Developing a Robust Compliance Programme in Latin America

This is an Insight article, written by a selected partner as part of Latin Lawyer's co-published content. Read more on Insight

For several years, there has been an ever-increasing focus on corruption in Latin America.[2] After major corruption scandals,[3] protests and calls for change,[4] governments in Latin American countries have added to or enhanced anti-corruption provisions in their corporate liability schemes.[5] The covid-19 pandemic further exacerbated corruption risks by increasing financial pressure, reducing oversight and disrupting supply chains,[6] so companies should increase focus on internal compliance programmes to prepare for closer scrutiny and a more active enforcement environment.[7] For multinational companies, this can be challenging. An effective compliance programme should meet the requirements that authorities promulgated in every jurisdiction in which a company operates, and some countries’ enforcement regimes apply extraterritorially. And a compliance programme must be tailored to a company’s specific risks based on geography, industry and any other relevant factors.[8]

This chapter summarises some of the key risks and challenges that a multinational corporation’s compliance programme in Latin America must confront, including with respect to guidance issued by the US Department of Justice (DOJ),[9] which is one of the most active anti-corruption enforcement authorities in Latin America.[10] This chapter then discusses best practices for companies to maintain effectively tailored compliance programmes.

We begin with the baseline prevalence of corruption, which is itself highly variable.[11] As the magnitude of the risk varies dramatically from country to country, so do the types of risks.[12] Local enforcement regimes must be considered in establishing an effective compliance programme. Many countries in Latin America have recently enacted substantially tougher anti-corruption measures.[13] Still, the variances among them can be significant.[14]

One benefit of an effective compliance programme is detecting illicit conduct, if and when it occurs. Most countries incentivise and credit companies that maintain compliance programmes and self-report conduct to anti-corruption regulators.[15]

With this backdrop, we next address the essential elements of an effective compliance programme.

Components of an effective compliance programme

Not all countries explicitly require compliance programmes. But the US DOJ and SEC evaluate the effectiveness of a compliance programme when they are considering bringing an enforcement action and the penalty that should result, and they have used the FCPA’s broad extraterritorial jurisdiction to bring enforcement actions against companies headquartered in Latin America for conduct that principally occurred there and was carried out by nationals of Latin American countries.[16] Thus, major companies in Latin America that are (or that may be) subject to US enforcement jurisdiction should take account of the anti-corruption guidance from US agencies.[17]

Compliance-programme guidance by US regulators has changed in recent years. The US DOJ promulgated new guidance in April 2019, which it updated in June 2020 and March 2023. The guidance now asks three core questions when assessing a corporation’s compliance programme:

  • Is the corporation’s compliance programme well designed?
  • Is the programme being applied earnestly and in good faith? In other words, is the programme being implemented effectively?
  • Does the corporation’s compliance programme work in practice?[18]

And in other enforcement-related guidance documents, US regulators have provided a baseline criteria to receive credit for an effective compliance programme.[19] While there is no one-size-fits-all formula, below are some of the key elements, drawn from the US DOJ’s relevant guidance and the compliance requirements in several Latin American countries, to consider for any compliance programme.

Tone at the top

Both senior and middle management should send a clear message that misconduct is not tolerated and that management endorses (and enforces) the policies and procedures designed to drive ethical conduct. Every opportunity should be taken to show management’s commitment to compliance, and to show that misconduct or significant risks will not be tacitly or otherwise tolerated in pursuit of business goals.[20]

Risk assessment

Great emphasis should be placed on the degree to which a programme is tailored to the particular risks facing the company. Risks should be assessed based on a company’s geography, its industry, its competitive and regulatory environments, who its actual or potential clients or business partners are, what sales or other agents it employs and why, what types of transactions it has or may have with government officials, and what payments or donations it makes to charities or other third parties.[21] Companies should expect not only to show that they have identified and assessed these risks, but also to defend their assessment process and methodology.[22]

Resource allocation and autonomy

More than just being adequately staffed and funded, a compliance function should have sufficient resources and authority.[23] Leadership of the compliance function must have seniority in the organisation, as well as autonomy and independence from management.[24] Consideration should be given to the compliance function’s place in the corporate structure, and whether any additional business-related responsibilities or reporting obligations might detract from compliance personnel’s independence.

Policies and procedures

A code of conduct is a must; it should be reinforced by management and readily available and broadcast to all employees in the languages employees speak at work. There also should be broadly communicated resources that allow employees to seek guidance on issues relating to the company’s code of conduct or other policies or procedures. And if a mistake is made, the company should have in place controls to make sure that the mistake is corrected through proper channels, even if there are negative business consequences.

Training programmes

Training, too, is a must – for directors and officers, for relevant employees, and in many cases for business partners, agents and other third parties. Of particular importance is training for gatekeepers: supervisors or control personnel, or other persons with approval authority or certification responsibilities. It should account for the audience’s size, sophistication and experience with the subject matter, it should be tailored to the specific business risks employees may face, and it should evolve based on data-driven insights regarding its effectiveness.[25]

Audit function

A core compliance-programme component is its internal audit function, or comparable systems designed to test and monitor compliance, which should be mapped onto the results of periodic risks assessments and should emphasise high-risk areas. The documented results of those audits should periodically reach management and, depending on the scope or significance, management should take actions in response to audit findings.

Third-party management

One of the areas of highest risk for companies is their relationship with third parties. Third parties are a common vehicle to make or conceal illicit payments. The prevalence of this risk is illustrated by a recent US$282 million combined fine that Walmart paid to the US SEC and US DOJ for failure of various subsidiaries to effectively investigate and mitigate third-party risk, including in Brazil and Mexico.[26] Thorough vetting, due diligence and applicable controls should include an assessment of each third party’s qualifications and reputation; the particular business need for their services; a specific description of the objectively verified services they will provide; a method to determine that compensation was at a fair-market price for that industry and geographical region; and verification that the services were performed. Also, a process should be in place to document any red flags and how they are addressed, and to retain that information to use in assessing future opportunities involving that third party.[27]

Confidential reporting structure

Confidential reporting, or whistleblowing, allows employees to report possible misconduct when they either feel they have been unsuccessful in reporting it through ordinary supervisory channels or fear they will be unsuccessful in (or will suffer negative consequences for) doing so. Whistleblowers often report misconduct or policy violations at significant personal and professional risk, so companies should widely broadcast their reporting mechanisms and consider proactive ways to foster an understanding that confidential reporting will remain as confidential as is legally permissible, that retaliation will not be permitted, and that processes are in place to protect whistleblowers.

Several countries are focusing on guidance changes designed to reinforce protections for whistleblowing, including Argentina, Brazil, Colombia, Mexico and Peru.[28] These changes have increased awareness of anonymous reporting mechanisms and encouraged their use. To illustrate, a survey tracking employees’ awareness and understanding of the compliance policies and procedures implemented at their companies showed significant increases in the percentage of employees who were aware that their companies offered anonymous reporting mechanisms – in Argentina, employee awareness rose from 48 per cent in 2016 to 70 per cent in 2020, and in Peru it rose from 38 per cent in 2016 to 67 per cent in 2020.[29]

Investigation process

Although handling internal investigations is treated in detail elsewhere in this publication, a basic measure of an effective compliance programme is its process for investigating issues that arise. The compliance programme should require adequately tailored data retention policies, the timely completion of investigations, appropriate follow-up and, when appropriate, the consequences for persons involved in any actual misconduct.[30] When an investigation is concluded, the investigators’ conclusions and the investigation’s outcome should be documented, and the company should engage in a candid and thorough root cause analysis to determine whether the misconduct involved any failures in controls, and whether and how controls could be improved. A plan for remediation should be developed, documented and executed.

Incentives and discipline

Although policies can set forth the rules, a compliance programme must recognise that employees must be incentivised to engage in compliant behaviour, and there must be both positive and negative consequences for compliance or violations.[31] Thought should be given to how the company can ensure that there is consistency in how discipline or incentives are applied throughout the company – laterally through different lines of business and vertically through different layers of management. This can be done, for example, by creating compensation structures to promote compliance, a recent focus for US regulators evaluating compliance programmes.[32]


Even the best-designed compliance programme still requires periodic review and updating.[33] Those revisions begin with an assessment of the risks presented (including new or emerging risks) and should also map other changes in the company – such as structural changes to the organisation or its components, changes in the company’s geographical markets or industries, and legal or regulatory developments. Mining the lessons learned from prior incidents into a compliance programme (including future training programmes, in particular) is an effective way to show that a company is learning and adapting its compliance programme overall.[34]

Mergers and acquisitions

Somewhat distinct from the compliance programme in the ordinary course is having a due diligence process in place for mergers and acquisitions activity (see also Chapter 10, ‘Assessing and Mitigating Compliance Risks in the Transactional Context’).[35] Subjecting a target company to adequate due diligence is not only important so that the successor or acquiror does not unwittingly inherit undisclosed risk or pay a price for a target that fails to reflect the target’s actual risk level; it has also been flagged by the US DOJ as ‘indicative of whether [a company’s] compliance programme is, as implemented, able to effectively enforce its internal controls and remediate misconduct at all levels of the organisation.’[36] Critically, a process also should be in place to track and address any post-acquisition risks or actual misconduct identified during pre-acquisition due diligence.[37]

Compliance across multiple jurisdictions

The US DOJ’s guidance documents are detailed, but a company’s compliance programme must account for all jurisdictions in which it operates, some of which may conflict with one another. In some instances, Latin American countries may have particular compliance requirements that go beyond the US DOJ’s core topics, like requiring external audits from an auditor with an independent duty to report apparent wrongdoing, or requiring a company’s human resources function to avoid hiring employees who could risk the ‘integrity of the company’.[38]

Treatment of whistleblowers

As noted, whistleblowing channels are a critical element of a compliance programme. This is also an area where local attitudes can affect both the whistleblower and the behaviour of the persons receiving a whistleblower report. In this way, cultural factors can substantially alter the risk profile of a given country.[39] For instance, in certain Latin American countries, notably Brazil, there is a history of hostility towards whistleblowers and a concomitant reluctance for them to come forward.[40] In other countries (like Mexico), employees may place a lesser value on confidentiality.[41] Marrying that cultural reality to the various legal requirements can be challenging for multinational companies.

Various countries in Latin America have particular legal provisions that cover whistleblowers, but they do not all afford the same protection, if any at all.[42] And while multiple Latin American enforcement agencies have created whistleblower channels, given the considerable perceived risks in reporting misconduct, it may take time before use of whistleblower channels is ingrained in the relevant corporate cultures.[43] By contrast, the European Union adopted a robust Directive[44] that imposes specific requirements on corporate whistleblowing channels, protecting more people from a broader range of retaliatory conduct than US or many Latin American whistleblower provisions. Companies with operations in both Latin America and the EU will need to ensure that they meet these enhanced requirements.

Best practices

As we expect has now been made clear, managing a multinational company’s compliance programme in a variety of environments to meet the factors described herein is a substantial and ongoing challenge. We therefore outline some practices that companies can use to help create a compliance programme that is up to the task.

Documenting changes and successes

Not only is it important to have a documented compliance policy, but to document and record compliance processes and any changes made to the programme.

If a violation of law is discovered by (or reported to) regulators and any resulting investigation or prosecution is being resolved, a company’s compliance programme will be evaluated both at the time the resolution is negotiated and at the time the offence occurred.[45] But, as the US DOJ guidance puts it, ‘

Due to the backward-looking nature of the . . . inquiry, one of the most difficult questions prosecutors must answer in evaluating a compliance program following misconduct is whether the program was working effectively at the time of the offense, especially where the misconduct was not immediately detected.’[46]

It is similarly difficult for the company itself to look back in time to measure its compliance programme. But the US DOJ has emphasised that it is committed to credit companies for investing in an effective compliance programme even when misconduct was not prevented or detected.[47] This makes clear the importance of data, documentation, tracking and preserving institutional memory. A company may make adjustments to its compliance programme diligently and in earnest, but it should also track any changes to its programme, its remediation of identified misconduct and its compliance successes in an accessible system; the value of those good measures may be lost when they are forgotten or when the memory of them leaves with the employees who implemented them.

Relatedly, when potential misconduct is brought to a company’s attention, a company should examine its procedures and compliance programme to determine whether improvements can be made. Although a company might fear that making changes to a compliance programme, and documenting them, would be taken by a regulator as a concession that deficiencies exist, in reality, making changes to a programme indicates both (1) effective remediation of potential misconduct and (2) revisiting and updating of the programme. And when evaluating the form and contents of a possible criminal resolution, those factors can reduce the risk that a compliance monitor or other ongoing reporting obligations will be imposed.[48]

Broadcasting a culture of compliance

It is vital that a multinational corporation has a healthy culture of compliance and ensures that this culture is globally disseminated. As an organisation grows, cultural, linguistic and geographical barriers can hamper its ability to communicate its compliance culture outside of its home territory.[49] Effective company-wide communication begins with ensuring compliance materials are translated into the local language or dialect, but it is not only a matter of translation of the words themselves.[50] The subtleties of these issues can result in miscommunication and confusion when a compliance programme is simply exported wholesale from a home office.[51]

Local input and buy-in

Relatedly, local stakeholders, including local managers and employees, should be consulted and given a voice in crafting and tailoring a compliance programme for their region.[52] Cultural practices, like gift-giving, can often present a compliance risk, which an effective policy must anticipate and account for.[53] Similarly, requests for charitable donations from local officials, though unexceptional on their face and routinely permissible elsewhere, may well constitute an unmistakable demand for an illegal payment in a particular location.[54]

Involving local stakeholders has the added benefit of increasing buy-in to the programme.[55] This insight is confirmed by recent behavioural scientific research on the risks of overbearing enforcement strategies, which shows that extrinsic imposition of strict rules can alienate local employees and create ‘compliance fatigue’ while crowding out employees’ intrinsic motivation to do the right thing, such as actively reporting compliance risks.[56] Thus, incorporating input from local managers, who often will be the people actually charged with implementing the programme, will increase their commitment to the programme and their help in implementing it.[57]

Relying on local counsel

Consulting high-quality local counsel is essential to meet the challenges of a particular legal environment in a given country. Local counsel can provide insights into how a company’s compliance programme should be modified to meet particular aspects of local laws.[58]

For instance, Mexico’s anti-corruption law has a relatively specific list of components that must be included in a compliance programme to justify a sentence reduction.[59] Local counsel will also very often have a valuable – and external – perspective on cultural issues, or other issues peculiar to a given locale, and that advice should be taken into account alongside the voice of the company’s own local personnel.[60]

Using data analytics[61]

There has been an increased emphasis on data analytics, which can take many forms, from off-the-shelf software suites to artificial intelligence.[62] Indeed, the US DOJ’s 2020 update to its compliance guidance provided language that has been incorporated into at least nine deferred prosecution agreements requiring companies to integrate data analytics in compliance programmes.[63] The US Commodity Futures Trading Commission (CFTC) has used data analytics in its own enforcement efforts.[64]

Data analytics can assist companies in developing and tailoring their training programmes, as well as demonstrating to regulators that their programmes are robust and assess appropriate risks.[65]

Adapting to evolving legal regimes

Companies must monitor and update their programmes continually to adapt to changes in the compliance environment.[66] This is especially important given substantial uncertainty surrounding how newly enacted legislation in different countries in the region will be interpreted and applied.[67]


In summary, an effective compliance programme can save a company from considerable adverse consequences later on. It can prevent illicit conduct in the first place, it can detect it at the earliest possible stage if it does arise, and it can lessen or avoid many of the consequences that come with an enforcement action – not least of which could be a compliance monitor to help devise and implement a programme that should have been established in the first place.


[1] Brendan P Cullen and Anthony J Lewis are litigation partners at Sullivan & Cromwell LLP. The authors thank Aviv S Halpern, Noah P Stern and Kelly H Yin for their valuable assistance in researching this chapter.

[2] Congressional Research Service [CRS], ‘Anti-corruption Efforts in Latin America and the Caribbean’ [Anti-Corruption Efforts], p. 1 (1 February 2022),; Bantz, Phillip, ‘White Collar Attys Brace for More Latin America FCPA Action,’ (8 February 2023), (60% of US DOJ’s 2022 enforcement actions involved Latin America); see also ‘2022 FCPA Year in Review’, Stanford Law School FCPA Clearinghouse,; CRS, ‘Combating Corruption in Latin America: Congressional Consideration’ [Combating Corruption], 7 (2019),

[3] Benjamin N Gedan, Santiago Canton, ‘Radical Transparency: The Last Hope for Fighting Corruption in Latin America’, Georgetown J. In’tl Affairs, (1 April 2022),; see also Rodolfo Borges, Lorena Arroyo, Francesco Manetto, ‘Cases Against Former Latin American Leaders: A Challenge for the Credibility of the Courts’, El Pais (28 April 2021),; Miller, Ben; Uriegas, Fernanda, ‘Latin America’s Biggest Corruption Cases: A Retrospective’, Americas Quarterly (22 July 2019),; CRS, Combating Corruption (footnote 2, above) Appendix C.

[4] Gedan & Canton (footnote 3, above); see also Sheridan, Mary Beth, ‘Why political turmoil Is erupting across Latin America’, The Washington Post (10 October 2019),; Daugaard, Andreas, ‘Honduras: How a surge of corruption scandals has fuelled political crisis’, Voices for Transparency (22 September 2019),

[5] Kahn, Daniel S, ‘Latin America Compliance Requirements’, Global Investigations Review (2 September 2022),; Corres, Luis Dantón Martínez; et al., ‘Mexico: At a Turning Point in Anti-Corruption Investigations and Enforcement’ in Americas Investigations Review 2020, at 135, 137 to 144; Fava, Pamina; et al., ‘How to Mitigate Corruption Risk When Investing in Latin America’, Anti-Corruption Report (25 July 2018),

[6] See CRS, Anti-Corruption Efforts (footnote 2, above); Pitaro, Vincent, Anti-Corruption Report, ‘Kroll Corruption Survey Finds ESG a Post-COVID Compliance Focus’ (18 August 2021),; see also CRS, ‘Anti-corruption Efforts in Latin America and the Caribbean’, p. 1 (1 February 2022),

[7] Bantz (footnote 2, above) (discussing US DOJ’s 2022 enforcement trends and expectations for 2023); Americas Society/Council of the Americas, ‘Latin America’s Battle Against Corruption: A Path Forward’, 7 (2018),; Newbery, Charles, ‘Compliance Is Taking Off in Latin America. Is It Effective?’, Americas Quarterly (22 July 2019),; Hamilton-Martin, Roger, ‘Investigator’s Guide to Brazil’, Global Investigations Review (8 December 2017),

[8] US DOJ & SEC, A Resource Guide to the U.S. Foreign Corrupt Practices Act, Second Edition at 56, 59 (3 July 2020) [2020 FCPA Resource Guide],; see also Transparency International, ‘Business Principles for Countering Bribery’, at 7 (2013); Sureda, Aixa; González Soldo, Evangelina, ‘Argentina’, Americas Investigations Review 2020, Global Investigations Review (19 August 2019),

[9] US Dep’t of Justice [US DOJ], Criminal Division, ‘Evaluation of Corporate Compliance Programs’ (March 2020) [US DOJ Guidance], In July 2020, the US DOJ and the SEC also issued an updated edition of the US Foreign Corrupt Practices Act (FCPA) Resource Guide for the first time in nearly eight years, which reflects the agencies’ current thinking about anti-corruption enforcement. 2020 FCPA Resource Guide (footnote 8, above).

[10] See Sheehan, Evelyn B, Tuminelli, Amanda, ‘Latin American Corruption in the Crosshairs of the Biden Administration,’ Anti-Corruption Report (14 April 2021), This trend is likely to continue given new legislative changes in the United States that have created additional tools for prosecutors, including increased whistleblower rewards and expanded subpoena power over foreign bank records permitting prosecutors to subpoena foreign bank records even if local law would prohibit disclosure of those records. Id.

[11] Koukios, James M; et al., ‘Anti-Corruption in Latin America’ in The Guide to Corporate Crisis Management, at 68.

[12] See Tillen, James; Bates, Gregory, Miller & Chevalier, ‘Managing Corruption in Latin America’s Police Forces,’ Anti-Corruption Report (16 September 2020), (noting that corruption risks evolve over time).

[13] See Portella, Renato Tastardi, ‘Managing Multi-jurisdictional Investigations in Latin America’ in Americas Investigations Review 2020, at 53–57 (reviewing newly enacted anti-corruption laws of Brazil, Mexico, Chile, Colombia and Argentina); see also Fontán Balestra, Santiago, ‘Argentina moves to modernize its AML legislation,’ (27 September 2022),

[14] See Koukios (footnote 11, above), at 70­71 (providing a comparison of local anti-corruption laws in Latin America). For example, some regimes permit ‘facilitating payments’ in limited circumstances (as does the FCPA), but they are locally prohibited in many countries. Corres (footnote 5, above), at 139 (‘The prohibitions in the GLAR are rather broad and there is no facilitating payments exception.’); see also Fava (footnote 5, above).

[15] Chapter 13, ‘The Advantages of a Robust Compliance Programme in the Event of an External Investigation’; see also Kahn (footnote 5, above) (reviewing compliance-related policies and statutes in Latin America); Basch, Fernando Felipe; Cargnel, Maria Emilia, ‘Argentina’ in The International Investigations Review, 41, 45, 46 (Law Business Research, Nicolas Bourtin ed., 9th ed. 2019); Bofill, Jorge; Praetorius, Daniel, ‘Chile’, in The International Investigations Review, 103 (Law Business Research, Nicolas Bourtin ed., 9th ed. 2019).

[16] Sheehan, Evelyn; Short, Jason, ‘DOJ’s Long Arm Over Latin America: Recent Trends and Future Risks From Extraterritorial Application of U.S. Laws’, Anti-Corruption Report (30 September 2020),; see also Sheehan (footnote 10, above); Bantz (footnote 2, above).

[17] See Tillen (footnote 12, above).

[18] US DOJ Guidance (footnote 9, above).

[19] See Memorandum from Lisa A Monaco (US Deputy Attorney General) to US DOJ Criminal Division Personnel, ‘Further Revisions to Corporate Criminal Enforcement Policies Following Discussions with Corporate Crime Advisory Group’ [Monaco Memo] (15 September 2022),; US DOJ, Criminal Division, ‘9-47.120–Criminal Division Corporate Enforcement and Voluntary Self-Disclosure Policy’ (January 2023) [US DOJ Corporate Enforcement Guidance],; US Attorneys’ Office [USAO], ‘United States Attorneys’ Offices Voluntary Self-Disclosure Policy’ (February 2023) [USAO Guidance], Even more recent guidance documents reflect the US DOJ’s recent focus on retention of electronic messaging on mobile devices and clawing back compensation by wrongdoers. See Memorandum from Kenneth A Polite, Jr (Asst. Attorney General, Criminal Division) to US DOJ Criminal Division Personnel, ‘Revised Memorandum on Selection of Monitors in Criminal Division Matters’ [Polite Memo] (1 March 2023),; US DOJ, ‘9-28.000 Principles of Federal Prosecution of Business Organizations’ [US DOJ Principles] (updated March 2023),

[20] See US DOJ Corporate Enforcement Guidance (footnote 20, above), at 5.

[21] US DOJ Guidance (footnote 9, above), at 3; e.g., US DOJ, Justice Manual 9-28.800 [Justice Manual],

[22] See US DOJ Corporate Enforcement Guidance (footnote 20, above), at 5. This is one area in which innovative uses of data and machine learning can assist in developing and maintaining an effective compliance programme. See Zweibel, Megan, Cybersecurity Law Report, ‘Cargill Compliance Director Discusses Putting Training Data to Work’, (24 February 2021),; see also Zweibel, Megan, Anti-Corruption Report, ‘AB InBev’s C2CRIGHT Initiative: Can Companies Work Together to Prevent Corruption?’ (13 October 2021),; see also Chapter 11, ‘Why Fresh Perspectives on Tech Solutions Are Key to Evolving Data-Driven Compliance Monitoring’, Gabriela Paredes, Dheeraj Thimmaiah, Jaime Muñoz and John Sardar.

[23] Sufficient resource allocation and autonomy is already required in several Latin American countries, and it is a consideration by the US DOJ. See US DOJ Corporate Enforcement Guidance (footnote 20, above), at 5; Tillen, James; Montenegro Almonte, Alejandra; Hollinger, Abi; Miller & Chevalier, ‘A Comparative Look at Anti-Corruption Compliance Program Expectations in Latin America’, Anti-Corruption Report (28 October 2020),

[24] See US DOJ Corporate Enforcement Guidance (footnote 20, above), at 5.

[25] See, e.g., Zweibel (footnote 22, above).

[26] Press release, US SEC, ‘Walmart Charged with FCPA Violations’ (20 June 2019),

[27] See, e.g., Press release, US DOJ, ‘Zimmer Biomet Holdings Inc. Agrees to Pay $17.4 Million to Resolve Foreign Corrupt Practices Act Charges’ (12 January 2017), In 2017, Zimmer paid more than US$17 million in criminal penalties, in part, for continuing to use a Brazilian distributor that Zimmer knew had previously paid bribes on behalf of the company. The US parent was also faulted for failing to implement adequate controls at its Mexican subsidiary despite known red flags.

[28] Weiss, Ed & Chung, Theodore, Principal Legal Issues—International Trends—Latin America, 3 Successful Partnering Between Inside and Outside Counsel §46C:30 (April 2021).

[29] See Tillen, Montenegro Almonte, & Hollinger (footnote 23, above).

[30] US DOJ Guidance (footnote 9, above) at 16–18.

[31] See US DOJ Corporate Enforcement Guidance (footnote 20, above), at 5.

[32] See Monaco Memo at 9-10; US DOJ Guidance (footnote 9, above) at 12-14, 18; US DOJ Principles, § 9-28.300; see, e.g., Plea, at C-5 to C-6, United States v. Danske Bank A/S, Case No. 22-cr-00679 (12 December 2022) (mandating the company implement a compensation structure to promote compliance). For instance, in early March 2023, the US DOJ instituted a Pilot Program Regarding Compensation Incentives and Clawbacks, a three-year initiative designed to create compensation-based compliance incentives. The Pilot Program provides for fine reduction by any amount clawed back from employees who engaged in wrongdoing in connection with the conduct under investigation, or others who had supervisory authority over the employee or business area, or who had knowledge of (or were wilfully blind to) relevant conduct. US DOJ, ‘The Criminal Division’s Pilot Program Regarding Compensation Incentives and Clawbacks’, (March 3, 2023),

[33] US DOJ Guidance (footnote 9, above), at 3.

[34] 2020 FCPA Resource Guide (footnote 8, above), at 65, 67; US DOJ Guidance (footnote 9, above), at 13; US DOJ Corporate Enforcement Guidance (footnote 20, above), at 5.

[35] See US DOJ Corporate Enforcement Guidance (footnote 20, above), at 4 (noting that where a company uncovers misconduct through thorough and timely due diligence or post-acquisition audits or compliance integration, it may receive a presumption of a declination if it voluntarily self-discloses the misconduct and otherwise fully cooperates and remediates).

[36] US DOJ Guidance (footnote 9, above), at 8.

[37] US DOJ Corporate Enforcement Guidance (footnote 20, above), at 3.

[38] Tillen, Montenegro Almonte, & Hollinger (footnote 23, above); see also Kahn (footnote 5, above); Bofill and Praetorius (footnote 15, above), at 99; Rassi, João Daniel; Labate, Victor, ‘Brazil’ in The International Investigations Review (Law Business Research, Nicolas Bourtin ed., 9th ed. 2019), at 91.

[39] See KPMG International, ‘Cross-border investigations: Are you prepared for the challenge?’ (2013),

[40] See Fundação Getúlio Vargas, ‘Speak Now or Forever Hold Your Peace: An Empirical Investigation of Whistleblowing in Brazilian Organizations’ (2012), (‘Brazilian organizations seem to consider whistle-blowing a taboo or a deviant behavior . . . .’); McLeod, Frances; Voss, Jenna, ‘Moving Forward after an Investigation’ in Americas Investigations Review 2020, at 86 [Moving Forward After an Investigation] (‘Historical factors . . . may contribute to a heightened culture of retaliation. A whistleblower in such a society may be viewed as a traitor.’); Transparency International – Brazil, ‘United Nations Convention Against Corruption,’ at 38–41 (22 September 2022),

[41] Sierra, Diego, ‘Mexico’, in The Practitioner’s Guide to Global Investigations, Part II, 205 (Law Business Research, Judith Seddon, et al. eds., 3rd ed. 2019) (A ‘principle challenge’ in cross-border investigations is ‘maintaining confidentiality’ during employee interviews. ‘This is often an issue as there is a weak confidentiality culture in Mexico.’).

[42] Basch and Cargnel (footnote 14, above) (Argentina); Rassi and Labate (footnote 30, above), at 89, 99 (Brazil and Chile); see also Barcellos, Ana Paula, CEP Magazine, ‘An introduction to Brazil’s new whistleblower protection law’ (June 2020),,%2C%20and%20government%2Dfunded%20programs (discussing new monetary rewards and protections for whistleblowers); Kolodner, Jonathan, et al., ‘New Anticorruption Decree Modifies Regulation of Brazilian Clean Companies Act,’ (22 July 2022),

[43] Bofill and Praetorius (footnote 15, above), at 99.

[44] Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law.

[45] US DOJ Corporate Enforcement Guidance (footnote 20, above), at 4–5, 7.

[46] US DOJ Guidance (footnote 9, above), at 13.

[47] Zwiebel, Megan, ‘AAG Benczkowski Wants Prosecutors to Be Compliance Sophisticates’, Anti-Corruption Report (8 January 2020),

[48] Memorandum from Brian A Benczkowski (US Assistant Attorney General) to US DOJ Criminal Division Personnel, ‘Selection of Monitors in Criminal Division Matters’ (18 October 2018),

[49] See OECD, Corporate Governance and Business Integrity: A Stocktaking of Corporate Practices 56 (2015),; Sureda and González Soldo (footnote 8, above).

[50] See 2020 FCPA Resource Guide at 59-60 (footnote 8, above); KPMG (footnote 38, above), at 17.

[51] Tillen, James G; Delman, Sonia M, ‘Lost in Translation: The Language of Bribery’, The Corporate Governance Advisor (1 August 2010); see also DPA, United States of America v. Orthofix International, N.V., 12-cr-0015 (2012) (describing how Orthofix promulgated its own anti-corruption policy but failed to either translate it to Spanish or ensure it would be implemented in Mexico).

[52] See Transparency International (footnote 8, above), at 7; Sureda and González Soldo (footnote 8, above).

[53] United Nations Global Compact, ‘A Guide for Anti-Corruption Risk Assessment’, 23 (2013) [UN Global Compact Report]; Tillen and Delman (footnote 49, above).

[54] Baker McKenzie, ‘Latin America Corporate Compliance Report: Seven Compliance Challenges and How to Overcome Them’, 31 (2015),

[55] See Costa Carvalho, Isabel; et al., ‘Brazil’ in The Practitioner’s Guide to Global Investigations, Part II (Judith Seddon, et al., eds., 3d ed. 2019); Moving Forward After an Investigation, at 86.

[56] See Teichmann, Fabian Maximilian Johannes & Wittmann, Chiara, ‘Compliance Cultures and the Role of Financial Incentives’ at 3-4, J. of Fin. Crime, (16 August 2022); OECD, Behavioral Insights for Public Integrity: Harnessing the Human Factor to Counter Corruption, at 33 (2018) [OECD, Behavioral Insights],; Graf Lambsdorff, Johann, ‘Preventing corruption by promoting trust: Insights from behavioral science’, at 4-5 (Passauer Diskussionspapiere – Volkswirtschaftliche Reihe, No. V-69-15, 2015),

[57] See UN Global Compact Report (footnote 51, above), at 15-16; cf. OECD, Behavioral Insights (footnote 54, above), at 35.

[58] See Portella and Tastardi (footnote 13, above), at 55.

[59] See Corres (footnote 5, above) at 140; Portella and Tastardi (footnote 13, above), at 55-56.

[60] Warin, F Joseph; et al, ‘Co-operating with the Authorities: The US Perspective’ in The Practitioner’s Guide to Global Investigations, Part I (Judith Seddon et al. eds., 3d ed. 2019); Lehtman, Jeffrey A; Laporte, Margot, ‘Individuals in Cross-Border Investigations or Proceedings: The US Perspective’, in The Practitioner’s Guide to Global Investigations, Part I.

[61] See Chapter 11,‘Why Fresh Perspectives on Tech Solutions Are Key to Evolving Data-Driven Compliance Monitoring’, Gabriela Paredes, Dheeraj Thimmaiah, Jaime Muñoz and John Sardar.

[62] See, e.g., Zweibel (footnote 22, above).

[63] Kagubare Ines, ‘Latest DPAs increase focus on compliance data’, Global Investigations Review (1 October 2020),; see also DPA at C-8, United States v. Herbalife Nutrition Ltd., 20-CR-00443 (24 August 2020); DPA at C-8, United States v. The Goldman Sachs Group, Inc., 20-CR-00437 (21 October 2020); DPA at C-8, United States v. Beam Suntory Inc., 20-CR-00745 (23 October 2020); DPA at C-8, United States v. Vitol Inc., 20-CR-00539 (3 December 2020); DPA, C-8, United States v. Deutsche Bank Aktiengesellschaft, 20-CR-00584 (7 January 2021); DPA at C-9, United States v. Amec Foster Wheeler Energy Ltd., 21-CR-00298 (24 June 2021); DPA at C-9, United States v. Credit Suisse Group AG, 21-CR-00521 (19 October 2021); DPA, at C-9, United States v. Stericycle, Inc., 22-cr-20156 (18 April 2022); DPA, at C-9, United States v. Gol Linhas Areas Inteligentes S.A., 22-cr-00325 (16 September 2022).

[64] See CFTC, ‘FY2020 Division of Enforcement Annual Report’ 8 (2020); Memorandum from James M McDonald (Director, Division of Enforcement) to CFTC, Division of Enforcement Staff, ‘Guidance on Evaluating Compliance Programs in Connection with Enforcement Matters’ (10 September 2020)

[65] See Chapter 10, ‘Embracing Technology’; see, e.g., Pitaro, Vincent, Cybersecurity Law Report, ‘How Lockheed Uses Big Data to Evaluate Risk at Small Worksites’, Cybersecurity Law Report (21 October 2020),

[66] US DOJ Guidance (footnote 9, above), at 7, 14.

[67] See OECD, Integrity for Good Governance in Latin America and the Caribbean: From Commitments to Action, at 68 (2018),; Fonseca, André; Lima, Marina, ‘Brazil’ in The International Comparative Legal Guide to: Corporate Investigations (Keith D Krakaur and Ryan Junck, eds., 2018),; Corres (footnote 5, above), at 137–44..

Unlock unlimited access to all Latin Lawyer content