How to Build Effective Internal Communication Channels

This is an Insight article, written by a selected partner as part of Latin Lawyer's co-published content. Read more on Insight

Managing multinational workforces in an age of anti-corruption ‘accretion’

Managing risk within multinational, matrixed organisations is no simple feat. The complexities that accompany risk management have only been compounded as US regulators have unveiled several pieces of policy and renewed guidance for corporate compliance programmes in early 2023 alone.

Entities that face particular challenges amid these developments include, for example, those that employ nearly 100,000 employees worldwide and that generate significant revenue through production or sales in high-risk jurisdictions that are divided into several business segments. Often, such organisations are supported by global or regional compliance professionals tasked with navigating multiple jurisdictional demands in diverse areas of risk, including anti-bribery programming, employee onboarding and training, third-party due diligence and sanctions.

Building effective communication channels to advance global initiatives to workforces across the globe requires balancing both compliance and commercial priorities. To manage this balance effectively, a compliance programme must deploy a variety of techniques to support multinational workforces while ensuring the compliance programme is oriented to actual business risk and the enforcement landscape.

After receiving its mandate from the Biden administration to ‘fight’ against corruption as a core national security interest,[2] the US Department of Justice (DOJ) has been committed to turning anti-corruption principles into policies in rapid succession in late 2022 and early 2023. The cascade of policy announcements surrounding anti-corruption efforts and tools to combat corporate crime more broadly have dramatically altered the enforcement landscape.

In New York in September 2022, Deputy Attorney General Lisa O Monaco (DAG Monaco or Monaco) announced policies to incentivise responsible corporate citizenship before an audience that included the Director of the Securities and Exchange Commission’s (SEC) Enforcement Division, Gurbir Grewal.[3]

In Washington, DC in January 2023, Assistant Attorney General for the DOJ’s Criminal Division, Kenneth A Polite, Jr (AAG Polite or Polite) unveiled the first significant changes to the Corporate Enforcement Policy (CEP) since 2017.[4] The amendments to the CEP provide a renewed framework by which the DOJ will reward companies that self-disclose misconduct, cooperate and remediate by offering increased reductions off applicable US Sentencing Guidelines ranges.[5] And for all US Attorney’s Offices (USAOs) across the country, the DOJ announced a corporate Voluntary Self-Disclosure Policy (VSD Policy) in February 2023, setting nationwide incentives for voluntary corporate disclosures.[6]

In Miami in March 2023, Monaco and Polite took the stage yet again at the 38th American Bar Association’s National Institute on White Collar Crime (ABA Conference) to provide greater colour on the DOJ’s sweeping policy changes. In her remarks, Monaco explained that the VSD Policy had been implemented nationwide to eliminate geographic disparities and ensure a ‘predictable’, ‘consistent’ and ‘transparent’ approach to enforcement.[7] And Polite’s keynote only amplified Monaco’s message, underscoring the importance of ‘marshal[ing] a variety of tools to creatively address the challenges before us’.[8]

For companies that operate across the Americas and the globe, those challenges often loom large. From the small-town hospital administrator who demands bribes in exchange for life-saving services to the globe-trotting kleptocrat who offshores an embezzled fortune to terrorist groups that accept millions in exchange for greenlighting company operations at a facility in Syria – recent remarks, policy announcements and enforcement actions are highly attuned to the cadence of corruption in the United States and abroad.

DOJ’s policy announcements and remarks at the ABA Conference signal a renewed commitment to coordinating with other governments to combat corruption. Polite’s spotlight on Venezuela, for example, exemplifies collaboration among the Foreign Corrupt Practices Act (FCPA) Unit, the USAO in the Southern District of Florida, the Criminal Division’s Office of International Affairs (OIA) and the Policía Nacional (Spanish National Police) in the successful prosecution of Claudia Patricia Diaz Guillen, the former National Treasurer of Venezuela and resident of Spain, who accepted over US$100 million in bribes from a Venezuelan billionaire.[9] Against the backdrop of 96 per cent of Venezuelans living in poverty, DOJ considers this collaboration as the type of ‘righteous’ case the agency will continue to pursue.[10]

The tone from the very top, from the highest levels of the US government itself, is reverberating with a resounding call for collaboration, creativity and clawbacks, where warranted, to achieve its commitment to combat corporate crime.

As the US government reinforces its already robust system of accountability, multinational compliance programmes must expect that they will be held to account for doing the same with their workforces. Compliance professionals will therefore need to answer the call to action this represents and work even more effectively at managing, communicating and amplifying anti-corruption efforts along with their sanctions framework, as applicable, particularly as the threat of enforcement looms.[11]

However, those who build effective internal communication channels and adapt their compliance programmes will be well positioned.

Building effective internal communication channels

One key element of corporate governance is a well-designed and well-­implemented compliance programme. However, even the best programme will falter absent effective channels to diffuse the principles of an organisation’s ‘culture of compliance’ – the norms that encourage ethical conduct and a commitment to compliance with the law. Effective internal communication facilitates smooth information flow and shapes the way employees engage with an organisation, including how employees perceive its mission and values and how they relate to its culture.

A company conveys sound communication practices through the following:

  • setting the tone beyond just the top to include the entire organisation;
  • delegating compliance oversight and enforcement to a dedicated function;
  • implementing and publicising compliance policies, procedures and practices;
  • enforcing its policies, procedures and practices;
  • operating a well-functioning confidential reporting mechanism;
  • collecting and analysing compliance metrics; and
  • establishing training initiatives that are tailored and adapted to local laws and customs.

No one size fits all when it comes to the channels used to communicate corporate compliance. This chapter discusses general best practices across industries, but they should be individually tailored to each company’s operational realities.

Tone throughout: communicating a commitment to compliance culture

Effective internal communication is multidirectional: top-down and bottom-up. Organisations comprise individual executives and employees who each should feel personally invested in ensuring and promoting compliance.[12] Consistent with this principle, regulators evaluate a company’s commitment to fostering a strong culture of compliance at all levels of the company – not merely within its compliance department.[13]

Senior leadership sets the tone for the rest of the organisation. The commitment to compliance is manifested by the extent to which senior leadership articulates the company’s ethical standards, conveys and disseminates those standards in clear and unambiguous terms and demonstrates rigorous adherence by example.[14] In its revised March 2023 guidance on the Evaluation of Corporate Compliance Programs (ECCP), DOJ recognised that the tone at the top must be further bolstered by the tone at the middle and beyond, which drives the compliance programme on a daily basis and invests subordinates with a sense of ethical responsibility.[15] Most employees, especially at larger organisations, have little direct contact with senior leadership and therefore are most influenced by the managers who supervise them on a regular basis.

Who owns this? Assigning compliance oversight

Another hallmark of commitment to ethical practices is designating a dedicated function to implement and enforce compliance initiatives. The delegation of this core mandate should account for an organisation’s size and structure and need not be a compliance officer or in-house personnel. Whichever option best complements the size and structure of an organisation, the compliance function should be independent from management and be resourced adequately in terms of budget, human capital and information technology (IT).[16]

In assessing an organisation’s compliance programme, regulators ask not only whether compliance officers have ‘adequate access to and engagement with’ the business, management and board of directors but also whether an organisation has taken steps ‘to ensure that compliance has adequate stature within the company and is promoted as a resource’.[17] US regulators are further scrutinising the qualifications and expertise of key compliance personnel, signalling a preference for chief compliance personnel to lead any presentation with regulators and to demonstrate knowledge and ownership of a company’s compliance programme.[18] The overarching goal is to maintain a compliance function that is not merely a ‘paper programme’ but one that is well designed and equipped to handle an organisation’s operational demands.[19]

Compliance policies, procedures and practices

An organisation’s policies and procedures form the foundation upon which an effective compliance programme is built. These policies set forth ethical expectations, outline disciplinary procedures and, more broadly, incorporate the culture of compliance into the organisation’s day-to-day operations.[20]

But policies are meaningful only if personnel know about them. Before doling out disciplinary action, for example, a company must first communicate clearly what constitutes a breach of internal policies, procedures and values and how the company will respond to such a breach. If a breach is corroborated and repercussions are warranted, the company should issue disciplinary action promptly and consistently.[21] This communicates that misconduct will not be tolerated while also reinforcing fidelity to ethics and accountability.[22]

A company can ensure employees keep up to date with its policies by requiring periodic certification of compliance and introducing new employees to its ethical values during onboarding.[23] Relatedly, a company should inform business partners that it expects all activities carried out on its behalf to comport with internal ethics protocols and lawful business practices by seeking assurances from third parties, where appropriate, through certifications or contractual representations of reciprocal commitments.[24] These measures ensure that the compliance programme is visible, understood and followed appropriately by all relevant stakeholders. They also comport with regulators’ expectation that a company implement policies that reflect the spectrum of risks posed by an evolving legal, regulatory and business landscape.[25]

Moreover, recent guidance from DOJ makes plain that prosecutors will be asked to consider ‘the extent to which the company’s communications convey to its employees that unethical conduct will not be tolerated and will bring swift consequences, regardless of the position or title of the employee who engages in the conduct’.[26] Compliance professionals should follow suit. Prosecutors will further be asked to consider ‘whether a company has publicized disciplinary actions internally, where appropriate and possible, which can have valuable deterrent effects’.[27] Similarly, compliance professionals will need to weigh any benefits that might be gained in the publicisation of disciplinary actions for their own organisations.

Use of third-party messaging apps and mobile devices

The use of third-party messaging platforms (e.g., WhatsApp, WeChat) as well as ephemeral and encrypted messaging applications (e.g., Signal) for business communications increased substantially during the covid-19 pandemic due, in part, to limitations on in-person gatherings and remote work environments.[28] Although the global pandemic has waned, app-based messaging is here to stay. This is particularly true in Latin America, where WhatsApp is the most used social network in the region, with more than 94 per cent of internet users in selected countries accessing the platform.[29] And, as these messaging services continue to grow in popularity, regulators increasingly will expect companies to adapt their communication policies and practices to evolving technological realities.[30]

Though there may be legitimate reasons for the business use of these applications, they also present significant challenges for companies’ ability to maintain effective internal communication channels. Such challenges include the ability to monitor the use of such devices for misconduct, diversity of retention requirements between industries and data privacy restrictions across jurisdictions. Companies operating in Latin America and elsewhere would thus benefit enormously from implementing centralised guidance on the use of third-party messaging applications to ensure that employees’ business communications comport with relevant regulatory obligations and that they can be monitored and preserved, as necessary.

In March 2023, DOJ expounded on the significant changes introduced by DAG Monaco in a September 2022 memorandum addressing the use of communications platforms, messaging applications and mobile devices.[31] Under DOJ’s revised ECCP guidance, regulators will not only ask about the electronic communication channels used by the business and their preservation settings, they will also consider how companies communicate the policies to employees and whether they enforce them on a consistent basis.[32] Regulators will inquire about the company’s ability to access such communications, whether they are stored on corporate devices or servers, as well as the company’s knowledge of applicable privacy and local laws. ‘A company’s answers – or lack of answers – may very well affect the offer it receives to resolve criminal liability’.[33]

US enforcement authorities are delivering on their recommendations and admonishments, leaving less ambiguity on their expectations for compliance with respect to communications management. In 2022, the SEC and the Commodity Futures Trading Commission collectively levied billions in fines against a number of major banks and other financial institutions for not retaining SMS texts, iMessage, and app-based communications (which the SEC deemed ‘off-channel communications’).[34] According to the SEC, employees routinely used off-channel communications to discuss business matters, thus impeding institutions’ ability to archive business-related communications as required by securities laws.[35]

Even companies that historically have not had a legal duty to manage employees’ communication platforms, such as those not regulated by securities laws, should take note of regulators’ growing scrutiny of these communications more widely.[36] As evidenced by the DOJ’s articulated views, companies should proactively enhance their compliance programmes to better withstand any future scrutiny of their employees’ communication channels. From the government’s perspective, companies that currently have no legal requirement to preserve business-related communications are ‘amply on notice’ of the risks of failing to do so.[37]

Prosecutors’ expectation that companies implement communications policies includes those policies that permit employees to use managed BYOD[38] devices rather than company-issued devices to access company information, known as bring-your-own-device, or BYOD, policies.[39] Many companies require work to be conducted on corporate devices; others permit the use of managed BYOD or unmanaged personal devices. A managed BYOD device is often allowed with clear limitations of use that are technologically enforced, in full or in part, by MDM or EMM.[40] They, like corporate-issued, might also have specialised apps or middleware that capture text and app-based communication content, allowing for preservation and monitoring for compliance reviews. An unmanaged personal device that is permitted for business communications will not have technological controls to assist in enforcing the company’s communications policy. Such personal devices typically hold a complicated commingling of business and personal communications.

Companies may not be able to prevent every employee from using unauthorised messaging apps for business use, but they can take steps to demonstrate reasonable controls, including by maintaining a clear policy, ensuring retention capabilities, auditing employee use and incorporating information security best practices. In addition, companies should consider technological solutions to restrict employees’ ability to instal unapproved apps on company-issued and managed BYOD devices and provide employee training to establish further awareness of and compliance with information security practices. For example, some applications may delete messages as soon as they are read (i.e., ephemeral messaging) and some may automatically delete messages after a specified period unless default settings are changed by the user.[41] It is therefore critical that companies evaluate, in coordination with their local IT functions, the effect that various applications have on company data retention and information security goals.

However a company chooses to address the use of messaging platforms or mobile devices for business communications, it must strive to prevent circumvention of compliance protocols through off-system activity, preserve all key data and communications and maintain the capability to promptly produce that information for government investigations.[42]

Compliance through carrots and sticks

Good-faith enforcement of policies and expectations further communicates an organisation’s culture of corporate compliance. Indeed, in analysing an organisation’s commitment to corporate compliance, government authorities examine whether corporate management is enforcing the programme or tacitly encouraging employees to engage in impropriety.[43] A company can demonstrate good-faith enforcement by sanctioning misconduct and rewarding good behaviour.[44] Disciplinary action and compensation structures that impose financial penalties for misconduct can deter risky behaviour and foster a culture of corporate compliance.[45] At the same time, positive incentives, such as promotions, rewards and bonuses for improving and developing a compliance programme or demonstrating ethical leadership, can drive compliance.[46]

With these principles in mind, DAG Monaco recently announced department-wide policy updates concerning corporate compensation systems, noting two significant changes in particular.

First, US prosecutors will assess a company’s compensation structures when evaluating compliance programmes to determine how these structures contribute to the presence – or lack – of an effective compliance programme.[47] Is the company, for example, targeting bonuses to employees and supervisors who set the right tone, make compliance a priority and build an ethical culture? Companies should ensure that executives and employees are personally invested in promoting compliance, and ‘nothing grabs attention or demands personal investment like having skin in the game’ through direct and tangible financial incentives.[48]

Second, the DOJ is launching a three-year pilot programme to require, as part of a criminal resolution, that corporate compliance programmes include compensation-related criteria, and to offer fine reductions for companies that clawed back incentives paid out to employees and supervisors who engaged in or did not stop wrongdoing.[49] A company that fully cooperates with an investigation and timely and appropriately remediates the misconduct may receive an additional fine reduction if the company has implemented a programme to recoup compensation from the culpable employees.[50] ‘We expect companies that use these programs to address not only employees who engaged in wrongdoing in connection with the conduct under investigation, but also those who had supervisory authority over the employees or business area engaged in the misconduct, and knew of, or were willfully blind to, the misconduct’, stated the DOJ.[51]

These announcements exemplify the continuing formalisation of an existing practice of crediting companies for taking appropriate action as to culpable employees’ compensation. For example, incentives for compliance-promoting behaviour were incorporated in a recent plea agreement between the DOJ and Danske Bank, the largest bank in Denmark, over alleged failures in the lender’s anti-money laundering controls. As part of its agreement and in addition to forfeiting $2 billion, Danske Bank agreed to revise its performance review and bonus system to include criteria related to compliance so that each executive is evaluated on his or her efforts to ensure that the relevant business unit is complying with internal policies and applicable laws and regulations.[52] Accordingly, Danske Bank executives with a failing score for compliance will fail to secure a bonus for that year.

Prosecutors’ examination of the relationship between compensation structures and fostering responsible corporate behaviour reflects a broader commitment to finding the right incentives to support a culture of corporate compliance.[53] Companies are therefore encouraged to explore innovative, effective and targeted ways of leveraging compensation to incentivise good corporate behaviour and deter misconduct through their own mix of carrots and sticks.

Anonymous reporting mechanisms

Among the truest measures of a company’s commitment to compliance is how it responds to potential misconduct. A company should have in place a well-functioning reporting mechanism for the anonymous reporting of suspected or actual breaches of internal policy.[54] An effective mechanism will facilitate the timely and thorough investigation of those reports, which includes routing complaints to proper personnel and tracking timing metrics of open and closed investigations.[55] Upon completion of a thorough probe, an organisation should document outcomes, monitor implementation of any remedial measures and share investigative findings with relevant stakeholders.[56] Should reported allegations be substantiated, best practices recommended by the DOJ dictate that the company examine what happened, why it happened (i.e., the root cause) and how to avert similar incidents moving forward (i.e., the lessons learned).[57]

But it is not enough to have such a reporting system in place without ensuring that employees and third parties know it exists.[58] Publicise the reporting system broadly, perhaps through periodic trainings or email reminders that boost its profile.[59] Hotline usage can be a good barometer of how well a company is advertising its reporting channels. Infrequent or non-use of a reporting hotline implies that employees or third parties are unaware of its existence or are aware but either lack the know-how to escalate concerns or are uncomfortable with or distrust the process.[60] In contrast, healthy hotline usage evinces a well-functioning system and constructive environment wherein individuals are empowered to ‘speak up’.

Moreover, actively encouraging personnel to submit reports without fear of reprisal reinforces a corporate culture that promotes honest behaviour and incorporates reporting as part of one’s ethical duties. To further signal transparency and foster trust in the process, provide detailed information on the procedural next steps after submitting a report.[61] Regulators want to see that reports ‘are taken seriously, appropriately documented, investigated, and – if substantiated – remediated’.[62]

Monitoring and measuring compliance through data analytics

A staple of dynamic compliance programmes are mechanisms for collecting metrics to help detect and prevent misconduct, which also strengthen an organisation’s internal communication channels more broadly. Indeed, government enforcement authorities have signalled that companies need to be collecting and analysing metrics about their programmes, emphasising the growing importance of data analytics in communicating to employees and stakeholders an organisation’s commitment to maintaining an effective compliance system.[63] In October 2022, for example, DOJ announced that it had hired Matt Galvin, former Global Vice President of Ethics and Compliance at Anheuser-Busch InBev SA, the world’s largest brewery, for the new role of Compliance and Data Analytics Counsel in the Criminal Division’s Fraud Section.[64] Moreover, ‘[o]bservers should expect Galvin to leave a mark on the DOJ similar to the one he left at AB InBev, where he transformed the company’s compliance program to a data-driven machine’.[65]

Relatedly, DOJ Fraud Section Chief Glenn Leon recently announced that DOJ is gearing up to expand its use of data analytics as a key prosecutorial tool, and AAG Polite further noted that regulators have been focusing more and more on companies’ use of data analytics to identify and prevent criminal wrongdoing.[66] Just as government regulators use these tools to detect and combat criminal schemes, so too are organisations increasingly expected to leverage data analytics tools within their operations to monitor compliance with laws and policies, ferret out wrongdoing, and deliver meaningful remediation.[67]

Gathering data helps organisations identify, mitigate, and respond to compliance risks in real time and diagnose behavioural compliance trends. Either internally or with external assistance, companies can optimise the utility of data analytics by tracking core compliance metrics, including due diligence reviews, hotline usage, investigations opened and closed, training completion rates, policies drafted or revised, disciplinary action and remediation status.[68] Capturing these metrics not only helps companies analyse patterns of misconduct and identify compliance vulnerabilities, it also helps companies demonstrate their commitment to mitigating risk when engaging with regulators in the context of government investigations.[69] As AAG Polite stated, ‘When we see criminality, we will not just ask what happened. We want to understand the root causes – why it happened, and whether it will happen again’.[70] Analysing metrics further enables substantive assessment of high points and growth opportunities while offering benchmarks with which to anchor compliance targets and goals moving forward. This, in turn, breeds transparency and accountability by facilitating the reporting of actionable data to relevant stakeholders.

Adapting to local laws and customs

As if implementing a dynamic compliance programme were not already a delicate balancing act on its own, adapting programmes to address a spectrum of anti-corruption laws and other legislation adds to the challenge but is one that compliance programmes must address.

Complying with sweeping legislation across jurisdictions with varying enforcement landscapes

Distilling the vast expanse of bribery laws into manageable content for employees to understand and follow is not easy, especially with the cascade of countries that have enacted or amended a host of strong anti-corruption laws and enforcement regimes over the past decade. The FCPA, enforced by the DOJ and the SEC, is broadly applicable to US companies as well as foreign companies or persons with a nexus to the United States and their affiliates. This legislation prohibits foreign bribery of government officials but applies to the bribe payer only, whereas the UK Bribery Act (UKBA), passed in 2010, applies to both the bribe payer and the recipient. Moreover, the UKBA prohibits bribery of foreign public officials and private parties alike. These statutory regimes and the regulators who enforce them are usually well known to compliance professionals.

Relatedly, the anti-corruption terrain in Latin America imposes jurisdiction-specific requirements that organisations must navigate. Various countries in Latin America, including Brazil, Colombia and Mexico,[71] have enacted corporate compliance requirements of their own in recent years, and companies engaged in those markets must be cognisant of these varying enforcement landscapes, which are also undergoing their own respective evolutions. For example, in July 2022, the Brazilian government published Federal Decree No. 11,129/2022, amending the regulation of Brazil’s 2013 anti-corruption law known as the Brazilian Clean Companies Act (BCCA).[72] The decree also furnishes additional guidance related to the expectations of the Controladoria Geral da União, the entity that oversees compliance with the BCCA, in their assessment of integrity programmes and the range and application of administrative fines for violations of the law.[73] Additionally, the Chilean government even proposed new anti-corruption provisions to their constitution.[74] Though the constitutional proposal overall was rejected, as of March 2023, Chile has begun its second attempt to write a new constitution with a group of experts appointed by Congress. The vote to approve or reject the proposed text is scheduled for December 2023 and the potential passage of the constitution with any anti-corruption provisions the experts may draft will certainly be an area to monitor.[75]

Taken together, it is clear that multinational organisations will need to ensure that their compliance programmes and global personnel adhere to the mandates that regulators impose. And whether it is the FCPA, the UKBA or local anti-corruption laws, the basic proscription is the same: nothing of value can be given, directly or indirectly, to improperly influence government officials or commercial counterparties.

Tailoring a global compliance policy

A global enterprise faces a wide array of compliance concerns including bribery, corruption, embezzlement, money laundering, employee kickbacks, accounting irregularities and conflicts of interest across geographies. Tailoring compliance programmes to the localities in which multinational companies operate while simultaneously addressing these cross-jurisdictional concerns poses yet another uphill challenge.

A multinational company may, for instance, choose to implement uniform global compliance policies that include requirements that are either more or less restrictive than local regulations, like those discussed above. Other multinational companies may mix and match – applying consistent standards globally while also supplementing them with country-specific guidance. Given the sheer number of individuals within a multinational organisation, it is also advisable that companies create roles for compliance professionals to be available to personnel globally for ‘on the ground’ guidance and feedback.

Tailoring training to an audience’s size, industry, risk profile, geographical footprint, language, sophistication and subject-matter expertise is crucial and underscored in the DOJ’s March 2023 ECCP.[76] Above all else, when developing training programmes, multinational companies should tailor presentations and materials to the roles of its workforce, and policies and training should be presented in local languages and in person to the extent possible.[77] Aiding companies that operate in Spanish-speaking jurisdictions and recognizing the significant need for alignment with regional developments, AAG Polite at the ABA Conference announced that the DOJ would reissue the 2020 FCPA Resource Guide in Spanish.[78]

Training programmes should also be brimming with real-world examples tailored to any specific localities. Real-world examples that span the globe while also implicating Latin America are not difficult to find. In April 2022, for example, Stericycle Inc. (‘Stericycle), an international waste management company headquartered in Illinois, agreed to pay more than US$84 million to resolve parallel investigations by authorities in the United States and Brazil into the bribery of foreign officials in Brazil, Mexico and Argentina.[79] Specifically, between 2011 and 2016, Stericycle caused hundreds of bribe payments that were calculated as a percentage of the underlying contract payments owed to Stericycle from government customers to be made to officials at government agencies and instrumentalities in Brazil, Mexico and Argentina.[80]

The DOJ enforcement action against Stericycle, along with a parallel investigation by the SEC related to conduct in multiple jurisdictions, provides a window for compliance professionals to educate their workforces on how bribery and books-and-records violations can play out in Latin America. Indeed, in all three countries, the co-conspirators tracked the bribe payments through spreadsheets and described the bribes through code words and euphemisms, such as ‘CP’ or ‘commission payment’ in Brazil, ‘IP’ or ‘incentive payment’ in Mexico, and ‘alfajores’ (a popular cookie) in Argentina.[81]

In the aviation sector, Linhas Aéreas Inteligentes S.A. (GOL), an airline headquartered in São Paulo, Brazil, paid more than $41 million to resolve parallel bribery investigations by criminal and civil authorities in the United States and Brazil.[82] According to AAG Polite’s statement in a September 2022 press release:

GOL paid millions of dollars in bribes to foreign officials in Brazil in exchange for the passage of legislation that was beneficial to the airline . . . The company entered into fraudulent contracts with third-party vendors for the purpose of generating and concealing the funds necessary to perpetrate this criminal conduct, and then falsely recorded the sham payments in their own books.[83]

As part of the resolution, GOL agreed to continue to enhance its compliance programme and provide reports to the DOJ regarding the remediation and implementation of compliance measures, signalling the importance of compliance professionals enhancing their compliance programmes in the first instance.

Companies that operate in the oil and gas sector will also find lessons learned in the use of intermediaries to facilitate improper payments from Honeywell UOP’s December 2022 resolution. There, Honeywell UOP agreed to pay US$160 million to resolve parallel bribery investigations by criminal and civil authorities in the United States and Brazil stemming from funds offered to a high-ranking official at Brazil’s state-owned oil company.[84] As part of the arrangement, Honeywell UOP entered into an agency agreement with a sales agent for the purpose of paying US$4 million to the high-ranking Petróleo Brasileiro S.A. (Petrobras) executive.[85]

The increase in individual prosecutions involving Latin America also signals a continued focus on the region as well as a regulatory focus on individual accountability. In 2022 and 2023, for example, both Venezuelan and Brazilian nationals have been charged with violations of the FCPA. More specifically, in February 2023, a senior oil and gas trader and a Brazil-based intermediary were charged with conspiracy, multiple counts of violating the FCPA and money laundering in connection with an alleged scheme to pay bribes to Brazilian officials to win contracts with Brazil’s state-owned and state-controlled energy company, Petrobras.[86] Clearly, FCPA enforcement in Latin America is ‘forecast to remain hot as US regulators strengthen partnerships with their counterparts’ and the ‘pace of FCPA enforcement doesn’t appear to be slowing in 2023’.[87]

Tailoring global compliance policies in a way that grapples with these real-world realities, whether they draw from corporate resolutions or individual prosecutions, will only provide multinational companies with a competitive advantage and bolster their ability to attract and retain superior talent. It will also ensure that business is done the ‘right’ way and help employees, wherever they are in the world, take stock in a company that acts with integrity.


Compliance programmes that incorporate the lessons learned from around the globe and marshal the tools outlined above as prophylactics will be well positioned to avoid enforcement actions on the back end. Government regulators are encouraging companies to do precisely that for their own benefit.

Architects who design compliance programmes in this age of anti-corruption ‘accretion’ must look to the past, present and future in managing multinational workforces and building effective internal communication channels. Compliance programmes should factor into their policies the role of incentives and clawbacks, especially as they relate to executive compensation and rewarding compliance leadership. Training should include lessons learned from past enforcement actions as well as lessons from within a company while making innovative use of measures such as data analytics in diagnosing, mitigating and responding to compliance risks. Training should also take a multidirectional approach to educating the workforce on the current state of anti-corruption accretion and its evolving nature and be tailored to an employee’s locality when applicable. In addition, trainings should provide employees a glimpse into what the future could hold as seen in recent enforcement actions if compliance is not prioritised, providing adequate resources, anonymous reporting mechanisms, guidance and even mega-fine figures to ensure that the future is not, in fact, realised.


[1] María González Calvet is a partner, and Krystal Vazquez and Baldemar Gonzalez are associates, at Ropes & Gray.

[2] In June 2021, the Biden Administration issued a memorandum highlighting the cost of corruption and declaring the fight against corruption to be a core national security interest. See The White House, Memorandum on Establishing the Fight Against Corruption as a Core United States National Security Interest (3 June 2021),

[3] See DOJ Unveils New Policies to Incentivize Responsible Corporate Citizenship and Deter Wrongdoing, Ropes & Gray LLP (16 September 2022),

[4] See Ryan Rohlfsen et al., DOJ Unveils Changes to the Criminal Division’s Corporate Enforcement Policy to Incentivize Voluntary Self-Disclosure and Cooperation, Ropes & Gray LLP (20 January 2023),

[5] id.

[7] Justice Department Announces New Policies Impacting Corporate Criminal Enforcement, Ropes & Gray LLP (7 March 2023),

[8] US DOJ, Assistant Attorney General Kenneth A. Polite, Jr. Delivers Keynote at the ABA’s 38th Annual National Institute on White Collar Crime (3 March 2023), [ABA Conference Polite Remarks].

[9] US Embassy in Venezuela, Former Venezuelan National Treasurer Charged in Connection with Bribery and Money Laundering Scheme (16 December 2020),

[11] See ABA Conference Polite Remarks (‘That is what I urge you all to do as well. Not just fellow prosecutors, but defense counsel, in-house professionals – use your mission to solve problems you see. Act in a way that is meaningful, sets the right tone, and leads by example.’).

[12] See US DOJ, Principal Associate Deputy Attorney General Marshall Miller Delivers Live Keynote Address at Global Investigations Review (20 September 2022), [GIR Miller Remarks].

[13] US DOJ, Memorandum from the Deputy Att’y Gen., Further Revisions to Corporate Criminal Enforcement Policies Following Discussions with Corporate Crime Advisory Group (15 September 2022), [Monaco Memo].

[14] See US DOJ, Crim. Div., Evaluation of Corporate Compliance Programs 9 (March 2023), [US DOJ ECCP]; World Bank Group, Integrity Compliance Guidelines 5 (2017), [World Bank Guidelines].

[15] See US DOJ ECCP, at 9 (‘Prosecutors should also examine how middle management, in turn, have reinforced those standards and encouraged employees to abide by them.’); US DOJ & SEC, FCPA: A Resource Guide to the U.S. Foreign Corrupt Practices Act 58 (2d ed. 2020), [FCPA Resource Guide].

[16] See US DOJ ECCP, at 10. Dep’t of the Treasury’s Office of Foreign Assets Control, A Framework for OFAC Compliance Commitments 2 (May 2019), [OFAC Framework].

[17] US DOJ, Assistant Attorney General Kenneth A. Polite Jr. Delivers Remarks at NYU Law’s Program on Corporate Compliance and Enforcement (PCCE) (25 March 2022), [NYU PCCE Polite Remarks].

[19] See US DOJ ECCP, at 9.

[20] See id., at 4.

[21] See id., at 6, 12–13 (adding that disciplinary action should be commensurate with the violations).

[22] See id., at 12–13. Some companies have even found that publicising disciplinary actions internally, where appropriate under local law, can have an important deterrent effect, warning that unethical actions have swift and sure consequences. See id., at 12.

[23] See OECD, Corporate Anti-Corruption Compliance Drivers, Mechanisms and Ideas for Change 39 (2020), [OECD Compliance Drivers].

[24] See World Bank Guidelines, at 10; FCPA Resource Guide, at 62.

[25] See NYU PCCE Polite Remarks.

[26] US DOJ ECCP, at 12; U.S.S.G. § 8B2.1(b)(6) (‘[t]he organization’s compliance and ethics program shall be promoted and enforced consistently throughout the organization through (A) appropriate incentives to perform in accordance with the compliance and ethics program; and (B) appropriate disciplinary measures for engaging in criminal conduct and for failing to take reasonable steps to prevent or detect criminal conduct’).

[27] US DOJ ECCP, at 12.

[28] In one study, roughly eight in 10 people aged 25 to 34 stated that they use messaging platforms such as WhatsApp to communicate with their colleagues at least once per week. See Simon Kemp, Digital 2020: October Global Statshot (20 October 2020), This trend existed even pre-pandemic. WeChat reported over 1.2 billion monthly active users in 2020, more than double the 550 million monthly active users it reported in 2015. See Lai Lin Thomala, Number of active WeChat messenger accounts Q2 2011–Q4 2020, Statista (7 December 2022), WhatsApp reported in 2020 that roughly 100 billion messages were exchanged each day on the platform, up from 30 billion messages in 2015. See L. Ceci, Number of monthly active WhatsApp users 2013-2020, Statista (27 July 2022),

[29] See Tiago Bianchi, WhatsApp reach in selected Latin American countries 2021, Statista (1 August 2021)

[30] See GIR Miller Remarks (‘Company policies and procedures addressing the use of personal devices and third-party messaging systems for business purposes will be reviewed as part of evaluating the effectiveness of a corporation’s compliance program.’).

[31] We are intentionally not referring to mobile devices as ‘personal devices’. Given important legal and technical implications that apply to the different types of mobile devices, discipline should be employed when addressing this topic to note the differences between (1) corporate-issued mobile devices; (2) BYOD mobile devices; and (3) truly personal devices.

[32] See US DOJ ECCP, at 17; ABA Conference Polite Remarks.

[34] In 2022, the SEC and the CFTC imposed fines totalling US$1.8 billion in penalties as part of a series of settlements with major financial institutions for failing to preserve off-channel communications by employees. Jon Hill, HSBC Says It’s Close to Settling SEC, CFTC Texting Probes, Law360 (22 February 2023), Those actions followed a US$200 million fine levied against JPMorgan Chase in late 2021 to settle similar record-keeping lapses tied to employees’ messaging use. Id.

[35] See Jon Hill, SEC, CFTC Messaging Probes Net $1.8B In Big Bank Penalties, Law360 (27 September 2022),

[36] See Jane Yoon & Mark Carper, Revisiting Employee Communication Policies After DOJ Memo, Law360 (13 October 2022),

[38] Here we make a distinction between a managed BYOD device from a truly personal and unmanaged device. A managed BYOD device will have some form of MDM (Mobile Device Management) or EMM (Enterprise Mobility Management), which serves to allow access to approved systems, can block the installation of unapproved systems and apps, and offers other security features. This is one reason it is important to refer to mobile devices more specifically as between corporate-issued, BYOD and personal.

[39] See ABA Conference Polite Remarks.

[40] See footnote 38.

[41] See Yoon & Carper, supra note 36.

[42] See GIR Miller Remarks.

[43] See US DOJ ECCP, at 2.

[44] See US Sent’g Comm’n, Guidelines ManualU.S.S.G. § 8B2.1 (b)(6) (2021) (noting that an organisation’s compliance programme should entail ‘(‘(A) appropriate incentives to perform in accordance with the compliance and ethics program; and (B) appropriate disciplinary measures for engaging in criminal conduct and for failing to take reasonable steps to prevent or detect criminal conduct’). conduct’).

[45] See Monaco Memo (‘Compensation systems that clearly and effectively impose financial penalties for misconduct can incentivize compliant conduct, deter risky behavior, and instill a corporate culture in which employees follow the law and avoid legal ‘gray areas.’’).

[46] See Stephen M. Cutler, Dir., Div. of Enf’t, Second Ann. Gen. Counsel Roundtable, Tone at the Top: Getting It Right, SEC (3 December 2004), (‘[M]ake integrity, ethics and compliance part of the promotion, compensation and evaluation processes as well. For at the end of the day, the most effective way to communicate that ‘doing the right thing’ is a priority, is to reward it.’).

[47] See ABA Conference Polite Remarks.

[48] ABA Conference Monaco Remarks.

[49] See ABA Conference Polite Remarks.

[50] See id. (noting that ‘prosecutors will accord an additional fine reduction equal to the amount of any compensation that is recouped’ if a company has initiated the process to recover such compensation at the time of resolution); ABA Conference Monaco Remarks (‘If the company succeeds and recoups compensation from a responsible employee, the company gets to keep that clawback money—and also doesn’t have to pay the amount it recovered.’).

[51] ABA Conference Polite Remarks.

[52] See US DOJ, Plea Agreement in United States v. Danske Bank A/S C-5 (2022),

[53] See ABA Conference Monaco Remarks (‘We want companies to step up and own up when they discover misconduct and to use compensation systems to align their executives’ financial interests with the company’s interest in good corporate citizenship.’).

[54] See US DOJ ECCP, at 6.

[55] See id.

[56] See FCPA Resource Guide, at 66.

[57] See ABA Conference Polite Remarks (providing that prosecutors will continue to ask how companies ‘learn from the issues they encounter’).

[58] See World Bank Guidelines, at 13.

[59] See Helen Kim, Taking a Fresh Look at Hotlines: Fostering a Speak-Up Culture and Leveraging Data, Anti-Corruption Report (16 September 2020),

[60] See Vincent Pitaro, Revisiting Compliance Programs in Light of the DOJ’s Updated ECCP, Anti-Corruption Report, Anti-Corruption Report (30 September 2020),

[61] See Kim, supra note 59 (‘Companies should provide regular training to employees on the reporting process, not just the existence of the hotline, to set expectations and encourage continued engagement.’).

[62] NYU PCCE Polite Remarks.

[63] See, e.g., Rebecca Hughes Parker, Using Data to Enhance Compliance Programs, Anti-Corruption Report (5 January 2022), (‘The DOJ, SEC and other enforcement authorities have made clear that companies need to be gathering and analyzing data about their compliance programs, and the agencies themselves have become more sophisticated in their knowledge of data analytics.’); US DOJ, Deputy Attorney General Lisa O. Monaco Gives Keynote Address at ABA’s 36th National Institute on White Collar Crime (28 October 2021), (‘[D]ata analytics plays a larger and larger role in corporate criminal investigations, whether that be in healthcare fraud or insider trading or market manipulation.’).

[64] Hui Chen, New DOJ Fraud Section Data Expert Will Reshape Compliance, Law360 (7 October 2022),

[67] See NYU PCCE Polite Remarks.

[68] See Andy Miller, How Visual Analytics Can Fuel a Compliance Program, Anti-Corruption Report (2 December 2020),

[69] See NYU PCCE Polite Remarks (‘We want to see examples of compliance success stories—the discipline of poor behavior, the rewarding of positive behavior, the transactions that were rejected due to compliance risk, positive trends in whistleblower reporting, and the partnerships that have developed between compliance officers and the business. . . . We want to know that a company can identify compliance gaps or violations of policy or law.’).

[70] ABA Conference Polite Remarks.

[71] In Colombia, the Anti-Corruption Act, Law 1474 of 2011, criminalises active and passive bribery, foreign bribery, political corruption and money laundering, among other crimes, and establishes administrative, criminal and fiscal sanctions. In Mexico, the General Law of the National Anti-Corruption System (SNA) coordinates the prevention, detection and prosecution of anti-corruption cases across municipal, state and local jurisdictions. Additionally, the Chilean government has even proposed new anti-corruption provisions to their constitution. Ropes & Gray LLP, Columbia, (last visited 22 March 2023); Anti-Corruption Act, Law 1474 of 2011, (last accessed 22 March 2023).

[72] BRAZIL. Decree 11.129 of 11 July 2022. Regulates Law No. 12,846, of 1 August 2013, which provides for administrative and civil liability of legal entities for the practice of acts against the public administration, national or foreign. Diário Oficial da União, Brasília, DF, 12 July 2022, (last accessed 22 March 2023).

[74] Eduardo Engel & Benjamin Garcia, A new constitution for Chile: Let’s try again?, Hewlett Found. (21 February 2023),

[75] Chile starts second attempt to draft a new constitution, Reuters (6 March 2023),

[76] See US DOJ ECCP, at 1.

[77] See Globalizing Your Compliance Program, Ropes & Gray LLP (29 January 2018),

[78] ABA Conference Polite Remarks.

[79] See US DOJ, press release 22-401, Stericycle Agrees to Pay Over $84 Million in Coordinated Foreign Bribery Resolution (20 April 2022), (last accessed 22 March 2023).

[80] See id.

[81] See id.

[82] US DOJ, press release 22-978, GOL Linhas Aéreas Inteligentes S.A. Will Pay Over $41 Million in Resolution of Foreign Bribery Investigations in the United States and Brazil, (15 September 2022), (last accessed 22 March 2023).

[84] US DOJ, press release 22-1383, Honeywell UOP to Pay Over $160 Million to Resolve Foreign Bribery Investigations in U.S. and Brazil, (19 December 2022), (last accessed 22 March 2023).

[85] See id.

[86] US DOJ, press release 23-187, Senior Oil and Gas Trader and Brazil-Based Intermediary Charged in Bribery and Money Laundering Scheme (17 February 2023), (last accessed 22 March 2023).

[87] Phillip Bantz, White Collar Attys Brace For More Latin America FCPA Action, Law360 (8 February 2023),

Unlock unlimited access to all Latin Lawyer content