Legal and regulatory framework

Legal role

What legal role does corporate risk and compliance management play in your jurisdiction?

Corporate risk and compliance management have significantly increased in importance in Brazil since the enactment of the Brazilian Clean Companies Act (BCCA, Law No. 12,846/13) and its regulation, Decree No. 8,420/15, which establish that the implementation of an effective integrity programme can reduce the penalties imposed on legal entities by up to 20 per cent.

Equally important is Law No. 12,850/13, enacted around the same time as the BCCA, which provides for criminal enforcement against the newly created concept of ‘criminal organisations’, namely an association of four or more individuals that is structurally organised, characterised by a division of tasks, and formed with the object of obtaining, directly or indirectly, any sort of advantage through the commission of certain criminal offences. An important provision introduced by the Law concerns plea bargaining agreements, which significantly changed the dynamics of criminal investigations in the country.

Partly because of these new pieces of legislation, and partly because of new interpretations of existing legislation and of the burden-of-proof standards applied by the courts, several Brazilian companies have been drawn into the spotlight of criminal investigations, most notably Operation Car Wash, which was widely covered by the local and international media.

The outcomes for Brazilian companies (for their commercial activities in Brazil and abroad) could not be more challenging within this new compliance and governance environment.

Laws and regulations

Which laws and regulations specifically address corporate risk and compliance management?

The main legislation directly addressing corporate risk and compliance management in Brazil is as follows:

  • Law No. 12,846/13 - BCCA;
  • Law No. 12,850/13 - Criminal Organisations;
  • Decree No. 8,420/15 - BCCA Regulation;
  • Law No. 13,303/16 - Public Companies’ Law;
  • Law No. 12,529/11 - Competition Law;
  • Law No. 9,613/98 - Money Laundering Law;
  • Law No. 8,666/93 - Public Bidding Law;
  • Law No. 8,429/92 - Improbity Law; and
  • Decree-Law No. 2,848/40 - Criminal Code.

Standards and guidelines

Give details of the main standards and guidelines regarding risk and compliance management processes.

Decree No. 8,420/2015 sets out the minimum requirements for an integrity programme to be considered effective and, thus, for the legal entity to benefit from a reduction in the fines imposed for infringements.

According to the Decree, a compliance programme consists of:

[the] mechanisms and internal proceedings of integrity, auditing and incentives to denounce violations in the context of a corporation, and the effective application of codes of ethics and conduct, policies and guidelines with the objective to detect and correct violations, fraud, irregularities and illicit acts committed against the public administration, either national or international.

Minimum requirements for the programme to be considered a mitigating factor include:

  • engagement of senior management of the company;
  • implementation of a code of ethics, code of conduct and compliance policies applicable to all employees and managers;
  • extension of the programme to third parties such as suppliers, service providers, agents and associated companies;
  • periodic training;
  • periodic risk assessment;
  • proper accounting records;
  • internal controls that ensure trustworthy financial reports;
  • internal proceedings that prevent fraud and illicit acts;
  • independence, means and delegation of powers to the compliance officer;
  • an open communication channel for reporting of irregular activity;
  • disciplinary actions in case of violations;
  • internal procedures to secure the immediate interruption of the detected violation, and damage remediation;
  • appropriate checking measures for hiring third parties; and
  • disclosing donations to political parties and candidates transparently.

Are undertakings domiciled or operating in your jurisdiction subject to risk and compliance governance obligations?

Resolution 4,567/2017, issued by the National Monetary Council, created the obligation for financial institutions to adopt compliance mechanisms. The institutions covered by the Resolution must have a communication channel through which employees, customers, users, partners or suppliers may report, without identifying themselves, any wrongdoing or unlawful action related to the activities of the institution. The competent area within the organisation must prepare semi-annual follow-up reports on the matters reported, containing at least the number of reports received, their nature, the areas responsible for dealing with each situation, the average time taken to deal with each situation and the measures adopted by the institution with regard to the reported matter.

More recently, the State of Rio de Janeiro and the Federal District enacted State Law No. 7,753/2017 and District Law No. 6,112/2018, respectively. Both pieces of legislation make the implementation of an integrity programme mandatory for companies that enter into agreements with the Public Administration, whether by contract, consortium, concession or any other type of agreement.

In the case of the Federal District, the rule applies to any agreement with a term exceeding 180 days and an estimated value equal to or higher than the threshold established for bids under the price submission procedure (80,000 to 650,000 reais).

The rules of State Law No. 7,753/2017 apply to any agreement with a term exceeding 180 days and a value above the thresholds established for bids under the competition procedure, currently 1,500,000 reais for construction works and engineering services, and 650,000 reais for acquisitions and services.

Technically, other than for the financial institutions covered by Resolution 4,567/2017 and the companies subject to State Law No. 7,753/2017 or District Law No. 6,112/2018, there is no general obligation to implement risk and compliance governance in Brazil; there are, however, benefits in doing so. In addition, specific obligations may apply in particular circumstances, such as participation in the ‘new market’ segment of the Brazilian Stock Exchange, to which higher governance standards apply.

What are the key risk and compliance management obligations of undertakings?

As mentioned above, there is no general legal obligation to implement risk and compliance governance in Brazil. Each company therefore determines, on a case-by-case basis, the level of governance it intends to implement, following best-practice guidelines and the legal standards set out in the legislation.

In this regard, companies are advised to implement mechanisms and internal control procedures to detect irregularities in the application of their codes of conduct and ethics. Such mechanisms, referred to as an ‘integrity programme’, must be suitable for, and kept up to date with, the activities and requirements of the undertaking. The existence of a well-structured integrity programme helps to reduce penalties in the event of an infringement of the compliance or anti-corruption obligations set out by law.

Moreover, the existence of such programmes is increasingly taken into account, not only by public authorities but also by the private sector, as a condition for access to financing, participation in public and private bids and the contracting of services generally.