Daniel S Kahn, Brooke Theodora, Davis Polk & Wardwell LLP

This is an extract from the Third Edition of The Guide to Compliance.

This is an Insight article, written by a selected contributor as part of GIR's co-published content.

The past decade has brought into sharp focus the anti-corruption enforcement risk for companies in Latin America, and with it the growing importance of building an effective corporate compliance programme, both to avoid potential misconduct and regulatory scrutiny in the first place and to receive mitigation credit if misconduct nonetheless occurs and triggers a government investigation. Designing, implementing and maintaining a risk-based compliance programme that prevents and detects misconduct, and that will garner the most favourable outcome from government regulators, has become paramount not only under US law but more recently under newly enacted statutes in Latin America.

This chapter first provides an overview of the guiding principles relating to anti-corruption liability and compliance, including the relevant statutes and policies. It then sets out best practices for designing, implementing and maintaining an effective corporate anti-corruption compliance programme that complies with those requirements and principles, helps companies avoid and identify misconduct, and mitigates liability where a violation occurs.

Compliance-related policies and statutes in Latin America

The past decade has seen the emergence of new, more aggressive legal frameworks to combat corporate corruption in Latin America. From recent local laws that establish corporate criminal liability for anti-corruption offences to the increased international focus on compliance as a proactive measure to detect and prevent corruption, there are a number of Latin American and international authorities that companies can look to as signposts for corporate compliance programmes.

Latin American authorities

A number of Latin American countries now have laws establishing corporate criminal liability for bribery and corruption offences, many of which were enacted within the past few years. For example, Argentina,[2] Chile,[3] Mexico,[4] Venezuela[5] and Peru[6] each have some form of corporate criminal liability for corruption-related offences. The penalties for corporate criminal liability in these countries range from fines to commercial suspension or dissolution, loss or suspension of government benefits, and publication of the conviction imposed on the legal entity.[7]

Although other Latin American countries do not have direct corporate criminal liability, many (including Brazil and Colombia) do have civil, regulatory or administrative anti-corruption regimes[8] that allow for virtually identical sanctions[9] or even hold a company jointly and severally liable with employees who have committed corruption-related crimes.[10]

Importantly, a growing number of these statutes in Latin America provide guidelines for corporate anti-corruption compliance programmes in one form or another, from requiring companies to maintain such programmes to either offering leniency or establishing an affirmative defence on the basis of an effective compliance programme. Although exact guidance on what constitutes an effective compliance programme differs from country to country, most laws relating to or requiring compliance programmes share common substantive themes.[11]

Brazil

Brazil’s Decree No. 11,129, which came into effect on 18 July 2022, updated the remedies available against corporations under Brazil’s Anticorruption Law (known as the Clean Company Act).[12] Decree No. 11,129 generally provides that an effective, pre-existing compliance programme may be a mitigating factor that reduces fines for anti-corruption violations. Under Decree No. 11,129, compliance programmes must be tailored to the risks of the particular corporation and updated to ensure continuous improvement and effectiveness. The Decree outlines several components of an effective compliance programme, including the commitment of senior management and board members, the allocation of adequate resources, the implementation of internal and third-party policies (e.g., a code of conduct and third-party due diligence procedures), periodic training sessions and other communications about the programme, continuing risk assessment and programme adaptation (where necessary in light of the company’s evolving risk profile), accurate and precise internal records and controls, and the establishment of remediation and disciplinary measures, among other components.

Although Decree No. 11,129 does not make a compliance programme mandatory, Law No. 14,133 does require certain companies participating in public tenders to have robust compliance programmes.[13] Law No. 14,133, which came into effect on 1 April 2023,[14] requires companies that win public bids valued at over 200 million reais to develop an effective compliance programme within six months of the underlying contract’s execution. In addition, the law states that the presence of such a compliance programme will serve as a tiebreaker – assuming all else is equal – between two bids for a contract.

Colombia

Colombia’s Transnational Corruption Act similarly establishes that an effective compliance programme may reduce administrative fines for anti-corruption violations.[15] On 1 January 2021, the Colombian Corporations Commission (the Superintendencia)[16] adopted Resolution 100-006261, which expanded the sphere of companies that are required to implement compliance programmes (i.e., business transparency and ethics programmes). Now, the vast majority of companies that operate in Colombia and abroad, or engage in international transactions and are otherwise supervised by the Superintendencia, must implement such a programme.[17]

To qualify for a fine reduction, a compliance programme must contain a number of features, including, among other things, being tailored to the particular risks of the corporation, being endorsed by senior management and imposing effective control mechanisms, such as third-party due diligence procedures and periodic audits, to ensure the effective detection of violations and the undertaking of remedial actions.

Mexico

A compliance programme may be a mitigating factor for liability for anti-corruption violations so long as the programme meets certain minimum requirements under Mexico’s General Law of Administrative Responsibility. Under this Law, an effective compliance programme must have a clear and complete organisational and procedures manual, a published code of conduct, adequate and effective internal controls, adequate whistle-blowing systems and disciplinary processes, effective training programmes and human resources policies, and adequate mechanisms to ensure transparency and avoid conflicts of interest.

Peru

Companies in Peru that have effective compliance programmes (i.e., prevention models) at the time of an alleged corruption offence are completely immune from corporate liability for the conduct.[18] To qualify for an exemption from liability, compliance programmes must, at a minimum:

  • appoint a person to be in charge of the prevention functions;
  • take measures to identify, evaluate and mitigate risks to prevent crime;
  • disseminate periodic compliance training;
  • implement internal complaint proceedings (e.g., a whistle-blower hotline); and
  • undertake continuing evaluation and monitoring of the programme.

Notably, if a company implements a compliance programme after the alleged offence but before the start of trial – or if the company proves that it has partially implemented a compliance programme with the minimum elements described above – the company may still be entitled to a reduction in fines.[19]

Chile

Similar to Peru, Chile exempts companies from criminal liability if they have adopted an effective compliance programme before the commission of an alleged corruption offence.[20] To qualify as a prevention model, Chilean law sets out minimum requirements for a compliance programme that generally mirror those established in Peru.[21]

Argentina

Under Argentina’s Corporate Criminal Liability Law (Law No. 27,401), the existence of an effective compliance programme – which is not required unless contracting with the Argentine federal government – can reduce penalties or even exempt an entity from penalties for corruption violations. To qualify, the programme must meet certain minimum requirements, including the implementation of a code of conduct, specific policies or procedures to prevent criminal offences in dealings with public administration and periodic compliance training.

In addition to these mandatory requirements, Law No. 27,401 sets forth recommended components of compliance programmes, including periodic risk analyses, a clear anti-corruption tone from senior management and supervisors, whistle-blower reporting channels, a whistle-blower protection policy, internal investigation protocols, third-party and merger and acquisition due diligence policies, and the appointment of a compliance officer.[22]

International authorities

In addition to Latin American authorities that are directly applicable to companies in the region, there are also a number of regulatory and other bodies outside Latin America that provide helpful guidance on corporate compliance programmes. Some of these authorities may likewise be directly applicable to Latin American companies; for example, if companies are listed on a US stock exchange and, therefore, are subject to US anti-corruption enforcement.

Enforcement authorities in Latin America have increasingly collaborated with regulators around the world to investigate and prosecute allegations of corruption, which may expose Latin American corporations to cross-border liability. Additionally, foreign and international regimes laying out guidelines for effective corporate compliance programmes have increasingly influenced the passage of new compliance-related laws in Latin America or may simply serve as additional signposts for designing, implementing and maintaining corporate compliance programmes.

United States

US anti-corruption law and policy is an integral framework for any corporate compliance programme, given the broad jurisdiction of the US Foreign Corrupt Practices Act (FCPA), its robust influence on international anti-corruption enforcement, and US regulators’ long-standing cross-border partnerships with Latin American enforcement agencies.[23] Notably, in March 2023, the US Department of Justice (DOJ) and the US Securities and Exchange Commission (SEC) for the first time published a Spanish-language edition of their ‘Resource Guide to the US Foreign Corrupt Practices Act’,[24] indicating their continued focus on the Latin America region. Moreover, in March 2024, the DOJ announced a new whistle-blower reward programme generally intended to assist it in bringing more foreign corruption cases.[25]

In general, the anti-bribery provisions of the FCPA prohibit both US and foreign companies that are either listed on a US exchange or have employees or agents who act while in the United States from making corrupt payments to foreign officials to obtain or retain business.[26] Although the FCPA’s anti-bribery provisions do not impose an affirmative duty to implement a compliance programme, its accounting provisions require publicly traded companies to maintain a system of internal controls that are sufficient to provide reasonable assurances that transactions are executed and assets are accounted for in accordance with the law.[27] Although a company’s internal accounting controls are not synonymous with its compliance programme, an effective compliance programme contains a number of components that may overlap with integral components of an issuer’s internal accounting controls under the FCPA.[28]

Moreover, under US law, corporate compliance is an integral part of anti-corruption (as well as other corporate) enforcement. In fact, it affects every component of a corporate criminal resolution:

  • It is one of the factors that prosecutors consider in determining whether a corporate enforcement action is appropriate and, if so, what form it should take.
  • It affects the fine that would be called for under the US Sentencing Guidelines,[29] as well as any reduction from that amount that prosecutors may conclude, at their discretion, is appropriate.
  • It is the driving factor in determining whether the company must retain an independent compliance monitor or whether the company can self-monitor during the term of the resolution agreement.

US regulators have increasingly expanded incentives for companies to develop and maintain robust compliance programmes over the years. For instance, in 2023, the DOJ updated its Corporate Enforcement Policy (CEP) to expand companies’ eligibility for declinations of prosecution – even in the face of ‘aggravating’ misconduct (e.g., egregious or pervasive wrongdoing) where, among other things, the company had an effective compliance programme and system of internal controls that enabled identification of the misconduct and led to voluntary self-disclosure.[30] Additionally, under the revised CEP, companies that do not receive a declination but that voluntarily self-disclose, cooperate and remediate (which depends on, among other things, the ‘[i]mplementation of an effective compliance and ethics program’[31]) will still benefit from the DOJ ‘accord[ing] or recommend[ing] to a sentencing court’ a fine reduction of at least 50 per cent and up to 75 per cent off the low end of the US Sentencing Guidelines fine range, except in the case of a criminal recidivist.[32] The DOJ has continued into 2024 to emphasise the importance of corporate compliance policies, including those that promote voluntary self-disclosure of wrongdoing.[33]

Likewise, the DOJ’s ‘Principles of Federal Prosecution of Business Organizations’ instruct prosecutors to consider a compliance programme’s design, implementation and effectiveness in determining whether to bring charges against a company as well as in negotiating pleas or other agreements.[34] The adequacy of a corporation’s compliance programme may influence the DOJ’s decision as to whether charges should be resolved through a guilty plea, a deferred prosecution agreement or a non-prosecution agreement, as well as the appropriate length of any such agreement or the term of corporate probation.[35] Further, the DOJ will generally not require the appointment of a monitor if a company voluntarily self-discloses, fully cooperates, timely and appropriately remediates, and has, at the time of resolution, implemented and tested an effective compliance programme.[36]

The US Sentencing Guidelines similarly take into account whether a company has an effective compliance and ethics programme, which may lead to a three-point reduction in an organisation’s culpability score under Section 8C2.5 and affect the fine calculation under the Guidelines.[37] The Guidelines lay out the minimum criteria for an effective corporate compliance programme, under which an organisation must:

  • establish standards and procedures to prevent and detect crime;
  • provide oversight by high-level management, typically the board of directors;
  • exercise due care in delegating substantial discretionary authority;
  • establish effective communication and training for all employees;
  • monitor, audit and report suspected wrongdoing, and periodically evaluate the effectiveness of the ethics and compliance programme;
  • promote and consistently enforce the corporate compliance programme by incentivising use of the established mechanisms, and disciplining employees who commit crimes or fail to take reasonable steps to prevent or detect criminal conduct; and
  • take reasonable steps to respond to criminal conduct once it has been detected and to prevent further criminal conduct.

Perhaps most notably, the ‘Evaluation of Corporate Compliance Programs’ (ECCP), published by the DOJ’s Criminal Division (which oversees all criminal enforcement of the FCPA), provides companies with detailed guidance concerning the design, implementation and maintenance of an effective corporate compliance programme.[38] The ECCP comprises 21 pages of questions organised by topic, which prosecutors use with respect to compliance programmes in making charging decisions, deciding whether a resolution is appropriate, formulating monetary penalties, if any, and determining whether compliance obligations are necessary for any corporate criminal resolution (e.g., monitorship or reporting obligations).[39] Although not prescriptive, the ECCP provides valuable insight into how the DOJ will measure and judge a company’s compliance programme.

This guidance is often used by other domestic and foreign enforcement authorities in their evaluation of corporate compliance programmes. In February 2023, for example, the DOJ announced a new corporate voluntary self-disclosure policy that requires all 94 US attorney’s offices across the United States and its territories to consider the ECCP in determining whether to impose an independent compliance monitor as part of a corporate resolution.

Europe

Latin American regulators also sometimes collaborate with European authorities to enforce anti-corruption laws.[40] As with the United States, European laws and policy can serve as a helpful benchmark for Latin American companies.

Under the UK Bribery Act 2010,[41] an effective compliance programme is a defence to the offence of failing to prevent bribery and is also a significant consideration in the Serious Fraud Office’s determination of whether to enter into a deferred prosecution agreement.[42] To qualify for a compliance defence, corporate compliance programmes must adhere to six principles – to:

  • implement procedures proportionate to the bribery risks that an organisation faces;
  • ensure top-level management is committed to preventing bribery;
  • undertake a risk assessment of the extent of the company’s exposure to bribery risks;
  • implement proportionate due diligence procedures;
  • communicate compliance training, policies and procedures; and
  • monitor, review and improve compliance procedures.

Similarly, France’s Sapin II anti-corruption law contains provisions requiring the implementation of corporate compliance programmes under certain circumstances. On 22 December 2017, the French Anti-Corruption Agency published recommended guidelines for compliance programmes, which are similar to those issued by the United States and the United Kingdom.[43]

In May 2023, the European Commission proposed a new directive that would require EU Member States to incorporate uniform anti-bribery measures into their laws.[44] The proposed directive seeks to provide more consistency and enforce minimum standards across the European Union with respect to anti-bribery issues. The European Parliament and Council are expected to enter negotiations on the final version of the proposed directive in the second half of 2024.[45] If the directive is adopted by the European Parliament and the Council, EU Member States would be required to enact its framework into national law within 18 months. Under the proposed directive, effective internal controls and anti-corruption compliance programmes are considered a mitigating factor, as is the rapid and voluntary disclosure of misconduct to regulators.

International conventions and multilateral development banks

Latin American countries have also been heavily influenced by international compliance guidelines, including those issued by the Organisation for Economic Co-operation and Development (OECD). As at May 2024, the OECD’s Anti-Bribery Convention – which establishes legally binding standards to criminalise bribery of foreign public officials in international business transactions – has seven Latin American countries as signatories: Argentina, Brazil, Chile, Colombia, Costa Rica, Mexico and Peru.[46] In November 2021, the OECD updated its ‘Good Practice Guidance on Internal Controls, Ethics and Compliance’ and called on its member countries to incentivise the development of compliance programmes.[47] Its enhanced compliance guidelines share many similarities with US requirements for effective anti-corruption compliance programmes.

Similarly, multilateral development banks (MDBs), such as the World Bank, have the ability to debar companies and individuals for corrupt practices. The World Bank’s ‘Sanctioning Guidelines’ provide for mitigation credit of up to 50 per cent (and more in exceptional circumstances) for companies that have taken voluntary corrective action and can demonstrate that they have implemented an effective corporate compliance programme. The World Bank’s ‘Integrity Compliance Guidelines’ set out a number of guidelines for compliance programmes, including a comprehensive and periodic assessment of risk, robust policies and procedures to detect and remediate misconduct, effective internal controls and efficient reporting standards.[48]

In addition, in March 2023, the World Bank and five other major multilateral development banks (African Development Bank, Asian Development Bank, European Bank for Reconstruction and Development, European Investment Bank and Inter-American Development Bank) agreed to and published new ‘General Principles for Business Integrity Programmes’, which provide the participating MDBs with a ‘harmonized’ approach to considering a company’s ‘business integrity programme’ in connection with investigations and potential sanctions for fraud and corruption.[49]

Designing, implementing and maintaining an effective compliance programme

As the authorities above demonstrate, although there is no ‘one-size-fits-all’ approach to implementing an effective compliance programme, regulators have articulated hallmarks that are common to effective compliance programmes. At its core, a compliance programme should be grounded both in preventing and mitigating the company’s unique risks and in documenting the process through which those risks are identified, monitored and addressed.

Creating a ‘well-designed’ compliance programme

Risk analysis

A common theme for the authorities cited above is that companies should take a risk-based approach to compliance. It is recognised that companies have a limited set of resources and cannot devote endless time, money and workforce resources to addressing and preventing every compliance risk that might exist, and that companies, therefore, should allocate resources to those risks that pose the greatest threats. As a result, the starting point for designing any compliance programme is an analysis of a company’s unique risk profile. Regulators will look at whether compliance programmes are ‘designed to detect [and prevent] the particular types of misconduct most likely to occur in a particular corporation’s line of business’ and ‘complex regulatory environment’ in order to determine whether the programme is crafted for ‘maximum effectiveness in preventing and detecting wrongdoing’.[50]

In undertaking their risk analysis, companies should fundamentally endeavour to (1) understand their geographical and operational footprint and how that footprint interfaces with relevant regulatory regimes, and (2) identify areas of their business that pose a higher likelihood of violating applicable laws. Although the analysis can take many forms, companies may start by using a questionnaire or survey, or by interviewing employees, to identify and assess from the company’s own employees’ perspectives the risks presented by their location of operations, industry, market competitiveness, regulatory landscape, potential clients and business partners, transactions with foreign governments, payments to foreign officials, use of third parties, gifts, travel and entertainment expenses, and charitable and political donations.[51] In their risk analysis, companies should ensure that they are considering any applicable emerging technologies, including artificial intelligence (AI) mechanisms, that may be used to perpetrate misconduct, as regulators have been increasingly focused on corporations’ ability to manage these emerging risks.[52] In addition, companies can review enforcement actions involving their competitors and enforcement actions involving the region or regions in which the companies operate. These enforcement actions can provide valuable insights into the types of risks that the company may be facing.

Codes of conduct, policies and procedures

Once a company has defined and assessed its risk profile, that assessment should become the pole star of its compliance programme, and the design and implementation should flow from it. Most often, the next step involves setting up a code of conduct, policies and procedures that are aimed at (1) addressing and reducing identified risks, and (2) incorporating a culture of compliance in the company’s day-to-day operations. The policies and procedures should address, among other things, gifts, hospitality, entertainment and expenses, customer travel, political contributions, charitable donations and sponsorships, and solicitation and extortion. While the policies and procedures should contain all necessary information, they should also be accessible to the relevant employees. Functionality is much more important than form, both for preventing and detecting misconduct and for impressing regulators: if employees do not understand the rules, they will not be able to follow them. Moreover, if policies are not practical, employees will seek to ignore or circumvent them. The best way to ensure that policies are comprehensible and practical is to consult with the business in developing the company’s policies and procedures. Regulators will likewise react more favourably to policies that are practical and where the business has had an active role in their development.

In March 2023, the ECCP was updated to provide new guidance with respect to establishing policies and procedures concerning the use of personal devices, communications platforms and messaging applications, including ephemeral messaging applications. This signals an increased focus by the DOJ on those devices and the role they play in corruption investigations. The ECCP explains that a company’s policies and procedures regarding personal devices and communications should be tailored to its risk profile and business needs and designed so that communications are being preserved to the fullest extent possible. The ECCP provides examples of assessments that companies should perform to ensure that their policies and procedures regarding personal devices and communications are sufficient, including assessing what electronic communication channels employees actually use and determining what preservation or deletion settings are in place and why those settings have been implemented.

Training

Once effective policies and procedures are developed, it is important to then train the relevant employees on those policies and procedures and applicable risks. The company’s training and communications programmes should be tailored to ensure effective integration of the company’s compliance policies throughout the organisation. Compliance training need not, and often should not, be developed to apply to every employee of the company; rather, training should be developed and tailored to the relevant group of employees who are exposed to the particular risk addressed by the training. Likewise, the company should give thought to how best to conduct training sessions – whether in person, pre-recorded, or virtual but live. Often, in-person training allows for more feedback and constructive dialogue about issues that are arising but may not be feasible because of the number and locations of employees and company resources. Training should also evolve over time to incorporate lessons learned from issues that have occurred within the company as well as from enforcement actions involving competitors or companies operating in the same geographical region.

Internal reporting mechanisms

Companies should also incorporate an efficient and trusted mechanism by which employees can anonymously and confidentially report alleged misconduct and breaches of the company’s code of conduct and policies. The ECCP specifies that an effective compliance regime includes, in particular, the use of mechanisms for confidential internal reporting of suspected misconduct as well as processes for conducting prompt internal investigations of allegations and incorporating lessons learned from those investigations.[53]

Third-party controls and due diligence

Another key component of a compliance programme is a system that ensures appropriate risk-based due diligence and controls around the hiring, retention and use of third parties. Third parties continue to be the most significant risk for companies because a company has far less transparency into the activities of third parties, and into what they do with the money they receive, than it has into the activities of its own employees. Regulators, therefore, will look for companies to design a programme that:

  • examines the business rationale for needing the third party in the transaction;
  • analyses the risks posed by third-party partners, including the third-party partners’ relationships with foreign officials;
  • endeavours to understand whether the third party is actually doing the work it has been engaged to perform; and
  • analyses whether the third party’s compensation is commensurate with work being provided relative to the industry and geographical region.

Regulators have increasingly referred to the use of AI and data analytics to identify third parties that are engaged in aberrant, and potentially problematic, behaviour. For example, data analytics can be used to identify whether there has been a spike in the frequency of payments or the amount of money that a third party is paid relative to other third parties engaging in similar activity. Companies without sufficient resources to engage in data analytics across their third parties will not be held to the same standard as companies that have those resources, but regulators will still want evidence that the company is taking seriously the risk that third parties pose, including by setting up appropriate controls around the payment of invoices (such as approval by someone outside the business unit that is responsible for hiring and using the third party).
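The payment-spike analytics described above, written out as an added example (not code from the chapter or its authors). It screens a constructed third-party payment ledger for three of the signals the paragraph names: a vendor's amount jumping relative to its own history, its payment frequency jumping, and its period-over-period growth standing out from peer third parties. Vendor names, amounts, the z-score thresholds and the 5 per cent spread floor are all assumptions chosen for illustration.

```python
"""Rule-based third-party payment screen (added illustration, not the chapter's own code).

All ledger entries below are constructed sample data; the thresholds are assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample ledger: (vendor, period 'YYYY-MM', amount paid).
# 'Agent B' is built to show a spike in April: three large payments in one period.
SAMPLE_PAYMENTS = [
    ("Agent A", "2024-01", 10_000), ("Agent A", "2024-02", 11_000),
    ("Agent A", "2024-03", 9_500),  ("Agent A", "2024-04", 10_500),
    ("Agent B", "2024-01", 12_000), ("Agent B", "2024-02", 12_500),
    ("Agent B", "2024-03", 11_800), ("Agent B", "2024-04", 48_000),
    ("Agent B", "2024-04", 47_000), ("Agent B", "2024-04", 46_500),
    ("Agent C", "2024-01", 9_000),  ("Agent C", "2024-02", 9_200),
    ("Agent C", "2024-03", 8_900),  ("Agent C", "2024-04", 9_100),
]


def aggregate(payments):
    """Per vendor and period: total amount paid and number of payments."""
    totals = defaultdict(lambda: defaultdict(float))
    counts = defaultdict(lambda: defaultdict(int))
    for vendor, period, amount in payments:
        totals[vendor][period] += amount
        counts[vendor][period] += 1
    return totals, counts


def zscore(value, sample, floor_frac=0.05):
    """Standard score of value against sample. The spread is floored at 5% of the
    sample mean (an assumption) so that a vendor with a perfectly flat history is
    not flagged for a trivial change."""
    mu = mean(sample)
    sd = max(pstdev(sample), floor_frac * abs(mu))
    if sd == 0:
        return 0.0
    return (value - mu) / sd


def period_ratio(vendor_totals, period):
    """This period's total divided by the mean of the vendor's earlier periods;
    None when there are fewer than two earlier periods to compare against."""
    history = [amt for p, amt in vendor_totals.items() if p < period]
    if period not in vendor_totals or len(history) < 2:
        return None
    return vendor_totals[period] / mean(history)


def screen_payments(payments, period, self_z=3.0, peer_z=2.0, count_factor=2.0):
    """Return {vendor: [reasons]} for vendors whose payments in `period` stand out.

    Checks: amount spike vs the vendor's own history, payment-count spike vs its
    own history, and growth ratio that is an outlier among peer third parties
    (comparing ratios rather than raw amounts, so a consistently large vendor
    is not flagged merely for being large)."""
    totals, counts = aggregate(payments)
    ratios = {}
    for vendor in totals:
        ratio = period_ratio(totals[vendor], period)
        if ratio is not None:
            ratios[vendor] = ratio

    findings = {}
    for vendor, ratio in ratios.items():
        reasons = []
        history = [amt for p, amt in totals[vendor].items() if p < period]
        if zscore(totals[vendor][period], history) > self_z:
            reasons.append("amount spike vs own history")
        history_counts = [c for p, c in counts[vendor].items() if p < period]
        if counts[vendor][period] > count_factor * max(history_counts):
            reasons.append("payment frequency spike vs own history")
        peer_ratios = [r for v, r in ratios.items() if v != vendor]
        if len(peer_ratios) >= 2 and zscore(ratio, peer_ratios) > peer_z:
            reasons.append("growth outlier vs peer third parties")
        if reasons:
            findings[vendor] = reasons
    return findings


if __name__ == "__main__":
    for vendor, reasons in screen_payments(SAMPLE_PAYMENTS, "2024-04").items():
        print(f"{vendor}: {', '.join(reasons)}")
```

On the constructed ledger only Agent B is flagged, and only for April; the earlier months produce no findings even though Agent B is consistently paid more than its peers, because the peer comparison works on growth ratios rather than raw totals. A flag is a prompt for review by someone outside the business unit that engaged the third party, which is the invoice-approval control the paragraph describes, not a conclusion about the vendor.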

Similarly, companies should ensure comprehensive due diligence of any acquisition targets as well as a process for timely integration of the acquired entity into the company’s existing compliance programme, structure and internal controls. As with the rest of the compliance programme, such diligence and integration should be tailored to the specific risks posed by the acquisition. The integration of the company’s compliance programme into the acquired company should not be conducted without first understanding the unique risks facing that newly acquired entity. It may be that not all the policies and procedures are applicable or right-sized for the newly acquired entity; therefore, both for the purposes of implementing the most effective programme and to demonstrate to regulators that the company is being thoughtful about its approach to compliance, the company should assess the risk and integrate its compliance programme and controls, and conduct training as appropriate.

Ensuring the compliance programme is adequately resourced and empowered to function effectively

Although a well-designed compliance programme is necessary to prevent and detect misconduct and to receive mitigation credit from regulators, companies must also ensure that their compliance programmes are adequately resourced and empowered to function effectively. In fact, regulators look closely at whether a company’s compliance programme is a ‘paper programme or one implemented, reviewed, and revised, as appropriate, in an effective manner’.[54]

Commitment by senior and middle management

A well-resourced and effective compliance programme includes a strong commitment by senior and middle management to implement a culture of compliance from the top down. The DOJ, for example, has shifted from emphasising the tone at the top and now focuses on conduct at the top and shared commitment by senior and middle management. Regulators will look at whether senior and middle management clearly articulate the company’s ethical standards, demonstrate rigorous adherence by example, and encourage employees to abide by those standards.

Likewise, DOJ guidance addresses the need for a company’s board of directors to be equipped with appropriate expertise and oversight, including over any areas in which misconduct has occurred. Examples that demonstrate such a commitment to regulators could include a certain amount of time at board meetings devoted to proactive compliance discussions (e.g., developments in the programme, lessons learned from enforcement actions against competitors or companies operating in similar regions) or instances where the board identified or addressed compliance risks associated with a particular transaction or deal.

Risk-appropriate resourcing

Along the same lines, regulators evaluate whether companies ensure that their compliance programmes are structured with sufficient resources, personnel and funding to enable accurate and independent auditing, documentation and analysis. This includes tailoring attention and resources on a risk-weighted basis, which can be critical not only to monitoring for misconduct but also to defending the programme before various regulatory authorities when misconduct does occur.

In the United States, prosecutors may ‘credit the quality and effectiveness of a risk-based compliance program’ that devotes resources and attention in a risk-appropriate manner, ‘even if it fails to prevent an infraction’.[55] The analysis also includes ensuring that those responsible for compliance have sufficient autonomy from management, such as direct access to the board of directors or the board’s audit committee. In fact, when the DOJ resolves a financial fraud or FCPA case, it routinely includes an attachment to the resolution that details requirements to be met in connection with the resolution of the case (often referred to as Attachment C). Attachment C clarifies that responsibility for the implementation and oversight of a company’s compliance code, policies and procedures – including those inherent in conducting a risk assessment – should be assigned to one or more senior executives with authority to report directly to independent monitoring bodies, such as the audit committee or the board.

Disciplinary procedures and incentives

With respect to disciplinary procedures, regulators assess whether companies implement clear consequence management procedures (i.e., procedures to identify, investigate, discipline and remediate any compliance issues) and whether they enforce them consistently across the organisation.[56] Among other things, regulators will look into whether a company’s ‘communications convey to its employees that unethical conduct will not be tolerated and will bring swift consequences, regardless of the position or title of the employee who engages in the conduct’.[57] For example, regulators ask whether companies publicise disciplinary actions internally.

Conversely, regulators also assess whether companies provide positive incentives for improving and developing compliance and demonstrating ethical leadership, including designing and implementing compensation schemes that foster a culture of compliance. Regarding compensation, the March 2023 update of the ECCP contains a significant amount of new guidance concerning the establishment of financial incentives for compliance and disincentives for non-compliance in a company’s compensation structure. With respect to financial incentives for compliance, the ECCP provides that prosecutors may look at whether a company has included compliance as a significant metric for promotions and bonuses. With respect to financial disincentives, the ECCP provides that prosecutors may consider whether companies have designed compensation systems that delay certain compensation until an employee has demonstrated conduct consistent with company values and policies, or recoup or reduce compensation if an employee engages in misconduct.

In line with the ECCP’s new guidance with respect to compensation structures, the DOJ also announced ‘The Criminal Division’s Pilot Program Regarding Compensation Incentives and Clawbacks’, under which companies resolving cases with the DOJ will be required to implement compliance-promoting criteria within their compensation and bonus system, and the DOJ will reduce fines for companies that claw back or attempt to claw back compensation from wrongdoers.[58]

Measuring, monitoring and improving the compliance programme

Last, companies should ensure that their compliance programmes actually work in practice. As most regulators acknowledge, ‘no compliance programme can ever prevent all criminal activity by a corporation’s employees’.[59] Accordingly, regulators will focus on ‘the adequacy and effectiveness of the corporation’s compliance program’ during the relevant period and at the time of the resolution, both in making charging decisions and in determining penalties.[60] It is important, therefore, for a company to be able to show not only that its compliance programme was working effectively at the time of an alleged offence but also that the programme has continued to evolve to address new risks and incorporate lessons learned from instances of misconduct.

Ensuring compliance programmes actually work in practice, therefore, involves investing in continuous improvement, testing and review. Regulators will look at whether a company periodically engages in monitoring, measuring and testing its compliance programme. This can take the form of a review by internal audit, or by an outside vendor or law firm, and often includes a renewed risk assessment, review of existing policies and procedures, interviews with compliance personnel and employees in various business units, surveys of employees, controls testing, and evaluation and analysis of instances of misconduct or hotline reports that have occurred since the previous review.

In addition to formal, set periodic reviews of a compliance programme, companies can also engage in informal, continuous evaluation and measurement of it. For example, when a company conducts training for its employees, steps can be taken to evaluate the effectiveness of a particular training session. Likewise, the company can examine how its hotline is operating, and whether the third-party due diligence process is identifying risky or problematic third parties.

In addition to testing and measuring, it is important to adequately address potential misconduct when it does occur. Regulators will evaluate whether companies have in place a process not only for adequately investigating, addressing and remediating misconduct, but also for understanding the underlying root cause of the misconduct and adapting the compliance programme to prevent recurrence. Regulators will want to see that a company properly scopes its investigations and that those investigations are ‘independent, objective, appropriately conducted, and properly documented’.[61] In conducting a root cause analysis, regulators will expect a company to analyse whether systemic issues or control weaknesses were involved, and what was done to address these issues.

With respect to personal devices – given regulators’ increased focus on them – companies should take care to ensure that they are enforcing and measuring the effectiveness of their communications-related policies. For example, under the ECCP, prosecutors will ask whether employees have been disciplined for violating the policies, whether compliance or investigations have been impaired because data was not recoverable, whether the company actually exercises control over communication channels subject to the policies, and whether the company has assessed the continued reasonableness of its policies and procedures in the context of its evolving business needs and risk profile.

Finally, but importantly, to enable a company to measure the effectiveness of its compliance programme, and also to demonstrate that effectiveness to regulators, it is imperative that compliance events be documented. Regulators expect not simply to hear about the effectiveness of a compliance programme but also to see evidence of it. Some examples of information categories that regulators often seek when evaluating the effectiveness of a company’s compliance programme are third parties that are rejected as a result of the company’s due diligence process; transactions or deals that are modified or rejected because of compliance risk; discipline that is imposed and remediation that is implemented as a result of misconduct; and responses to hotline reports. If the company is not tracking this and other information, regulators may be sceptical that it is in fact happening and will question how the company can measure the effectiveness of its compliance programme without that information.

Conclusion

With an intensified focus on corporate wrongdoing and enforcement across Latin America, an effective compliance programme has become a critical component of a company’s operations. Although there is not a one-size-fits-all approach to compliance by either regulators or companies, there are important steps that companies can take to put themselves in the best position to avoid, or at least limit, misconduct and, when a company comes under regulatory scrutiny, to secure mitigation credit for the effectiveness of its compliance programme; namely:

  • Understand the risks that face the company as a result of its geographical and operational footprint and the regulators’ expectations around compliance.
  • Use that risk assessment to design and implement a compliance programme with policies and procedures that are appropriately tailored to address the issues identified in the guidance documents cited in this chapter.
  • Take a risk-based approach to resourcing the compliance programme and ensure that there are individuals with appropriate experience and expertise within the compliance function and on the board.
  • Incorporate compliance into the culture of the company, including through the examples provided in this chapter.
  • Respond to allegations of misconduct through properly scoped investigations, undertake a root cause analysis to understand and remediate the cause of the issues, and consider whether to voluntarily self-disclose any identified wrongdoing.
  • Document compliance processes and rationales. This documentation is necessary to evaluate a company’s compliance programme and, if misconduct occurs, will be critical in defending the company or securing mitigation credit (or both).