This is an Insight article, written by a selected partner as part of Latin Lawyer's co-published content. Read more on Insight
Compliance in context
I recall vividly the first time I led a compliance seminar in Latin America. Although I received a warm welcome that day in São Paulo, many in the room seemed uncertain about the relevance locally of the US Foreign Corrupt Practices Act and, more generally, anti-corruption best practices. From a compliance perspective, that was a lifetime ago. So much has changed.
Back then, it seemed improbable that Brazil would soon adopt a sweeping anti-corruption law. Only a short time later, following riots in the streets, Brazil did precisely that, and the law dramatically took effect in January 2014. Those sceptical that Brazil ever would adopt such a law quickly transitioned their scepticism, next doubting that Brazil ever would enforce this law. That assumption again proved faulty. A tsunami of enforcement followed soon after, making headlines around the globe. Companies have paid big penalties, and high-profile politicians and business executives have been charged, convicted and imprisoned. Even so, questions persist regarding some of these proceedings, and backlash continues in various forms. It also remains unclear exactly how the recent change in administration will impact Brazil’s anti-corruption path.
In addition to spawning countless enforcement operations within Brazil, these developments have reverberated throughout Latin America, with further shockwaves felt around the world. Although Brazil has played an outsized role in Latin America’s anti-corruption narrative, other jurisdictions also have augmented their efforts to combat corruption. Numerous countries in the region (such as Argentina, Colombia, Mexico and Peru) have adopted new and expansive anti-corruption laws. More surprising to many, local authorities increasingly have enforced these laws, albeit to varying degrees and while grappling with an array of political, economic and other challenges. Anti-corruption contours vary throughout the region, but some of the basic ingredients persist, including highly relevant laws, locals fed up with corruption and scandals that abound.
Within this context, actual enforcement can serve as a powerful motivator of intensified corporate compliance efforts. For obvious reasons, the spectre of aggressive enforcement offers a highly persuasive justification for finding religion in this area and making the necessary adjustments and investments. Along these lines, the US Deputy Attorney General has warned that ‘[c]ompanies need to actively review their compliance programs to ensure they adequately monitor for and remediate misconduct – or else it’s going to cost them down the line’.
More broadly, enforcement risk remains acute in the United States and certain other jurisdictions. This is especially the case in the United States after the Biden administration in 2021 elevated fighting corruption to a national security priority and since has launched related initiatives. Unsurprisingly, a significant element of the resulting US anti-corruption strategy involves active engagement and close coordination with foreign partners, possibly foretelling greater collaboration between US authorities and Latin American counterparts.
An effective compliance programme
Companies and individuals often want to do the right thing, but an effective compliance programme entails more than just a pristine ethical mindset. Among other essential features discussed in this book, a compliance programme requires the commitment of management at all levels and sufficient resourcing to do the job well.
Indeed, much ink has been spilled over what constitutes an effective compliance programme, including in Latin America. Yet the main elements are relatively uncontroversial, with certain compliance truths remaining generally applicable. For example, as outlined in guidance issued by the US Department of Justice and updated most recently in March 2023, proper evaluation of a corporate compliance programme necessarily involves assessing its design, implementation and effective functioning:
- Design: proper design begins with a thoughtful risk assessment. This includes evaluating a company’s compliance risk factors, such as its jurisdictions of operation, industry, government touchpoints and reliance on third parties. Just as no two companies are the same, a compliance programme cannot be one-size-fits-all but must be tailored to a company’s risk profile and integrated into its internal controls.
- Implementation: even the most brilliantly crafted programme can provide only limited comfort if it is not implemented effectively. This requires the commitment of management, autonomy, resourcing and empowerment of the compliance function, and both incentives for compliance and disincentives for non-compliance.
- Functioning: a compliance programme is only as good as it functions in practice. Adequate monitoring, testing and review are necessary to ensure that a programme is working as intended and is refined as needed. Proper functioning also requires the investigation of potential misconduct and remediation of any underlying issues.
It bears underscoring that risks posed by third parties, in particular, remain many companies’ most significant anti-corruption exposure. Countless examples of recent enforcement in Latin America illustrate this reality: third parties rather than company employees often pay the bribes later subjected to government investigations. Third-party management is therefore a core element of an effective compliance programme and should include risk-based due diligence, written contracts that enshrine compliance obligations and careful oversight of the third parties’ services.
In the end, no compliance programme is perfect or can prevent all wrongdoing, even with the best of intentions and good-faith efforts. For most companies, the question is not whether a compliance violation one day will occur but how severe and extensive it will be, how early and by what means it will be detected, and how the company ultimately will respond.
Companies and their stakeholders must accept this reality while making judicious use of sometimes limited compliance resources. This balancing act becomes particularly challenging amid a crisis, such as the covid-19 pandemic. However, it is predictably during a crisis when the cost of neglecting a compliance programme may be most acute. And, since 2020, economic challenges and political upheaval have both exacerbated the pandemic’s devastating impacts and disrupted some of region’s anti-corruption momentum.
Prosecutors play a valuable role in helping to incentivise companies to implement and maintain effective compliance programmes. Authorities in the region can do even more to support the growing compliance culture, including by imposing lower penalties on companies that implement effective programmes or, better yet, by declining altogether under appropriate circumstances from penalising these companies when certain things go wrong. This is especially so when companies are plagued by isolated misconduct of a rogue employee or a small number of employees. While active enforcement undoubtedly breeds greater efforts to comply, enforcement decisions that respect such genuine compliance efforts arguably can do so even more.
Overview of the book
This project has been a true labour of love for many. It also has been an absolute delight to collaborate with such knowledgeable and thoughtful contributors. I thank them deeply for their regional insights, nuanced analysis, spirited advice and deep commitment to spreading the gospel of compliance.
The book proceeds in four parts and includes significant updates since the prior edition and several new chapters (12, 20 and 21). Part 1 sets the scene by surveying the broader Latin American compliance landscape:
- Chapter 1: Peter Spivack and Isabel Costa Carvalho of Hogan Lovells LLP examine the dramatic rise and evolution of compliance in Latin America over several decades, becoming the necessity that it is today. They illustrate the increasing importance of compliance in the region, bolstered in part by guidelines issued by authorities in Argentina, Brazil, Colombia, Mexico and Peru. While acknowledging challenges in promoting cultural change and ensuring appropriate enforcement, the authors also observe how compliance now is transcending strict legal compliance to consider broader societal impacts.
- Chapter 2: Julie Bédard, Lauren A Eisenberg and Mayra Suárez of Skadden, Arps, Slate, Meagher & Flom LLP assess the current compliance climate and significant legislative changes in Latin America. The authors also explore regional enforcement trends, including the impact of increasing cooperation and coordination among regulators, the prioritisation of prosecuting individuals and enforcement involving particular industries. In light of these developments, the authors illuminate why companies operating in Latin America should maintain appropriate anti-corruption policies and other safeguards.
Part 2 then addresses key considerations in building an effective compliance programme:
- Chapter 3: Reynaldo Manzanarez Radilla, head of legal affairs and compliance at Incode Technologies Inc., profiles a successful compliance department. Although recognising that there is not a single formula for success, he analyses some of the fundamentals, including a strong tone at the top, core compliance policies, a true team of professionals and adequate resourcing. He explains how the compliance function must act as a trusted adviser to the business, operating cost-effectively and demonstrating its value, including when dealing with the unexpected.
- Chapter 4: Brendan P Cullen and Anthony J Lewis of Sullivan & Cromwell LLP elaborate on building a robust compliance programme in Latin America. They describe the elements of an effective programme, including based on guidance issued by US regulators, and associated challenges. Additionally, the authors recount compliance best practices such as documenting programme changes and successes, broadcasting a culture of compliance, obtaining local input and buy-in, relying on local counsel and leveraging data analytics.
- Chapter 5: Andrew Jánszky, a corporate governance and compliance consultant, turns to the pivotal role a company’s board of directors should play, suggesting that expectations of boards have risen and should continue to do so. Specifically, he calls on board members to engage substantively on risk assessment and other compliance matters, actively complementing (but not supplanting) the essential role of management. While recognising the improbability that any company could achieve best practices in all respects, he extracts from various case studies cautionary lessons for boards and underscores the importance for a compliance function of independence, autonomy, and structural and cultural compatibility.
- Chapter 6: Daniel S Kahn, Tatiana R Martins and Jordan Leigh Smith of Davis Polk & Wardwell LLP next tackle conducting compliance risk assessments, the starting point for designing an effective compliance programme. As part of this process, they review the elemental tasks of mapping compliance risks based on factors such as a company’s geographical and operational footprint and then ensuring that compliance resources and controls adequately address the identified risks. The authors also identify significant considerations regarding who conducts a compliance risk assessment, as well as the importance of refreshing an assessment, especially in the face of triggers that may alter a company’s intrinsic risk profile.
- Chapter 7: Palmina M Fava, Zachary Terwilliger, Laura Muse and Martin Pereya of Vinson & Elkins LLP tackle the significant compliance risks and related challenges posed by third parties. The authors provide compelling enforcement examples and then recount best practices for mitigating potential exposures, including by conducting risk-based due diligence, documenting compliance expectations and appropriately training third parties and monitoring their activities.
- Chapter 8: María González Calvet, Krystal Vazquez and Baldemar Conzalez of Ropes & Gray LLP next discuss best practices for building effective internal communications channels and the vital role of compliance training. They address the centrality of communications from the top and elsewhere regarding a deep commitment to compliance, the foundational role of compliance policies and procedures, and the imperative of an anonymous reporting mechanism. The authors explore challenges involving third-party messaging applications and mobile devices, as well as the prospect of measuring compliance through data analytics. They elaborate on the importance of tailoring a compliance programme to relevant laws and cultures, including adapting a global policy to a given location and delivering training that is customised for local workforces and replete with real-world examples
- Chapter 9: Adrián Magallanes Pérez and Diego Sierra Laris of Von Wobeser y Sierra, SC review best practices for conducting internal investigations of alleged wrongdoing. After elaborating on why these investigations are vital, they detail the investigative life cycle, including conducting a preliminary assessment, determining whether to engage external counsel, developing an investigative plan, preserving evidence, taking steps to avoid any retaliation, reviewing documents, conducting interviews, preparing a final report and proposing any remedial steps. The authors highlight the value of conducting internal investigations and, in certain circumstances, self-reporting improper conduct to authorities.
- Chapter 10: my Debevoise & Plimpton LLP colleague Erich O Grosz and I delve into assessing and mitigating compliance risks in the transactional context, including before, during and after a transaction. While unknowingly buying a compliance problem can be disastrous, even assets tainted by corruption can sometimes be attractive targets. This chapter examines why and how compliance due diligence is essential for evaluating a potential transaction’s true value and appropriateness, offering practical steps for conducting due diligence and addressing related risks. In addition, the chapter explains why identifying any problematic conduct pre-investment can be critical, both to avoid overpaying for an asset and to terminate and remediate any misconduct promptly after closing.
- Chapter 11: Gabriela Paredes, Dheeraj Thimmaiah, Jaime Munoz and John Sardar, all compliance professionals at Anheuser-Busch InBev, articulate a provocative technological manifesto, illustrating in practical terms how a data-driven approach can and must revolutionise corporate compliance programmes. The authors espouse benefits for programmes that leverage data science and analytics, including across risk assessments, internal investigations, and compliance monitoring. While recognising that companies will proceed in varying ways, the authors note opportunities encompassing automation and process optimisation, identification and harmonisation of data sets, and application of both supervised and unsupervised machine learning.
- Chapter 12: Nelson Luis, Raúl Saccani and Fernando Peyretti of Deloitte explore how attorneys and forensic accountants work collaboratively to help clients mitigate financial and compliance risks, including by detecting and preventing fraud and other malfeasance. For both proactive and reactive matters, such as due diligence and investigations, respectively, the authors describe attorneys’ and accountants’ complementary skills that help clients make better informed decisions. Among other timely topics, the authors examine best practices involving third-party risk management, challenges of preserving and collecting evidence, and approaches to transaction testing and monitoring.
Part 3 turns to specific legislative and regulatory pressure points:
- Chapter 13: Lorena Pavic, José Pardo, Benjamín Torres and Raimundo Gálvez of Carey explore challenges in navigating competition rules, drawing in part on reforms in Argentina, Brazil, Chile, Ecuador, Mexico and Peru. The authors address relevant legal landscapes, illustrating the increased anticompetition standards throughout the region. The chapter then examines related exposures, including cartel investigations, and proposes safeguards to mitigate competition risks, including avoiding, deterring and detecting collusive behaviour. As the authors note, close attention to competition law is imperative for effective corporate compliance in Latin America.
- Chapter 14: a team from Vinson & Elkins LLP – Palmina M Fava, Gabriel Silva and Christopher James – discusses how data protection laws have proliferated throughout Latin America, more recently following the European Union’s model. The authors explore differences in the various legal regimes, including around breach notification requirements. Additionally, the authors explain the value of an effective data compliance programme, subject to testing and updating, both to prevent violations and, if necessary, to defend a company against any related lawsuits or investigations.
- Chapter 15: relatedly, Antonio Gesteira, Jordan Rae Kelly and Adriana Prado of FTI Consulting explore strategies for reducing cybersecurity and data risk, focusing in particular on ensuring incident readiness and building a culture of compliance. The authors detail the perfect storm of growing risks involving data breaches and cyber incidents, compounded by increasing enforcement in Latin America regarding data protection. In particular, the authors underscore the importance of prevention, including careful attention to incident response planning, and best practices for confronting an incident and dealing with the aftermath.
- Chapter 16: Ryan Fayhee, Diego Durán de la Vega, Tyler Grove and Anna Hamati of Hughes Hubbard & Reed LLP explore risks in Latin America involving compliance with US sanctions, a topic of particular prominence given recent global events. After providing an overview of US economic sanctions, the authors focus on recent developments regarding Nicaragua, Paraguay, Venezuela and Russia, and they assess related enforcement, including civil penalty and secondary sanctions actions. The authors conclude with recommendations for designing and implementing an effective sanctions compliance programme, emphasising the importance of such steps given the far reach of US enforcement.
- Chapter 17: Maximiliano D’Auro and Gustavo Papeschi of Beccar Varela provide an Argentine perspective on risk management in the financial services industry. Although financial services providers usually recognise their inherent exposure to anti-money laundering risk, the authors argue that these providers often insufficiently appreciate their anti-corruption exposure, notwithstanding the breadth of government touchpoints. Accordingly, the authors expound the elements of an integrity programme for financial services providers, especially in light of changes to Argentine law and associated compliance guidelines.
Last, Part 4 looks to the future, highlighting some compliance trends to watch:
- Chapter 18: Ben O’Neil and Elissa N Bauer of McGuire Woods LLP foretell the creep of legislation targeting private corruption. They review the corrosive effects of commercial bribery, which are increasingly borne by the public, and the differing regulatory regimes used to combat these types of corrupt practices. The authors also discuss strategies for identifying the telltale signs of kickback schemes and for preventing private corruption through appropriate compliance policies and internal controls.
- Chapter 19: a team from Morrison & Foerster LLP – Ruti Smithline, Hayley Ichilcik, James M Koukios, Lauren Navarro and Stephanie Pong – delves deeply into the social pillar (the ‘S’) of environmental, social and governance (ESG), broadly encompassing companies’ relationships with stakeholders including employees, suppliers, customers and others. The authors detail several frameworks for measuring associated progress, such as the UN Sustainable Development Goals, and then explore relevant legal developments in Brazil, Chile, Colombia, Mexico and Peru. In addition, the authors highlight practical considerations for companies in addressing the social pillar, concluding that those doing so effectively may enjoy a competitive advantage, especially as new ESG-related legal regimes emerge.
- Chapter 20: relatedly, Martín Sánchez, Gabriel Calvillo, Adriana Morales and Paula Pérez Benítez of Mijares Angoitia Cortés y Fuentes SC recount relevant ESG risks and developments in the region, with particular focus on Mexico. In a post-pandemic world, the authors observe that ESG challenges are more visible. Especially given the lack of an internationally harmonised approach to ESG, the authors note how stakeholders in Latin America and elsewhere leverage tools to help identify ESG risks, while hopefully mitigating the dangers of green and social washing. The authors conclude by identifying best practices for effective ESG management, including ethical commitment and appropriate oversight, and how traditional compliance infrastructure can serve as a valuable foundation for ESG matters.
- Chapter 21: a team from Chevez, Ruiz, Zamarripa y Cía – Ana Sofía Ríos, Valentín Ibarra and Alejandra Pacheco – delves deeply into the constantly evolving fintech industry, highlighting recent changes in Mexico and associated opportunities and challenges. As relevant regulations proliferate, including with respect to data privacy and anti-money laundering, the authors suggest embracing technology to help strengthen compliance efforts. More broadly, given the strict regulations that govern fintech firms, the authors emphasise that strict compliance is essential to maintain customer, investor and regulator trust and to foster an environment in which the industry can thrive.
Companies throughout the region (and world) naturally find themselves in different places in their compliance journeys. There is understandably a learning curve when it comes to compliance programmes, and companies often are learning in real time, as are prosecutors.
As this book illustrates, compliance is a continuing process of assessing risks in a dynamic environment amid ever-increasing regulatory expectations, and then crafting, implementing and refining strategies to mitigate these risks. Building effective compliance programmes and respecting the relevant laws help us to reach the desired destination, but these programmes and laws are the means and not the end.
On behalf of all the contributors, we sincerely hope that this book can serve as a valuable resource to the many compliance professionals, lawyers, business executives, board members, advisers, investors and others making this essential journey.
Andrew M Levine
Debevoise & Plimpton LLP
 Andrew M Levine is a partner at Debevoise & Plimpton LLP.
 US Department of Justice, ‘Deputy Attorney General Lisa O. Monaco Gives Keynote Address at ABA’s 36th National Institute on White Collar Crime’ (28 October 2021), https://www.justice.gov/opa/speech/deputy-attorney-general-lisa-o-monaco-gives-keynote-address-abas-36th-national-institute.
 US Department of Justice, Criminal Division, ‘Evaluation of Corporate Compliance Programs’ (updated March 2023), https://www.justice.gov/criminal-fraud/page/file/937501/download.