Legal and regulatory framework

Legal role

What legal role does corporate risk and compliance management play in your jurisdiction?

Corporate risk and compliance management in Mexico has traditionally played a mostly commercial and business contingency role. Mexico has not had corporate criminal liability until recently, and does not have significant product liability or product recall actions. Although Mexico has had a class-action lawsuit mechanism since 2011, lawyers have not taken up the challenge of forming a class action bar such as exists in the United States and other jurisdictions. Mexico still shares a significant core of common culture, and litigiousness is clearly not one of its characteristics. Most Mexicans prefer to conserve the social fabric and community of which they are a part, and consider this to be of more value than short-term pecuniary personal gain. For this reason, tort litigation is almost unheard of in Mexico. Regulatory compliance has also not traditionally been a focus of serious risk and compliance management because many managers have relied on their abilities to bribe officials who threaten fines or closure for lack of regulatory compliance.

One of the few areas in which litigation is considered acceptable social behaviour is labour and employment. Termination of labour employment can only be for legislatively defined just cause, which is notoriously hard to prove. Therefore, Mexican employees expect generous severance payments when they are dismissed or laid off. If full severance is not paid to an employee, the employee will often sue to recover this amount, which may take several years. For this reason, corporate risk and compliance management in Mexico focuses significantly on labour and employment matters.

Recent years have seen a change of situation. The largest single factor driving this change is aggressive enforcement by the US Department of Justice (DOJ) and Securities and Exchange Commission (SEC) of the Foreign Corrupt Practices Act in Mexico. With regard to the number of enforcement actions settled by the DOJ and SEC, Mexico ranks fourth in the world with 48 actions, trailing only China, Nigeria and Iraq. Arguably, this ranking is not as negative as it might at first appear, given Mexico’s status as the US’s second-biggest trading partner. However, this activity is especially visible to US-based companies operating in Mexico, which take the threat of prosecution very seriously, especially in the past 10 years that have seen a significant uptick in enforcement actions.

More recently, Mexican lawmakers have become active in areas that drive risk and compliance management. The class action lawsuit mechanism that became law in 2011 have not yet become actively used, but development takes time: the modern US class action was born in 1966 with a renewal of the Federal Rules of Civil Procedure. The most likely reason for the lack of activity in the class action space in Mexico is the very limited provisions for litigation discovery. This deprives the plaintiffs of the opportunity to establish their case in many instances.

Perhaps of most importance for the evolution of risk and compliance management in Mexico is the recent advent of criminal liability for corporate entities. In December 2014, the Mexico City legislature enacted criminal liability for companies. Although this change was not widely reported at the time, and many practitioners did not become aware of the change until well after its enactment, word has begun to spread through the community. This is especially the case because of a few high-profile cases that have involved criminal liability for companies, owing to the significant fines levied on the companies. Where Mexican criminal law traditionally has been based on a defined number of multiples of the federally mandated minimum wage (currently around US$5 per day) and designed to punish individuals who can be incarcerated, fines have been somewhat low. For example, top fines for such crimes as bribery under federal law are approximately US$5,000. Mexico City’s law defines its monetary penalties based on not the daily wage of the worker, but on the average daily profits of the company, and equates a year of incarceration to a penalty of 920 days of average daily profits.

The Mexico City criminal law should drive risk and compliance management because, for lower level employees, one of the elements of the crime is that the company did not exercise proper control over the activities of the employees who were the active participants in the crime.

Federal criminal law (the Federal Criminal Code and the National Code of Criminal Procedure) was modified in June 2016 to impose criminal liability on companies for most types of white-collar crimes. This law also includes the element of lack of proper controls, so it should also drive compliance and risk management in Mexican companies.

Finally, the General Law of Administrative Responsibilities establishes administrative penalties for various corruption-related offences. Enacted in July 2016, it entered into force fully in July 2017. It establishes a much more detailed set of standards that a company must meet to avoid liability. As discussed below, under the General Law of Administrative Responsibilities, having a compliance programme can act in essence as an affirmative defence. Failure to have a compliance programme or an adequate integrity policy can be a significant factor in determining corporate criminal liability and expose corporate entities to sanctions, which can be as high as US$6.5 million, plus damages and disgorgement.

Laws and regulations

Which laws and regulations specifically address corporate risk and compliance management?

Specifically, the new General Law of Administrative Responsibilities sets out the characteristics needed for an integrity policy or compliance programme. In addition, the Model Program for Corporation Integrity published by the Ministry of Public Administration provides recommendations for compliance programmes or integrity policies.

Highly regulated industries, such as finance, insurance and healthcare industries, have specific legal regimes to manage the types of risk and compliance that are specific to each industry. For companies in general, the laws and regulations that specifically address risk and compliance management and are of the highest priority are the corporate law, consumers’ protection law, commercial law, labour law, administrative law and criminal law.

Standards and guidelines

Give details of the main standards and guidelines regarding risk and compliance management processes.

The General Law of Administrative Responsibilities sets out the main standards for risk management in anti-corruption matters. The law has no regulations at this time. However, the Model Program for Corporate Integrity provides recommendations for compliance programmes or integrity policies, as discussed above.

Other industry-specific laws set out processes in various regulations and Mexican official standards (NOM). For example, NOM-220-SSA1-2012 sets out the plan that healthcare companies must establish for pharmacovigilance. Similar standards for other industries would be too numerous to list, and require specific subject-matter expertise to interpret.


Are undertakings domiciled or operating in your jurisdiction subject to risk and compliance governance obligations?

As discussed above, risk and compliance governance obligations apply to operations in Mexico of various undertakings, regardless of the form of the entity. With the exception of a relatively few provisions of Mexican law, such as criminalisation of foreign corrupt practices of Mexican companies, Mexican law is territorial in its application. Whether an entity is domiciled or not in Mexico, its operations in Mexico will be subject to Mexican law, including risk and compliance governance obligations.

What are the key risk and compliance management obligations of undertakings?

While it is not mandatory, undertakings are expected to implement and maintain an adequate integrity policy or compliance programme as discussed in questions 6 and 7 above.