Brazil: establishing effective compliance regimes
The past two years have seen corruption being taken far more seriously in Brazil. Although new legislation meeting or even exceeding the OECD Convention requirements was passed to curb inappropriate behaviour following the protests of June 2013, it remained uncertain whether it would be properly enforced.
There is no longer any uncertainty. The Federal Comptroller’s Office (CGU) was given powers to investigate and sanction offenders; the Federal Police and the Public Prosecutors Office have raided companies in the context of investigations of corruption in public tenders and tax evasion. Companies have been banned from public tenders of Petrobras (the Brazilian state oil company), which resulted in some of them having to file for Chapter 15 bankruptcy. But nothing had a more staggering effect than the pretrial detention of board members and shareholders of billion-dollar economic concerns that are among the largest contributors to political campaigns.
When arrests were announced in the press, the reaction of businessmen across all industry sectors was one of total disbelief. Lawyers were immediately called. This reaction was followed by a self-appraisal of their own conduct and the potential exposure for their companies.
It was a stern reminder about the importance of compliance programmes. It finally became clear that it was no longer about having a shiny compliance programme that looks good on paper. It has to work. Effectively.
What makes a compliance programme effective in Brazil?
Compliance programmes are not designed to make regulators happy. They are there to ensure people follow the legal rules of a certain jurisdiction while they preserve the company’s culture and values wherever they are doing business. Effective risk management is highly dependent on the company’s success in doing both.
A strong compliance programme allows people to identify when boundaries are crossed, alert management and respond to breaches appropriately. This is certainly a challenge in every jurisdiction and no less in a changing environment such as Brazil.
Brazilian laws and case law have not provided much guidance until very recently with respect to the satisfactory content of compliance and ethics programmes. Antitrust regulators had tried to introduce a certified compliance programme in 2004, which turned out not to be successful. More recently, compliance programmes have gained a lot of attention in light of the Clean Companies Act, which came into force on 29 January 2014, further regulated this year by Decree No. 8, 420 of 18 March 2015, which provided the minimum requirements for anti-corruption compliance programmes.
The Clean Companies Act
In response to both local and international demand, the Brazilian government enacted Law No. 12,846/13 (the Clean Companies Act), which came into force at the beginning of 2014. The new law imposes heavy fines on companies that offer or pay bribes to public officials and act fraudulently in public bidding process. It also offers benefits to companies that admit wrongful practices and collaborate in evidence gathering by means of leniency agreements that may reduce applicable fines.
The Clean Companies Act applies to any corporation, foundation, association that has its registered office, branch or representation in Brazil and engages in any harmful act against ‘public administration’. Both foreign governments and public international organisations are caught within the meaning of ‘public administration’.
The law also has extraterritorial reach, applying to any wrongdoing carried out by a national legal entity against a foreign public administration, even if the wrongdoing is committed abroad.
The administrative and civil liability of legal entities does not exclude the individual liability of its directors or officers or of any natural person who is a perpetrator, co-perpetrator or participant of the wrongdoing. Directors and officers shall only be held accountable in connection with wrongdoing to the extent of their culpability. However, under the new law a company is held objectively liable for the acts of its representatives, meaning that neither intent nor culpability needs to be proven for the legal entity to be liable.
In the event of a merger or amalgamation, the responsibility of the successor will be restricted to payment of a fine to the extent of the assets transferred. In addition, parent companies, subsidiaries, affiliates or members of a consortium, within the scope of the contract, may be jointly and severally liable for corruption practices established in the law, such liability being limited to the payment of penalty fines and full compensation of the damages caused.
The Clean Companies Act prescribes a broader definition of wrongful acts against public administration in Brazil and overseas. Accordingly, it is prohibited:
- to offer, promise or give an undue advantage to a national or foreign public official;
- to finance, pay, sponsor or by any other means facilitate such illegal acts;
- to use an intermediary individual or legal entity to conceal or dissimulate the real objective or the identities of the beneficiaries of the acts committed; and
- to hinder or interfere with the government’s investigations or hearings.
In the context of public bids, the law also prohibits:
- frustrating or defrauding the competitiveness of a public procurement procedure by means of an arrangement, agreement or any other method;
- preventing, disturbing or defrauding any act in a public procurement procedure;
- removing or attempting to remove a bidder in a public procurement procedure by means of fraud or offering any kind of advantage;
- defrauding a public procurement procedure or any related contract;
- creating a legal entity to defraud a public procurement procedure or to enter into a government contract;
- fraudulently obtaining an undue advantage or benefit from an amendment to or an extension of a government contract, without authorisation under the law, or from the notice of the public procurement procedure or the related contractual instruments; and
- rigging bids, manipulating or defrauding the economic-financial balance of a government contract.
Another controversial provision introduced by the new law concerns the possibility for the public administration to pierce the corporate veil, in cases where a legal entity is used abusively to facilitate or conceal conduct prohibited by the Act, or whenever it is intended to conceal asset ownership, thus extending the effects of the sanctions to managers and partners with administrative powers.
It is still too early to say, but these broad definitions of wrongful acts may lead to abuses on the part of the public administration in initiating investigations and proceedings against corporations. The Act’s provisions may lead to various interpretations, exposing companies to greater risks. These risks will be more easily measured when jurisprudence and case law evolve.
Under administrative law, companies held liable for wrongful acts under the law will have to pay a fine and the judgment will be published in the media. The amount of the fine will vary from 0.1 to 20 per cent of the gross revenue of the last fiscal year prior to the initiation of administrative proceedings. If it is not possible to apply such criteria, the competent authority may apply a fine ranging from 6,000 reais to 60 million reais.
To determine the fine, the competent authority will consider:
- the seriousness of the offence;
- the benefit earned;
- whether the offence was choate or inchoate;
- the degree of injury;
- the negative effect caused by the unlawful act;
- the cooperation in investigations of the legal entity (leniency agreements, for instance); and
- the existence of internal control mechanisms (effective compliance programme).
Under the civil law, the courts may order the following sanctions:
- forfeiture of property, rights or amounts representing advantage or profit directly or indirectly obtained from the infraction, subject to the right of the injured party or a third party acting in good faith;
- partial suspension or interdiction of the activities of the company;
- compulsory dissolution of the company; and
- prohibition from receiving incentives, subsides, grants, donations or loans from public agencies and public financial institutions or from financial institutions controlled by the government for a minimum of one year and a maximum of five years.
Compliance programmes – minimum legal standards
As pointed out above, effective internal compliance programmes are now factored in the calculation of the applicable fine. Further, Decree No. 8,420/2015 provides that, out of the penalty that can go up to 20 per cent of the company’s turnover, a discount of 1 to 4 per cent of the turnover will be given to companies that can evidence that they not only have a compliance programme but effectively apply it, according to certain parameters.
Other incentives are provided that indirectly have to do with an effective compliance programme: penalties are reduced by 2 per cent of the company’s turnover if the violation is voluntarily disclosed, by 1 per cent if the violation was not consummated and by 1.5 per cent if the company cooperates with the investigation or if it compensates the damage caused. Knowledge and tolerance of the conduct by the senior management of the corporation is, on the other hand, an aggravating factor.
The concept of a compliance programme was provided in article 41 of the Decree:
For the purpose of this Decree, a compliance programme consists of the mechanisms and internal proceedings of integrity, auditing and incentives to denounce violations in the context of a corporation, and the effective application of codes of ethics and conduct, policies and guidelines with the objective to detect and correct violations, fraud, irregularities and illicit acts committed against the public administration, either national or international.
Article 41 provides for additional elements to the effectiveness of the compliance programme:
The compliance programme must be structured, applied and updated in accordance with the characteristics and current risks of the activity performed by each corporation, which must secure constant development and updating of the programme, in order to guarantee its effectiveness.
Article 42 of the Decree lists the minimum requirements for the compliance programme to be considered as a mitigating factor for the penalty, to wit:
- the engagement of senior management of the company, including the board, evidenced by visible and unequivocal support for the programme;
- implementation of a code of ethics, a code of conduct and compliance policies applicable to all employees and managers irrespective of the job description;
- extension of the programme to third parties like suppliers, service providers, agents and associated companies;
- periodic training;
- periodic risk assessment to update and adjust the programme according to the company’s risk exposure;
- rigour in accounting registries, which need to correctly and precisely reflect company’s transactions;
- internal controls that secure trustworthy financial reports;
- internal proceedings that prevent fraud and illicit acts in public procurement, execution of administrative contracts or any other interaction with the public sector, even when intermediated by third parties, such as in the payment of taxes, running through inspections, obtaining public authorisations, licences, permissions and certificates;
- independence, means and delegation of powers to the compliance officer;
- open communication channel for reporting of irregular activity, which must be widely announced both within the organisation and to third parties, along with protection mechanisms to whistleblowers;
- imposition of disciplinary actions in case of violation of the compliance programme;
- internal procedures to secure the immediate interruption of the detected violation and the timely remediation of the damage caused;
- appropriate checking measures for hiring and, if the case, supervising, third parties such as suppliers, service providers, agents and associates;
- conducting anti-corruption due diligence reviews in mergers, acquisitions and corporate restructurings;
- constantly monitoring and updating the compliance programme in order to prevent, detect and combat the occurrence of violations of the Clean Companies Act; and
- disclosing donations to political parties and candidates transparently.
A compliance programme must include at least these elements for a company to become eligible for the penalty reduction. Small companies are excused from evidencing some of these elements, specifically: the extension of the programme to third parties, the periodic risk assessment, the compliance officer, the hotline for violations and whistleblowers’ protection, anti-corruption due diligence, appropriate checking measures of hiring third parties and the constant updating of the programme. Further regulation related to how much small companies have to do may be enacted by the Secretary of Small Companies and the Head of the Comptroller’s Office.
The size of the company, number of employees, complexity of the internal hierarchy, number of legal entities of the group, use of agents, sector involved, countries where it does business, level of interaction with the public sector and relevance of government authorisations, licences, permissions and certificates to its business – will all be taken into consideration for the purpose of the effectiveness of the compliance programme, pursuant to the Decree.
The minimum standards provided by the Decree cover a lot – if not all – of what needs to be in a compliance programme for it to be effective.
The Decree is silent on what is arguably the most important consideration for a compliance programme to be effective: simplicity. It has to be understandable and reachable to all employees across all areas and hierarchy levels of the company.
If one really intends to avoid violations, rather than merely benefit from a fine reduction, the following advice should be noted.
The first element listed in the regulation, the unequivocal engagement of senior management of the company, is of great importance. If management does not support the programme, employees will see it as a piece of paper.
Another key element is the appointment of the right person or group of people to implement and monitor the compliance programme. It is highly advisable that this job is handed to a senior executive or group of executives (the compliance committee), with total independence and authority, full access to senior management and deep knowledge about the internal structure of the company. The executive or group of executives must be in a position to keep suspicious activities reported to them confidential.
Compliance programmes must be tailored to the specific needs of each company and its business activity. It must be capable of educating and training executives and employees about risks that they and the company are exposed to. It has to deal with real life examples for the company’s staff. Ideally, materials should include videos, online training sessions, workshops and other activities that trigger the interest of people in the subject matter. Commonly, employees are tested after training and grades are considered in their professional evaluations.
A hotline for reporting violations, allowing the immediate reporting of suspicious activities to the compliance officer or committee is also very useful. Confidentiality and anonymity is absolutely crucial for the success of the programme. More than anything, people must feel safe and protected by the internal institutions to say ‘no’ to an improper offer or situation, even when under extreme pressure to deliver results.
An effective programme must also establish a document retention policy, which takes into account obligations provided by tax and commercial laws and clearly instructs people not to destroy documentation.
Last but not least, a strong compliance programme must cover all areas to which the company is exposed, ranging from corporate governance to environmental laws, from tax regulations to money laundering, from bribery and corruption to antitrust.
Compliance and ethical behaviour may be the only adequate response to the local demand for a revised way of doing business in Brazil. When boundaries are crossed, companies have a lot at stake: reputation, brand, stock. But also their values. Compliance programmes can be an alarm bell and give senior management the opportunity to respond properly before things get worse.
Brazil owed the OECD member countries a response to the loopholes identified by the international community following the OECD Convention on Combating Bribery of Foreign Public Officials in International Business Transactions in 2010.
Through the Act and its implementing regulations, authorities in Brazil have recently promulgated clear direction on bribery and corruption, including on the effectiveness and structure of compliance programmes. Companies should be attentive to the message that the regulation is sending about the content of their compliance programme and act accordingly.