On September 22, 2015, Brazil’s Comptroller‑General of the Union (the “CGU”) issued guidelines (the “Guidelines”) on framing and implementing compliance programs under Law No. 12,846, the so‑called Clean Company Act (the “Act”), and Decree No. 8,420 (the “Decree”), which implemented the Act. Building on recently enacted Brazilian Ordinance No. 909 relating to compliance programs, the Guidelines provide further, non‑binding guidance on how companies ought to structure their compliance programs to comply with the Brazilian anti‑corruption framework. Similar to compliance guidance issued by others – including the OECD, the United States, the United Kingdom, and other governments, as well as civil society organizations – the Guidelines focus on Continued on page 2 Also in this issue: 12 UK “Corporate Offence” – Scottish Company Enters First Settlement Expressly Relating to Section 7 of the Bribery Act Click here for an index of all FCPA Update articles If there are additional individuals within your organization who would like to receive FCPA Update, please email email@example.com or firstname.lastname@example.org www.debevoise.com FCPA Update 2 October 2015 Volume 7 Number 3 a broad compliance strategy that includes relevant policies, procedures, training, monitoring, remediation, and, most importantly, appropriate corporate culture and support by senior executives and boards. Although the general tenor of the Guidelines harmonizes with guidance from other regulators, certain aspects are comparatively more detailed and may require closer attention from companies with Brazilian operations. Among other steps, the Guidelines recommend that all employees receive compliance training. The Guidelines also contain potentially strict language that, read expansively and literally, could require the initiation of internal investigations upon the receipt of any evidence of wrongdoing. In this article, we review the Guidelines, which represent Brazil’s most recent addition to its anti‑corruption enforcement program, and identify potential steps that companies may wish to consider taking in light of the Guidelines’ issuance. I. Brazil’s Anti‑Corruption Framework The Act imposes strict civil and administrative liability on corporate entities doing business in Brazil for corrupt conduct or bribery of Brazilian or foreign public officials, as well as fraud in connection with public tenders.1 It applies broadly to corporations, partnerships, and proprietorships, and to other for‑profit and non‑profit entities. The Act provides for monetary fines ranging from 0.1% to 20.0% of a company’s annual gross revenues. Issued in April 2015, the Decree clarifies the process – known as PAR (Processo Administrativo de Responsabilização) – for imposing administrative liability on legal entities for acts of bribery or corruption under the Act.2 It also sets forth guidelines for calculating fines, lays out rules governing leniency agreements, and establishes general parameters for evaluating a company’s compliance program. Both the Act and the Decree provide that the adoption and implementation of a robust anti‑corruption compliance program shall be a mitigating factor when the government is called upon to calculate fines applicable to a company’s breach of the Act. They also establish that leniency agreements must contain a provision requiring the adoption, application, or improvement of an existing compliance program by the breaching company. Brazil Issues Guidelines For Compliance Programs Continued from page 1 1. See Andrew M. Levine, Bruce E. Yannett, Renata Muzzi Gomes de Almeida, Steven S. Michaels, and Ana L. Frischtak, “Brazil Enacts Long‑Pending Anti‑Corruption Legislation,” FCPA Update, Vol. 5, No. 1 (Aug. 2013), http://www.debevoise.com/insights/ publications/2013/08/fcpa‑update. 2. See Andrew M. Levine, Bruce E. Yannett, Steven S. Michaels, Daniel Aun, and Bernardo Becker Fontana, “Brazil Issues Long‑Awaited Decree Implementing the Clean Company Act,” FCPA Update, Vol. 6, No. 8 (Mar. 2015), http://www.debevoise.com/insights/publications/2015/03/ fcpa‑update‑march‑2015. Continued on page 3 www.debevoise.com FCPA Update 3 October 2015 Volume 7 Number 3 Brazil Issues Guidelines For Compliance Programs Continued from page 2 As the Act and the Decree left certain questions unanswered, the CGU enacted four ordinances in April 2015 that provided additional guidance about Brazil’s anti‑corruption framework.3 Two dealt with compliance programs: Ordinance No. 909 provided guidance on how companies should structure their compliance programs and detailed how authorities will assess their adequacy and effectiveness; and Ordinance No. 910 provided, among other things, that prior to entering into a leniency agreement with a breaching company, the CGU will evaluate the firm’s compliance program. The recent Guidelines supplement these mandates and are discussed below. II. The New Guidelines on Compliance Programs The Guidelines set forth five “pillars” for the development and implementation of an effective compliance program:4 (i) commitment and support of a company’s senior management; (ii) designation of a specific department responsible for handling compliance issues within the company; (iii) risk analysis based on the company’s profile; (iv) structuring of compliance rules and tools; and (v) strategies for continuous monitoring. A. Five Pillars for an Effective Compliance Program 1. First Pillar: Senior Management’s Commitment and Support The Guidelines highlight that a company’s senior management support is indispensable to fostering a culture that is ethical and respectful of the rule of law, and to effective implementation of the compliance program. 3. See Andrew M. Levine, Sean Hecker, Daniel Aun, and Bernardo Becker Fontana, “Brazil Further Regulates Its Anti‑Corruption Framework,” FCPA Update, Vol. 6, No. 9 (Apr. 2015), http://www.debevoise.com/insights/publications/2015/04/fcpa-update. 4. The term used by the Brazilian regulations, including the Guidelines, is integrity program. The Guidelines explain that an integrity program is a compliance program tailored specifically to the goals of prevention, detection, and remediation of misconduct covered by the Act, and that, in addition to bribery, an integrity program will also focus on fraud in public bids and contracts. For consistency with anti‑corruption laws and guidelines in other jurisdictions, we use herein the term compliance program. Continued on page 4 “The Guidelines set forth five ‘pillars’ for the development and implementation of an effective compliance program: (i) commitment and support of a company’s senior management; (ii) designation of a specific department responsible for handling compliance issues within the company; (iii) risk analysis based on the company’s profile; (iv) structuring of compliance rules and tools; and (v) strategies for continuous monitoring.” www.debevoise.com FCPA Update 4 October 2015 Volume 7 Number 3 The Guidelines lay out a series of measures to be taken by the senior management. These include: (i) publicly endorsing the company’s compliance program and urging its observance in public statements and speeches, as well as in internal discussions; (ii) discussing the effectiveness of the company’s compliance efforts in regular meetings, including with lower‑level management members; (iii) providing adequate funding to the program’s implementation; (iv) acting righteously and therefore serving as a model of proper conduct and observance of the company’s compliance program; and (v) ensuring that the company is able to improve the program and adopt adequate corrective measures that may be necessary. The Guidelines stress that participation of senior management in wrongdoing violates these ideals as it displays a lack of institutional commitment to compliance. As an example of improper conduct, the Guidelines cite the case of managers who become aware of possible illegal action and do not take steps to remedy the situation or who turn a blind eye toward such events. 2. Second Pillar: Assigning Compliance Issues to a Specific Department Within the Company The Guidelines also highlight the importance of assigning a department within the company to the task of developing, applying, and monitoring the compliance program, and to allocating the appropriate financial, material, and human resources to it. Such a department should have autonomy to make its own decisions, ensure that any evidence of illegality be effectively investigated, and take all necessary actions to that end. The Guidelines emphasize that the company shall devise mechanisms that protect that department from arbitrary punishment resulting from the exercise of its authority. 3. Third Pillar: Risk Analysis Based on the Company’s Profile The Guidelines provide that the compliance program must be devised with due regard to a company’s circumstances, including its organizational and shareholding structure, number of employees and third parties, and the level of interaction with government entities. The Guidelines also note that the compliance program must account for the company’s risk profile, including the characteristics of the markets in which it operates (covering such aspects as the local culture, level of state regulation, and corruption exposure) and the corresponding likelihood of fraud and corruption. The Guidelines identify examples of circumstances that increase a company’s Brazil Issues Guidelines For Compliance Programs Continued from page 3 Continued on page 5 www.debevoise.com FCPA Update 5 October 2015 Volume 7 Number 3 corruption exposure, including: (i) participation in public bids and administrative contracts; (ii) need for licenses, authorizations, and permits; (iii) regular dealings with public agents engaged in government oversight of the private sector; (iv) contracting with current and former public agents; (v) gift giving to public agents; (vi) setting unrealistic business goals that may pressure employees to engage in improper conduct to achieve them; (vii) sponsorships and donations; (viii) use of third parties; and (ix) mergers, acquisitions, and corporate restructurings. As to gift giving to public agents, the Guidelines recommend that special caution is warranted for hospitality offers and gifts given to government employees due to possible liability under the FCPA and the U.K. Bribery Act. As to the use of third parties, the Guidelines highlight that companies can be liable under the Act for any unlawful acts committed by such entities to further the company’s interests. With regard to mergers, acquisitions, and corporate restructuring, the Guidelines stress that, under Brazilian law, companies might be held liable for acts committed prior to the transaction and therefore recommend that firms perform pre‑closing due diligence on their counterparties. 4. Fourth Pillar: Structuring of Compliance Rules and Tools The Guidelines’ most detailed section instructs companies on how to structure their internal rules and procedures to comply with the relevant Brazilian anti‑corruption statutes. First, the Guidelines recommend that companies craft a code of ethics that is made available to the company’s employees, clients, and business partners setting out the company’s standards of ethics and conduct in clear and concise fashion. The code of ethics should: (i) set out the company’s ethical principles; (ii) detail the company’s policies for the detection of wrongdoing, particularly in dealings with the government; (iii) expressly prohibit the payment of bribes, frauds in public bids, and improper arrangements with competitors in a public bid, among other offenses; (iv) instruct the company’s employees on the existence and use of internal mechanisms to report on wrongdoing, and prohibit the sanctioning of those who make use of such mechanisms; and (v) detail the sanctions to those liable for breaching the company’s code of ethics or conduct. The Guidelines then provide further guidance on key areas with respect to which companies may develop policies. Brazil Issues Guidelines For Compliance Programs Continued from page 4 Continued on page 6 www.debevoise.com FCPA Update 6 October 2015 Volume 7 Number 3 Dealings with the public sector. With respect to dealings with the public sector, policies should mitigate risks relating to bids and government contracts, the payment of taxes, and the granting of licenses and permits, among others. By way of example, the Guidelines suggest a few measures that may assist companies to achieve these goals, including rotation of employees who deal with public entities and government officials, a requirement that certain decisions be pre‑approved by superiors or by a compliance body, and mandatory technical parameters within which decisions should be taken by individuals discharging key functions, so as to reduce the room for discretionary actions on their part. Hospitality and gifts to public agents. The provision of hospitality and gift giving may be legitimate ways to promote a company’s name, but could lead to wrongdoing depending on circumstances such as the value of the gift and the role and power of its recipient. To address this risk, the Guidelines suggest that companies devise hospitality and gift policies providing, for example, that: (i) gifts should not be given with the purpose of seeking improper advantages or compensating the recipient for his or her assistance; (ii) the frequency with which gifts are given should not be unreasonable and in any event gifts should not be given repeatedly to the same recipient; (iii) companies should establish caps on gift‑related expenses, which in any event cannot exceed the boundaries of reasonableness; and (iv) gifts should not be given if they are not compatible with all applicable rules, including all of the statutes that may apply (e.g., the Act, the FCPA, and the U.K. Bribery Act) and the recipient’s own rules, if any. Books and records. Because bribery payments are often misreported in a company’s books and records as legitimate expenses, the Guidelines also deal with the establishment of strict books and records policies as a means to detect wrongdoing. The Guidelines note that, under the Act, companies whose business exposes them to higher risks of wrongdoing must devise policies that call for more detailed and analytical records of their transactions. These would include, for instance, explanations for the contracting of certain services, details on contract prices vis‑à‑vis market prices, and justifications for payments that exceed market prices. In addition, the Guidelines note that it may be appropriate for a company to assign a particular area or individual to the task of monitoring accounting issues relating to circumstances or dealings that entail a larger compliance risk; the rationale underlying this suggestion is that sudden changes in the company’s accounting parameters or unusual transactions that are easily noticeable by a single team or individual in charge of monitoring these issues may give rise to red flags that require further investigation. Brazil Issues Guidelines For Compliance Programs Continued from page 5 Continued on page 7 www.debevoise.com FCPA Update 7 October 2015 Volume 7 Number 3 Third‑party contracts. Contracting with third parties, particularly in connection with dealings with the public sector, may give rise to serious compliance issues. Accordingly, the Guidelines recommend that companies conduct due diligence on third parties ahead of contracting them and check, for example, whether they were involved in any corruption issues in the past or have compliance programs of their own. The Guidelines also recommend that companies seek to include in their contracts with third parties provisions that ensure their compliance with anti‑corruption rules, allow for the exercise of audit rights, and entitle them to terminate the contracts in the event these are breached. Furthermore, the Guidelines alert companies to potential red flags involving dealings with third parties, including unusual payment requests and the payment of success fees. Donations and sponsorships. The Guidelines recommend that companies inform themselves about the corruption‑related track record of the recipients of donations and sponsorships. They also recommend that companies determine whether the recipient of the funds is somehow linked to any government bodies. The Guidelines also provide that in circumstances that may give rise to a heightened compliance exposure companies should continuously monitor how their donations and sponsorships are spent. One way to do so is to enter into agreements with the recipients of the funds requiring them to specify in detail the uses of funds, and allowing the company to terminate its assistance if this clause is breached. Mergers, acquisitions, and corporate restructurings. The Guidelines also advise companies to conduct due diligence in order to assess the corruption exposure of a merger or acquisition target. If evidence of wrongdoing is found, the company should consider conducting more detailed investigation, including to assess the steps taken by the target entity to address the issue. Brazil Issues Guidelines For Compliance Programs Continued from page 6 Continued on page 8 “The Guidelines also provide that in circumstances that may give rise to a heightened compliance exposure companies should continuously monitor how their donations and sponsorships are spent. One way to do so is to enter into agreements with the recipients of the funds requiring them to specify in detail the uses of funds, and allowing the company to terminate its assistance if this clause is breached.” www.debevoise.com FCPA Update 8 October 2015 Volume 7 Number 3 Communications and training. The Guidelines stress that the ethics code and other compliance‑related materials must be easily available to all interested parties, e.g., online or on the company’s intranet. This may be more difficult for companies either just starting out, or smaller, older firms that have not yet modernized technologically. In addition, the Guidelines emphasize that companies doing business in foreign countries should produce compliance materials that account for risks particular to that jurisdiction and make them available in the relevant language. Also, employees must be made aware of whistleblowing channels (discussed more below) and whistleblower protection policies, as well as of the possibility of reporting any suspicion of wrongdoing. The company must keep open channels for orienting employees and answering their questions about the compliance program. In one of its broadest prescription, the Guidelines provide that, for a compliance program to be adequate, everyone within the company shall receive compliance training, and suggest that specific training be conducted with respect to particular aspects of the policies, such as on public bids and contracts, and on books and records matters. The Guidelines also suggest that training include practical examples, case studies, and “dilemma” situations. As a way of ensuring broad employee participation, the Guidelines recommend that the company make career progression dependent on participation in compliance training. Finally, the Guidelines highly recommend that the company keep records of internal training sessions, including information on the individuals who attended the sessions and the topics discussed in each of them, as this might be necessary for the company to demonstrate its efforts to implement a proper compliance program. Whistleblowing channels. The Guidelines recommend that the company evaluate the need to adopt different whistleblowing channels, such as complaint boxes, and telephone or online forums. They also note the importance that such channels be available to third parties and to the public in general. In order to ensure that whistleblowing channels work effectively, the Guidelines state that it is necessary for the company to keep policies in place to ensure whistleblower protection, for example by permitting anonymous reporting, prohibiting retaliation against whistleblowers, and establishing confidentiality rules. The Guidelines also indicate the desirability of whistleblowers having means to keep track of the development of their complaints. Brazil Issues Guidelines For Compliance Programs Continued from page 7 Continued on page 9 www.debevoise.com FCPA Update 9 October 2015 Volume 7 Number 3 Disciplinary measures. The Guidelines advise companies to maintain written disciplinary rules assigning to a department or individual the duty to apply disciplinary measures and dictating the formal procedures to do so. According to the Guidelines, sanctions must be proportional to the violation committed and to the liability of the individuals involved. The Guidelines also provide that companies must ensure that no manager or employee is exempt from disciplinary sanctions as a consequence of their place in the corporate hierarchy. Remedial actions. In another significant step for global companies, the Guidelines provide that the receipt of indicia of wrongdoing involving local or foreign governments requires companies to initiate an internal investigation. If the investigation confirms that wrongdoing occurred, the Guidelines mandate that measures be taken immediately to halt any ongoing improper practices and to remedy any damage caused. The Guidelines also expressly recommend that companies use data from the internal investigation to effectively cooperate with regulators, to the extent that the competent authorities may consider this to be a mitigating factor for sanctioning purposes. The Guidelines also provide that companies consider hiring independent investigators to look into the matter. 5. Fifth Pillar: Continuous Monitoring Strategies Lastly, the Guidelines address the strategies to be adopted by companies in order to monitor and improve the effectiveness of their compliance programs. Monitoring can be accomplished through the collection and analysis of information from various sources, including: (i) periodic reports on the program and any investigations; (ii) any trends identified in customer complaints; (iii) information from hotlines; and (iv) reports from regulatory or supervisory agencies. Submitting compliance measures for the review of an external auditor is another possibility contemplated by the Guidelines. B. The Compliance Program as an Element of Defense The Guidelines emphasize that, when it comes to compliance programs, there is no one‑size‑fits‑all approach. Compliance programs should be case‑specific and tailored to particular companies, at the risk of being ineffective or merely pro forma, and not being taken into account by regulators in an enforcement action. In that sense, the Guidelines stress the need for the five pillars above to work cohesively and systemically. Continued on page 10 Brazil Issues Guidelines For Compliance Programs Continued from page 8 www.debevoise.com FCPA Update 10 October 2015 Volume 7 Number 3 Under the Act and its implementing regulations, an effective compliance program can lead to a reduction in fines against a company charged with wrongdoing and can play an important role in regulators’ decision about entering into a leniency agreement with a company. Accordingly, the Guidelines characterize compliance programs as part of a company’s defense, thereby stressing the need for businesses to properly document all actions taken as part of their compliance efforts in order to demonstrate its effectiveness. III. Conclusion Although the Guidelines do not constitute binding advice, they provide an important resource for companies concerned with compliance issues in Brazil, reflecting local regulators’ expectations in connection with the Brazilian anti‑corruption framework. Taken literally, some of the recommendations appear somewhat strict and rigid. It remains to be seen the extent to which Brazilian regulators will take into account good‑faith efforts to follow these Guidelines and to apply them reasonably. For example, a literal application of the guidance that the receipt of evidence of wrongdoing – without further qualification – shall prompt companies to commence an internal investigation may lead to an inefficient allocation of scarce compliance resources, if interpreted expansively. It can only be hoped that the Brazilian authorities will interpret this Guideline in a reasonable manner and will not punish a company that does not incur the potentially significant costs of an internal investigation when doing so would provide little or no benefit. Similarly, a mandate that every company employee receive compliance training, if interpreted too rigidly, could deter companies initiating compliance programs from allocating training in a risk‑based manner. It can only be hoped that Brazilian regulators will recognize that, at a minimum, it may make sense to defer Brazil Issues Guidelines For Compliance Programs Continued from page 9 Continued on page 11 “Although the Guidelines do not constitute binding advice, they provide an important resource for companies concerned with compliance issues in Brazil, reflecting local regulators’ expectations in connection with the Brazilian anti-corruption framework.” www.debevoise.com FCPA Update 11 October 2015 Volume 7 Number 3 the training of employees who have no exposure to government or commercial counterparties and who pose little to no risk of being involved in corruption beyond a simple overview of the company’s compliance program. When viewed against the background of events in Brazil and the growing international consensus that companies must take strong measures to reduce the risk of bribery, however, even the strongest of the recommendations seem understandable. At bottom, the Guidelines serve as further indication that Brazilian authorities are continuing to take steps to implement strong anti‑corruption laws, in an effort that seems generally aligned with best practices endorsed in the United States,5 the United Kingdom,6 and elsewhere. Andrew M. Levine Sean Hecker Steven S. Michaels Daniel Aun Bernardo Becker Fontana Andrew M. Levine and Sean Hecker are partners, Steven S. Michaels is a counsel, Daniel Aun is an associate, and Bernardo Becker Fontana is a law clerk (admitted in Brazil), in the New York office. They are members of the Litigation Department and the White Collar Litigation Practice Group. The authors may be reached at email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, and email@example.com. Full contact details for each author are available at www.debevoise.com.