4. Developing a Robust Compliance Programme in Latin America
This is an Insight article, written by a selected partner as part of Latin Lawyer's co-published content. Read more on Insight
For several years, there has been an ever-increasing focus on corruption in Latin America.[2] In the wake of major corruption scandals,[3] protests have swept the region.[4] In response, legislatures in Argentina, Brazil, Mexico and Peru, among others, have added to or enhanced anti-corruption provisions in their corporate liability schemes.[5] Companies operating in the region should brace themselves for increased scrutiny and a more active enforcement environment.[6] As a result, companies have been increasingly focusing more closely on internal compliance programmes.[7] For multinational companies with operations that span the region, this can be a significant challenge, since an effective compliance programme should meet the requirements promulgated by authorities in every jurisdiction in which a company operates. This is particularly true when countries’ corruption or criminal enforcement legal regimes apply extraterritorially. However, the risks presented by operations in a given country vary throughout Latin America and, to be effective, a compliance programme must be tailored to those risks – based on geography, industry and any other relevant factors.[8]
This chapter gives a snapshot of some of the key risks and challenges a multinational corporation’s compliance programme in Latin America must confront. From this discussion, it is hoped the reader will gain an appreciation of both the value and complexity of tailoring a compliance programme to fit the needs of a given country of operation. It then outlines some of the necessary elements of an effective compliance programme, based in large part on the recent guidance issued by the US Department of Justice (US DOJ)[9] – which is one of the most active anti-corruption enforcement authorities in Latin America. There is then discussion about the practices companies can adopt to maintain an effectively tailored compliance programme.
Background
To understand the variability of the control environments throughout Latin America, we begin with the base-line prevalence of corruption, which is itself highly variable.
As the magnitude of the risk varies dramatically from country to country, so do the types of risks.[10] Take as an example the challenges of dealing with state-owned enterprises (SOEs). Dealings with SOEs can present an acute corruption liability risk,[11] but the prevalence of SOEs in commerce also varies dramatically throughout the region.[12]
The manner in which risks materialise also differs. Latin American countries ‘rank non-declaration of conflict of interest, receiving bribes and influence peddling as among the top three risks for SOEs; however, these latter two do not even appear in the top 10 risks for OECD countries’.[13]
Another axis to be kept in mind is the industry in which the branch of the firm will operate. For instance, firms in the pharmaceutical or healthcare industries must regularly deal with doctors who are, in Latin America, very often public employees, increasing the risk of running afoul of public corruption laws.[14]
Local enforcement regimes must also be considered in establishing an effective compliance programme. Many countries in Latin America have recently enacted substantially tougher anti-corruption measures.[15] The variances among them can be significant.[16] A good example of this is the laws regulating ‘facilitating payments’. Some regimes permit them in limited circumstances (as does the US FCPA), but they are prohibited under local law in many countries, such as Brazil and Mexico.[17]
While the principal objective of a compliance programme is to ensure a company is avoiding risk and complying with the law, one of the significant benefits of an effective compliance programme is detecting illicit conduct, if and when it does occur. Different countries seek to incentivise companies to self-report conduct to anti-corruption regulators in different ways, but in most jurisdictions companies will gain some benefit from early reporting of corruption-related misconduct. And the best way to enable a company to decide to report misconduct to the government is by having an effective compliance programme that will bring those matters to management’s attention as early as possible.
Ultimately, at the time of resolving an investigation into possible violations, most governments provide some form of incentive or credit for companies who have a compliance programme in place. In Argentina, for example, one of the necessary conditions for corporations to be eligible for exemption from penalties and administrative liability is that a system of internal controls and supervision be in place, and that circumventing the system required deliberate effort by the wrongdoers (the company must also self-report and disgorge undue benefits).[18] In Chile, companies might be either exempted from liability or have their penalty reduced as a result of implementing an effective compliance programme.[19]
With this backdrop of the importance of a compliance programme, we move on to address the essential elements of an effective one.
Components of an effective compliance programme
The US DOJ and US Securities and Exchange Commission have used their broad extraterritorial jurisdiction to bring enforcement actions against companies headquartered in Latin America, for conduct that occurred principally in Latin America and carried out by nationals of countries in Latin America. It also often has imposed higher nominal fines than the regulator in the country where the conduct principally occurred, although, during the past five years, US regulators have often credited the foreign authority’s fine against the US fine. The net effect of this has been that local regulators are collecting a significant portion of – and, in some cases, the majority of – the total fine imposed.[20] Therefore no compliance programme by a major company in Latin America can be built effectively without incorporating the US DOJ’s views.
Having a compliance programme is not required in the United States. This is true for many countries in Latin America, too, such as Argentina (except for entities who are parties to certain federal government contracts). Nevertheless, it is one of the factors that is assessed in resolving a criminal violation when one occurs.[21] The US DOJ recently has emphasised both training prosecutors on compliance and hiring prosecutors who have compliance experience, and thus companies can expect more sophisticated analyses of their compliance programmes.[22]
The US DOJ Guidance for the most part is consistent with requirements for compliance programmes promulgated in various Latin American countries. Previously, the US DOJ had structured its guidance for evaluating compliance programmes into 11 compliance topics and 46 sub-topics. In April 2019, the US DOJ promulgated revised guidance that asks three core questions:
- First, is the corporation’s compliance programme well designed?
- Second, is the programme being applied earnestly and in good faith? In other words, is the programme being implemented effectively?
- Third, does the corporation’s compliance programme work in practice?[23]
The US DOJ Guidance expounded on each of these questions in often-overlapping topics that are designed to allow companies to measure their compliance programme in the way the US DOJ would. Those topics also align with the guidance or requirements promulgated in many Latin American countries. While no formula will fit all companies, below are some of the key elements, drawn from the US DOJ Guidance and the compliance requirements in Latin American countries, that should be considered for any compliance programme.
Tone at the top
Both senior and middle management should be sending out a clear message that misconduct is not tolerated, and that management endorses – and will enforce – the policies and procedures designed to drive ethical conduct.
Every opportunity should be taken to show in concrete steps and clear terms management’s commitment to compliance, and to show that misconduct or significant risks will not be tacitly or otherwise tolerated in pursuit of business goals. When employees are dismissed or disciplined, it should be used as an opportunity for a company to reinforce its intolerance of misconduct or violations of its policies, procedures, or other legal requirements, for example by using anonymised descriptions of the type of misconduct at issue. Any signalling that the company or its leadership is compromising on adhering to its compliance values and rules may be read by more aggressive employees as condoning bribes or other prohibited conduct.
Risk assessment
In any compliance programme, great emphasis should be placed on the degree to which a programme is tailored to the risks that are presented by a particular company’s business. Risks should be assessed based on a company’s geography, its industry, its competitive and regulatory environments, who its actual or potential clients or business partners are, and what types of transactions, payments or donations might be made to government officials, charities or other third parties.[24] Companies should expect not only to show that they have identified and assessed the risks they face, but will be expected to be able to defend the way in which they have done so.
Resource allocation and autonomy
A compliance function must not only be adequately staffed and funded, it must have sufficient authority to perform its role. Leadership of the compliance function must have seniority in the organisation, as well as autonomy and independence from management. Ideally the head of compliance has access to the company’s board, the board’s audit committee or the chief executive office (or more than one of these), and the job performance of compliance personnel is reviewed by very senior managers, the board’s compensation committee, or other components of the company that are sufficiently independent from the business operations that the compliance function reviews. Consideration should be given to whether the compliance function will be housed within the legal department or splintered and subordinated to various business units. As an alternative, compliance personnel might report directly to the chief executive or the audit committee. Companies also should consider whether compliance personnel’s responsibilities will be purely compliance-related or if they will wear two hats and have a role in the business they may be reviewing, which may detract from their independence.
Once the company has identified the risks it faces, those risks must be used not only to shape the policies and procedures that apply to employees’ conduct, but to weight the compliance resources – such as funding, and personnel in sufficient quantity and experience – that will be deployed to address them.
Policies and procedures
A code of conduct is one of the threshold matters that should be in place, reinforced by management and readily available and broadcast to all employees, in the languages those employees speak at work. There should be resources in place – which also are broadly communicated – that allow employees to seek guidance on issues relating to the company’s code of conduct or other policies or procedures. Controls should be in place to avoid opportunistic bribe-seeking by state officials. If a mistake is made (for example, in completing a customs form for importing a company’s products, which a customs official could ‘overlook’ in exchange for a bribe), the company should have in place controls to make sure that the mistake is corrected through proper channels, even if there are negative business consequences for the company.
Training programmes
Training is a must – for directors and officers, for relevant employees, and in many cases for business partners, agents and other third parties. It should take account of the audience’s size, sophistication and experience with the subject matter. Of particular importance are gatekeepers: supervisors or control personnel, or other persons with approval authority or certification responsibilities. Those people must first be identified, then particular training for them should be developed and deployed.
Overall, a company should have a methodology for developing its training curriculum for different personnel up front, and on the back end should have ways to measure the effectiveness of its training programme – for example, documenting the completion rate, testing employees on what they have learned, addressing employees who fail to pass those tests, and tracking which personnel receive which training. Most employees may well understand they cannot pay cash to a procurement official, for example, but may not appreciate, without specific training, that they also cannot offer him or her free or discounted company products.
Audit function
One of the core components of a compliance programme is its internal audit function, which should be directly mapped onto the results of periodic risk assessments and should place greater emphasis on high-risk areas. The documented results of those audits should periodically reach management and, depending on the scope or significance, the board, as should actions taken in response to audit findings. Similar to compliance operations overall, the audit function must have the resources and rank to do its job, which may involve scrutinising other high-level businesspeople, and be empowered to do it.
Third-party management
One of the areas of highest risk for companies is their agents, consultants, distributors or other vendors. It is widely recognised that third parties are a common vehicle to conceal illicit payments. The prevalence of this risk is vividly illustrated by a recent US$282 million combined fine that Walmart paid to the US SEC and US DOJ for failure of various subsidiaries to effectively investigate and mitigate third party risk, including in Brazil and Mexico.[25] Thorough vetting or due diligence, and applicable controls, should include an assessment of each third party’s qualifications and reputation; the particular business need for their services; a specific description of the services they will be providing that can be objectively verified; a method to determine that compensation was at a fair market price for that industry and geographical region; and verification that the services were actually performed. Other enhancements might include updating due diligence, training personnel at those third parties, negotiating and exercising audit rights, or compliance certifications. A process should be in place for documenting when red flags are discovered and how they are addressed, and for retaining that information to use in assessing future opportunities involving that third party. Failure to do so can result in substantial penalties. For example, in 2017, Zimmer Biomet Holdings Inc paid a criminal penalty of more than US$17 million, in part for continuing to use a Brazilian distributor that Zimmer knew had previously paid bribes on behalf of the company.[26]
Confidential reporting structure
Confidential reporting, or whistle-blowing, allows employees to report possible misconduct when they either feel they have been unsuccessful in reporting it through ordinary supervisory channels or fear they will be unsuccessful in (or will suffer negative consequences for) doing so. While it appears to be a straightforward process to implement, whistle-blowers often fear retaliation and report misconduct or policy violations at significant personal and professional risk. Therefore, companies should widely broadcast their reporting mechanisms and should consider ways proactively to foster an understanding that confidential reporting will remain as confidential as is legally permissible, that retaliation will not be permitted and that processes are in place to protect whistle-blowers. Consider the example of a recent US SEC enforcement action alleging a scheme to bribe Peruvian officials to obtain government contracts. The SEC Order describes how, as the scheme progressed and ‘the volume of improper payments increased, [a] Senior Finance Manager became increasingly concerned about authorizing them’.[27] He ‘was brushed aside’ when he reported his concerns to another manager. The Senior Finance Manager then raised the issue with a financial executive responsible for Latin America, who also failed to act. Had the Senior Finance Manager used a confidential reporting structure, the scheme might have been uncovered, but instead it went on for years more and the company ultimately paid nearly US$10 million in fines.
Investigation process
Although handling internal investigations is treated in detail elsewhere in this publication, a basic measure of an effective compliance programme is its process for investigating complaints that do arise.[28] The compliance programme should require the timely completion of investigations and appropriate follow-up and, where and as appropriate, the consequences for persons involved in any actual misconduct. When staffing investigations, it is important to select personnel who will be independent and objective. Some investigations may require external investigators, as in cases where the conduct appears widespread or may involve senior management. In those instances, the investigation should be managed by independent members of the board and by using external counsel. When the investigations are concluded, the investigators’ conclusions and outcome should be documented, and the company should engage in a candid and thorough root cause analysis to determine whether the misconduct involved any failures in controls, and whether those controls could be improved or any other weaknesses in the controls could be improved. A plan for remediation should be developed, documented and executed.
Incentives and discipline
While policies can set forth the rules, a compliance programme must recognise that employees’ behaviour must be incentivised to follow them, and there must be both positive and negative consequences for compliance or violations. Publicising disciplinary measures, often without the employee’s name, can deter similar conduct. Conversely, promotions, rewards or bonuses for participation in compliance functions – building a programme, implementing it or leading it – or for consistently abiding by the requirements of such a programme can all encourage employees to adhere to the company’s policies and the law.
Managers under whose supervision misconduct occurred may need to be disciplined if they did not exercise meaningful supervision or were put on inquiry notice related to the conduct at issue but failed to take appropriate action (and in that regard, the scope of an investigation should often include the management component or components overseeing the conduct at issue).
Thought should be given to how the company can ensure that there is consistency in how discipline or incentives are applied throughout the company – laterally through different lines of business and vertically through different layers of management.
Updating
Even the best-designed compliance programme still requires periodic review and updating.[29] Those revisions begin with an assessment of the risks presented (including previously unidentified or insignificant risks) and should also map other changes in the company – such as structural changes to the organisation or its components, changes in the company’s geographical markets or industries, and legal or regulatory changes.
Ploughing the lessons learned from prior incidents into a compliance programme (including future training programmes, in particular) is an effective way to show that a company is learning and adapting its compliance programme overall. Compliance programmes should evolve over time, just as the companies for which they have been designed evolve.[30]
Mergers and acquisitions
Somewhat distinct from the compliance programme in the ordinary course is having a due diligence process in place for mergers and acquisitions activity (see also Chapter 11 on Assessing and Mitigating Compliance Risks in the Transactional Context). Subjecting a target company to adequate due diligence is not only important so that the successor or acquiror does not unwittingly inherit risk it should have found or pay a price for a target that fails to reflect the target’s actual risk level; it has also been flagged by the US DOJ as ‘indicative of whether [a company’s] compliance programme is, as implemented, able to effectively enforce its internal controls and remediate misconduct at all levels of the organisation’.[31] It is in a way a microcosm of the overall compliance programme, and should involve a risk assessment and incorporation into the merger or acquisition and subsequent integration process. Critically, a process also should be in place to track and address post-acquisition any risks or actual misconduct identified during pre-acquisition due diligence.
Summary
The US DOJ guidance is detailed, but a company’s compliance programme must take account of all the jurisdictions in which it operates, which may not provide for all the same elements as US DOJ’s guidance, and in some instances may impose requirements that conflict with those of the US DOJ. In many instances, these elements align. For example, by statute in Argentina, to be considered adequate, a company’s compliance programme must be tailored to its risks, include a code of ethics and internal policies, and require periodic training.[32] Additional elements in Argentina largely align with the elements in the US DOJ’s guidance: periodic updates, tone at the top, channels to report irregularities (i.e., whistle-blowing channels), an internal investigation system, third-party vetting, mergers and acquisitions diligence, and the authority given to the compliance function.[33]
In other instances, Latin American countries may have particular compliance requirements that go beyond these core, general topics. For example, in Brazil, while many elements are consistent with the topics treated above, an effective compliance programme should specifically include transparency regarding any donations made by a company to any political party.[34] Or in Chile, where again the components of an effective compliance programme are largely addressed by the topics above, companies can choose to have their compliance programme certified by the accredited organisations registered with the Financial Market Commission.[35]
But in still other instances they may be in tension.
To take just one example, when an issue escalates from an anomaly discovered by compliance into something that is investigated, the company will need to decide how it will approach its employees. In Argentina, a compliance programme should take account of the rights of persons who are under investigation.[36] US companies will typically require their employees – as a condition of continued employment – to cooperate in an internal review or investigation. A recent US court decision ruled that a company’s external law firm essentially served as a proxy for the government and, therefore, improperly compelled employees to provide information through interviews.[37] While the US DOJ may continue to expect that companies will insist upon cooperation from their employees, other jurisdictions may require companies to observe different or inconsistent limits in approaching and interviewing their employees.
Sanctions compliance
Three days after the US DOJ published its new guidance on evaluating compliance programmes, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued a Framework for OFAC Compliance Commitments. OFAC administers sanctions regulations under US law (for example, sanctions prohibiting US companies from doing business with Iran or with certain designated individuals). While the US DOJ has authority to investigate criminal offences, including criminal sanctions violations, OFAC has authority to pursue civil penalties and administrative remedies for sanctions violations.
The focus of OFAC’s compliance framework is overall the same as the US DOJ’s guidance. Instead of three main questions, OFAC’s framework calls for ‘five essential components of a compliance programme: (1) management commitment; (2) risk assessment; (3) internal controls; (4) testing and auditing; and (5) training’.[38] In many ways it is a different cross-section of the same landscape of an effective compliance programme. It also emphasises the favourable consideration a company will receive, when resolving a violation, for having had an effective compliance programme at the time of a violation, as well as for remedial steps taken since.
Some aspects, however, are particular to the sanctions environment and illustrate why any compliance programme must be customised to a company’s particular situation. For example, OFAC’s framework specifically looks to whether compliance staff have experience with OFAC’s regulations, processes and actions, and whether they have the ability to understand complex financial and commercial activities and to apply their knowledge of OFAC to them. Information technology software and systems are called out, in particular because sanctions compliance often depends on screening a company’s transactions, payments, customers and other counterparties against OFAC’s list of sanctioned persons and entities, as well as geographical regions. OFAC’s framework emphasises the importance of implementing compensating controls once a possible violation is discovered until a root cause is identified and remediated, and the importance of record-keeping as it relates to activities that may be prohibited by OFAC’s regulations.
A sanctions compliance programme must also be able to adjust quickly to the fluid regulatory environment and changes in multiple jurisdictions. Mexico, for example, is implementing the ability to blacklist individuals suspected of money laundering and other financial crimes.[39]
There are two other salient issues particular to sanctions that are worth noting. First, a sanctions compliance programme requires companies to acknowledge and navigate the sanctions imposed by one jurisdiction (such as the United States) and blocking statutes enacted by certain other jurisdictions (such as the European Union) that prevent companies from complying with those sanctions.[40] Experienced legal counsel in each jurisdiction should help the company address how it will treat conflicting legal obligations like these.
Second, mergers and acquisitions can present heightened challenges in complying with sanctions. An acquisition target may operate in a jurisdiction that has a blocking statute in place (prohibiting the target from complying with sanctions issued by another jurisdiction, such as the acquiror’s) that does not recognise US sanctions, or that is in or proximate to high-risk sanctions regions. Moreover, as a part of the United States’ Cuban sanctions programme, companies increasingly have found themselves in litigation as a result of the March 2019 decision to allow private lawsuits against anyone who traffics in property that was confiscated by the Cuban government.[41] Heightened due diligence may be called for to determine the provenance of assets, and the history and reach of business operations.
Antitrust compliance
In evaluating a company’s antitrust compliance programme, the Antitrust Division’s guidance asks three principal questions:
- Does the programme address and prohibit criminal antitrust violations?
- Did the programme detect and facilitate prompt reporting of the violation?
- To what extent was a company’s senior management involved in the violation?
Many of the topics covered in the Antitrust Division’s guidance cover the same ground as the US DOJ’s general guidance referenced earlier, but many points are specific to the antitrust context.
Although not particular to antitrust, the Antitrust Division’s guidance also specifically called for guidance to employees regarding document destruction and obstruction of justice.
Treatment of whistle-blowers
As noted earlier, whistle-blowing channels are a critical element of a compliance programme. It is also an area where local attitudes can affect both the whistle-blower and the behaviour of the persons receiving a whistle-blower report. In this way, cultural factors can substantially alter the risk profile of a given country. The diverse array of cultures and customs throughout Latin America is a major challenge when establishing a compliance programme that spans the region.[42] For instance, in certain Latin American countries, notably Brazil, there is a history of hostility towards whistle-blowers, and a concomitant reluctance for them to come forward.[43] In other countries (Mexico for instance), employees may place a lesser value on confidentiality.[44]
Marrying that cultural reality to the various legal requirements can be challenging for multinational companies.
Various countries in Latin America have particular legal provisions that cover whistle-blowers, but they do not all afford the same – and some do not provide any – protection. Argentina recently passed legislation that permits the government to provide economic awards to whistle-blowers as a special investigative technique and recommends that a compliance programme should contain a policy that protects whistle-blowers from retaliation.[45] In Brazil, benefits can be used to encourage whistle-blowers, but whistle-blowers enjoy no legal protections.[46] Similarly, in Chile, there are no legal protections for whistle-blowers in the private sector, although increasingly larger companies with operations in Chile are implementing compliance programmes that adopt protections as a matter of policy.[47]
While multiple Latin American government offices have created channels for witnesses to provide information to regulators, given the considerable risks that whistle-blowers often perceive in reporting misconduct, it may take time – and probably some widely reported success stories – before their use begins to be engrained in corporate culture.[48]
By contrast, the European Union has adopted a new Directive[49] that imposes specific requirements on corporate whistle-blowing channels. This Directive protects a broader set of people from a broader range of retaliatory conduct than US or many Latin American whistle-blower provisions. Companies with operations in both Latin America and the European Union will need to ensure that they meet the EU’s enhanced requirements.
Best practices
As we expect has now been made clear, managing a multinational company’s compliance programme in a diverse array of environments to meet the factors described herein is a substantial and ongoing challenge. We therefore outline some practices that companies can use to help create a compliance programme that is up to the task.
Documenting changes and successes
Not only is it important to have a documented compliance policy, but to document and record the processes called for by that policy and any changes made to the compliance programme.
In the event that a violation of law is discovered by (or reported to) regulators and any resulting investigation or prosecution is being resolved, a company’s compliance programme will be evaluated both at the time the resolution is negotiated and also as of the time the offence occurred. Compliance programmes, designed to prevent and detect misconduct, are thus often viewed through a lens looking back to when the misconduct occurred but was not detected. The ‘adequacy and effectiveness of the corporation’s compliance programme at the time of the offense’ must be evaluated, but as the US DOJ guidance puts it: ‘Due to the backward-looking nature of the . . . inquiry, one of the most difficult questions prosecutors must answer in evaluating a compliance program following misconduct is whether the program was working effectively at the time of the offense, especially where the misconduct was not immediately detected.’[50] Similarly, it is difficult for the company itself to look back in time to measure its compliance programme.
But the US DOJ has emphasised that it is committed to credit companies for investing in an effective compliance programme even when misconduct was not prevented or detected.[51]
This makes clear the importance of documentation, tracking and institutional memory. A company may make adjustments to its compliance programme diligently and in earnest, but if the process for doing so and the basis for doing so are not tracked and housed in an accessible system, the value of those good measures may be lost when they are forgotten or when the memory of them leaves with the employees who implemented them. It may be difficult to reconstruct changes to compliance programmes from an oral history of employees, particularly with personnel turnover or changes to record-keeping systems without a centralised process to record the steps in the evolution of the programme.
Not only should instances of misconduct be identified or tracked, but companies can consider a procedure to document success stories. It might be populated with unilateral changes it has made to its compliance programmes; strategic adjustments made to respond to compliance concerns; specific disciplinary actions taken, such as declining promotions or awards for persons found to have engaged in misconduct; transactions that were modified or halted; or third parties whose services were declined. A company is generally not going to know when its compliance programme will be evaluated in the future, so having a system to track an effective compliance programme is an important way to derive the benefits of having one.
When potential misconduct is brought to a company’s attention, it is incumbent on the company to examine its procedures and compliance programme to determine whether improvements can be made. In some instances, a company might fear that making changes to a compliance programme, and documenting them, would concede that deficiencies exist. But making changes to a programme indicates both (1) effective remediation of potential misconduct, and (2) revisiting and updating the programme, both of which are important factors in demonstrating an effective compliance programme. Remediation is not only a factor when evaluating the form of a possible criminal resolution and the amount of a fine, but also whether a monitor will be considered or other ongoing reporting obligations will be imposed.[52]
Broadcasting a culture of compliance
It is vital that a multinational corporation has a healthy culture of compliance and ensures that it is disseminated across the globe. As an organisation grows, cultural, linguistic and geographical barriers can hamper its effectiveness.[53] Effective communication begins with ensuring compliance materials are translated into the local language or dialect, but it is not only a matter of translation.[54] The subtleties of these issues can result in miscommunication and confusion when a compliance programme is exported wholesale from a home office.[55] Inappropriate cultural references should be removed and replaced with more suitable ones – an analogy to American football, say, would very likely be lost on most Latin-American audiences and risks alienating them. These recommendations may seem obvious, but companies fail to follow them with surprising frequency. In 2012, for example, after the multinational company Orthofix NV acquired a Mexican subsidiary, it promulgated its own anti-corruption policy but failed either to translate it into Spanish or to assure it was implemented in Mexico.[56] Orthofix ultimately paid more than US$2 million in fines over corrupt payments to secure purchase orders.
Local input and buy-in
Relatedly, local stakeholders, including local managers and employees, should be consulted and given a voice in the crafting of a compliance programme for their region. Compliance materials should, whenever possible, be tailored to account for each country’s culture, customs and compliance environment.[57] Cultural practices can often present a compliance risk. Gift-giving is traditional and routine in some places and can present obvious compliance risks that an effective policy must anticipate and account for.[58] Similarly, requests for charitable donations from local officials, unexceptional on their face, may well in a particular location constitute an unmistakable demand for an illegal payment.[59]
As an example, in 2013 and 2014, Telefônica Brasil SA hosted a hospitality programme in connection with the 2013 Confederations Cup and 2014 World Cup association football tournaments.[60] Through the programme, the company provided tickets and hospitality services to government officials who were directly involved with or could influence legislative actions, regulatory approvals and business dealings involving the company. For failure to devise and maintain sufficient internal accounting controls surrounding this incident, the company was fined more than US$4 million. Understanding the form that hospitality may take, for example, and gaining a detailed picture of how a business is operating at a local level is necessary to the successful implementation of a compliance programme. Adapting a compliance programme to the local culture is also vital[61] and local management is often the most knowledgeable about the particular compliance risks facing its operations.[62]
Involving local stakeholders has the added benefit of increasing buy-in to the programme. A top-down imposition of strict rules can create a sense of resentment in branch offices that are given no ownership over their operations.[63] This insight is confirmed by recent behavioural scientific research on the risks of overbearing enforcement strategies, which shows this type of extrinsic incentive can alienate local employees and create ‘compliance fatigue’, while at the same time crowding out employees’ intrinsic motivation to do the right thing, such as actively reporting compliance risks.[64] Incorporating input from local managers, who will often be the people actually charged with implementing the programme, will increase their commitment to the programme and therefore help in implementing it.[65]
Involvement of local managers should not translate into complete delegation, however, or detract from corporate management’s commitment and ownership of the compliance programme. Ultimately, multinational corporations must incorporate local input while still retaining a focus on carefully overseeing the programme. Resistance from a local manager that aspects of a policy are ‘not the way we do things here’ is not the end of the discussion but the beginning of one about how best to implement a particular policy in that office’s context.
Relying on local counsel
Consulting high-quality local counsel is essential to meet the challenges of a particular legal environment in a given country. Local counsel can provide insights into how a company’s compliance programme should be modified to meet particular aspects of local laws.[66]
For instance, Mexico’s newly enacted anti-corruption law has a relatively specific list of components that must be included in a compliance programme to justify a sentence reduction.[67] Local counsel will also very often have a valuable – and external – perspective on cultural issues, or other issues peculiar to a given locale, and their counsel should be taken into account alongside the voice of the company’s own local personnel.[68] (Any statement by a local manager that ‘everybody does’ something that would otherwise violate a compliance policy can be tested with local counsel, who can also help in communicating to that manager that his or her perception of how widespread a practice is does not comport with counsel’s experience.)
Using data analytics
There has been an increased emphasis on data analytics, which can take many forms, from off-the-shelf software suites to artificial intelligence. They are useful to companies as they look for efficiencies when implementing their compliance programmes. Analytics can also be a valuable tool in assessing risks and shaping an audit programme. Using analytics also can help demonstrate to regulators that objective, quantitative analysis has been performed on the data available to the company.
As a practical matter, implementing data analytics may require imposing uniformity on how various pieces of data are ingested and stored in the company’s systems.[69]
See also Chapter 9 on Embracing Technology.
Adapting to evolving legal regimes
Even after a programme is established, the task is not complete. It is especially true in Latin America today that firms must monitor and update their programmes continually to adapt to changes in the compliance environment.[70] Updating a compliance programme is always important, but there is substantial uncertainty surrounding how newly enacted legislation in different countries in the region will be interpreted and applied. Nowhere is this truer than with respect to enforcement authorities’ treatment of corporate compliance programmes, which will have to be updated continually as the regulatory landscape changes.[71]
In summary, an effective compliance programme can save a company from considerable consequences later on. It can prevent illicit conduct in the first place, it can detect it at the earliest possible stage if it does arise, and it can lessen or avoid many of the consequences that come with an enforcement action – not least of which could be a compliance monitor to help devise and implement a programme that should have been established in the first place.
[1] Brendan P Cullen is a litigation partner and Anthony J Lewis is special counsel at Sullivan & Cromwell LLP. The authors thank Noah P Stern, associate at Sullivan & Cromwell LLP, for his valuable assistance in researching this chapter.
[2] Congressional Research Service, ‘Combating Corruption in Latin America: Congressional Consideration’, p. 7 (2019) < https://crsreports.congress.gov/product/pdf/R/R45733>.
[3] Miller, Ben; Uriegas, Fernanda, ‘Latin America’s Biggest Corruption Cases: A Retrospective’, Americas Quarterly (22 July 2019) < https://www.americasquarterly.org/content/decades-most-iconic-corruption-cases> (describing high-profile corruption cases across the region); Congressional Research Service, ‘Combating Corruption in Latin America: Congressional Consideration’, Appendix C (2019) < https://crsreports.congress.gov/product/pdf/R/R45733> (providing a timeline of corruption scandals in Latin America from 2014 to 2018).
[4] Sheridan, Mary Beth, ‘Why political turmoil Is erupting across Latin America’, The Washington Post (10 October 2019) < https://www.washingtonpost.com/world/the_americas/why-political-turmoil-is-erupting-across-latin-america/2019/10/10/a459cc96-eab9-11e9-a329-7378fbfa1b63_story.html> (describing protests in part against corruption across the region, including Brazil, Peru, Guatemala, Haiti and Honduras); Daugaard, Andreas, ‘Honduras: How a surge of corruption scandals has fuelled political crisis’, Voices for Transparency (22 September 2019) < https://voices.transparency.org/honduras-how-a-surge-of-corruption-scandals-has-fueled-political-crisis-85af16ceac85> (linking corruption scandals In Honduras with mass protests there).
[5] Corres, Luis Dantón Martínez; et al., ‘Mexico: At a Turning Point in Anti-Corruption Investigations and Enforcement’ in Americas Investigations Review 2020, at 135, 137 to 144; Fava, Pamina; et al., ‘How to Mitigate Corruption Risk When Investing in Latin America’, Anti-Corruption Report (25 July 2018) < https://www.anti-corruption.com/2619631/how-to-mitigate-corruption-risk-when-investing-in-latin-america.thtml>.
[6] ‘Combating Corruption in Latin America: Congressional Consideration’ (footnote 2, above), at 9.
[7] Americas Society/Council of the Americas, ‘Latin America’s Battle Against Corruption: A Path Forward’, 7 (2018) < https://www.as-coa.org/sites/default/files/CorruptionReport2018_ASCOA.pdf; Newbery, Charles, ‘Compliance Is Taking Off in Latin America. Is It Effective?’, Americas Quarterly (22 July 2019) < https://www.americasquarterly.org/content/compliance-takes-latin-americ-it-working>; Hamilton-Martin, Roger, ‘Investigator’s Guide to Brazil’, Global Investigations Review (8 December 2017) < https://globalinvestigationsreview.com/article/1151271/investigators-guide-to-brazil>.
[8] Transparency International, ‘Business Principles for Countering Bribery, at 7 (2013); Sureda, Aixa; González Soldo, Evangelina, ‘Argentina’, Americas Investigations Review 2020, Global Investigations Review (19 August 2019) < https://globalinvestigationsreview.com/benchmarking/americas-investigations-review-2020/1196467/argentina>.
[9] US Dep’t of Justice [US DOJ], Criminal Division, ‘Evaluation of Corporate Compliance Programs’ (29 April 2019) [US DOJ Guidance] < https://www.justice.gov/criminal-fraud/page/file/937501/download>.
[10] Koukios, James M; et al., ‘Anti-Corruption in Latin America’ in The Guide to Corporate Crisis Management, at 68 (discussing the prevalence of regional variations in corruption risk).
[11] See Organisation for Economic Co-operation and Development [OECD], ‘Survey on integrity and anti-corruption in state-owned enterprises in Latin American and OECD countries’ (2017), at 4 [OECD, SOE Integrity Survey]; OECD ‘Foreign Bribery Report: An Analysis of the Crime of Bribery of Foreign Public Officials’, at 8 (2014) [OECD, Foreign Bribery Report] < https://dx.doi.org/10.1787/9789264226616-en>.
[12] OECD, ‘The Size and Sectoral Distribution of State-Owned Enterprises’ (2017), at 14 to 15, tbl. 1 < https://dx.doi.org/10.1787/9789264280663-en> (reporting that, as of 2015, Brazil had almost twice as many SOEs as Mexico, the next highest in the region).
[13] OECD, SOE Integrity Survey, at 10. The report continues: ‘Similarly, OECD top 3 risks (violations of data protection and privacy, stealing or theft of goods, and violations of regulations) do not even feature within the LatAm countries’ list of top 10 risks.’
[14] Earle, Beverley; Cava, Anita, ‘The Penumbra of the United States’ Foreign Corrupt Practices Act: Brazil’s Clean Companies Act and Implications for the Pharmaceutical Industry’, 13, Rich. J. Global L. & Bus., 439, 448, 449 (2014); Baker McKenzie, ‘Latin America Corporate Compliance Report: Seven Compliance Challenges and How to Overcome Them’, 11 (2015) < https://www.bakermckenzie.com/-/media/files/insight/publications/2015/12/spotlight-on-latin-america/la_compliancereport_english.pdf>.
[15] See Portella, Renato Tastardi, ‘Managing Multi-jurisdictional Investigations in Latin America’ in Americas Investigations Review 2020, at 53 to 57 (reviewing the newly enacted anti-corruption laws of Brazil, Mexico, Chile, Columbia and Argentina).
[16] See Koukios (footnote 10, above), at 70 and 71 (providing a comparison of the local anti-corruption laws in Latin America).
[17] Corres (footnote 5, above), at 139 (‘The prohibitions in the GLAR are rather broad and there is no facilitating payments exception.’); see also Fava (footnote 5, above).
[18] Basch, Fernando Felipe; Cargnel, Maria Emilia, ‘Argentina’ in The International Investigations Review, 41, 45, 46 (Law Business Research, Nicolas Bourtin ed., 9th ed. 2019).
[19] Bofill, Jorge; Praetorius, Daniel, ‘Chile’, in The International Investigations Review (Law Business Research, Nicolas Bourtin ed., 9th ed. 2019), at 103.
[20] e.g., Deferred Prosecution Agreement, United States v. TechnipFMC plc, Case No. 19-CR-278 (EDNY, 25 June 2019) < https://www.justice.gov/opa/press-release/file/1177316/download>.
[21] Basch and Cargnel (footnote 18, above), at 46.
[22] Benczkowski, Brian A (Assistant Attorney General), US DOJ, Remarks at NYU School of Law Program on Corporate Compliance and Enforcement Conference on Achieving Effective Compliance (12 October 2018) < https://www.justice.gov/opa/speech/assistant-attorney-general-brian-benczkowski-delivers-remarks-nyu-school-law-program>.
[23] US DOJ Guidance (footnote 9, above).
[24] id., at 3; e.g., US DOJ, Justice Manual 9-28.800 [Justice Manual] < https://www.justice.gov/jm/jm-9-28000-principles-federal-prosecution-business-organizations#9-28.800>.
[25] Press release, US SEC, ‘Walmart Charged with FCPA Violations’ (20 June 2019) < http://fcpa.stanford.edu/fcpac/documents/5000/003871.pdf>.
[26] Press release, US DOJ, ‘Zimmer Biomet Holdings Inc. Agrees to Pay $17.4 Million to Resolve Foreign Corrupt Practices Act Charges’ (12 January 2017) < http://fcpa.stanford.edu/fcpac/documents/4000/003434.pdf>. The US parent was also faulted for failing ‘to implement an adequate system of internal accounting controls at the company’s subsidiary in Mexico, despite employees and executives having been made aware of red flags suggesting that bribes were being paid’.
[27] See Cease and Desist Order, In Re Quad/Graphics, Inc., File No. 3-19531, Paras. 12, 13, 65 (26 September 2019) < http://fcpa.stanford.edu/fcpac/documents/5000/003934.pdf>.
[28] Justice Manual (footnote 24, above), at 9-28.800; US Sentencing Guidelines Manual, § 8B2.1(b)(5)(C) (US Sentencing Commission, 2018) [Sentencing Guidelines] < https://guidelines.ussc.gov/gl/%C2%A78B2.1>.
[29] US DOJ Guidance (footnote 9, above), at 3; Sentencing Guidelines (footnote 28, above), at § 8B2.1(c).
[30] US DOJ Guidance (footnote 9, above), at 13.
[31] id., at 8.
[32] Basch and Cargnel (footnote 18, above), at 46.
[33] id.
[34] Rassi, João Daniel; Labate, Victor, ‘Brazil’ in The International Investigations Review (Law Business Research, Nicolas Bourtin ed., 9th ed. 2019), at 91.
[35] Bofill and Praetorius (footnote 19, above), at 99.
[36] Basch and Cargnel (footnote 18, above), at 46.
[37] United States v. Connolly, No. 16 Cr. 0370 (CM), 2019 WL 2120523 (SDNY, 2 May 2019).
[38] US Dep’t of the Treasury, Office of Foreign Asset Controls, ‘A Framework for OFAC Compliance Commitments’ (2 May 2019) < https://www.treasury.gov/resource-center/sanctions/Documents/framework_ofac_cc.pdf>.
[39] Neal, Will, ‘Mexican Parliament votes to expand powers of finance ministry’, Global Investigations Review (7 November 2019) < https://globalinvestigationsreview.com/article/1210714/mexican-parliament-votes-to-expand-powers-of-finance-ministry>.
[40] European Council Regulation No. 2271/96 (22 November 1996).
[41] e.g., Davy, Elizabeth; Earl, James; Kadel Jr, Eric; Szubin, Adam, ‘Developments in Economic Sanctions, Enforcement and Investigations’ in Americas Investigations Review 2020, Global Investigations Review (19 August 2019) < https://globalinvestigationsreview.com/insight/americas-investigations-review-2020/1196459/developments-in-economic-sanctions-enforcement-and-investigations>.
[42] KPMG International, ‘Cross-border investigations: Are you prepared for the challenge?’ (2013) < https://assets.kpmg/content/dam/kpmg/pdf/2013/12/cross-border-investigations.pdf>.
[43] See Fundação Getúlio Vargas, ‘Speak Now or Forever Hold Your Peace: An Empirical Investigation of Whistleblowing in Brazilian Organizations’ (2012) < https://pdfs.semanticscholar.org/492a/47ac593f21b7b20bc1861b50390186bcc8f8.pdf> (reporting results of survey, which confirms that ‘Brazilian organizations seem to consider whistleblowing a taboo or a deviant behavior and to persecute and retaliate those who blow the whistle as [if] they, rather than the wrongdoing, were the problem’); McLeod, Frances; Voss, Jenna, ‘Moving Forward After an Investigation’ in Americas Investigations Review 2020, at 86 [Moving Forward After an Investigation] (‘While retaliation is very much a cross-cultural phenomenon, it can be more pronounced in certain countries. Historical factors such as the local law enforcement culture, role of the military in law enforcement, confidentiality around investigations and the effect of prior autocratic government structures, may contribute to a heightened culture of retaliation. A whistleblower in such a society may be viewed as a traitor.’).
[44] Sierra, Diego, ‘Mexico’, in The Practitioner’s Guide to Global Investigations, Part II, 205 (Law Business Research, Judith Seddon, et al. eds., 3rd ed. 2019) (citing as a ‘principle challenge that arise[s] in cross-border investigations’ the ‘maintaining confidentiality of what comes to light during interviews with employees. This is often an issue as there is a weak confidentiality culture in Mexico.’).
[45] Basch and Cargnel (footnote 18, above).
[46] Rassi and Labate (footnote 34, above), at 89.
[47] Bofill and Praetorius (footnote 19, above), at 99.
[48] id.
[49] Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law.
[50] US DOJ Guidance (footnote 9, above), at 13.
[51] Zweibel, Megan, ‘AAG Benczkowski Wants Prosecutors to Be Compliance Sophisticates’, Anti-Corruption Report (8 January 2020) < https://www.anti-corruption.com/4230152/aag-benczkowski-wants-prosecutors-to-be-compliance-sophisticates.thtml?utm_source=emailArticle&utm_medium=email&utm_campaign=emailArticle>.
[52] Memorandum from Brian A Benczkowski (US Assistant Attorney General) to US DOJ Criminal Division Personnel, ‘Selection of Monitors in Criminal Division Matters’ (18 October 2018) < https://www.justice.gov/opa/speech/file/1100531/download>.
[53] See OECD, Corporate Governance and Business Integrity: A Stocktaking of Corporate Practices 56 (2015) < http://www.oecd.org/daf/ca/Corporate-Governance-Business-Integrity-2015.pdf>; Sureda and González Soldo (footnote 8, above).
[54] See US DOJ and US Securities and Exchange Commission, ‘FCPA: A Resource Guide to the U.S. Foreign Corrupt Practices Act’ (2012) < https://www.sec.gov/spotlight/fcpa/fcpa-resource-guide.pdf>; KPMG (footnote 42, above), at 17.
[55] Tillen, James G; Delman, Sonia M, ‘Lost in Translation: The Language of Bribery’, The Corporate Governance Advisor (1 August 2010).
[56] Deferred Prosecution Agreement, United States of America v. Orthofix International, N.V., 12-cr-0015 (2012) < http://fcpa.stanford.edu/fcpac/documents/3000/002056.pdf>.
[57] See Transparency International (footnote 8, above), at 7; Sureda and González Soldo (footnote 8, above).
[58] United Nations Global Compact, ‘A Guide for Anti-Corruption Risk Assessment’, 23 (2013) [UN Global Compact Report]; Tillen and Delman (footnote 55, above).
[59] Baker McKenzie (footnote 14, above), at 31.
[60] Press release, US SEC, ‘SEC Charges Telefônica Brasil S.A with Violating Books and Records and Internal Accounting Controls Provisions of the FCPA’ (9 May 2019) < http://fcpa.stanford.edu/fcpac/documents/5000/003861.pdf>.
[61] ‘Moving Forward After an Investigation’ (footnote 43, above), at 86.
[62] See UN Global Compact Report (footnote 58, above), at 20, 22; see also McLarty III, Thomas F, ‘Fire Marshals, Not Firefighters: A Different Approach to Crisis Management in Latin America’ in The Guide to Corporate Crisis Management, at 13 (Sergio J Galvis, et al., eds, 2018).
[63] See Costa Carvalho, Isabel; et al., ‘Brazil’ in The Practitioner’s Guide to Global Investigations, Part II (Judith Seddon, et al., eds., 3d ed. 2019); Moving Forward After an Investigation (footnote 43, above), at 86.
[64] See OECD, Behavioral Insights for Public Integrity: Harnessing the Human Factor to Counter Corruption, at 33 (2018) [OECD, Behavioral Insights] < https://dx.doi.org/10.1787/9789264297067-en>; Graf Lambsdorff, Johann, ‘Preventing corruption by promoting trust: Insights from behavioral science’, at 4 to 5 (Passauer Diskussionspapiere - Volkswirtschaftliche Reihe, No. V-69-15, 2015) < http://hdl.handle.net/10419/125558>.
[65] See UN Global Compact Report (footnote 58, above), at 15 to 16; cf. OECD, Behavioral Insights (footnote 64, above), at 35.
[66] Portella (footnote 15, above), at 55.
[67] See Corres (footnote 5, above) at 140; Portella (footnote 15, above), at 55 to 56.
[68] Warin, F Joseph; et al, ‘Co-operating with the Authorities: The US Perspective’ in The Practitioner’s Guide to Global Investigations, Part I (Judith Seddon et al. eds., 3d ed. 2019); Lehtman, Jeffrey A; Laporte, Margot, ‘Individuals in Cross-Border Investigations or Proceedings: The US Perspective’, in The Practitioner’s Guide to Global Investigation, Part I.
[69] Global Investigations Review, Proactive Compliance, ‘One Corporate’s Approach to Predicting Corrupt Payments’, at 15 (7 January 2020).
[70] US DOJ Guidance (footnote 9, above), at 7, 14.
[71] See OECD, Integrity for Good Governance in Latin America and the Caribbean: From Commitments to Action, at 68 (2018) < https://doi.org/10.1787/9789264201866-en>; Fonseca, André; Lima, Marina, ‘Brazil’ in The International Comparative Legal Guide to: Corporate Investigations (Keith D Krakaur and Ryan Junck, eds., 2018) < https://www.acc.com/sites/default/files/resources/vl/membersonly/Article/1475099_1.pdf>; Corres (footnote 5, above), at 137 to 144.