7. Employee Compliance Training: Adapting Programmes to Local Laws and Customs
Managing multinational workforces
A common challenge in any international compliance programme is adapting principles and rules of general application to the particular circumstances of employees and other stakeholders, who may be operating in widely differing locales and situations. Among other matters, differences in languages, customs, cultures, business environments, risk profiles and legal systems can present daunting problems for any organisation that wants to embed its compliance programme in its global corporate culture.
Some aspects of being able to successfully navigate this challenge cut across all the components of a compliance programme and are at the core of the ‘effectiveness’ requirement that is generally acknowledged as the overarching criterion to assess the programme’s worth. Thus, for example, a clear and consistent ‘tone from the top’, channels for submitting complaints and reports of possible violations, policies and protocols for conducting investigations, robust internal controls and procedures, among other matters, all need to be incorporated into the various layers of the organisation and work in a coordinated and cohesive fashion.
Among these components, employee training has an essential role in ensuring that the compliance programme is disseminated throughout the organisation and incorporated into employees’ everyday activities. The training programme must therefore be integrated into a company’s broader effort of adapting the compliance programme to the various jurisdictions and areas in which it operates. However, this adaptation can be particularly complicated, because training is the most direct and substantial point of contact between a company’s ethics and compliance programme and its employees, and must show its effectiveness in successfully communicating and embedding the company’s policies and procedures into its workforce despite multiple legal, cultural, linguistic and other potential barriers.
Although there has been a global trend towards regulating, studying and developing ethics and compliance programmes through local laws, international treaties, business organisations and various non-governmental organisations (NGOs), the United States (primarily in the context of the Foreign Corrupt Practices Act (FCPA)) still leads the way in developing criteria for determining the effectiveness of these programmes. It is important, therefore, to highlight the most recent guidance to prosecutors from the US Department of Justice (US DOJ), updated in April 2019 (US DOJ Guidance), specifically referencing the issues to be assessed when reviewing a company’s employee training programme:
[A] hallmark of a well-designed compliance program is appropriately tailored training and communications.
Prosecutors should assess the steps taken by the company to ensure that policies and procedures have been integrated into the organization, including through periodic training and certification for all directors, officers, relevant employees, and, where appropriate, agents and business partners. Prosecutors should also assess whether the company has relayed information in a manner tailored to the audience’s size, sophistication, or subject matter expertise. Some companies, for instance, give employees practical advice or case studies to address real-life scenarios, and/or guidance on how to obtain ethics advice on a case-by-case basis as needs arise. Prosecutors should also assess whether the training adequately covers prior compliance incidents and how the company measures the effectiveness of its training curriculum.
Prosecutors, in short, should examine whether the compliance program is being disseminated to, and understood by, employees in practice in order to decide whether the compliance program is ‘truly effective’.
In the context of multinational workforces, it is important to consider the circumstances of the places where the employees work. In the case of Latin America, some matters are relatively homogeneous, such as the broad use of Spanish (with the obvious exceptions of Brazil and some Caribbean countries) and the widespread adoption of civil law systems. Even within these general homogeneities, however, there are important exceptions and caveats, since most countries in Latin America have indigenous populations, with their own local languages and customs. Depending on the places in which a company operates, the industries in which it is engaged and the composition of its workforce, among other matters, these factors can be relevant and present complex challenges for a company trying to implement a global compliance programme.
So, as tends to be the rule when dealing with complicated problems, there are no simple answers or solutions to adapting a global compliance programme to multinational workforces. Each company needs to allocate the necessary resources, time and commitment to ensuring that its employees, consultants and other relevant stakeholders are aware of the compliance programme and can work with it effectively. This chapter provides some practical guidance to companies faced with this daunting challenge.
Complying with legislation of varying levels of maturity and cultures
It is generally acknowledged that professional and reliable risk assessments, carried out at the launch of a programme and subsequently in periodic iterations, are the foundation of an effective ethics and compliance programme. One essential aspect of any compliance risk assessment is identifying applicable laws and the measures that a company needs to adopt to ensure compliance with those laws and mitigate the risks of non-compliance.
For companies that operate in multiple jurisdictions, the risk assessment must evaluate not only the content of local laws, but also the way in which they are effectively enforced and their potential impact on the business and its personnel. For example, a country may have enacted very strict anti-corruption laws, but in practice its business environment may be highly corrupt, and laws may be selectively enforced (e.g., for political or corrupt reasons) or not enforced at all. Thus, the risk assessment should consider these factors and determine the mitigation measures that are appropriate given the company’s culture and risk tolerance, including their possible effect on the enforcement of other laws in jurisdictions to which the company may also be subject.
As a result of this analysis, a company would need to make quantitative and qualitative determinations about the implications of the legal situation in specific contexts and identify any potential tensions or conflicts with other applicable laws or the company’s general policies and standards. This can perhaps be achieved only by the combined efforts of local lawyers who are familiar with the realities of the local legal system and lawyers who understand the broader international legal framework as well as the company’s compliance programme.
Of course, this means that a company’s compliance officer needs to be involved in ensuring that there is clear communication with the persons responsible for implementing the compliance programme at the local level and with attorneys who understand the local legal landscape, both in terms of the contents of the law and its practical application, including potential pitfalls and improper practices. In Latin America, compliance departments tend to be embedded in the legal function and are sometimes not formally recognised as a distinct area of expertise, but rather as just another part of the legal department’s mandate. In this context, it is important that at least some individuals in the local legal departments understand the difference between the compliance programme and the legal function, and that mechanisms are in place to avoid potential conflicts of interest between the two areas.
Similar considerations apply when it comes to dealing with cultural differences. The company’s risk assessment would need to evaluate the effects of those differences on its compliance programme and the broader organisation, and the compliance department and other relevant areas would determine appropriate mitigation measures. Some of these cultural differences may refer to the law itself, since attitudes and practices towards concepts such as strict adherence to rules, personal or group loyalty, social versus legal norms, can have a significant effect on whether and how laws are obeyed and enforced.
To ensure these cultural differences are adequately identified and their potential impact measured, companies should again ensure that local employees and other persons with an understanding of the local culture coordinate closely with the compliance department and other areas with relevant knowledge of the corporate culture and the international laws and standards under which the company operates. This effort will set the groundwork for ensuring that the corporate compliance programme has a real effect at the local level and that the company can adequately assess the risks and implications of varying cultural practices in the jurisdictions where it conducts business.
Once a company has obtained a clear understanding of the different legal and cultural contexts in which it operates, it can then tailor its compliance programme as needed. The risk assessment can be used as the foundation on which the company designs and implements focused training throughout the organisation, allocating resources to high-priority areas and crafting a cohesive narrative around corporate culture and risk mitigation. Again, the 2019 US DOJ Guidance provides some useful criteria in the form of questions to be considered by prosecutors in evaluating a compliance programme:
Risk-Based Training – What training have employees in relevant control functions received? Has the company provided tailored training for high-risk and control employees, including training that addresses risks in the area where the misconduct occurred? Have supervisory employees received different or supplementary training? What analysis has the company undertaken to determine who should be trained and on what subjects?
Form/Content/Effectiveness of Training – Has the training been offered in the form and language appropriate for the audience? Is the training provided online or in-person (or both), and what is the company’s rationale for its choice? Has the training addressed lessons learned from prior compliance incidents? How has the company measured the effectiveness of the training? Have employees been tested on what they have learned? How has the company addressed employees who fail all or a portion of the testing?
Communications about Misconduct – What has senior management done to let employees know about the company’s position concerning misconduct? What communications have there been generally when an employee is terminated or otherwise disciplined for failure to comply with the company’s policies, procedures, and controls (e.g., anonymized descriptions of the type of misconduct that leads to discipline)?
Availability of Guidance – What resources have been available to employees to provide guidance relating to compliance policies? How has the company assessed whether its employees know when to seek advice and whether they would be willing to do so? 
Beyond these immediate considerations, conducting a risk assessment (both initially and in subsequent iterations) can yield other useful benefits. For example, the company might be able to identify commonalities among various jurisdictions, both in terms of risks and opportunities, and adopt regional or even global responses, such as training materials and policies that can be used in several countries. The exercise could also help the company to identify bright lines and non-negotiable general principles and rules, such as ‘the company will not tolerate and will report all suspected instances of child labour’ or ‘the company will never pay for trips of government officials’, while avoiding adopting rules that may be difficult or impossible to comply with (‘the company will never make political contributions’). Also, once identified, these general rules can serve as powerful messages that local legal or cultural differences cannot be used as an excuse to violate the company’s policies, standards or values.
Additionally, ethics and compliance risk assessments can help a company to detect systemic risks or problems that would not be visible at the purely local or purely global levels, such as irregular money flows between certain jurisdictions or the spread of improper practices across borders. Finally, the company could also identify best practices or innovative solutions to compliance problems at the local level that might be transferrable to other jurisdictions, or even to the entire organisation.
Tailoring a global compliance policy
Once a company has identified the relevant ethics and compliance risks in the jurisdictions in which it operates and mapped out its priorities and mitigation strategies, it must design and roll out a training plan tailored to its audiences and explicitly linked to its overall ethics and compliance programme; that is, it should be clear how the training plan helps the company reduce its compliance risks in measurable ways and is not just window dressing.
A good starting point for tailoring a global compliance policy to local operations is to extract the core principles and guidelines of the policy and use them as a template for any necessary adaptations. This can help the company avoid excessive deviations from the norm and keep consistency of form and substance across multiple jurisdictions and business units. A common practice is to start with a broad global policy setting forth rules of general applicability and use ancillary documents, such as appendices and protocols, to incorporate exceptions, special rules and criteria, and other considerations applicable to specific jurisdictions, regions, business units and categories of persons, among other circumstances. This entails that considerable care should be used in drafting the global policy in the first place, since it should be broad enough to allow for such tailoring but also specific enough to contain actionable rules and guidelines that protect the company and set clear expectations of behaviour across the board.
Among other things, some basic considerations and issues a company should keep in mind when tailoring its global policies include the following:
- Local teams: Representatives from legal, compliance, human resources, comptrollership, communications and other relevant areas of the corresponding locality or business unit should be actively involved, not only to ensure that the tailoring is responsive to local requirements and circumstances, but also to get buy-in and accountability from the persons likely to be overseeing the day-to-day operation of the policies.
- Translations: The company should allocate enough time and resources to ensure any required translations are professionally prepared and vetted by persons familiar with local idioms and customs. Poorly prepared translations are a common problem and can greatly undermine an otherwise well-designed adaptation. Another pitfall to avoid is including hypotheticals, or specific examples, that may not make sense to particular local audiences. This is particularly relevant in Latin America, since the commonality of language, history and legal systems can lead to the erroneous conclusion that what works in one country or location will work everywhere else. As mentioned earlier in this chapter, there are substantial differences between countries in Latin America.
- Online versus in-person training. Decisions about whether it is best to conduct training online or in person depend on several factors, and companies should develop clear criteria to justify their decisions in each case. In general, online sessions can be effective when trying to reach large audiences, rules and policies are relatively simple and not subject to interpretation, and the learning of the trainees can be easily assessed through quizzes or exams. Of course, access by local employees to the required technology and the availability of good-quality translations will also be relevant considerations. On the other hand, in-person training is most effective when policies are more technical, complicated or ambiguous and require context-specific explanations, including opportunities to ask questions or raise concerns. In-person training is also preferable in the case of senior management, or others facing the greatest levels of compliance risk. When doing in-person training, it can useful to combine trainers from corporate headquarters and from the local compliance department. The presence of representatives of the global compliance programme sends a clear message about the importance and seriousness the company places on compliance, and helps to ensure consistency and quality control. Further, the participation of local trainers helps to address legal or cultural issues and serves to empower the local compliance function.
An important development in Latin America during the past decade that can be useful in helping companies to tailor their ethics and compliance policies, is that countries throughout the region have been incorporating the concept of compliance programmes (under various names) into their domestic laws, largely as a result of their participation in the Organisation for Economic Co-operation and Development’s (OECD) Anti-bribery Convention. In addition, the region as a whole has experienced an increase in awareness of the importance of ethical corporate behaviour. This is reflected in the adoption of codes of ethics and best practices by business organisations, the participation of local and international watchdogs and NGOs, and public indignation about corruption scandals that revealed extensive networks of complicity among corrupt politicians, corporations and prominent businessmen and women.
Brazil started this trend in 2013 with its Clean Company Act, and most of the major economies of the region have followed suit to varying degrees. Mexico introduced criminal corporate liability and the notion of corporate ‘integrity policies’ in 2016’ Argentina did the same in 2017. Colombia, Chile and Peru have made similar changes to their laws. The import of these laws has mainly been to introduce leniency programmes for companies that adopt effective ethics and compliance programmes.
Since these laws tend to be modelled on the FCPA/OECD paradigm, they share similar requirements regarding the elements of an effective compliance programme. As is to be expected, employee training is a requirement in all of them, but of note is that some laws that distinguish between necessary and optional elements invariably include training in the necessary column. This gives companies and their compliance officers a new and powerful tool to counteract resistance or arguments based on local culture or laws, and allows them to authoritatively affirm that compliance training is now incorporated into the laws of most jurisdictions in which they operate.
Recruiting, hiring, performance appraisal, compensation and labour relations
An ethics and compliance programme can only be as effective as the people living it and applying it in their everyday activities. Therefore, companies should screen prospective employees for potential compliance risks at the point of entry into the organisation (i.e., at the recruitment and hiring stages) and subsequently through periodic reviews. Article 25 of Mexico’s General Administrative Responsibilities Law, for example, provides that a compliance programme shall include, among other matters, ‘[h]uman resource policies designed to prevent the hiring of persons who may create an integrity risk to the corporation’.
Since labour laws vary widely by country, local counsel should be involved to ensure that the recruiting, hiring, appraisal and compensation components of the ethics and compliance programme do not run afoul of local law. On the other hand, members of the global compliance department also need to check that any local adaptations or exclusions do not jeopardise the core policies or tenets of the company’s code of ethics. A common suggestion is to include compliance with the company’s code of ethics, policies and procedures as central obligations of employees in their labour contracts, and to include non-compliance as cause for disciplinary measures, up to and including dismissal.
In the context of compliance training, an integral part of any session should be to make clear the consequences of failure to comply with the ethics and compliance programme. Of course, failure to take the training itself should be considered non-compliance with the company’s policies and standards.
Recruitment and hiring
Several laws and treaties specifically require that companies include adequate ethics and compliance due diligence in their employee recruitment and selections processes, particularly for senior management or high-risk areas. In addition, companies should include compliance training as part of their onboarding procedures, but it might be a good idea to require some form of prelimary training, or other type of proactive screening, before hiring decisions are made, to allow the company to pre-emptively identify and evaluate potential risks.
The due diligence process in hiring can be fairly straightforward, primarily through risk-based screening (e.g., interviews and questionnaires) of potential candidates. The company should develop clear protocols to identify and channel ‘red flags’ that arise during the screening process. Typically, a company would want to check potential candidates against sanctions or PEP (politically exposed persons) lists, and identify potential conflicts of interest, past incidences of illegal or unethical behaviour, among other matters.
The type of compliance training that should accompany the onboarding process will vary by company, industry, position and location, but will usually be introductory in nature and focus on the overall corporate culture and on the most important policies, values and practices of the organisation. A good practice is to include a brief message by the company’s president or chief executive officer emphasising the importance of complying with the ethics and compliance programme.
Finally, companies should take care to avoid discriminatory or unfair hiring practices under the guise of compliance screening. Labour and anti-discrimination laws vary greatly across countries, so it is important to check with local counsel to ensure the screening process will not raise any such concerns. In any case, potential candidates should be made aware of the criteria used to make hiring decisions, and efforts should be made to ensure that they feel that they have been treated fairly.
Performance appraisal and compensation
Companies should explore ways to link employee performance reviews and at least some part of their compensation (such as performance bonuses or other forms of variable compensation) to compliance with the company’s programme and ‘living’ or ‘exemplifying’ the company’s values, principles and standards of conduct. (The pros and cons of this practice are discussed in the next section; for now the focus is on the legal issues arising from linking performance appraisal and compensation).
As in the recruitment and hiring processes, companies should be careful to avoid discriminatory or unfair treatment when performing employee compliance assessments. Again, transparency and objective criteria are key factors in avoiding perceptions of injustice or discrimination. Companies may also develop surveys and statistical models to identify trends and promptly identify potential biases in their performance appraisals and compensation decisions; for example, if the data show a wide gender discrepancy in the allocation of compliance-based performance bonuses, the problem may lie – at least in part – with the review process and not the underperforming candidates. The company can then undertake remediation measures before the problem worsens. Conversely, reliable data gleaned from these analyses can help a company defend itself against unfounded accusations of bias or unfair treatment.
Another relevant issue to bear in mind is the risk that any bonuses or other awards based on compliance performance appraisals may be construed as entitlements or similar ‘earned rights’ under local laws. Again, companies should consult local counsel to mitigate this risk, but the same general recommendations made above should apply here: include appropriate provisions in labour contracts, maximise transparency and objectivity, develop reliable statistical data, remediate application errors, and clearly link the appraisal and compensation decisions to the overarching goal of having an effective ethics and compliance programme.
It can be tricky to align the ethics and compliance programme with the priorities and agendas of unions or other labour organisations or representatives, but if done correctly it can be a powerful tool in shaping the corporate culture and mitigating compliance risks. Of course, much will depend on the circumstances, as not all unions and labour laws favour innovation in employee compensation and incentive packages, but some basic recommendations may be helpful.
First, establishing trust and building a constructive, non-adversarial relationship between the company and the union or labour representatives is essential. The company should be able to make the case that an ethical workplace, where rules and values are clearly understood and shared, works to the benefit of all parties, since employees are less likely to be put in inappropriate situations and face legal, reputational or personal risks. In that context, it makes sense to recognise and incentivise behaviour aligned with the ethics and compliance programme.
Second, as in the case with individual employees and executives, the company should try to include compliance with the ethics and compliance programme as an explicit part of employees’ obligations in collective bargaining or similar agreements, and obtain acknowledgment that violations will result in disciplinary measures, up to and including dismissal. To get this acknowledgment, the company may need to commit to carrying out fair and independent investigations of potential violations, including allowing participation by union or labour representatives, where required or permitted by local law. Likewise, the company should endeavour to obtain acknowledgment that related bonuses and awards will not create entitlements or other forms of earned rights. Again, the company should ensure that it is advised by competent local labour counsel.
Finally, the company could explore possibilities to share best practices with the union and offer to provide training, policies, programme design and planning, controls and procedures, and other elements of an effective compliance programme that the union could itself adopt as an organisation. Conversely, union leaders could offer to assist in setting their own ‘tone from the top’ and conveying the message to unionised employees that they are aligned with the company’s ethics and compliance programme.
Incentivising compliance (and disincentivising non-compliance)
As has already been mentioned, it is good practice to expressly link employees’ performance reviews, including compensation, to metrics or criteria regarding the ethics and compliance programme. There are some obvious ways to do this, such as verifiable participation in training sessions, implementation of compliance controls and procedures, incidence of complaints and results of audits, among others. The more difficult questions have to do with determining the right kinds of incentives (or disincentives), their relative weight in respect of other criteria, ensuring that other incentives do not contradict or conflict with them, and tailoring them to local laws and customs.
It is natural to think about monetary compensation as the most direct type of incentive to reward performance. While this may be true in most instances, such as reaching sales targets, reducing costs or developing products, it is not necessarily the case when trying to incentivise ethical behaviour or compliance with a company’s policies. This does not mean that financial rewards are necessarily ineffective in the case of ethics and compliance, but rather that companies should think creatively, too, about alternative kinds of incentives and disincentives.
If a company does decide to link part of its employee compensation to its ethics and compliance programme, the following are some relevant points to bear in mind.
What types of behaviour will be rewarded and how will they be measured?
The easiest answer to this question is to use objective and observable criteria, such as those mentioned in the first paragraph of this section. For example, a company may decide that managers in a business unit should complete at least 10 hours of ethics and compliance training and may even specify which topics should be mandatorily covered. It may then assign weights to successful completion of the training programme and to quizzes administered after each training session, and on that basis award up to 20 per cent of the total annual bonus available to each employee. Another potential option involves rewarding or penalising managers based on their team members’ participation in compliance training.
While this approach may be useful and relatively simple to implement, it raises some obvious concerns. For one thing, it may lead to a ‘check-the-box’ mentality, where the compliance office may be more concerned with getting as many people as possible trained and certified, versus focusing on whether they are internalising the core lessons and incorporating them into their daily work. In addition, the company will face the challenge of identifying objective criteria to justify that the amount of the award – say 20 per cent of total bonus – is the right weight to give this component of the bonus package, such that it sufficiently incentivises the desired behaviour and is compatible with the other elements of the bonus package.
As an alternative, the company may decide to use softer or more subjective criteria to identify and reward behaviour. For example, it may conduct surveys among peers, customers or suppliers, or it may recognise certain types of exemplary behaviour. Of course, this is more difficult to implement and measure, and may run a higher risk of resulting in perceived injustices or arbitrariness. So, it may be that these types of reward programmes work better in companies with strong cultures and identities, where employees share a clear understanding of the kind of behaviour that is expected and who exemplifies that behaviour.
Unfortunately, there is no one-size-fits-all answer to this question. The challenge for each company is to try to answer it as honestly and objectively as possible and place it in the context of the broader ethics and compliance programme. Once this has been achieved, employees should be made aware of the criteria used to evaluate and reward the desired behaviour, primarily through training and communication programmes.
Incorporating compliance-based compensation into different circumstances
As mentioned in the section titled ‘Recruiting, hiring, performance appraisal, compensation and labour relations’, it can be difficult to harmonise a company’s global compliance policies and standards with local laws and customs. Furthermore, a company may face different compliance risks depending on multiple factors, such as locations, types of industries, and the functional areas and business units involved. It can therefore be challenging to align the criteria for rewarding compliance-based behaviour with these widely varying circumstances.
To grasp how to address this question, the compliance risk analysis can again be a good starting point. If properly done, the analysis should have identified local risks and assessed them both with respect to the local operations and to broader levels of the organisation. On that basis, the company could place a higher weight on behaviour that mitigates the relevant risks for the corresponding location or business unit (for example, in one case it could place a higher priority on its anti-bribery policy, whereas in another case it could emphasise its competition policy). These determinations could then be incorporated into bespoke compensation plans for each location and business unit, subject to alignment with the overall ethics and compliance programme.
Once resolved, the company should communicate its answer to this question through employee training and communication campaigns. If successfully implemented, this adaptation of compliance-based compensation criteria to local circumstances can help a company better mitigate its compliance risks and align employees’ behaviour with desired outcomes. Additionally, employees are more likely to feel that they have been treated fairly and that compensation decisions have been made in a clear and objective fashion.
Regardless of whether their ethics and compliance programmes are linked to compensation, companies should think creatively about alternative incentives, such as public or peer recognition, career advancement opportunities, and social or behavioural ‘nudges’, among other possibilities. Depending on the corporate culture, local laws and customs, and business areas affected, among other factors, these incentives can be powerful motivators, but they can also send the wrong message if they are not carefully thought out. For example, any perceived unfairness in how a recognition is awarded may lead to resentment, or even backfire by undermining the credibility of the programme. Likewise, non-monetary rewards run the risk of being seen by employees (and, perhaps, authorities) as a mere token if they do not provide some form of real value to their recipients, such as status, recognition, sense of fulfilment or purpose, career advancement or other desirable outcome.
Similarly, non-monetary penalties or other negative consequences can be effective disincentives of non-compliance, but – if anything – companies should be even more careful in their design and implementation, both for legal and cultural reasons. From a legal standpoint, the design of policies and procedures and the application of disciplinary measures and other punitive actions should be carefully thought out and vetted by global and local counsel. Among other reasons, a successful challenge (through litigation or other legal proceedings) to any disciplinary measure can seriously undermine the credibility and effectiveness of a compliance programme. From a cultural perspective, badly designed or implemented disciplinary measures can have a deleterious effect on two levels: first, they can undermine the corporate culture (for example, employee morale may be affected by perceived injustices); and second, they can lead to conflicts because of improper sensitivity to local norms and customs (for example, employees in a particular country may be especially susceptible to notions of honour or discretion).
Therefore, the challenge of adequately implementing non-monetary incentives is probably even greater than in the case of strictly financial measures, since it behoves the company to prove their efficacy in modifying behaviour and shaping corporate culture. Ultimately, as with every other component of an effective ethics and compliance programme, its adequacy to the task will be judged by how it integrates into the overall structure of the programme and measurably contributes to the mitigation of relevant risks.
Whatever determination a company makes about the types of compliance incentives and disincentives for its employees, it must communicate them clearly and make them a part of its training programme. This entails ensuring that training and communications materials include references to these incentives and implementing measures to evaluate employee awareness of both the benefits of complying with the company’s policies and the consequences of non-compliance.
 Luis A García Campuzano is a partner at Villarreal-VGF.
 See also Chapters 6 and 10.
 Some of the laws and other documents regulating or guiding corporate compliance programmes include Brazil’s Clean Company Act < http://www.planalto.gov.br/CCIVIL_03/_Ato2011-2014/2013/Lei/L12846.htm], Mexico’s Law of Administrative Responsibility < www.diputados.gob.mx/LeyesBiblio/pdf/LGRA_191119.pdf>, Argentina’s Corporate Criminal Liability Law < https://www.boletinoficial.gob.ar/detalleAviso/primera/175501/20171201>, the Organisation for Economic Co-operation and Development’s ‘Good Practice Guidance on Internal Controls, Ethics, and Compliance’ (http://www.oecd.org/daf/anti-bribery/44884389.pdf>, the United Nation’s anti-corruption portal for the private sector, TRACK < https://track.unodc.org/private_sector/Pages/home.aspx>, Transparency International’s ‘Business Principles for Combating Bribery’ < https://issuu.com/transparencyinternational/docs/business_principles_web_final>, the International Chamber of Commerce’s ‘Fighting Corruption: International Corporate Integrity Handbook’ < https://2go.iccwbo.org/fighting-corruption.html> and the International Organization for Standardization’s Standard on Anti-Bribery Management Systems (ISO 37001:2016) < https://www.iso.org/iso-37001-anti-bribery-management.html>.
 US Department of Justice [US DOJ], Criminal Division, ‘Evaluation of Corporate Compliance Programs’, Guidance Document, updated April 2019 [US DOJ Guidance Document] < https://www.justice.gov/criminal-fraud/page/file/937501/download>.
 See also Chapter 4.
 For discussions about the distinction between the legal and compliance functions, see Tod Reichert, ‘The Roles of General Counsel and Chief Compliance Officers’ (2011) < https://www.corporatecomplianceinsights.com/the-roles-of-general-counsel-and-chief-compliance-officers/> and Michael Volkov, ‘An Independent CCO is a Compliance Program Requirement’ (2013) < https://www.law.com/corpcounsel/almID/1202595223223&An_Independent_CCO_is_a_Compliance_Program_Requirement&slreturn=20130608141307/?slreturn=20200105122651>.
 For a detailed study of various societies attitudes toward social and other norms, see Gelfand, Michael J; et al., ‘Differences between Tight and Loose Cultures: A 33-Nation Study’ (2011) [Electronic version] (accessed 5 February 2020, from Cornell University, ILR School site < https://digitalcommons.ilr.cornell.edu/articles/1287>).
 US DOJ Guidance Document (footnote 4, above).
 These are just examples of general rules that a company may want to adopt or avoid, depending on its circumstances, not suggestions that these rules should necessarily be adopted or avoided.
 See Lecon, Nico, ‘Anti-corruption laws/regulations in Latin America’, The Complete Compliance and Ethics Manual – 2019, Society of Corporate Compliance and Ethics, pp. 5.53 to 5.65.
 id., at 5.57 to 5.64.
 See, e.g., Brazil’s Office of the Federal Comptroller General (CGU), ‘Compliance Programs – Guidelines for Private Companies’ < https://www.gov.br/cgu/pt-br/centrais-de-conteudo/publicacoes/etica-e-integridade/arquivos/programa-de-integridade-diretrizes-para-empresas-privadas.pdf/view> and Argentina’s Corporate Criminal Liability Law, Article 23 < https://www.boletinoficial.gob.ar/detalleAviso/primera/175501/20171201>.
 See, e.g., United States Sentencing Commission – Sentencing of Organizations, ‘Guidelines Manual 2018’. ‘The organization shall hire and promote individuals so as to ensure that all individuals within the high-level personnel and substantial authority personnel of the organization will perform their assigned duties in a manner consistent with the exercise of due diligence and the promotion of an organizational culture that encourages ethical conduct and a commitment to compliance with the law’) < https://www.ussc.gov/guidelines/2018-guidelines-manual/annotated-2018-chapter-8>.
 See, e.g., Murphy, Joseph E, ‘Using Incentives in Your Compliance and Ethics Program’, Society of Corporate Compliance and Ethics (November 2011), p. 29: ‘Rewards and recognition are powerful tools. Even in companies that have not otherwise offered these, it is worth considering them to promote the compliance and ethics program. Employees are likely to remember the fact that meaningful recognition was given for leadership in this area. If an employee is ever asked by the government about the company’s compliance and ethics program and its code, the person is very likely to respond with the story about the awards dinner. Such outstanding recognition will be part of the stories employees recount to new employees at the company. When done right, it can be one of the surest ways to affect the culture in an organization.’
 Again, this is just an example of how a compliance bonus may be structured, not a recommendation that a company adopt this type of system, or the hours and percentages mentioned.
 For a detailed study of the design of choice architecture mechanisms to incentivise behaviour, see Thaler, Richard H; Sunstein, Cass R (2008), Nudge: Improving decisions about health, wealth, and happiness, New Haven: Yale University Press.