
Legal and regulatory framework

Legal role

What legal role does corporate risk and compliance management play in your jurisdiction?

Corporate risk and compliance management in Mexico has traditionally played a mostly commercial and business contingency role. Mexico has not had corporate criminal liability until recently, and does not have significant product liability or product recall actions. Although Mexico has had a class-action lawsuit mechanism since 2011, lawyers have not taken up the challenge of forming a class action bar such as exists in the United States and other jurisdictions. Mexico still shares a significant core of common culture, and litigiousness is clearly not one of its characteristics. Most Mexicans prefer to conserve the social fabric and community of which they are a part, and consider this to be of more value than short-term pecuniary personal gain. For this reason, tort litigation is almost unheard of in Mexico. Regulatory compliance has also not traditionally been a focus of serious risk and compliance management because many managers have relied on their abilities to bribe officials who threaten fines or closure for lack of regulatory compliance.

One of the few areas in which litigation is considered acceptable social behaviour is labour and employment. Termination of labour employment can only be for legislatively defined just cause, which is notoriously hard to prove. Therefore, Mexican employees expect generous severance payments when they are dismissed or laid off. If full severance is not paid to an employee, the employee will often sue to recover this amount, which may take several years. For this reason, corporate risk and compliance management in Mexico focuses significantly on labour and employment matters.

Recent years have seen a change of situation. The largest single factor driving this change is aggressive enforcement by the US Department of Justice (DOJ) and Securities and Exchange Commission (SEC) of the Foreign Corrupt Practices Act in Mexico. With regard to the number of enforcement actions settled by the DOJ and SEC, Mexico ranks fourth in the world with 48 actions, trailing only China, Nigeria and Iraq. Arguably, this ranking is not as negative as it might at first appear, given Mexico’s status as the US’s second-biggest trading partner. However, this activity is especially visible to US-based companies operating in Mexico, which take the threat of prosecution very seriously, especially in the past 10 years that have seen a significant uptick in enforcement actions.

More recently, Mexican lawmakers have become active in areas that drive risk and compliance management. The class action lawsuit mechanism that became law in 2011 has not yet become actively used, but development takes time: the modern US class action was born in 1966 with a renewal of the Federal Rules of Civil Procedure. The most likely reason for the lack of activity in the class action space in Mexico is the very limited provisions for litigation discovery. This deprives the plaintiffs of the opportunity to establish their case in many instances.

Perhaps of most importance for the evolution of risk and compliance management in Mexico is the recent advent of criminal liability for corporate entities. In December 2014, the Mexico City legislature enacted criminal liability for companies. Although this change was not widely reported at the time, and many practitioners did not become aware of the change until well after its enactment, word has begun to spread through the community. This is especially the case because of a few high-profile cases that have involved criminal liability for companies, owing to the significant fines levied on the companies. Because Mexican criminal law has traditionally based fines on a defined number of multiples of the federally mandated minimum wage (currently around US$5 per day) and was designed to punish individuals who can be incarcerated, fines have been somewhat low. For example, top fines for such crimes as bribery under federal law are approximately US$5,000. Mexico City’s law defines its monetary penalties not on the daily wage of the worker, but on the average daily profits of the company, and equates a year of incarceration to a penalty of 920 days of average daily profits.

The Mexico City criminal law should drive risk and compliance management because, for lower level employees, one of the elements of the crime is that the company did not exercise proper control over the activities of the employees who were the active participants in the crime.

Federal criminal law (the Federal Criminal Code and the National Code of Criminal Procedure) was modified in June 2016 to impose criminal liability on companies for most types of white-collar crimes. This law also includes the element of lack of proper controls, so it should also drive compliance and risk management in Mexican companies.

Finally, the General Law of Administrative Responsibilities establishes administrative penalties for various corruption-related offences. Enacted in July 2016, it entered into force fully in July 2017. It establishes a much more detailed set of standards that a company must meet to avoid liability. As discussed below, under the General Law of Administrative Responsibilities, having a compliance programme can act in essence as an affirmative defence. Failure to have a compliance programme or an adequate integrity policy can be a significant factor in determining corporate criminal liability and expose corporate entities to sanctions, which can be as high as US$6.5 million, plus damages and disgorgement.

Laws and regulations

Which laws and regulations specifically address corporate risk and compliance management?

Specifically, the new General Law of Administrative Responsibilities sets out the characteristics needed for an integrity policy or compliance programme. In addition, the Model Program for Corporate Integrity published by the Ministry of Public Administration provides recommendations for compliance programmes or integrity policies.

Highly regulated industries, such as the finance, insurance and healthcare industries, have specific legal regimes to manage the types of risk and compliance that are specific to each industry. For companies in general, the laws and regulations that specifically address risk and compliance management and are of the highest priority are the corporate law, consumers’ protection law, commercial law, labour law, administrative law and criminal law.

Types of undertaking

Which are the primary types of undertakings targeted by the rules related to risk and compliance management?

Under the General Law of Administrative Responsibilities, all companies are regulated regardless of the form of the entity.

Limited companies are the least regulated types of company unless they engage in one of the more regulated industries or activities discussed below. These entities must follow laws that protect their shareholders (corporate laws), employees (labour laws), commercial counterparts (commercial laws) and consumers (consumers’ protection laws), as well as civil society as a whole (environmental laws, competition laws, land use laws, criminal laws, etc).

Publicly traded or listed companies are also subject to laws regarding periodic financial reporting and disclosure, and avoidance of self-dealing and insider trading.

Financial institutions are subject to additional laws regarding their fiduciary duties toward the parties whose assets they hold. These differ depending on whether they are banks, investment funds, insurance companies or other types of financial institutions.

Healthcare companies are another type of undertaking subject to special rules related to risk and compliance management. Specifically, treatments provided to patients, clinical studies, medications, medical devices and the claims and promotional programmes made in relation to the foregoing are more highly regulated than other types of corporate activity.

Other industries that are highly regulated include power generation and transmission, mining, aviation and transportation. Each has its own set of standards that drive risk and compliance management.

Regulatory and enforcement bodies

Identify the principal regulatory and enforcement bodies with responsibility for corporate compliance. What are their main powers?

For all federal crimes, the General Prosecutor of the Republic heads both the investigation and prosecution, through the federal prosecutor’s office. For laws that apply to specific industries or activities, Mexican law has created special administrative enforcement entities that may assist the federal prosecutors in their work. Each of the 31 states and the City of Mexico has its own state prosecutors.

The principal powers of the General Prosecutor of the Republic are investigating and prosecuting federal crimes through the police, gathering evidence, carrying out actions to protect victims or the public, requesting arrest and search warrants from the federal courts, and deciding whether or not to prosecute.

The main agency involved in investigating crimes, including bribery, is the Attorney General, who investigates crimes at the federal level (General Prosecutor of the Republic) and at the state level (eg, Judicial Attorney General).

The agency’s most recent report from 2017 contains a section on crimes committed by public servants and against the administration of justice. This section includes statistics and data as to the efficacy of the agency’s investigations, and also refers to the Special Unit for the Investigation of Crimes Committed by Public Servants and against the Administration of Justice, and its mission to combat corruption and impunity of public servants.

Each Mexican government agency has the authority to enforce the General Law of Administrative Responsibilities.

Under the General Law of Administrative Responsibilities, internal control bodies of each government agency are responsible for investigating, substantiating, determining and imposing sanctions for minor administrative offences by public officials. In cases of serious offences by either public officials or private entities, the Superior Federal Court of Administrative Justice has jurisdiction to impose sanctions.

The Federal Court of Administrative Justice (now split from the fiscal court) resolves matters appealed from the internal control bodies for government employees, and all matters for private citizens.

For regulatory matters, Mexican law has created special entities to investigate and resolve administrative matters, which may later be appealed to the courts. For instance, the Federal Commission for Protection Against Sanitary Risks is assigned to investigate and determine administrative liability for healthcare regulations. It has investigatory powers, including inspections. In financial industry matters, the National Banking and Securities Commission has investigatory and inspection powers.


Are ‘risk management’ and ‘compliance management’ defined by laws and regulations?

Mexican law defines risk management and compliance management for various industries, such as the healthcare, mining and financial industries. These definitions focus on technical aspects of each discipline. Federal and state criminal laws require ‘proper internal controls’ if a company is to avoid liability for criminal acts carried out for its benefit or on its behalf. However, it is the General Law of Administrative Responsibilities that has the clearest definition of risk management under Mexican law. The existence of an adequate integrity policy or compliance programme can be a significant factor in determining corporate liability or in reducing sanctions, as long as it meets the following characteristics set out in the General Law of Administrative Responsibilities:

  • a clear and complete organisational and procedural manual that clearly defines the functions and responsibilities of each part of the company, and specifies clearly the chains of command and leadership for each corporate structure;
  • a code of conduct that is duly published and made known to every person in the organisation and that has systems and mechanisms for effective implementation;
  • adequate and effective controls, monitoring and auditing systems that ensure compliance on a continuous and periodic basis throughout the organisation;
  • adequate whistle-blowing systems for internal reports also allowing for reporting to authorities, as well as disciplinary processes with clear and specific consequences for those who act contrary to internal company policies or to Mexican legislation;
  • adequate systems and processes for training on ethics standards;
  • human resources policies to avoid hiring employees who could be a risk to the integrity of the company. These policies must not permit discrimination on the basis of ethnicity, nationality, gender, age, disabilities, social status, health status, religion, political opinion, sexual orientation, marital status, or any other ground that compromises human dignity or curtails human rights and liberties; and
  • mechanisms to ensure transparency and disclosure of interests (avoiding conflicts of interest) at all times.


Are risk and compliance management processes set out in laws and regulations?

The characteristics of a compliance programme or integrity policy have been defined for the first time in the new General Law of Administrative Responsibilities, which entered into force in July 2017. Additionally, in June 2017, the Ministry of Public Administration published the Model Program for Corporate Integrity, which provides the following recommendations for compliance programmes or integrity policies:

  • include measures to promote internal norms and accountability within the company, in accordance with national and international commitments;
  • ‘tone at the top’ commitment from the board of directors and the general manager;
  • third parties and distributors are obligated to adhere to the company’s compliance policies;
  • the Code of Conduct must be adequately published and communicated to company personnel. Reference to the Confederation of Employers of the Mexican Republic is recommended;
  • apply the Code of Conduct in practice and promote reports of suspicious activities. If a company has multiple divisions, implementation can take place on an area-by-area basis;
  • the anti-corruption policy must take into account the degrees of risk for the country, industry, transaction, commercial opportunity and commercial association. For these purposes, rely on the Model for International Internal Controls;
  • for financial organisations, refer to these three guidelines:
      • the Sole Memorandum for Banks;
      • the Sole Memorandum for Stock Exchange; and
      • the Sarbanes-Oxley Act;
  • special attention is to be paid to the following areas of the company: sales, contracts, human resources and government contacts. The guide also recommends observance of the guide for the UK Bribery Act;
  • systems for self-reporting and training must be adequate and efficient; and
  • human resources must employ policies to avoid the employment of individuals who could generate a risk to the integrity of the company.

Standards and guidelines

Give details of the main standards and guidelines regarding risk and compliance management processes.

The General Law of Administrative Responsibilities sets out the main standards for risk management in anti-corruption matters. The law has no regulations at this time. However, the Model Program for Corporate Integrity provides recommendations for compliance programmes or integrity policies, as discussed above.

Other industry-specific laws set out processes in various regulations and Mexican official standards (NOM). For example, NOM-220-SSA1-2012 sets out the plan that healthcare companies must establish for pharmacovigilance. Similar standards for other industries would be too numerous to list, and require specific subject-matter expertise to interpret.


Are undertakings domiciled or operating in your jurisdiction subject to risk and compliance governance obligations?

As discussed above, risk and compliance governance obligations apply to operations in Mexico of various undertakings, regardless of the form of the entity. With the exception of a relatively few provisions of Mexican law, such as criminalisation of foreign corrupt practices of Mexican companies, Mexican law is territorial in its application. Whether an entity is domiciled or not in Mexico, its operations in Mexico will be subject to Mexican law, including risk and compliance governance obligations.

What are the key risk and compliance management obligations of undertakings?

While it is not mandatory, undertakings are expected to implement and maintain an adequate integrity policy or compliance programme as discussed in questions 6 and 7 above.


Liability of undertakings

What are the risk and compliance management obligations of members of governing bodies and senior management of undertakings?

Members of the board of directors and administration have a duty of care and of loyalty toward the company. As part of this duty, they must disclose conflicts of interest and recuse themselves from participating in decisions in which they have a conflict of interest. If they fail to do so, they are liable to the company for any damages caused. Directors and administrators are liable for the value of the capital contributions made by shareholders, for dividends, for accounting, control, files and other information required by law, and for the fulfilment of shareholder resolutions. They must also report any breaches of duty of care or loyalty to the auditors or be jointly liable with the directors at fault. If shareholders representing 25 per cent or more of the corporate capital of the company agree, they may sue the directors in the name of the company.

Do undertakings face civil liability for risk and compliance management deficiencies?

Yes. When companies fail to comply with legally established regulations, they can be civilly liable for any damages caused to third parties owing to their lack of compliance. For example, if a mining company does not follow safety standards (NOM-032-STPS-2008, NOM-023-STPS-2012) it may be liable pursuant to the federal or state civil code for any harm suffered by third parties or employees. In another example, a company that does not maintain proper risk and compliance management of the performance of its employees will be unable to demonstrate just cause for termination and, therefore, be liable for severance payments that would otherwise not be due.

Do undertakings face administrative or regulatory consequences for risk and compliance management deficiencies?

Yes. As discussed above, as of July 2017, under the General Law of Administrative Responsibilities, legal entities may be subject to corporate administrative liability when acts related to serious administrative offences are committed by individuals - either employees or third-party representatives - acting on behalf of the entity. Sanctions for corporate entities include double disgorgement or, even if there was no proven tangible benefit, sanctions can include fines of up to the equivalent of US$6.5 million. Corporate entities can be sanctioned by up to 10 years’ debarment from participating in public procurement, suspension of the entity’s activities or even dissolution of the corporate entity. Because the General Law of Administrative Responsibilities was recently fully implemented, there is no track record yet on the criteria that the administrative courts may use to evaluate compliance programmes or integrity policies nor guidance by the enforcement authorities on how they may use evidence of compliance programmes in decisions on whether or not to bring enforcement actions.

Lack of risk and compliance management in relation to regulations for specific industries will expose companies to liability for fines and other sanctions.

Do undertakings face criminal liability for risk and compliance management deficiencies?

Yes. As discussed above, under the Mexico City Criminal Code and the Federal Criminal Code, when a person commits a crime for the benefit of, on account of, in the name of, or using means provided by the company, and the company has not implemented ‘proper controls’, the company will be liable for the crime, along with any individuals who may be liable. The concept of proper controls is not defined by the law, nor is it clear how judges have interpreted or will interpret the requirement that their absence be proven as an element of the criminal liability for companies. Although criminal proceedings are now open to the public under the 2011 criminal procedure provisions, the files are only available to victims and defendants, so legal professionals only have access to rulings on an anecdotal basis.

Liability of governing bodies and senior management

Do members of governing bodies and senior management face civil liability for breach of risk and compliance management obligations?

Not unless they have breached their duty of care or loyalty.

Do members of governing bodies and senior management face administrative or regulatory consequences for breach of risk and compliance management obligations?

Not directly unless they have breached their duty of care or loyalty.

Do members of governing bodies and senior management face criminal liability for breach of risk and compliance management obligations?

The Mexico City Criminal Code divides criminal liability in companies between high-ranking officials, for which there is strict liability for the company, and lower-ranking employees, for whom the prosecutor must prove a lack of proper controls. For the strict liability cases, it is almost inevitable that at least one of the administrators will have committed acts sufficiently related to the criminal liability that the administrator will be liable criminally as well. This liability would not be for breach of risk and compliance management obligations. It would be for independent criminal acts. However, in the second case, where proper controls are not established, the law does not establish criminal liability for directors or senior managers in the absence of mens rea of their own.

Corporate compliance

Corporate compliance defence

Is there a corporate compliance defence? What are the requirements?

As discussed above, it appears that a lack of ‘proper controls’ is a required element of the crime itself. However, it is not clear how strict judges are being in interpreting this requirement. They may, in practice, be considering that if a crime is committed for the benefit of the company or using its resources, the lack of proper controls is a given. If this is the case, a defendant company that is able to show proper controls will likely be treated as having presented an affirmative defence. There are no specific requirements. However, it is likely that the elements of an integrity policy or compliance programme, as discussed in question 5, would be persuasive in showing proper controls.

For administrative liability, while there is no affirmative defence for adequate procedures to negate corporate administrative liability in Mexico, the existence of an adequate integrity policy or compliance programme is a significant factor in determining liability, which must be proven beyond a reasonable doubt, a standard usually reserved for the criminal context. The requirements for an effective integrity policy are listed in question 5 above.

Recent cases

Discuss the most recent leading cases regarding corporate risk and compliance management failures.

Since its enactment in 2012, the Federal Law for the Protection of Personal Data in Possession of Private Parties has been strictly enforced by the National Institute for Access to Information (INAI). During the past five years, the INAI has levied fines totalling approximately US$19 million on companies for data protection violations, most of them in the financial and insurance sector.

From 2014 to 2017, the Mexican antitrust watchdog, the Federal Economic Competition Commission, levied fines totalling approximately US$224 million for antitrust violations committed by seven competing maritime shipping companies, four financial and investment fund management firms, and Pemex Transformación Industrial, among others.

In August of 2015, Gas Express Nieto, a local natural gas company, paid approximately US$4 million in settlement of criminal charges for failure to follow regulatory safety obligations in relation to natural gas delivery. An explosion in January of that year near a children’s hospital in the outskirts of Mexico City caused the deaths of five persons and injuries to over 70 others.

In November of 2011, HSBC Mexico agreed to pay nearly US$30 million to the Mexican National Banking and Securities Commission, admitting to over 800 compliance failures identified in 2007 and 2008 in relation to money laundering. This case led HSBC Mexico to launch an internal project to implement significant improvements and a complete overhaul of its compliance department.

Government obligations

Are there risk and compliance management obligations for government, government agencies and state-owned enterprises?

Yes. The Organic Law of Federal Public Administration requires that all government agencies and government in general conduct their business according to policies. Specifically regulated areas include public safety, crime prevention, prevention of unlawful discrimination, sale of public property, elimination of poverty, social inclusion, environmental protection, trade, industry, transportation, communication, anti-corruption, public health and population centres.

The new General Law of Administrative Responsibilities replaces the Federal Law of Administrative Responsibilities of Public Servants with its own provisions, which are no longer limited primarily to government officials.

State-owned enterprises also have obligations on risk management and compliance. For example, the board of directors of the largest state-owned enterprise, Petróleos Mexicanos, has the obligation to establish policies in many areas, including environmental, health and safety compliance, employment practices and third-party contracting. To implement the third-party contracting policies, there is a Committee on Acquisitions, Leasing, Works and Services, which must identify and evaluate risks in the implementation of its policies. Pemex also has an Audit Committee, with its own policies.

Digital transformation

Framework covering digital transformation

What are the key statutory and regulatory differences between public sector and private sector risk and compliance management obligations?

In general, the public sector has been and continues to be far more highly regulated than the private sector, including in matters of risk and compliance management. From a legal perspective, public sector entities are limited in their activities to those that are specifically mandated by law. Private sector entities are free to act, as long as it is not prohibited by law. Although healthcare, worker protection, consumers’ protection, market competition and financial services have been regulated for many years in relation to risk and compliance management, only recently has the law introduced general provisions on risk management, such as those of the Federal Criminal Code or the General Law of Administrative Responsibilities.

Update and trends

In June 2017, the Ministry of Public Administration published its Model Program for Corporate Integrity to provide interpretation of the provisions of the General Law of Administrative Responsibilities. This Model Program provides guidance on corporate compliance programmes and integrity policies.