Compliance programmes

Programme requirements

What requirements exist concerning the nature and content of compliance and supervisory programmes for each type of regulated entity?

According to Resolution 2,554, of 24 September 1998, financial institutions and other institutions authorised to operate by the Central Bank should establish internal policies and procedures to monitor their:

  • activities;
  • financial, operational and management information systems; and
  • compliance with all regulations they are subject to.

In this regard, a financial institution is responsible for:

  • implementing an effective in-house monitoring structure;
  • defining responsibilities and monitoring procedures, setting out the corresponding objectives at all levels of the institution; and
  • verifying compliance with internal procedures.

These internal controls should be effective and in line with the nature, complexity and risk of the transactions the institutions undertake.

Additionally, financial institutions must be audited by independent accountants, and appoint an executive officer responsible for compliance with all regulations related to financial and auditing records.

Financial institutions should also comply with anti-money laundering and know-your-client requirements, which, under Brazilian law and regulations, are set forth in Law 9,613 of 3 March 1998, as amended, and in regulations issued by the Central Bank and the CVM. Anti-money laundering and know-your-client rules apply to financial institutions and to a comprehensive list of entities engaging in financial and payment-related activities, which must observe certain requirements related to identification of clients and record keeping, including:

  • identifying clients and keeping their records updated; and
  • keeping a record of every transaction in Brazilian or foreign currency, securities, credit instruments, metals or other assets convertible into cash, when exceeding the thresholds set out by the competent authorities.

How important are gatekeepers in the regulatory structure?

As stated above, financial institutions must be audited by independent accountants and appoint an executive officer responsible for compliance with all regulations related to financial and auditing records. In addition to audit reports, independent accountants are also tasked with:

  • evaluating the financial institutions’ internal controls and procedures for managing risks, presenting any potential failings verified; and
  • describing any non-compliance with regulations applicable to the statements and activities of financial institutions.

Further, the financial institutions that meet the requirements established in CMN Resolution 3,198 of 2004 must have an audit committee, whose principal functions are to:

  • nominate the independent accountants to be elected by the board of directors;
  • supervise the work of independent accountants;
  • revise the financial records for each half-year period, as well as the administrative and auditing reports;
  • supervise accounting and auditing, including compliance with internal procedures and applicable regulations;
  • evaluate whether the financial institution’s management complies with the guidelines provided by independent accountants;
  • offer guidance to directors and officers with regard to internal controls and procedures to be adopted; and
  • meet with directors and officers, independent accountants and internal accountants to verify compliance with its guidelines.

Financial institutions must also set an ombudsman’s department to ensure compliance with the rules on consumer rights and to act as an interface between the financial institution and its customers and other users of its products and services, also serving as mediator in conflicts.

In August, 2017, the CMN enacted Resolution 4,595 establishing that Brazilian financial institutions and other institutions authorised to operate by the Central Bank must implement and maintain a compliance policy compatible with the nature, size, complexity, structure, risk profile and business model of the institution. This compliance policy is intended to ensure effective compliance risk management by the institution and may be established at the ‘consolidated enterprise level’.

The compliance policy must be approved by the board of directors, which is tasked with ensuring adequate management of the compliance policy throughout the institution, its effectiveness and continued application; its communication to all employees and service providers; and making integrity and ethical standards part of the institutional culture. The board of directors is also responsible for ensuring the application of measures in cases of non-compliance, and for providing the necessary resources for adequate conduct of compliance functions.

Financial services firms must also set up an adequate continuous and integrated risk management structure, as provided by Resolution 4,557, of 23 February 2017, and maintain an internal audit activity commensurate with the nature, size, complexity, structure, risk profile and business model of the institution, as established by Resolution 4,588, of 29 June 2017.

More recently, financial institutions have been required to implement and maintain a cybersecurity policy designed out of principles and guidelines that are intended to ensure the confidentiality, integrity and availability of data and information systems used by them. The cybersecurity policy shall be compatible with the size, risk profile and business model of the institution; with the type of transactions and the complexity of products, services, activities and processes of the institution; and with the sensitivity of data and information under the institution’s care and responsibility. In addition, financial institutions shall make public a summary of this policy outlining its general aspects.

Directors' duties and liability

What are the duties of directors, and what standard of care applies to the boards of directors of financial services firms?

A financial institution may be managed by a board of directors, executive officers or both (senior management).

The board of directors is a decision-making body with authority to establish the company’s business policy in general; to elect and dismiss executive officers; to set the duties and monitor the day-to-day managerial actions taken by the executive officers; to express an opinion in advance on any matters to be submitted to the shareholders; and to approve the implementation by the executive officers of specific matters prescribed by law or under the company’s by-laws.

The executive officers, among other duties, represent the company in its business interactions with third parties. The by-laws may establish that certain managerial decisions should be taken in executive officer meetings only.

Law 6,404 of 15 December 1976 (the Corporation Law) sets forth the fiduciary duties and liabilities applicable to senior managers.

The fiduciary duties applicable to senior managers and to members of technical or advisory bodies assisting them (provided such bodies were created through the company’s by-laws) are summarised below:

  • Duty of care: senior managers must devote to the company’s business the same standards of care and diligence that any active, diligent and honest person uses in the administration of his or her own business, using the powers conferred on them to achieve the goals of the company and acting in the best interests of the latter.
  • Duty of loyalty: senior managers must act with loyalty, putting corporate’s affairs ahead of their own.
  • Duty of acting without conflict of interests: senior managers must always act with no conflicting interests, not intervening in any transaction that involves a conflict of interests with the company, or in any decision that the other board members may take about it.
  • Duty to inform: this applies specifically to publicly held corporations.

When are directors typically held individually accountable for the activities of financial services firms?

In general, the liability of senior managers of joint-stock companies is set forth in article 158 of the Corporation Law. Senior managers will not be deemed personally liable for obligations assumed on behalf of the company by virtue of a regular act of management. However, senior managers are individually held accountable for any damage caused by acts committed with fault or intent; or in violation of the law or by-laws.

Senior managers are liable in the civil sphere for damage caused when acting with fault (negligence, recklessness or incompetence) or intent, even if they have not acted beyond their purposes or powers. An abuse of power occurs when a senior manager exceeds the powers or authority prescribed by law or under the by-laws, acting contrary to the interests of the company, its shareholders or third parties; a misuse of power is held to exist when a senior manager performs apparently legal acts (formal legality) other than for the purpose for which he or she was granted the powers of ordinary management.

Further, senior managers are liable:

  • for the damage originating from breach of the duties imposed by law to ensure the normal functioning of the financial institution;
  • for breach of banking rules, especially in their specific areas of expertise; and
  • in the case of intervention and non-judicial liquidation of financial institutions (bank resolution) as provided by Law 6,024 of 13 March 1974.

Finally, unlike in most countries, in Brazil, the controlling shareholders are jointly and severally liable for the liabilities exceeding assets of the financial institution in the case of bank resolution.

Private rights of action

Do private rights of action apply to violations of national financial services authority rules and regulations?

Article 5 of the federal constitution establishes that the law shall not exclude any injury or threat to a right from consideration by the judiciary. Accordingly, it is possible for individuals - as well as for consumer protection associations or the Public Prosecutor’s Office - to bring suit for the alleged violation of financial regulations.

Civil lawsuits related to financial and banking matters are numerous and spare no financial institution - from banks and payment agencies to banking correspondents and investments funds, among others. Banking litigation typically arises in disputes on financial transactions, interest rates, improper charges, pricing, and defective products or services.

Standard of care for customers

What is the standard of care that applies to each type of financial services firm and authorised person when dealing with retail customers?

Brazil’s legal system is based on the Civil Code, under which a duty to redress is subject to the existence of an illicit act, and to a causal relation between the illicit act and the loss caused to the aggrieved person.

In principle, there is no separate legal framework for financial institutions based on a special duty of care. But the CMN and the Central Bank have issued a number of different rules to protect consumers, and the STF, in a landmark decision on 7 June 2006, has held that the Consumer Protection Code applies to the relationship between banks and consumers as well. The STJ has sided with this view, and has issued from time to time interpretative rulings establishing the liability of financial institutions on specific matters.

Does the standard of care differ based on the sophistication of the customer or counterparty?

Yes. As noted under question 18, financial institutions are subject to a dual system of liability in Brazil:

  • for corporate clients, the basic principles of civil law liability; and
  • for consumers, a more protective system based on rules issued by the supervisory authorities and based on the Consumer Protection Code.

In addition, there are a number of rules requiring disclosure of products and services, and limiting the fees and other amounts charged to consumers on such products and services.

The trend is that court rulings will increasingly lean toward application of the Consumer Protection Code to banking agreements and toward revision of these agreements to make them less burdensome for consumers. In addition, the CMN and the Central Bank issue from time to time specific rulings on consumer rights in the banking industry.

The basic consumer rights with regard to financial institutions are as follows:

  • the burden of proof is reversed in court;
  • financial institutions must ensure that proper and clear information is provided on the different products and services offered, with accurate specifications for quantity, characteristics, composition, quality and price, and on any risks such products may pose;
  • the products and services being offered or recommended must be adequate to the needs, interests and objectives of clients and users (suitability);
  • financial institutions are prohibited from releasing misleading or improper advertisement or information about their contracts or services, as well as promoting overbearing or disloyal commercial practices;
  • financial institutions are liable for damage caused to their clients by any misrepresentation in their advertisement or information provided;
  • interest on consumer credit and related transactions must be proportionally reduced in the case of early payment of debts;
  • debt collection actions cannot be threatening or expose the client to embarrassment; and
  • amounts charged improperly in bad faith must be returned at twice the excess payment (except for excusable error, such as a system or operational error).
Rule making

How are rules that affect the financial services industry adopted? Is there a consultation process?

It is common that the regulations issued by the CMN, Central Bank and CVM, when involving relevant aspects of the national financial system, are first taken to public consultation, during which they are open to suggestions and statements from the general public.