Legal and regulatory framework

Legal role

What legal role does corporate risk and compliance management play in your jurisdiction?

Corporate risk and compliance management have significantly increased in importance in Brazil since the enactment of the Brazilian Clean Companies Act (BCCA, Law No. 12,846/13) and its regulation, Decree No. 8,420/15, which determine that the execution of an effective integrity programme can reduce the penalties imposed on legal entities by up to 20 per cent.

Equally important is Law No. 12,850/13, enacted around the same time as the BCCA, which provides for criminal enforcement against the newly created concept of ‘criminal organisations’ - namely, a structurally organised association of four or more individuals, characterised by a division of tasks, with the object of obtaining, directly or indirectly, any sort of advantage through the practice of certain criminal infringements. An important provision introduced by the Law concerns plea bargaining agreements, which have significantly changed the dynamics of criminal investigations in the country.

Partly because of these new pieces of legislation, and partly because of new interpretations of existing legislation and of the burden of proof standards applied by the courts, several Brazilian companies have been dragged into the criminal investigation spotlight - particularly in Operation Car Wash, which was widely covered by the local and international media.

The outcomes for Brazilian companies (in their commercial activities in Brazil and abroad) could not be more challenging within this new compliance and governance environment.

Laws and regulations

Which laws and regulations specifically address corporate risk and compliance management?

The main legislation directly addressing corporate risk and compliance management in Brazil is as follows:

  • Law No. 12,846/13 - BCCA;
  • Law No. 12,850/13 - Criminal Organisations;
  • Decree No. 8,420/15 - BCCA Regulation;
  • Law No. 13,303/16 - Public Companies’ Law;
  • Law No. 12,529/11 - Competition Law;
  • Law No. 9,613/98 - Money Laundering Law;
  • Law No. 8,666/93 - Public Bidding Law;
  • Law No. 8,429/92 - Improbity Law; and
  • Decree-Law No. 2,848/40 - Criminal Code.

Types of undertaking

Which are the primary types of undertakings targeted by the rules related to risk and compliance management?

Law No. 12,846/13 applies to any corporation, foundation or association, and to foreign companies that have their registered office, branch or representation in Brazil, that engage in wrongful acts against the public administration. The term ‘public administration’ covers both foreign governments and public international organisations. As for foreign public agents, the law defines them as anyone who holds an office, is employed or is in civil service in public entities, government entities or diplomatic representations abroad, including entities controlled by a foreign government or by international public organisations.

It is important to note that the BCCA did not establish criminal liability of legal entities, but rather administrative and civil liability of such entities. Moreover, the Law does not exclude the administrative and civil liability of their directors or officers, who may be held accountable in connection with a tort, to the extent of their culpability. In addition, directors or officers may also be held criminally accountable under the provisions of the Brazilian Criminal Code.

The Law also establishes that, in the event of a merger or amalgamation, the liability of the successor is restricted to the payment of a fine limited to the value of the assets transferred. In addition, parent companies, subsidiaries, affiliates or members of a consortium, within the scope of the contract, may be jointly and severally liable for the infringements perpetrated, such liability being limited to the payment of administrative fines and full compensation of the damages caused.

Related legislation such as the Improbity Law and the Brazilian Competition Law takes a similar approach in terms of targeted undertakings. Regarding money laundering, the penalties apply to those who directly engage in illegal conduct, and also to ‘gatekeepers’ who fail in their duty to report.

Regulatory and enforcement bodies

Identify the principal regulatory and enforcement bodies with responsibility for corporate compliance. What are their main powers?

In the administrative sphere, the regulatory body responsible for enforcing the BCCA is the highest authority of the public entity against which the infringement was committed, or a ministry of state if the conduct is committed against the direct public administration. In such cases, that authority will designate a special commission to conduct and judge the procedure.

In addition, whenever the infringement involves the Federal Public Administration, the Federal Comptroller’s Office (CGU) has delegated powers to enforce legislation. The CGU also holds general powers to take over investigations related to infringements committed against any other public authorities.

In case of procedures for damage compensation, the harmed public agency may file a claim before the judiciary courts, with the assistance of the Attorney General. Public prosecutors also have concurrent jurisdiction to bring damage claims, mainly to enforce administrative fines against legal entities before the courts.

There are also other entities in charge of enforcing different legislation, such as the Federal and State Account Tribunals (over Improbity Law issues) and the Administrative Counsel of Economic Defence, the latter of which deals with competition issues, including bid rigging.

Are ‘risk management’ and ‘compliance management’ defined by laws and regulations?

Normative Instruction No. 01/2016, issued by the Federal Public Prosecutor and General Controller (now the Ministry of Transparency), defines ‘risk management’ as a ‘process, to identify, evaluate, manage and control potential events or situations, to provide reasonable certainty as to the achievement of the objectives of the organisation’.

Are risk and compliance management processes set out in laws and regulations?

Law No. 13,303/16 defines the processes to be adopted by state-owned companies and mixed-capital entities, while the BCCA and its Regulation determine the desirable processes to be implemented by private companies.

Standards and guidelines

Give details of the main standards and guidelines regarding risk and compliance management processes.

Decree No. 8,420/2015 provides for the minimum requirements for an integrity programme to be considered effective and, thus, to be able to benefit from a reduction in fines for infringements by legal entities.

According to the Decree, a compliance programme consists of:

[the] mechanisms and internal proceedings of integrity, auditing and incentives to denounce violations in the context of a corporation, and the effective application of codes of ethics and conduct, policies and guidelines with the objective to detect and correct violations, fraud, irregularities and illicit acts committed against the public administration, either national or international.

Minimum requirements for the programme to be considered a mitigating factor include:

  • engagement of senior management of the company;
  • implementation of a code of ethics, code of conduct and compliance policies applicable to all employees and managers;
  • extension of the programme to third parties such as suppliers, service providers, agents and associated companies;
  • periodic training;
  • periodic risk assessment;
  • proper accounting registries;
  • internal controls that secure trustworthy financial reports;
  • internal proceedings that prevent fraud and illicit acts;
  • independence, means and delegation of powers to the compliance officer;
  • an open communication channel for reporting of irregular activity;
  • disciplinary actions in case of violations;
  • internal procedures to secure the immediate interruption of the detected violation, and damage remediation;
  • appropriate checking measures for hiring third parties; and
  • transparent disclosure of donations to political parties and candidates.

Are undertakings domiciled or operating in your jurisdiction subject to risk and compliance governance obligations?

Resolution 4,567/2017, issued by the National Monetary Council, created an obligation for financial institutions to adopt compliance mechanisms. The institutions covered by the Resolution must have a communication channel through which employees, customers, users, partners or suppliers may report, without identifying themselves, any wrongdoing or unlawful action related to the activities of the institution. The competent area within the organisation must prepare semi-annual follow-up reports on the matters reported, containing at least the number of reports received, their nature, the areas responsible for dealing with each situation, the average time taken to deal with each situation and the measures adopted by the institution with regard to the reported matter.

More recently, the State of Rio de Janeiro and the Federal District enacted State Law No. 7,753/2017 and District Law No. 6,112/2018, respectively. Both pieces of legislation make the implementation of integrity programmes mandatory for companies that execute agreements with the Public Administration, whether a contract, consortium, concession or any other type of agreement.

In the case of the Federal District, the rule applies to any agreement with a term exceeding 180 days and an estimated value equal to or higher than the threshold established for bids under the price submission procedure (80,000 reais to 650,000 reais).

The rules of State Law No. 7,753/2017 apply to any agreement with a term exceeding 180 days and a value above the thresholds established for bids under the competition procedure, currently 1,500,000 reais for construction works and engineering services, and 650,000 reais for acquisitions and services.

Technically, other than for financial institutions covered by Resolution 4,567/2017 and companies subject to State Law No. 7,753/2017 or District Law No. 6,112/2018, there is no general obligation to implement risk and compliance governance in Brazil; there are, however, benefits in doing so. In addition, specific obligations may apply in certain circumstances, such as for participation in the ‘new market’ segment of the Brazilian Stock Exchange, where higher levels of governance apply.

What are the key risk and compliance management obligations of undertakings?

As mentioned above, there is no general legal obligation to implement risk and compliance governance in Brazil. Instead, each company determines, on a case-by-case basis, the level of governance it intends to implement, following the best guidelines and legal standards provided by the legislation.

In this regard, companies are advised to implement mechanisms and internal control procedures against irregularities in the application of their codes of ethics and conduct. Such mechanisms, referred to as an ‘integrity programme’, must be suitable for, and kept up to date with, the activities and requirements of the undertaking. The existence of a well-structured integrity programme helps to reduce penalties in the event of an infringement of the compliance or anticorruption obligations set out by law.

Moreover, the existence of such programmes is increasingly taken into account, not only by public authorities but also by the private sector, as a condition for access to financing mechanisms, public and private bids and general contracting of services.

Liability of undertakings

What are the risk and compliance management obligations of members of governing bodies and senior management of undertakings?

As part of the undertaking’s management activities, these individuals may be held liable for infringements of the legislation referred to herein, but only to the extent of their guilt or intent. More precisely, new local criminal theories - such as the Theory of Final Domain of Fact - may expose executives to administrative and criminal prosecution for a failure in their duty to supervise their subordinates (an omission), once the executive is aware of - and should have acted on - the facts involving the decision-making process of their subordinates.

Do undertakings face civil liability for risk and compliance management deficiencies?

There are no direct consequences for deficiencies in risk and compliance management mechanisms; however, there may be penalties if these deficiencies result in an infringement of Brazilian statutes. Moreover, deficient compliance controls will prevent undertakings from benefiting from reductions of any administrative fines.

Do undertakings face administrative or regulatory consequences for risk and compliance management deficiencies?

As in question 11, there are no direct consequences for deficiencies in risk and compliance management mechanisms; however, there may be penalties if these deficiencies result in an infringement of Brazilian statutes.

Do undertakings face criminal liability for risk and compliance management deficiencies?

In Brazil, there is no criminal liability for legal entities, except for environmental matters. However, directors and officers of an undertaking may be criminally liable for infringements they have committed, but only to the extent of their guilt or intent. In these cases, the applicable procedures and penalties are those provided for in the Criminal Code and related legislation.

Liability of governing bodies and senior management

Do members of governing bodies and senior management face civil liability for breach of risk and compliance management obligations?

According to the BCCA, these individuals are liable to the extent of their guilt, regardless of the legal entity’s liability. The individual is subject to the provisions of the Improbity Law, which requires offenders to repair the damage or return the goods that were illicitly obtained, as well as to those of the Civil Code and Law No. 6,404/75 (regarding corporations and their partners).

Do members of governing bodies and senior management face administrative or regulatory consequences for breach of risk and compliance management obligations?

The BCCA does not provide for the liability of individuals. Under the antitrust legislation, individuals may be subject to a fine and may be prevented from engaging in commerce for a period of up to five years. Under the terms of the Improbity Law, individuals may be subject to the freezing of assets, the return of money illegally obtained or a fine of up to three times the value illegally obtained, in addition to the restoration of the damages caused.

Do members of governing bodies and senior management face criminal liability for breach of risk and compliance management obligations?

To the extent that a criminal infringement (such as corruption, money laundering, fraud or cartel conduct) is proved against a member of a governing body or senior management, the criminal liability provided for in the Brazilian statutes varies according to the nature of the infringement in question.

Criminal liability applies only to individuals in Brazil (except for environmental matters, where there may be corporate criminal liability). Private corruption is not considered a crime; a public agent or public body must therefore be involved for the conduct to be considered a crime.

Corporate compliance

Corporate compliance defence

Is there a corporate compliance defence? What are the requirements?

Offenders may present a defence based on the hypotheses set out in article 18 of Decree No. 8,420/15, such as:

  • having a robust compliance programme;
  • voluntary self-disclosure;
  • collaborating with the investigation, regardless of the execution of a leniency agreement; and
  • refunding damages caused.

This defence will not exempt the offender from guilt, but may help to reduce the penalties applied.

Recent cases

Discuss the most recent leading cases regarding corporate risk and compliance management failures.

In Brazil, the all-time leading cases regarding corporate risk and compliance management failures arose from Operation Car Wash. The companies targeted were found to be part of a corruption and cartel scandal spanning several of the markets in which they are active, shedding light on the importance of a well-structured compliance programme and regular monitoring. The settlement agreements executed - and those still under negotiation - are also serving to shape the structure of such mechanisms.

Government obligations

Are there risk and compliance management obligations for government, government agencies and state-owned enterprises?

Law No. 13,303/16 provides for obligations applicable to state-owned companies and mixed-economy entities. Government agencies and the government itself are subject to the provisions of the Improbity Law and the Fiscal Management Liability Law (Complementary Law No. 101/2000).

Digital transformation

Framework covering digital transformation

What are the key statutory and regulatory differences between public sector and private sector risk and compliance management obligations?

The main compliance law applicable to the public sector is the Improbity Law, which punishes acts of improbity committed by public agents against the public administration. It can also be applied to private parties if they are proven to have benefited directly or indirectly from the act. For an offender to be penalised, it must be proved that he or she acted with guilt (first or second degree).

As for the private sector, the main regulation is the BCCA. It applies to legal entities that perform wrongful acts against the national or a foreign administration. Unlike the Improbity Law, the BCCA provides for strict liability, meaning it is not necessary to prove intent or guilt.

In addition, the BCCA would arguably provide for a compliance defence, which is not possible under the Improbity Law.