1. The Evolution of Compliance: How Did We Get Here?
Corporate compliance is the focus of many corporations around the world these days, but compliance has not always been a priority. In the United States, compliance programmes have transformed during the past five decades from a passive, reactive approach to a proactive approach that seeks to harness big data to monitor and ensure compliance. This new decade favours an approach that considers not only traditional aspects of effective compliance programmes, but also incorporates new elements such as behavioural science, social responsibility and societal benefits.
The United Nations, the Organization for Economic Co-operation and Development (OECD), the World Bank and other multilateral organisations have sought to promote compliance programmes as part of economic development. The United States and other nations have similarly incorporated law enforcement cooperation and compliance enhancement as part of their diplomatic strategies. These efforts have slowly taken hold. Prior to 2014, there was minimal awareness pertaining to corporate governance in Latin America. Operation Car Wash, the largest anti-corruption investigation in Brazil, which spread across the region, was a catalyst for Latin American countries to focus their attention on compliance and its effects.
This chapter reviews the evolution of compliance from the 1970s until today in the United States and Latin America. It traces how compliance programmes have evolved from being considered a luxury to becoming a necessity, especially for leniency in corporate prosecutions.
1970s and 1980s: Accounting compliance and accountability
In the United States, the 1970s was a decade riddled with scandal. An investigation by the US Securities and Exchange Commission (SEC) revealed that hundreds of US companies – including some of the most widely known and respected – bribed foreign officials to further their business interests. Corporations, across a wide range of industries, chose to remediate mistakes internally instead of correcting and reporting the errors. In response, the Foreign Corrupt Practices Act (FCPA) was signed into law in December 1977.
In the 1980s, there was an emphasis on ethics, specifically in the defence and healthcare industries, that required government contractors to adhere to stringent rules. It was not until a decade later, as corporations began to be held liable and be prosecuted for the criminal acts of their employees and agents, that corporations paid greater attention to proactive compliance programmes. Before this, corporate compliance was largely addressed passively through codes of conduct and value statements that were provided to employees or hung on walls but carried little weight.
1990s: Expansion of corporate liability
In the United States, corporate criminal liability can be traced back to respondeat superior, a legal doctrine commonly used in tort law. Respondeat superior requires that corporations take responsibility for the acts of their employees and agents if the act occurs within the scope of employment or agency, even if contrary to organisational policy and training. Under early case law, a corporation was considered to be a legally fictitious entity, incapable of forming the mens rea necessary to commit a criminal act. The Supreme Court ultimately rejected this notion in 1909 in New York Central & Hudson River Railroad v. United States. (Notably, this concept of a legal person not being subject to criminal liability was also recognised in most civil code countries. As discussed below, that legal doctrine is also changing in countries such as Brazil, Argentina and Colombia.)
The modern notion of corporate criminal liability was established in United States v. Hilton Hotels Corp. This case established that corporations can be liable for the criminal activity of their employees and agents even if the employee or agent acted contrary to the corporation’s policies or an officer’s direction, as long as the employee or agent acted within the scope of his or her apparent authority and with the intent – even if only in part – to benefit the corporation.
Despite a corporation’s best efforts to prevent criminal conduct within the organisation, corporate prosecution could bring forth financial and reputational ruin, as well as negatively affecting the morale of the corporation’s employees.
To address this institutional vulnerability and incentivise corporations to exemplify good corporate citizenship, but also to provide a means to rehabilitate corporations that have engaged in criminal conduct, the United States Sentencing Commission developed the Federal Sentencing Guidelines for Organizations (the Organizational Guidelines). These Guidelines signalled to corporations that the corporate code of conduct and value statements established decades ago were no longer sufficient by themselves to reduce penalties. The Guidelines recognise that an effective compliance programme is necessary to prevent and deter corporate criminal activity.
Federal Sentencing Guidelines for Organizations
The Organizational Guidelines apply to corporations, partnerships, non-profit entities, workforce unions, government units, pension funds and trusts. They address two key elements of sentencing: just punishment and deterrence. Just punishment intends to justly reflect the offender’s degree of blameworthiness; deterrence offers incentives for organisations to detect and prevent criminal acts. These Guidelines lay out the minimum criteria for an effective corporate compliance programme, under which an organisation must:
- establish standards and procedures to prevent and detect crime;
- provide oversight by high-level management, typically the board of directors;
- exercise due care in delegating substantial discretionary authority;
- establish effective communication and training for all employees;
- monitor, audit and report suspected wrongdoing, and periodically evaluate the effectiveness of the ethics and compliance programme;
- promote and consistently enforce the corporate compliance programme by incentivising use of the established mechanisms, and disciplining employees who commit crimes or fail to take reasonable steps to prevent or detect criminal conduct; and
- take reasonable steps to respond to criminal conduct once it has been detected and to prevent further criminal conduct.
Corporate compliance programmes
The most effective compliance programmes are those tailored for particular companies. However, a typical programme includes the key elements required by the Organizational Guidelines. In practical terms, the following are necessary: the endorsement and commitment of senior management, the appointment of a responsible officer to run the programme, risk assessment, relevant policies and procedures, training, certification of compliance with the rules and procedures of the programme, internal financial controls, due diligence of business partners, reporting mechanisms, investigation protocol, a progressive discipline policy, periodic auditing, monitoring, assessments of effectiveness and trend analysis. The Guidelines deliberately do not address the implementation of compliance programmes to provide organisations with the flexibility to design a programme that is best suited to their needs and particular industry.
Corporate compliance programmes are likewise important because of the liability a corporation and its officers can face. In re Caremark established a duty at the board of directors level to ensure companies had reporting systems in place to detect, prevent and mitigate violations of law. Courts view the Organizational Guidelines as powerful incentives for corporations ‘to have in place compliance programs to detect violations of law, promptly to report violations to appropriate public officials when discovered, and to make prompt, voluntary remedial efforts’. Officers can breach their fiduciary duty if they intentionally disregard red flags that should alert them to fraudulent activity within their corporation. Note, however, that officers can be civilly liable for unintentional actions as well.
2000s: Reaction to financial scandals and economic crisis
The start of the millennium brought fraudulent accounting scandals that resulted in bankruptcy for corporate giants Enron and WorldCom, and Enron’s auditor, accountancy firm Arthur Andersen. Enron and WorldCom were prosecuted for falsifying balance sheets to inflate earnings. These acts eroded investors’ confidence and the Sarbanes-Oxley Act of 2002 (SOX) was enacted to provide investors with a slate of protections from future wrongdoings.
Securities and Exchange Commission
In October 2001, the SEC issued a Report of Investigation and Statement (known as the Seaboard Report) explaining its decision not to take enforcement action against a public company it had investigated for financial statement irregularities. In this Report, the SEC articulated an analytical framework for evaluating cooperation by companies. In respect of compliance programmes, the Report stressed the importance of ‘[s]elf-policing prior to the discovery of the misconduct, including establishing effective compliance procedures and an appropriate tone at the top’ and ‘[r]emediation, including dismissing or appropriately disciplining wrongdoers, modifying and improving internal controls and procedures to prevent recurrence of the misconduct, and appropriately compensating those adversely affected’.
Sarbanes-Oxley Act of 2002
The United States Congress soon saw an opportunity to include compliance measures in legislation born out of a series of financial crises. SOX is a federal law that addresses corporate fraud. Named after its sponsors, Senator Paul Sarbanes, D-Md and Congressman Michael Oxley, R-Ohio, SOX is primarily enforced by the SEC, and its main goal is to increase corporate responsibility and protect investors. Many companies in Latin America have sought access to the US capital markets and, as a result, have become familiar with SOX compliance.
SOX holds corporate officers responsible for transparent and accurate financial accounting and timely reporting of violations. The Act mandates that chief executive officers and chief financial officers acknowledge responsibility for the accuracy, documentation and submission of all financial reports to the SEC. Management is responsible for internal control of financial records and flaws within this reporting. SOX requires corporations to develop, communicate and enforce formal data security policies for all financial data that is stored and used. Corporations must document, continuously update and remain compliant with SOX requirements. SOX also mandates annual audits and requires external auditors to attest that a corporation’s internal controls regarding financial records are appropriate. Both results of annual audits and certification by management and attestation by external auditors must be made available to stakeholders.
SOX also includes a provision that protects whistle-blowers at publicly traded companies. The provision encourages internal reporting by prohibiting retaliation against a whistle-blower who provides information, causes information to be provided, or assists in an investigation of any conduct that the whistle-blower reasonably believes should be reported to the SEC.
Before the first decade was out, the United States suffered another financial crisis. In response, the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (Dodd-Frank) was enacted. A major goal of Dodd-Frank was to protect the US economy from the collapse of financial institutions, such as was experienced in 2007 and 2008.
Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010
Dodd-Frank significantly reformed regulatory schemes by improving accountability and transparency in corporate accounting in an effort to promote financial stability. The Act forced improvements in corporate governance, such as executive compensation review and clawback, and other provisions.
This law also expanded on the whistle-blower protections created under SOX. Section 1057 of Dodd-Frank expanded the SOX protections to create a private cause of action for whistle-blowers in the financial industry, lowered the burden of proof to prevail on a claim, extended the statute of limitations and rewarded prospective whistle-blowers.
The most significant change in Dodd-Frank is that it amends the Securities Exchange Act of 1934 to provide a ‘bounty’ system for prospective whistle-blowers. The amended provisions financially reward whistle-blowers who voluntarily report to the SEC ‘original information’ that leads to a successful recovery by the SEC as it relates to a violation of securities law. A whistle-blower is eligible for an award of between 10 per cent and 30 per cent of the collected monetary sanctions in excess of US$1 million. The amended provision incentivises whistle-blowers to report directly to the SEC at the same time as they report to the company through internal channels.
The Dodd-Frank protections apply to publicly traded companies, subsidiaries and affiliates. Whistle-blowers are protected when providing information about, or refusing to participate in, activity reasonably believed to be a violation of law under the SEC’s jurisdiction. The burden of proof necessary to prevail is also reduced under Dodd-Frank. To prevail, the whistle-blower must show by a preponderance of the evidence that protected conduct contributed to retaliation against the whistle-blower. To defeat the action, the employer must demonstrate by clear and convincing evidence that the employer’s action against the whistle-blower would be the same even if the employee had not reported the activity. The provision also prohibits pre-dispute arbitration, except when it is set forth in collective bargaining agreements.
Whistle-blower provisions, as well as the prosecution of Arthur Andersen in the midst of the Enron scandal, moved the focus to the internal workings of an organisation. In part as a result of the collapse of Arthur Andersen following its prosecution, the corporate prosecutorial strategy of the US Department of Justice (US DOJ) shifted from the punishment of corporate conduct to the reform of corrupt corporate cultures. One way to assess a corporation from the inside out is through an external corporate monitor.
Corporate monitors are now relatively common; the US DOJ required one for the first time in 2008. Corporate monitors are required in a particular case as part of a plea or deferred prosecution agreement, usually when the US DOJ or the SEC (or both) believe that the company’s compliance system is not adequately developed or mature. A corporate monitor is responsible for developing, maintaining and monitoring a corporation’s compliance programme. As part of its Principles of Federal Prosecution of Business Organizations, the US DOJ considers corporate compliance programmes when making charging decisions.
2010s: Voluntary disclosure and government enforcement of compliance
The 2010s highlighted a concerted effort to export compliance through public and private enforcement. In the United States, regulatory agencies created policies to incentivise corporations to develop effective compliance programmes, and corporations have increasingly understood the benefit of compliance. In fact, corporations without effective compliance programmes may suffer significant penalties. Organisational and regulatory agency guidance assists companies in developing and monitoring the effectiveness of compliance programmes, which, in turn, assess risks and increase the likelihood of voluntary disclosure of violations. A summary of some of the more significant guidance is below.
OECD Good Practice Guidance on Internal Controls, Ethics, and Compliance
In 2010, the OECD adopted good practice guidance to establish and ensure the effectiveness of compliance programmes and internal controls to detect and prevent foreign bribery in international business transactions. The guidance is similar to the components of effective compliance programmes in the United States and ‘recognises that to be effective, such programmes or measures should be interconnected with a company’s overall compliance framework’.
Guidance on compliance
In 2012, the US DOJ and SEC jointly issued guidance that made clear that in exercising judgement, prosecutors will look to determine whether the company had a compliance programme in place and whether there was a commitment by the company to make effective use of such a programme. The US DOJ further elaborated on this guidance in its FCPA Corporate Enforcement Policy. A strong demonstration of a company’s compliance programme can help to change the structure of a resolution, moving it from a criminal charge to a deferred prosecution agreement, and can reduce the compliance obligations, such as for an external monitor. Moreover, even if a company is charged with a criminal violation of the FCPA, the Organizational Guidelines, which have considerable influence on the ultimate penalty imposed, provide for a mitigation of penalties if a company can demonstrate that the violation occurred in spite of an effective compliance programme. These Guidelines apply to all corporate criminal conduct and not just FCPA violations.
US DOJ compliance guidance
Corporations have been rewarded for effective compliance programmes for decades, but the US DOJ’s updated guidance released in April 2019 seeks to provide criteria by which to evaluate the true effectiveness of the programme. The United States Attorney’s Justice Manual instructs prosecutors to probe specifically whether a compliance programme is a ‘paper program’ or one ‘implemented, reviewed, and revised, as appropriate, in an effective manner’. Prosecutors will also determine whether the programme is sufficiently staffed to meet the audit and reporting requirements, and will evaluate the extent to which employees are informed about the compliance programme and the corporation’s commitment to the programme.
Harnessing big data: the rise of data analytics in compliance programmes
Compliance is a top priority for corporations today, and they are increasingly turning to harnessing internal data to monitor employees and increase the effectiveness of compliance programmes. Data analytics help compliance personnel within corporations to identify patterns that human beings cannot recognise, improve the way risk is managed and respond quickly to developing compliance issues. Of course, data analytics are only as effective as the data inputs and analytical outputs, so although this technique is a useful tool, it is not a replacement for a well-integrated compliance programme.
Soft skills and integrity
This new decade ushers in an approach that considers not only traditional aspects of effective compliance programmes, but also incorporates social responsibility and societal benefits. The new approach requires corporations to move beyond the letter of the law or actions within corporate policy, and view compliance as a benefit for society.
Environmental, social and corporate governance factors
A corporation’s financial performance drives its business decisions. Corporate officers focus on hard numbers to determine success. The new approach asks these officers to look beyond the data and to environmental, social and corporate governance factors (ESG) to strengthen financial performance and compliance. ESG factors, such as how a corporation responds to climate change, how effective health and safety policies are at preventing accidents, and how good the corporation is at building trust and fostering innovation, are not traditionally calculated in a financial analysis, but adherents are advocating that they have relevance and financial impact.
ESG is different from the movement to motivate corporations to be more socially responsible. Unlike social responsibility, which examines what corporations will not do (such as sell firearms), investors evaluate a corporation’s ESG to understand its purpose and value. Using this information, investors make decisions about where to invest. For this reason, the financial effects of ESG factors can be significant.
Compliance in Latin America
As has been noted, until the beginning of the 2010s, compliance was merely a secondary concern for companies in Latin America, seen as a superfluous investment with uncertain incomes. Even for companies subject to international anti-corruption laws, such as the FCPA and UK Bribery Act, compliance was often in place just as a paper programme without sufficient human and financial resources.
However, this situation began to change at the end of 2014 with the launch of Operation Car Wash. Although Brazil passed its anti-corruption law (the Clean Company Act) in late 2013, Operation Car Wash was the decisive turning point that transformed the fight against corruption in Brazil and across Latin America. As a result, the perception of the need for compliance policies also changed.
Operation Car Wash is the most extensive anti-corruption investigation in Latin America, focused on bribery schemes surrounding infrastructure projects and involving a series of construction companies, public officials and politicians. It is a cross-border investigation that exposed the corruption of public officials from several Latin American countries in addition to Brazil, including Argentina, Chile, Colombia, Dominican Republic, Ecuador, Mexico, Panama, Peru and Venezuela.
The compliance notions in Latin America were modified by two main elements of Operation Car Wash. The first was the fact that media attention put a red flag on investments in the region, which required a change of approach, especially by Latin American companies, to recover market confidence. The second was the international cooperation in investigations, resulting in multilateral agreements with rigid clauses, promoting the ‘regulation by enforcement’ in compliance rules.
With Operation Car Wash, several cross-border violations became public and resulted in close cooperation between Brazilian and foreign authorities. The three leading cases that led to cooperation between the US DOJ, the SEC and Brazilian authorities were Petróleo Brasileiro SA (Petrobras), Eletrobras – Centrais Elétricas Brasileiras SA (Eletrobras) and Construtora Norberto Odebrecht SA (Odebrecht). In all three cases, companies were subject to FCPA regulations as well as Brazil’s Clean Company Act since they are public entities listed on the New York Stock Exchange or had conducted business in the United States.
In addition to strengthening dialogue and cooperation between countries to build a global anti-corruption environment, these cases introduced new preventive, mitigation and disciplinary measures, creating a cross-regulation by enforcement. The imposition of corporate monitors is a clear example of innovation gained from this cooperation. A dual monitorship (i.e., the appointment of monitors from the United States and Brazil) was included in the settlement agreed between the US authorities and Odebrecht. Although it was not provided as a sanction in most Latin American compliance legislation, this alternative is currently on the radar of the local authorities.
Ultimately, Operation Car Wash put a spotlight on the weakness of compliance regulation and enforcement in Latin America, which resulted in a call for change. The response was the disruption of the current schemes and a movement to establish control measures. In Brazil, for example, participation in public tenders requires having a robust compliance programme addressing non-interference with the competitive nature of public tenders.
Through extensive enforcement, Brazilian legislation has become a reference in Latin America and the basis of newly enacted laws in the region, such as Mexico’s General Law of Administrative Responsibility of 2016 and Argentina’s Corporate Criminal Liability Law of 2018.
Compliance guidelines in Brazil
Although inspired by the FCPA, Brazil’s Clean Company Act is broader than the US requirements, extending to local officials and conduct against public administration, such as fraud in the public tender process and bid rigging.
The Clean Company Act forbids direct and indirect, active and passive bribery of local and foreign public officials, including the concealment and the use of intermediaries to engage in bribery. It also forbids fraud in public bids and obstruction of government investigations. It imposes civil and administrative strict liability for violations by an entity’s directors, officers, employees and agents when acting on behalf of the entity.
While the Clean Company Act outlines specific corruption violations, it was its supplementary law (Decree No. 8420), issued in 2015, that provided details about corporate liability, penalties and mitigating measures – including fines, public disclosure of violation and debarment from contracting with government entities for violations. Besides setting benefits relating to collaboration in investigations through leniency agreements, Decree No. 8420 provides for the existence of an effective compliance programme as the primary defence and mitigating measure.
Decree No. 8420 defines a compliance programme as a set of internal integrity and audit mechanisms, policies and guidelines to detect and remedy deviations, fraud, irregularities and unlawful acts committed against national or foreign public administration, and procedures for reporting irregularities and effectively enforcing codes of ethics and conduct. According to Decree No. 8420, a compliance programme must be tailored, implemented and updated following the peculiarities and risks of the entity, and to ensure its continuous improvement and effectiveness.
To be considered as a defence, a compliance programme will be evaluated according to several parameters, as outlined by Decree No. 8420:
- Tone at the top: The commitment of senior management, including board members, who must show unequivocal and public support for the compliance programme.
- Implementation of internal policies: Standards of conduct, codes of ethics, integrity policies and procedures shall apply to all employees and managers regardless of their position or function.
- Third-party policies: Policies for hiring, selecting and monitoring of third parties, due diligence procedures and risk matrix. In addition, third parties must be provided with the code of ethics and other applicable standards of conduct in force at the company.
- Training: Periodic training that is tailored to the target audience.
- Periodic risk assessment: Regular risk analysis to identify risks and to implement improvements.
- Internal control: Accurate and precise accounting records and information, and maintaining effective internal controls for financial reports and statements.
- Specific policies concerning interaction with public officials: Specific policies and procedures to prevent fraud and illicit conduct relating to bidding processes, execution of contracts with public entities, obtaining licences, and other interaction with public officials, including interactions intermediated by third parties.
- Responsible officer: Independence, sufficient powers and adequate human and financial resources available to the internal body responsible for the implementation and enforcement of the compliance programme.
- Reporting channels: Effective channels for reporting violations, based on non-retaliation and confidentiality, which shall be clearly and widely disclosed to employees and third parties.
- Disciplinary measures: Policies on internal investigations and enforcement of disciplinary measures for violations.
- Remediation and mitigation: Procedures that ensure the prompt interruption of violations when they are detected and the timely remediation of the damage generated.
In October 2015, the Office of the Comptroller General in Brazil (CGU) – a leading enforcement agency of the Clean Company Act – published its Integrity Programme: Guidelines for Legal Entities (the CGU Guidelines). These Guidelines summarised the requirements from Decree No. 8420 in ‘five pillars’ of the Integrity Programme: (1) Commitment of senior management; (2) An internal department responsible for the Integrity Programme; (3) Profile and risk analysis; (4) Structuring of rules and instruments; and (5) Continuous monitoring strategies. Besides the Brazilian legislation, the CGU Guidelines reference the UK’s Bribery Act Guidance, the OECD’s Good Practice Guidance on Internal Controls, Ethics and Compliance, the UN’s An Anticorruption Ethics and Compliance Programme for Business: A Practical Guide, the US Sentencing Commission’s Guidelines Manual and The Complete Compliance and Ethics Manual published by the Society of Corporate Compliance and Ethics.
Compliance guidelines in Colombia
Following the enactment of Brazil’s Decree No. 8420, Colombia, Mexico, Peru and Argentina also provided specific compliance standards. In general, those provisions are very similar to the FCPA and Brazil’s Clean Company Act, but with particular nuances concerning the extension of requirements, enforcement and gradation of mitigation for liability.
On 2 February 2016, Colombia enacted Law 1778 (the Transnational Corruption Act), in which anti-corruption mechanisms are set as relevant criteria for calculating penalties for violations. According to the Transnational Corruption Act, private companies that maintain transnational businesses and act under the supervision of the Colombian Superintendence of Corporations shall adopt compliance programmes, which shall provide internal anti-corruption mechanisms, audit policies and preventive measures, and promote transparency.
Similar to Decree No. 8420, Colombia enacted Resolution No. 100-000003 (the Transnational Corruption Act Compliance Guidelines), on 26 July 2016, to guide the implementation of compliance programmes, based on three basic principles:
- The compliance programme shall be tailored based on the particular risks of each entity. Accordingly, risk assessment must be undertaken based on (1) transparency risks from the country involved in the transnational operation, (2) the specific sector – taking into consideration that energy, infrastructure and healthcare require stronger controls – and (3) the level of interaction with third parties.
- Senior management shall endorse a commitment to a culture of ethical behaviour and lead measures to avoid transnational bribery and other corrupt violations.
- The establishment of control mechanisms, due diligence procedures and periodic audits to ensure the effective detection of violations and undertaking of mitigation actions.
Following these principles, the compliance programme shall:
- provide written compliance policies, and the code of conduct shall summarise and detail all relevant standards of conduct provided in those policies. The policies shall be translated into the language of the countries with which the company maintains transnational transactions;
- ensure wide disclosure of the compliance programme and clear communication of its requirements;
- conduct robust and periodic risk assessment concerning the hiring of third parties (due diligence) and performance of the compliance programme;
- train employees and assign responsibility, including members of senior management and boards, to detect, prevent and mitigate violations;
- implement internal control mechanisms and audit procedures to ensure precise accounting records and information; and
- require specific formal commitments concerning ethics, audit rights and termination from high-risk third parties.
To expand compliance guidelines beyond transnational operations, Colombia’s Secretary of Transparency introduced a Register of Active Companies in Anti-Corruption (EAA) to promote internal best practice and prevent corruption. The EAA uses nine categories to assess the compliance programmes of private entities: (1) risk assessment; (2) corporate organisation and responsibilities; (3) policies tailored to specific high-risk areas; (4) the programme’s implementation; (5) financial and internal controls; (6) communication and training; (7) human resources policies; (8) reporting of policy procedures; and (9) compliance programme audit system.
Compliance guidelines in Mexico
The wave of change to Mexico’s legal framework against corruption started with the Constitutional Reform of 7 February 2014, which introduced transparency obligations relating to the access of information. Then, the launch of the National Anticorruption System on 27 May 2015 resulted in the enactment of a series of anti-corruption provisions.
In addition, on 18 July 2016, the General Law of Administrative Responsibility (GLAR) was enacted with the purpose of outlining compliance obligations. GLAR is very similar to Brazil’s Clean Company Act and prohibits the payment of bribes to public officials, bid rigging, improper interference in public procurement processes and contracts, and other corruption violations.
Similarly to the Brazilian and Colombian legislation, GLAR establishes that a compliance programme may be a mitigating factor of liability, providing it meets the following minimum requirements:
- to provide clear information about the organisational structure and reporting lines;
- to establish and widely disclose a code of conduct, which shall include and detail standards of ethics and procedures;
- to provide adequate control, compliance and audit systems to support regular and periodic reviews of the performance of the compliance programme;
- to maintain robust hotline channels, both internally and outside the entity, and policies on investigation proceedings and disciplinary measures;
- to conduct periodic training;
- to provide human resources staff with policies and training to prevent the hiring of high-risk individuals; and
- to provide mechanisms to enhance transparency within the entity.
Compliance guidelines in Peru
The Peruvian anti-corruption legislation (the Corporate Administrative Liability Law) was enacted on 1 April 2016 as a corporate liability extension of the crime of corruption provided in the Criminal Code.
Under the Corporate Administrative Liability Law, the existence of an effective compliance programme can exempt an entity from penalties for a corruption violation. An effective compliance programme as outlined by the Law is significantly more straightforward than those required by legislation in other Latin American countries.
According to the Corporate Administrative Liability Law, to be regarded as ‘an effective preventive mechanism’, the compliance programme shall:
- properly map and identify an entity’s activities and procedures concerning risks of corruption, money laundering and terrorism, and other violations provided in the Criminal Code;
- establish preventive policies and procedures;
- identify management, audit and accounting policies and procedures that may prevent corruption violations; and
- provide reporting mechanisms, investigative protocols and disciplinary measures.
Compliance guidelines in Argentina
Law No. 27401 (the Corporate Criminal Liability Law) was enacted on 2 March 2018 to join Latin America’s efforts against corruption. It provides for local and transnational corruption violations, including bribery of public officials, fraudulent negotiations of public contracts, and fraudulent accounting reports and statements.
Under the Corporate Criminal Liability Law, an investigated entity that is proven to have an effective and appropriate compliance programme may be exempt from penalties. To qualify for the waiver, the compliance programme shall provide (1) periodic risk assessment and policy review, (2) support from senior management, (3) hotline mechanisms, (4) whistle-blower protection policies, (5) internal investigation protocols, (6) third-party due diligence process and procedures, (7) due diligence policies and procedures for corporate transactions, (8) periodic and continuous monitoring, and (9) assignment of a responsible officer to take charge of implementation and supervision.
Compliance guidelines in Chile
Unlike many Latin American countries affected by Operation Car Wash, Chile has chosen not to create a specific anti-corruption law. On 2 January 2009, Chile enacted Law No. 20393 (the Criminal Responsibility of Legal Entities Law), which broadly sets out provisions against money laundering, terrorism financing and bribery.
The Criminal Responsibility of Legal Entities Law sets a ‘crime preventive model’, which must be led by a responsible officer or department (a ‘preventive commissioner’) with an independent reporting line and adequate human and financial resources.
The preventive commissioner will be responsible for identifying risks, setting internal policies and controls, implementing accounting controls and enforcing disciplinary measures.
Other Latin American compliance provisions
Providing adequate treatment of the anti-corruption laws of the 20 countries and six dependencies that comprise Latin America would require a separate book. However, it is noteworthy that Panama and, recently, Costa Rica have also enacted laws providing compliance guidelines. Other countries, such as Guatemala and Uruguay, define corruption violations in their criminal codes but do not provide details on compliance requirements. However, most countries follow international compliance guidelines, such as the OECD’s Good Practice Guidance on Internal Controls, Ethics and Compliance.
Challenges for the future
The situations we have described demonstrate that compliance in Latin America has been introduced as a reactive measure born out of corruption scandals. Consequently, the major challenge for these countries is to promote a cultural change in how to do business and continue to enforce the new anti-bribery laws.
The consolidation of the compliance culture has also been driven by increasing requirements from foreign investors, who demand strict due diligence and robust compliance mechanisms before making their investment decisions. Accordingly, the Latin American market has started to see corporate integrity as an asset that builds credibility and attracts investments.
In the United States and Latin America, compliance began with a focus on rules-based systems and employee training. Over time, government agencies have required, and corporations have realised, that compliance programmes serve as proactive measures to detect and prevent corruption. The evolution of compliance has gone from a poster on the wall to a dynamic programme that involves all members of an organisation and its investors. Compliance is no longer about simply following the letter of the law. The bar is being raised ever higher and, in addition to government agencies watching over misbehaviour and cooperating across the region, media, investors, potential business partners and other stakeholders are ever more watchful. Compliance is now evolving beyond simple legal compliance to a consideration of societal benefits and a holistic ESG approach.
 Peter Spivack and Isabel Costa Carvalho are partners at Hogan Lovells. The authors gratefully acknowledge the considerable assistance of Cintia Rosa and Jessica Bigby, associates at Hogan Lovells.
 212 U.S. 481 (1909).
 467 F.2d 1000 (9th Cir. 1973).
 The following is an example of an industry-specific compliance programme.
The Office of Inspector General [OIG] for the US Department of Health and Human Services issued a series of voluntary compliance programme guidance documents specifically tailored to the healthcare industry. The initial guidance, issued in 1997, applied to clinical laboratories, seeking to safeguard them from fraud and abuse. A year later, the OIG issued guidance aimed at hospitals, nursing homes, durable medical equipment suppliers and third-party billers. The 1998 guidance supports the development and use of internal controls to promote compliance with applicable US federal and state law, federal and state programme requirements, and private health plans. The model compliance programme should, as a minimum, include: written policies and procedures that emphasise a commitment to compliance; designation of an officer charged with the development and monitoring of compliance programme training for all employees; a hotline to receive complaints; policies and procedures to ensure the anonymity of complainants and to protect whistle-blowers from retaliation; audits or a similar mechanism to monitor compliance and to detect and prevent crime; and disciplinary policies to address potentially criminal misconduct.
 698 A.2d 959 (Del. Ch. 1996).
 id., at 982.
 McCall v. Scott, 239 F.3d 808, 819 (6th Cir. 2001).
 id., at 817 (‘unconsidered inaction can be the basis for [officer] liability because . . . ordinary business decisions . . . can significantly injure the corporation and make it subject to criminal sanctions’); but see Dellastatious v. Williams, 242 F.3d 191, 196 (4th Cir. 2001) (holding that officers can avoid liability by making a good faith effort to have a reporting system).
 ‘SEC Issues Report of Investigation and Statement Setting Forth Framework for Evaluating Cooperation in Exercising Prosecutorial Discretion’ (2001) <https://www.sec.gov/news/headlines/prosdiscretion.htm>.
 This system is similar to that used in the Federal False Claims Act since its modernisation in 1986, with the express intent of increasing the incentives to report violative conduct to the US government.
 In fiscal year 2019, approximately 480 whistle-blower tips came from outside the United States, including Latin America (source: US SEC, 2019 Annual Report to Congress on the Dodd-Frank Whistleblower Program, Appendix C <https://www.sec.gov/files/sec-2019-annual%20report-whistleblower%20program.pdf>).
 See United States v. Siemens Aktiengesellschaft, Case No. 08-CR-367-RJL (D.D.C. 2008).
 ‘A Resource Guide to the U.S. Foreign Corrupt Practices Act’ <https://www.justice.gov/sites/default/files/criminal-fraud/legacy/2015/01/16/guide.pdf>.
 For Latin American countries that wish to do business with the US government, the Federal Acquisition Regulation (FAR) establishes other requirements. The FAR prioritises ethics and compliance throughout the federal procurement process, from solicitation to execution of the awarded contract, and embodies the US government’s policy of dealing with only ‘presently responsible’ contractors. Government contractors must develop and maintain a compliance programme within 30 days of award. The programme must be in writing, available to all employees on the contract, and contain mechanisms to report violations; further, violations must be reported in writing to the contracting officer or the Office of Inspector General for the US Department of Health and Human Services in a timely manner. Solicitations and contracts expected to exceed US$5.5 million in value and 120 days in performance are required to include the Contractor Code of Business Ethics and Conduct clause in the documentation.
To be compliant with the FAR, it is not enough to conduct only due diligence. The FAR views compliance programmes as a good judge of a government contractor’s character and an effective compliance programme may lead to contract awards. There is also no excuse for omitting a required clause in contracting documents. The Christian Doctrine states that if the FAR requires a clause to be in a contract, it is considered a requirement regardless of whether it is actually in the contract.
In 2015, seven years after mandating compliance programmes, the FAR added a human trafficking requirement relevant to government contracting overseas. Supplies acquired and services performed overseas in excess of US$500,000 require that contractors certify compliance and monitoring of human trafficking issues. Importantly, government contractors may be liable for the actions of all contractors, subcontractors and agents.
 Justice Manual 9-28.800.
 See also Chapter 22 on External Compliance Monitorships.