), (last accessed 7 June 2022).

[35] World Bank Group, Integrity Compliance Guidelines (2017), WBG-Integrity-Compliance-Guidelines-full.pdf (last accessed 7 June 2022).

[36] ECCP at 3 (quoting JM 9-28.800 (quotation marks omitted)).

[38] ibid. at 6–7.

[39] ibid. at 9 (quoting JM 9-28.800 (quotation marks omitted)).

[40] ibid. at 3.

[41] ibid. at 13–14.

[42] ibid. at 13.

[43] ibid. at 14 (quoting JM 9-28.800 (quotation marks omitted)).

[44] ibid. (citing JM 9-28.300).

[45] ibid. at 7.
