Latin America Compliance Requirements
This is an Insight article, written by a selected partner as part of GIR's co-published content. Read more on Insight
The past decade has brought into sharp focus the anti-corruption enforcement risk for companies in Latin America, and with it the growing importance of building an effective corporate compliance programme, both to avoid potential misconduct and regulatory scrutiny in the first place and to receive mitigation credit if misconduct nonetheless occurs and triggers a government investigation. Designing, implementing and maintaining a risk-based compliance programme that prevents and detects misconduct, and that will garner the most favourable outcome from government regulators, has become paramount not only under US law but more recently under newly enacted statutes in Latin America.
This chapter first provides an overview of the guiding principles relating to anti-corruption liability and compliance, including the relevant statutes and policies. It then sets out best practices for designing, implementing and maintaining an effective corporate anti-corruption compliance programme that complies with those requirements and principles, helps companies avoid and identify misconduct, and mitigates liability where a violation occurs.
Compliance-related policies and statutes in Latin America
The past decade has seen the emergence of new, more aggressive legal frameworks to combat corruption in Latin America. From recent local laws that establish corporate criminal liability for anti-corruption offences to the increased international focus on compliance as a proactive measure to detect and prevent corruption, there are a number of Latin American and international authorities that companies can look to as signposts for corporate compliance programmes.
Latin American authorities
A number of Latin American countries now have laws establishing corporate criminal liability for bribery and corruption offences, many of which were enacted within the past few years. For example, Argentina, Chile, Mexico, Venezuela and Peru each have some form of corporate criminal liability for corruption-related offences. The penalties for corporate criminal liability in these countries range from fines to commercial suspension or dissolution, loss or suspension of government benefits, and publication of the conviction imposed on the legal entity.
Although other Latin American countries do not have direct corporate criminal liability, many do have civil, regulatory or administrative anti-corruption regimes that allow for virtually identical sanctions or even hold a company jointly and severally liable with employees who have committed corruption-related crimes.
Importantly, a growing number of these statutes in Latin American provide guidelines for corporate anti-corruption compliance programmes in one form or another, from requiring companies to maintain such programmes to offering companies leniency if they have implemented an effective compliance programme, to including an affirmative defence to companies that have engaged in corruption. Although exact guidance on what constitutes an effective compliance programme differs from country to country, most laws relating to or requiring compliance programmes share common substantive themes.
Brazil’s Decree No. 8,420 provides that an effective compliance programme may be a mitigating factor to reduce fines for anti-corruption violations. Under Decree No. 8,420, compliance programmes must be tailored to the risks of the particular corporation and updated to ensure continuous improvement and effectiveness. The Decree outlines several components of an effective compliance programme, including the commitment of senior management and board members, the implementation of internal and third-party policies (e.g., a code of conduct and third-party due diligence procedures), periodic training and risk assessment, accurate and precise internal controls, and the establishment of remediation and disciplinary measures.
Although Decree No. 8,420 does not make a compliance programme mandatory, Law No. 14,133 does require certain companies participating in public tenders to have robust compliance programmes. Law No. 14,133, which came into effect on 1 April 2023, requires companies that win public bids valued at over 200 million reais to develop an effective compliance programme within six months of the underlying contract’s execution. In addition, the law states that the presence of such a compliance programme will serve as a tie breaker – assuming all else is equal – between two bids for a contract.
Colombia’s Transnational Corruption Act similarly establishes that an effective compliance programme may reduce administrative fines for anti-corruption violations. On 1 January 2021, the Colombian Corporations Commission (the Superintendencia) adopted Resolution 100-006261, which expanded the sphere of companies that are required to implement compliance programmes (i.e., business transparency and ethics programmes). Now, the vast majority of companies that operate in Colombia and abroad, or engage in international transactions and are otherwise supervised by the Superintendencia, must implement such a programme.
To qualify for a fine reduction, a compliance programme must contain a number of features, including that it is tailored to the particular risks of the corporation, is endorsed by senior management and imposes effective control mechanisms, such as third-party due diligence procedures and periodic audits, among other things, to ensure effective detection of violations and the undertaking of remedial actions.
A compliance programme may be a mitigating factor to liability for anti-corruption violations so long as the programme meets certain minimum requirements under Mexico’s General Law of Administrative Responsibility. Under this Law, an effective compliance programme must have a clear and complete organisational and procedures manual, a published code of conduct, adequate and effective internal controls, adequate whistleblowing systems and disciplinary processes, effective training programmes and human resources policies, and adequate mechanisms to ensure transparency and avoid conflicts of interest.
Companies in Peru that have effective compliance programmes (i.e., prevention models) at the time of an alleged corruption offence are completely immune from corporate liability for the conduct. To qualify for an exemption from liability, compliance programmes must, at a minimum:
- appoint a person to be in charge of the prevention functions;
- take measures to identify, evaluate and mitigate risks to prevent crime;
- disseminate periodic compliance training;
- implement internal complaint proceedings (e.g., a whistleblower hotline); and
- undertake continuing evaluation and monitoring of the programme.
Notably, if a company implemented a compliance programme after the alleged offence but before the start of trial – or if the company proves that it has partially implemented a compliance programme with the minimum elements described above – the company may still be entitled to a reduction in fines.
Chile likewise exempts companies from criminal liability if they have adopted an effective compliance programme before the commission of an alleged corruption offence. To qualify as a ‘prevention model’, Chilean law sets out minimum requirements for a compliance programme that generally mirror those of Peru.
Under Argentina’s Corporate Criminal Liability Law (Law No. 27,401), the existence of an effective compliance programme – which is not required unless contracting with the Argentine federal government – can reduce or even exempt an entity from penalties for corruption violations. To qualify, the programme must meet certain minimum requirements, including the implementation of a code of conduct, specific policies or procedures to prevent criminal offences in dealings with public administration, and periodic compliance training.
In addition to these mandatory requirements, Law No. 27,401 sets forth recommended components of compliance programmes, including periodic risk analyses, a clear anti-corruption tone from senior management and supervisors, whistleblower reporting channels, a whistleblower protection policy, internal investigation protocols, third-party and merger and acquisition due diligence policies, and the appointment of a compliance officer.
In addition to Latin American authorities that are directly applicable to companies in the region, there are also a number of regulatory and other bodies outside Latin America that provide helpful guidance on corporate compliance programmes. Some of these authorities may likewise be directly applicable to Latin American companies, for example if companies are listed on a US stock exchange and, therefore, are subject to US anti-corruption enforcement.
Enforcement authorities in Latin America have increasingly collaborated with regulators around the world to investigate and prosecute allegations of corruption, which may expose Latin American corporations to cross-border liability. Additionally, foreign and international regimes laying out guidelines for effective corporate compliance programmes have increasingly influenced the passage of new compliance-related laws in Latin America or may simply serve as additional signposts for designing, implementing and maintaining corporate compliance programmes.
US anti-corruption law and policy is an integral framework for any corporate compliance programme, given the broad jurisdiction of the US Foreign Corrupt Practices Act (FCPA) and its robust influence on international anti-corruption enforcement. In general, the anti-bribery provisions of the FCPA prohibit both US companies and foreign companies that are either listed on a US exchange or have employees or agents who act while in the territory of the United States, from making corrupt payments to foreign officials to obtain or retain business. Although the FCPA’s anti-bribery provisions do not impose an affirmative duty to implement a compliance programme, its accounting provisions require publicly traded companies to maintain a system of internal controls sufficient to provide reasonable assurances that transactions are executed and assets are accounted for in accordance with the law. Although a company’s internal accounting controls are not synonymous with its compliance programme, an effective compliance programme contains a number of components that may overlap with integral components of an issuer’s internal accounting controls under the FCPA.
Moreover, under US law, corporate compliance is an integral part of anti-corruption (as well as other corporate) enforcement. In fact, it affects every component of a corporate criminal resolution:
- it is one of the factors that prosecutors consider in determining whether a corporate enforcement action is appropriate, and if so what form it should take;
- it affects the fine that would be called for under the US Sentencing Guidelines, as well as any reduction from that amount that prosecutors may conclude, at their discretion, is appropriate; and
- it is the driving factor in determining whether the company must retain an independent compliance monitor or whether the company can self-monitor during the term of the resolution agreement.
US regulators have increasingly expanded incentives for companies to develop and maintain robust compliance programmes over the years. For instance, the US Department of Justice (DOJ) recently updated its Corporate Enforcement Policy (CEP) to expand companies’ eligibility for declinations – even in the face of ‘aggravating’ misconduct (e.g., egregious or pervasive wrongdoing) where, among other things, the company had an effective compliance programme and system of internal controls that enabled the identification of the misconduct and led to voluntary self-disclosure.
Additionally, under the revised CEP, companies that voluntarily self-disclose, cooperate and remediate (which depends on, among other things, the ‘[i]mplementation of an effective compliance and ethics program’) – but do not receive a declination –will still benefit from DOJ ‘accord[ing] or recommend[ing] to a sentencing court’ a fine reduction of at least 50 per cent and up to 75 per cent off the low end of the US Sentencing Guidelines fine range, except in the case of a criminal recidivist.
Likewise, the DOJ’s Principles of Federal Prosecution of Business Organizations instruct prosecutors to consider a compliance programme’s design, implementation and effectiveness in determining whether to bring charges against a company as well as in negotiating plea or other agreements. The adequacy of a corporation’s compliance programme may influence the DOJ’s decision as to whether charges should be resolved through a guilty plea, a deferred prosecution agreement (DPA) or a non-prosecution agreement, as well as the appropriate length of any such agreement or the term of corporate probation. Further, the DOJ will generally not require the appointment of a monitor if a company voluntarily self-discloses, fully cooperates, timely and appropriately remediates, and has, at the time of resolution, implemented and tested an effective compliance programme.
The US Sentencing Guidelines similarly take into account whether a company has an effective compliance and ethics programme, which may lead to a three-point reduction in an organisation’s culpability score under Section 8C2.5 and affect the fine calculation under the Guidelines. The Guidelines lay out the minimum criteria for an effective corporate compliance programme, under which an organisation must:
- establish standards and procedures to prevent and detect crime;
- provide oversight by high-level management, typically the board of directors;
- exercise due care in delegating substantial discretionary authority;
- establish effective communication and training for all employees;
- monitor, audit and report suspected wrongdoing, and periodically evaluate the effectiveness of the ethics and compliance programme;
- promote and consistently enforce the corporate compliance programme by incentivising use of the established mechanisms, and disciplining employees who commit crimes or fail to take reasonable steps to prevent or detect criminal conduct; and
- take reasonable steps to respond to criminal conduct once it has been detected and to prevent further criminal conduct.
Perhaps most notably, the DOJ’s Criminal Division (which oversees all criminal enforcement of the FCPA) has published and recently updated the ‘Evaluation of Corporate Compliance Programs’ (ECCP), which provides companies with detailed guidance concerning the design, implementation and maintenance of an effective corporate compliance programme. The ECCP comprises 21 pages of questions organised by topic, which prosecutors use with respect to compliance programmes in making charging decisions, deciding whether a resolution is appropriate, formulating monetary penalties, if any, and determining whether compliance obligations are necessary for any corporate criminal resolution (e.g., monitorship or reporting obligations). Although not prescriptive, the ECCP provides valuable insight into how the DOJ will measure and judge a company’s compliance programme.
This guidance is often used by other domestic and foreign enforcement authorities in their evaluation of corporate compliance programmes. In February 2023, the DOJ announced a new corporate voluntary self-disclosure policy that requires all 94 US attorney’s offices across the United States and its territories to consider the ECCP in determining whether to impose an independent compliance monitor as part of a corporate resolution.
Latin American regulators also sometimes collaborate with European authorities to enforce anti-corruption laws. For instance, the Rolls-Royce plc resolution involved coordination between Brazilian, US and UK authorities. As with the United States, European laws and policy can serve as a helpful benchmark for Latin American companies.
Under the UK Bribery Act, an effective compliance programme is a defence to the offence of failing to prevent bribery and is also a significant consideration in the Serious Fraud Office’s determination of whether to enter into a DPA. To qualify for a compliance defence, corporate compliance programmes must adhere to six principles:
- implement procedures proportionate to the bribery risks that an organisation faces;
- ensure top-level management is committed to preventing bribery;
- undertake a risk assessment of the extent of the company’s exposure to bribery risks;
- implement proportionate due diligence procedures;
- communicate compliance training, policies and procedures; and
- monitor, review and improve compliance procedures.
Similarly, France’s Sapin II anti-corruption law contains provisions requiring the implementation of corporate compliance programmes under certain circumstances. On 22 December 2017, the French Anti-Corruption Agency published recommended guidelines for compliance programmes, which are similar to those issued by the United States and the United Kingdom.
In May 2023, the European Commission proposed a new directive that would require EU Member States to incorporate uniform anti-bribery measures into their laws. The proposed directive seeks to provide more consistency and enforce minimum standards across the European Union with respect to anti-bribery issues. If the directive is adopted by the European Parliament and the Council, EU Member States would be required to enact its framework into national law within 18 months. Under the proposed directive, effective internal controls and anti-corruption compliance programmes are considered a mitigating factor, as well as the rapid and voluntary disclosure of misconduct to regulators.
International conventions and multilateral development banks
Latin American countries have also been heavily influenced by international compliance guidelines, including those issued by the Organisation for Economic Co-operation and Development (OECD). As of May 2023, the OECD’s Anti-Bribery Convention – which establishes legally binding standards to criminalise bribery of foreign public officials in international business transactions – has seven Latin American countries as signatories: Argentina, Brazil, Chile, Colombia, Costa Rica, Mexico and Peru. In November 2021, the OECD updated its Good Practice Guidance on Internal Controls, Ethics and Compliance and called on its member countries to incentivise the development of compliance programmes. Its enhanced compliance guidelines share many similarities with US requirements for an effective anti-corruption compliance programme.
Similarly, multilateral development banks (MDBs), such as the World Bank, have the ability to debar companies and individuals for corrupt practices. The World Bank’s Sanctioning Guidelines provide for mitigation credit of up to 50 per cent (and more in ‘exceptional circumstances’) for companies that have taken voluntary corrective action and can demonstrate that they have implemented an effective corporate compliance programme. The World Bank’s Integrity Compliance Guidelines describe a number of guidelines from compliance programmes, including a comprehensive and periodic assessment of risk, robust policies and procedures to detect and remediate misconduct, effective internal controls and efficient reporting standards.
In addition, in March 2023, the World Bank and five other major multilateral development banks (the African Development Bank, the Asian Development Bank, the European Bank for Reconstruction and Development, the European Investment Bank and the Inter-American Development Bank) agreed to and published new General Principles for Business Integrity Programmes, which provide the participating MDBs with a ‘harmonized’ approach to considering a company’s ‘business integrity programme’ in connection with investigations and potential sanctions for fraud and corruption.
Designing, implementing and maintaining an effective compliance programme
As the authorities above demonstrate, although there is no ‘one-size-fits-all’ approach to implementing an effective compliance programme, regulators have articulated hallmarks that are common to effective compliance programmes. At its core, a compliance programme should be grounded both in preventing and mitigating the company’s unique risks and in documenting the process through which those risks are identified, monitored and addressed.
Creating a ‘well-designed’ compliance programme
A common theme for the authorities cited above is that companies should take a risk-based approach to compliance. It is recognised that companies have a limited set of resources and cannot devote endless time, money and compliance professionals to addressing and preventing every compliance risk that might exist, and that companies, therefore, should allocate resources to those risks that pose the greatest threats. As a result, the starting point for designing any compliance programme is an analysis of a company’s unique risk profile. Regulators will look to whether compliance programmes are ‘designed to detect [and prevent] the particular types of misconduct most likely to occur in a particular corporation’s line of business’ and ‘complex regulatory environment’ in order to determine whether the programme is crafted for ‘maximum effectiveness in preventing and detecting wrongdoing’.
In undertaking their risk analysis, companies should fundamentally endeavour to (1) understand their geographical and operational footprint and how that footprint interfaces with relevant regulatory regimes, and (2) identify areas of their business that pose a higher likelihood of possibly violating applicable laws. Although the analysis can take many forms, companies may start by using a questionnaire or survey, or by interviewing employees, to identify and assess from the company’s own employees’ perspectives the risks presented by their location of operations, industry, market competitiveness, regulatory landscape, potential clients and business partners, transactions with foreign governments, payments to foreign officials, use of third parties, gifts, travel and entertainment expenses, and charitable and political donations. In addition, companies can look to enforcement actions involving their competitors and enforcement actions against others involving the same region or regions in which the companies operate. These enforcement actions can provide valuable insights into the types of risks that the company may be facing.
Once a company has defined and assessed its risk profile, that assessment should become the ‘North Star’ of its compliance programme, and the design and implementation should flow from it. Most often, the next step involves setting up a code of conduct, policies and procedures that are aimed at (1) addressing and reducing identified risks, and (2) incorporating a culture of compliance in the company’s day-to-day operations. The policies and procedures should address, among other things, gifts, hospitality, entertainment and expenses, customer travel, political contributions, charitable donations and sponsorships, and solicitation and extortion. The policies and procedures should contain all necessary information, but should be accessible to the relevant employees.
Functionality is much more important than form, both from the perspective of preventing and detecting misconduct as well as impressing regulators: if employees do not understand the rules, they will not be able to follow them. Moreover, if policies are not practical, employees will seek to ignore or circumvent them. The best way to ensure that policies are comprehensible and practical is to consult with the business in developing the company’s policies and procedures. Regulators will likewise react more favourably to policies that are practical and where the business has had an active role in their development.
In March 2023, the ECCP was updated to provide new guidance with respect to establishing policies and procedures concerning the use of personal devices, communications platforms and messaging applications, including ephemeral messaging applications. This signals an increased focus by the DOJ on those devices and the role they play in corruption investigations. The ECCP explains that a company’s policies regarding personal devices and communications should be tailored to its risk profile and business needs and designed so that communications are being preserved to the fullest extent possible. It provides examples of areas that companies should analyse to ensure that those policies and procedures are appropriately tailored and risk-based, including assessing what electronic communication channels the company’s employees actually use and determining what preservation or deletion settings are in place and why those settings have been implemented.
Once effective policies and procedures are developed, it is important to then train the relevant employees on those policies and procedures, and risks more generally. The company’s training and communications programmes should be tailored to ensure effective integration of the company’s compliance policies throughout the organisation. Compliance training need not, and often should not, be developed and conducted for every employee of the company; rather, training should be tailored to the relevant group of employees who are exposed to the particular risk addressed by the training. Likewise, the company should give thought to how best to conduct the training – whether in person, pre-recorded, or virtual but live. Often, in-person training allows for more feedback and constructive dialogue about issues that are arising but may not be feasible because of the number and locations of employees and company resources. Training should also evolve over time to incorporate lessons learned from issues that have occurred within the company as well as from enforcement actions involving competitors or companies operating in the same geographical region.
Companies should also incorporate an efficient and trusted mechanism by which employees can anonymously and confidentially report alleged misconduct and breaches of the company’s code of conduct and policies. The ECCP specifies that an effective compliance regime includes, in particular, the use of mechanisms for confidential internal reporting of suspected misconduct as well as processes for conducting prompt internal investigations of allegations and incorporating lessons learned from those investigations.
Another key component of a compliance programme is a system that ensures appropriate risk-based due diligence and controls around the hiring, retention and use of third parties. Third parties continue to be the most significant risk for companies because, unlike with its own employees, a company does not have nearly as much transparency into the activities of third parties and what the third parties do with the money they receive. Regulators, therefore, will look for companies to design a programme that:
- examines the business rationale for needing the third party in the transaction;
- analyses the risks posed by third-party partners, including the third-party partners’ relationships with foreign officials;
- endeavours to understand whether the third party is actually doing the work it has been engaged to perform; and
- analyses whether the third party’s compensation is commensurate with work being provided relative to the industry and geographical region.
Regulators have increasingly referred to the use of data analytics to identify third parties that are engaged in aberrant, and potentially problematic, behaviour. For example, data analytics can be used to identify whether there has been a spike in the frequency of payments or the amount of money that a third party is paid relative to other third parties engaging in similar activity. Companies without sufficient resources to engage in data analytics across its third parties will not be held to the same standard as companies that have those resources, but regulators will still want evidence that the company is taking seriously the risk that third parties pose, including by setting up appropriate controls around the payment of invoices (such as approval by someone outside the business unit who is responsible for hiring and using the third party).
Similarly, companies should ensure comprehensive due diligence of any acquisition targets as well as a process for timely integration of the acquired entity into the company’s existing compliance programme, structure and internal controls. As with the rest of the compliance programme, such diligence and integration should be tailored to the specific risks posed by the acquisition. The integration of the company’s compliance programme onto the acquisition company should not be conducted without first understanding the unique risks facing that newly acquired entity. It may be that not all the policies and procedures are applicable or right-sized for the newly acquired entity; therefore, both for the purposes of implementing the most effective programme and to demonstrate to regulators that the company is being thoughtful about its approach to compliance, the company should assess the risk and integrate its compliance programme and controls, and conduct training as appropriate.
Ensuring the compliance programme is adequately resourced and empowered to function effectively
Although a well-designed compliance programme is necessary to prevent and detect misconduct and to receive mitigation credit from regulators, companies must also ensure that their compliance programmes are adequately resourced and empowered to function effectively. In fact, regulators look closely at whether a company’s compliance programme is a ‘paper programme or one implemented, reviewed, and revised, as appropriate, in an effective manner’.
A well-resourced and effective compliance programme includes a strong commitment by senior and middle management to implement a culture of compliance from the top down. The DOJ, for example, has shifted from emphasising the tone at the top and now focuses on conduct at the top and shared commitment by senior and middle management. Regulators will look to whether senior and middle management clearly articulate the company’s ethical standards, demonstrate rigorous adherence by example, and encourage employees to abide by those standards.
Likewise, DOJ guidance addresses the need for a company’s board of directors to be equipped with appropriate expertise and oversight, including over any areas in which misconduct has occurred. Examples that demonstrate such a commitment to regulators could include a certain amount of time at board meetings devoted to proactive compliance discussions (e.g., developments in the programme, lessons learned from enforcement actions against competitors or companies operating in similar regions) or instances where the board identified or addressed compliance risks associated with a particular transaction or deal.
Along the same lines, regulators evaluate whether companies ensure that their compliance programmes are structured with sufficient resources, personnel and funding to enable accurate and independent auditing, documentation and analysis. This includes tailoring attention and resources on a risk-weighted basis, which can be critical not only to monitoring for misconduct but also to defending the programme before various regulatory authorities when misconduct does occur.
In the United States, prosecutors may ‘credit the quality and effectiveness of a risk-based compliance program’ that devotes resources and attention in a risk-appropriate manner, ‘even if it fails to prevent an infraction’. The analysis also includes ensuring that those responsible for compliance have sufficient autonomy from management, such as direct access to the board of directors or the board’s audit committee. In fact, when the DOJ resolves a financial fraud or FCPA case, it routinely includes an attachment to the resolution that details requirements to be met in connection with the resolution of the case (often referred to as Attachment C). Attachment C clarifies that responsibility for the implementation and oversight of a company’s compliance code, policies and procedures – including those inherent in conducting a risk assessment – should be assigned to one or more senior executives with authority to report directly to independent monitoring bodies, such as the audit committee or the board.
Regulators assess whether companies implement clear consequence management procedures (i.e., procedures to identify, investigate, discipline and remediate any-compliance issues) and incentives for compliance and whether they enforce them consistently across the organisation. Among other things, regulators will look into whether a company’s ‘communications convey to its employees that unethical conduct will not be tolerated and will bring swift consequences, regardless of the position or title of the employee who engages in the conduct’. For example, regulators ask whether companies publicise disciplinary actions internally.
Similarly, regulators assess whether companies provide positive incentives for improving and developing compliance and demonstrating ethical leadership, including designing and implementing compensation schemes that foster a culture of compliance. Regarding compensation, the ECCP’s March 2023 update contains a significant amount of new guidance concerning the establishment of financial incentives for compliance and disincentives for non-compliance in a company’s compensation structure. For instance, it provides that prosecutors may consider whether companies have designed compensation systems that delay certain compensation until an employee has demonstrated conduct consistent with company values and policies, or have recouped or reduced compensation if an employee engages in misconduct
Regulators may also look for a company’s use of positive incentives to support compliance from a compensation perspective, such as by setting compliance as a significant metric for promotions and bonuses. In line with the ECCP’s new guidance with respect to compensation structures, the DOJ also announced ‘The Criminal Division’s Pilot Program Regarding Compensation Incentives and Clawbacks,’ under which companies resolving cases with the DOJ will be required to implement compliance-promoting criteria within their compensation and bonus system, and the DOJ will reduce fines for companies that claw back or attempt to claw back compensation from wrongdoers.
Measuring, monitoring and improving the compliance programme
Finally, companies should ensure that their compliance programmes actually work in practice. As most regulators acknowledge, ‘no compliance programme can ever prevent all criminal activity by a corporation’s employees’. Accordingly, regulators will focus on ‘the adequacy and effectiveness of the corporation’s compliance program’ during the relevant period and at the time of the resolution, both in making charging decisions as well as in determining penalties. It is, therefore, important for a company to be able to show that its compliance programme was working effectively at the time of an alleged offence, but also that it has continued to evolve to address new risks and incorporate lessons learned from instances of misconduct.
Ensuring compliance programmes actually work in practice, therefore, involves investing in continuous improvement, testing and review. Regulators will look at whether a company periodically engages in monitoring, measuring and testing its compliance programme. This can take the form of a review by internal audit, or by an outside vendor or law firm, and often includes a renewed risk assessment, review of existing policies and procedures, interviews with compliance personnel and employees in various business units, surveys of employees, controls testing, and evaluation and analysis of instances of misconduct or hotline reports that have occurred since the last review.
In addition to formal, set periodic reviews of a compliance programme, companies can also engage in informal continuous evaluation and measurement of it. For example, when a company conducts training for its employees, steps can be taken to evaluate the effectiveness of a particular training session. Likewise, the company can examine how its hotline is operating, and whether the third-party due diligence process is identifying risky or problematic third parties.
In addition to testing and measuring, it is important to adequately address potential misconduct when it does occur. Regulators will evaluate whether companies have in place a process for adequately investigating, addressing and remediating misconduct, but also for understanding the underlying root cause of the misconduct and adapting the compliance programme to prevent recurrence. Regulators will want to see that a company properly scopes its investigations and that those investigations are ‘independent, objective, appropriately conducted, and properly documented’. In conducting a root cause analysis, regulators will expect a company to analyse whether systemic issues or control weaknesses were involved, and what was done to address these issues.
With respect to personal devices – given regulators’ increased focus on them – companies should take care to ensure that they are enforcing and measuring the effectiveness of their communications-related policies. For example, under the ECCP, prosecutors will ask whether employees have been disciplined for violating the policies, whether compliance or investigations have been impaired because data was not recoverable, whether the company actually exercises control over communication channels subject to the policies, and whether the company has assessed the continued reasonableness of its policies and procedures in the context of its evolving business needs and risk profile.
Finally, but importantly, to enable a company to measure the effectiveness of its compliance programme, and also to demonstrate that effectiveness to regulators, it is imperative that compliance events be documented. Regulators expect not simply to hear about the effectiveness of a compliance programme but also to see evidence of it. Some examples of information categories that regulators often seek when evaluating the effectiveness of a company’s compliance programme are third parties that are rejected as a result of the company’s due diligence process, transactions or deals that are modified or rejected because of compliance risk; discipline that is imposed and remediation that is implemented as a result of misconduct; and responses to hotline reports. If the company is not tracking this and other information, regulators may be sceptical that it is in fact happening and will question how the company can measure the effectiveness of its compliance programme without that information.
With an intensified focus on corporate wrongdoing and enforcement across Latin America, an effective compliance programme has become a critical component of a company’s operations. Although there is not a one-size-fits-all approach to compliance by either regulators or companies, there are important steps that companies can take to put themselves in the best position to avoid, or at least limit, misconduct and, when a company comes under regulatory scrutiny, to secure mitigation credit for the effectiveness of its compliance programme:
- understand the risks that face the company as a result of its geographical and operational footprint and the regulators’ expectations around compliance;
- use that risk assessment to design and implement a compliance programme with policies and procedures that are appropriately tailored to address the issues identified in the guidance documents cited herein;
- take a risk-based approach to resourcing the compliance programme and ensure that there are individuals with appropriate experience and expertise within the compliance function and on the board;
- incorporate compliance into the culture of the company, including through the examples provided in this chapter;
- respond to allegations of misconduct through properly scoped investigations and undertake a root cause analysis to understand and remediate the cause of the issues; and
- document compliance processes and rationales. This documentation is necessary to evaluate a company’s compliance programme and, if misconduct occurs, will be critical in defending the company or securing mitigation credit (or both).
 Daniel S Kahn is a partner and Brooke Theodora is an associate at Davis Polk & Wardwell LLP. The authors would like to thank associate Alicia Hoke and law clerk Alex McNamara, who were instrumental in the research and drafting of this chapter.
 Law No. 27,401 of 2 March 2018 (Law 27,401) (Argentina) (establishing corporate criminal liability for certain corruption offences).
 Law No. 20,393 of 2 December 2009, Article 1 (Chile) (establishing corporate criminal liability for crimes, including active bribery and active bribery of a foreign public official). Unlike some other Latin American countries, Chile does not have a specific corporate anti-corruption law. Law No. 20,393 broadly proscribes crimes, including money laundering, terrorism financing and bribery.
 National Criminal Procedure Code, Article 421 (Mexico) (establishing corporate criminal liability for certain white-collar crimes, including bribery, when the offences are committed in an entity’s name, on its behalf, for its benefit or using means provided by it, or when the entity did not have proper controls in place); Federal Official Gazette, 16 June 2016, www.dof.gob.mx/nota_detalle.php?codigo=5441763&fecha=17/06/2016 (accessed 7 August 2023).
 Eugenio Hernández-Bretón, ‘Venezuela’, in Thomas Gruetzner, Ulf Hommel and Klaus Moosmayer (eds.), Anti-bribery Risk Assessment: A Systematic Overview of 151 Countries, C H Beck; Hart Publishing; Nomos, 2010, pp 455–64: ‘if the commission of a crime is established by a court of law, legal entities may be subject to monetary fines, confiscations of profits and/or barring of contract awards depending on the circumstances of the case’.
 Law No. 30,424 of 1 January 2018 (Peru) (establishing corporate criminal liability for offences, including public bribery and money laundering, committed in the name or on behalf of the entity for its direct or indirect benefit).
 See, e.g., Law 27,401 (Argentina); Federal Criminal Code, Article 222 bis (Mexico).
 Law No. 12,846 of 1 August 2013 (Brazil) (the Clean Company Act); Federal Decree No. 8,420 of 18 March 2015 (Decree 8,420), Official Gazette (Brazil) (establishing strict civil and administrative liability for companies when acts of corruption are committed in their interest or for their benefit by directors, officers, employees or agents). In Brazil, corporations may only be criminally liable for environmental crimes. See also Law No. 1778 of 2 February 2016 (Law 1778) (Colombia) (establishing administrative liability for corporations engaged in transnational bribery). In Colombia, legal entities cannot be independently liable for criminal charges; however, a legal entity can be held jointly and severally liable for any damage caused by its employees.
 For instance, under the Clean Company Act, violating corporations may be liable for administrative and civil fines, debarment from contracting with government entities and required public disclosure of violations. See Decree 8,420.
 Law No. 599 of 24 July 2000, Article 96, Official Gazette (Colombia); Law No. 2195 of 18 January 2022, Official Gazette (Colombia).
 See also Chapter 3 on ‘US Compliance Requirements’, Chapter 4 on ‘US Compliance Enforcement’ and Chapter 8 on ‘Latin America Compliance Enforcement’ of this Guide.
 Law No. 14,133 of 1 April 2021 (Brazil) (making a compliance programme mandatory as a condition for hiring major public contracts and a tie-breaker criterion for other contracts).
 Law 1778, Article 7.
 La Superintendencia de Sociedades (Superintendencia).
 Previously, only companies that conducted international business through intermediaries, contractors and subsidiaries, as well as companies engaged in specific industries such as pharmaceuticals, construction and energy, were required to have business transparency and ethics programmes. See Superintendencia, Resolution No. 200-000558.
 See Law No. 30,424 of 21 April 2016, Article 17 (Peru).
 Teresa Tovar Mena and Viviana Chávez Bravo, ‘Peru’, in Mark F Mendelsohn (ed.), The Anti-Bribery and Anti-Corruption Review, 10th edn., Law Business Research, 2021, pp. 214–227.
 Law No. 20,393 (Chile).
 In particular, to qualify for an exemption from criminal liability, the compliance programme must include (1) the appointment of a prevention supervisor with sufficient means, powers and independence for performing its duties, (2) the establishment of a compliance programme that helps prevent crime and identifies any areas of risk, (3) the establishment of specific protocols, rules and procedures to prevent crimes and to administer and audit the financial resources of the company, and (4) protocols for reporting the wrongdoing and steps for correction of failures in compliance.
 See Law No. 27,401, Articles 9, 23 and 24.
 For further details, see Chapter 3 on ‘US Compliance Requirements’.
 15 U.S.C. § 78dd-1, et seq.
 15 U.S.C. § 78m(b)(2)(B).
 DOJ and US Securities and Exchange Commission, ‘A Resource Guide to the U.S. Foreign Corrupt Practices Act’, 2nd edn., July 2020 (the FCPA Resource Guide), at 40.
 US Sentencing Commission, Guidelines Manual, November 2018 (the US Sentencing Guidelines), Chapter 8.
 DOJ, ‘Assistant Attorney General Kenneth A. Polite, Jr. Delivers Remarks on Revisions to the Criminal Division’s Corporate Enforcement Policy’, 17 January 2023, www.justice.gov/opa/speech/assistant-attorney-general-kenneth-polite-jr-delivers-remarks-georgetown-university-law (accessed 9 August 2023) (the Polite Remarks). The policy also requires that the company voluntary disclose the misconduct immediately upon becoming aware of it and engage in ‘extraordinary’ cooperation.
 DOJ, ‘Criminal Division Corporate Enforcement and Voluntary Self-Disclosure Policy’ (updated January 2023) at 5.
 Polite Remarks.
 See Justice Manual (JM), § 9-28.300.A; JM § 9-28.700.B (explaining benefits of cooperation for both government and corporation); see also FCPA Resource Guide at 57.
 FCPA Resource Guide at 57.
 ibid. at 52.
 US Sentencing Guidelines.
 DOJ Criminal Division, ‘Evaluation of Corporate Compliance Programs’, updated March 2023 (ECCP).
 See generally ECCP; see also FCPA Resource Guide at 67.
 DOJ, Press Release No. 17-074, ‘Rolls-Royce plc Agrees to Pay $170 Million Criminal Penalty to Resolve Foreign Corrupt Practices Act Case’, 17 January 2017, www.justice.gov/opa/pr/rolls-royce-plc-agrees-pay-170-million-criminal-penalty-resolve-foreign-corrupt-practices-act (accessed 9 August 2023).
 For further details, see Chapter 1 on ‘UK Compliance Requirements’.
 UK Bribery Act 2010, Section 7; see also Tim Bowden, Roger A Burlingame, Matthew L Mazur, Tom Stroud and Sum Kaur, ‘England & Wales’, in Mark F Mendelsohn (ed.), The Anti-Bribery and Anti-Corruption Review, 11th edn., Law Business Research, 2022, pp. 35–50.
 Guillaume de Rancourt, ‘France’, in Mark F Mendelsohn (ed.), The Anti-Bribery and Anti-Corruption Review, 11th edn., Law Business Research, 2022, p. 63.
 European Commission, COM(2023) 234 final, Proposal for a Directive of the European Parliament and of the Council on combating corruption, replacing Council Framework Decision 2003/568/JHA and the Convention on the fight against corruption involving officials of the European Communities or officials of Member States of the European Union and amending Directive (EU) 2017/1371 of the European Parliament and of the Council, 3 May 2023.
 Organisation for Economic Co-operation and Development (OECD), Convention on Combating Bribery of Foreign Public Officials in International Business Transactions.
 OECD, ‘Recommendation of the Council for Further Combating Bribery of Foreign Public Officials in International Business Transactions’, amended 26 November 2021.
 World Bank Group, Integrity Compliance Guidelines, 2017.
 MDB General Principles for Business Integrity Programmes, 2023.
 ECCP at 2 (quoting JM § 9-28.800 (quotation marks omitted)).
 ibid. at 6.
 ibid. at 9 (quoting JM § 9-28.800 (quotation marks omitted)).
 ibid. at 3.
 ibid. at 12.
 DOJ, ‘The Criminal Division’s Pilot Program Regarding Compensation Incentives and Clawbacks’, 3 March 2023.
 ibid. at 14 (quoting JM § 9-28.800 (quotation marks omitted)).
 id. (citing JM § 9-28.300).
 ibid. at 6.