The Evolution of Compliance and Where it is Headed Next

This is an Insight article, written by a selected partner as part of Latin Lawyer's co-published content. Read more on Insight


Corporate compliance is the focus of many corporations around the world these days, but compliance has not always been a priority. In the United States, compliance programmes have transformed during the past five decades from a passive, reactive approach to a proactive approach that seeks to harness big data to monitor and ensure compliance. This new decade favours an approach that considers not only traditional aspects of effective compliance programmes, but also incorporates new elements such as behavioural science, social responsibility and societal benefits.

The United Nations, the Organisation for Economic Co-operation and Development (OECD), the World Bank and other multilateral organisations have sought to promote compliance programmes as part of economic development. The United States and other nations have similarly incorporated law enforcement cooperation and compliance enhance­ment as part of their diplomatic strategies. These efforts have slowly taken hold. Prior to 2014, there was minimal awareness pertaining to corporate governance in Latin America. Operation Car Wash, the largest anti-corruption investigation in Latin America, which spread across the region, was a catalyst for countries in the region to focus their attention on compliance and its effects.

Despite these advancements, there have also been some setbacks, with some relevant gains made since Operation Car Wash being reversed or overlooked due to political pressures. For instance, in Brazil, we have seen attempts to roll back many of the anti-corruption measures implemented in recent years by the Congress and Court decisions. This has led to a decline in public trust and a general sense of uncertainty regarding the ability of Latin America governments to fight corruption in the long term.

This chapter reviews the evolution of compliance from the 1970s until today in the United States and Latin America. It traces how compliance programmes have evolved from being considered a luxury to becoming a necessity, especially for leniency in corporate prosecutions.[2] It also shows that constant vigilance is a necessity to keep corruption in check, especially in Latin America.

1970s and 1980s: accounting compliance and accountability

In the United States, the 1970s was a decade riddled by scandal. An investigation by the US Securities and Exchange Commission (SEC) revealed that hundreds of US companies – including some of the most widely known and respected – bribed foreign officials to further their business interests. Corporations across a wide range of industries chose to remediate mistakes internally instead of correcting and reporting the errors. In response, the Foreign Corrupt Practices Act (FCPA) was signed into law in December 1977.

In the 1980s, there was an emphasis on ethics, specifically in the defence and healthcare industries, that required government contractors to adhere to stringent rules. It was not until a decade later, as corporations began to be held liable and be prosecuted for the criminal acts of their employees and agents, that corporations paid greater attention to proactive compliance programmes. Before this, corporate compliance was largely addressed passively through codes of conduct and value statements that were provided to employees or hung on walls but carried little weight.

1990s: expansion of corporate liability

In the United States, corporate criminal liability can be traced back to respondeat superior, a legal doctrine commonly used in tort law. Respondeat superior requires that corporations take responsibility for the acts of their employees and agents if the acts occur within the scope of employment or agency, even if contrary to organisational policy and training. Under early case law, a corporation was considered to be a legally fictitious entity, incapable of forming the mens rea necessary to commit a criminal act. The Supreme Court ultimately rejected this notion in 1909 in New York Central & Hudson River Railroad v. United States.[3] (Notably, this concept of a legal person not being subject to criminal liability was also recognised in most civil code countries. As discussed below, that legal doctrine is also changing in countries such as Brazil, Argentina and Colombia.)

The modern notion of corporate criminal liability was established in United States v. Hilton Hotels Corp.[4] This case established that corporations can be liable for the criminal activity of its employees and agents even if the employee or agent acted contrary to the corporation’s policies or an officer’s direction, as long as the employee or agent acted within the scope of his or her apparent authority and with the intent – even if only in part – to benefit the corporation.

Despite a corporation’s best efforts to prevent criminal conduct within the organisation, corporate prosecution could bring forth financial and reputational ruin, as well as negatively affecting the morale of the corporation’s employees.

To address this institutional vulnerability and incentivise corporations to exemplify good corporate citizenship, as well as to provide a means to rehabilitate corporations that have engaged in criminal conduct, the United States Sentencing Commission developed the Federal Sentencing Guidelines for Organizations (the Organizational Guidelines). These Guidelines signalled to corporations that the corporate code of conduct and value statements established decades ago were no longer sufficient by themselves to reduce penalties. The Guidelines recognise that an effective compliance programme is necessary to prevent and deter corporate criminal activity.

Federal Sentencing Guidelines for Organizations

The Federal Sentencing Guidelines for Organizations apply to corporations, partnerships, non-profit entities, workforce unions, government units, pension funds and trusts. They address two key elements of sentencing: just punishment and deterrence.[5] Just punishment intends to justly reflect the offender’s degree of blameworthiness; deterrence offers incentives for organisations to detect and prevent criminal acts. These Guidelines lay out the minimum criteria for an effective corporate compliance programme, under which an organisation must:

  • establish standards and procedures to prevent and detect crime;
  • provide oversight by high-level management, typically the board of directors;
  • exercise due care in delegating substantial discretionary authority;
  • establish effective communication and training for all employees;
  • monitor, audit and report suspected wrongdoing, and periodically evaluate the effectiveness of the ethics and compliance programme;
  • promote and consistently enforce the corporate compliance programme by incentivising use of the established mechanisms, and disciplining employees who commit crimes or fail to take reasonable steps to prevent or detect criminal conduct; and
  • take reasonable steps to respond to criminal conduct once it has been detected and to prevent further criminal conduct.

Corporate compliance programmes

The most effective compliance programmes are those tailored for particular companies. However, a typical programme includes the key elements required by the Organizational Guidelines. In practical terms, the following are necessary: the endorsement and commitment of senior management, the appointment of a responsible officer to run the programme, risk assessment, relevant policies and procedures, training, certification of compliance with the rules and procedures of the programme, internal financial controls, due diligence of business partners, reporting mechanisms, investigation protocol, a progressive discipline policy, periodic auditing, monitoring, assessments of effectiveness and trend analysis. The Guidelines deliberately do not address the implementation of compliance programmes to provide organisations with the flexibility to design a programme that is best suited to their needs and particular industry.[6]

Corporate compliance programmes are likewise important because of the liability a corporation and its officers can face. In re Caremark[7] established a duty at the board of direc­tors level to ensure companies had reporting systems in place to detect, prevent and mitigate violations of law. Courts view the Organizational Guidelines as powerful incentives for corporations ‘to have in place compliance programs to detect violations of law, promptly to report violations to appropriate public officials when discovered, and to make prompt, voluntary remedial efforts’.[8] Officers can breach their fiduciary duty if they intentionally disregard red flags that should alert them to fraudulent activity within their corporation.[9] Note, however, that officers can be civilly liable for unintentional actions as well.[10]

2000s: reaction to financial scandals and economic crisis

The start of the millennium brought fraudulent accounting scandals that resulted in bankruptcy for corporate giants Enron and Worldcom, and Enron’s auditor, accountancy firm Arthur Andersen. Enron and Worldcom were prosecuted for falsifying balance sheets to inflate earnings. These acts eroded investors’ confidence and the Sarbanes-Oxley Act of 2002 (SOX) was enacted to provide investors with a slate of protections from future wrongdoings.

Securities and Exchange Commission

In October 2001, the SEC issued a Report of Investigation and Statement (known as the Seaboard Report) explaining its decision not to take enforcement action against a public company it had investigated for financial statement irregularities. In this Report, the SEC articulated an analytical framework for evaluating cooperation by companies. In respect of compliance programmes, the Report stressed the importance of ‘[s]elf-policing prior to the discovery of the misconduct, including establishing effective compliance procedures and an appropriate tone at the top’ and ‘[r]emediation, including dismissing or appropriately disciplining wrongdoers, modifying and improving internal controls and procedures to prevent recurrence of the misconduct, and appropriately compensating those adversely affected’.[11]

Sarbanes-Oxley Act of 2002

The United States Congress soon saw an opportunity to include compliance measures in legislation borne out of a series of financial crises. SOX is a federal law that addresses corporate fraud. Named after its sponsors, Senator Paul Sarbanes, D-Md and Congressman Michael Oxley, R-Ohio, SOX is primarily enforced by the SEC, and its main goal is to increase corporate responsibility and protect investors. Many companies in Latin America have sought access to the US capital markets and, as a result, have become familiar with SOX compliance.

SOX holds corporate officers responsible for transparent and accurate financial accounting and timely reporting of violations. The Act mandates that chief executive officers and chief financial officers acknowledge responsibility for the accuracy, documentation and submission of all financial reports to the SEC. Management is responsible for internal control of financial records and flaws within this reporting. SOX requires corporations to develop, communicate and enforce formal data security policies for all financial data that is stored and used. Corporations must document, continuously update and remain compliant with SOX requirements. SOX also mandates annual audits and requires external auditors to attest that a corporation’s internal controls regarding financial records are appropriate. Both results of annual audits and certification by management and attestation by external auditors must be made available to stakeholders.

SOX also includes a provision that protects whistleblowers at publicly traded companies. The provision encourages internal reporting by prohibiting retaliation against a whistleblower who provides information, causes information to be provided, or assists in an investigation of any conduct that the whistleblower reasonably believes should be reported to the SEC.

Before the first decade was out, the United States suffered another financial crisis. In response, the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (Dodd-Frank) was enacted. A major goal of Dodd-Frank was to protect the US economy from the collapse of financial institutions, such as was experienced in 2007 and 2008.

Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010

Dodd-Frank significantly reformed regulatory schemes by improving accountability and transparency in corporate accounting in an effort to promote financial stability. The Act forced improvements in corporate governance, such as executive compensation review, clawback and other provisions.

This law also expanded on the whistleblower protections created under SOX. Section 1057 of Dodd-Frank expanded the SOX protections to create a private cause of action for whistleblowers in the financial industry, lowered the burden of proof to prevail on a claim, extended the statute of limitations and rewarded prospective whistleblowers.

The most significant change in Dodd-Frank is that it amends the Securities Exchange Act of 1934 to provide a ‘bounty’ system for prospective whistle­blowers.[12] The amended provisions financially reward whistleblowers who voluntarily report to the SEC ‘original information’ that leads to a successful recovery by the SEC as it relates to a violation of securities law. A whistleblower is eligible for an award of between 10 per cent and 30 per cent of the collected monetary sanctions in excess of US$1 million. The amended provision incentivises whistleblowers to report directly to the SEC at the same time as they report to the company through internal channels.[13]

The Dodd-Frank protections apply to publicly traded companies, subsidiaries and affiliates. Whistleblowers are protected when providing information about, or refusing to participate in, activity reasonably believed to be a violation of law under the SEC’s jurisdic­tion. The burden of proof necessary to prevail is also reduced under Dodd-Frank. To prevail, the whistleblower must show by a preponderance of the evidence that protected conduct contributed to retaliation against the whistleblower. To defeat the action, the employer must demonstrate by clear and convincing evidence that the employer’s action against the whistleblower would be the same even if the employee had not reported the activity. The provision also prohibits pre-dispute arbitration, except when it is set forth in collective bargaining agreements.

Whistleblower provisions, as well as the prosecution of Arthur Andersen in the midst of the Enron scandal, moved the focus to the internal workings of an organisation. In part as a result of the collapse of Arthur Andersen following its prosecution, the corporate prosecutorial strategy of the US Department of Justice (US DOJ) shifted from the punishment of corporate conduct to the reform of corrupt corporate cultures. One way to assess a corporation from the inside out is through an external corporate monitor.

Corporate monitors

Now relatively common, the US DOJ required a corporate monitor for the first time in 2008.[14] Corporate monitors are required in a particular case as part of a plea or deferred prosecution agreement, usually when the US DOJ or the SEC (or both) believe that the corporate’s compliance system is not adequately developed or mature. A corporate monitor is responsible for developing, maintaining and monitoring a corporation’s compliance programme. As part of its Principles of Federal Prosecution of Business Organizations, the US DOJ considers corporate compliance programmes when making charging decisions.

2010s: voluntary disclosure and government enforcement of compliance

The 2010s highlighted a concerted effort to export compliance through public and private enforcement. In the United States, regulatory agencies created policies to incentivise corpo­rations to develop effective compliance programmes, and corporations have increasingly understood the benefit of compliance. In fact, corporations without effective compliance programmes may suffer significant penalties. Organisational and regulatory agency guidance assists companies in developing and monitoring the effectiveness of compliance programmes, which, in turn, assesses risks and increases the likelihood of voluntary disclosure of violations. A summary of some of the more significant guidance is below.

OECD Good Practice Guidance on Internal Controls, Ethics, and Compliance

In 2010, the OECD adopted good practice guidance to establish and ensure the effectiveness of compliance programmes and internal controls to detect and prevent foreign bribery in international business transactions. The guidance is similar to the components of effective compliance programmes in the United States and ‘recognises that to be effective, such programmes or measures should be interconnected with a company’s overall compliance framework’.[15]

Guidance on compliance

In 2020, the US DOJ and SEC updated its jointly issued 2012 guidance that made clear that in exercising judgement, prosecutors will look to determine whether the company had a compliance programme in place and whether there was a commitment by the company to make effective use of such a programme.[16] The US DOJ further elaborated on this guidance in its FCPA Corporate Enforcement Policy.[17] A strong demonstration of a company’s compliance programme can help to change the structure of a resolution, moving it from a criminal charge to a deferred prosecution agreement, and can reduce the compliance obligations, such as for an external monitor. [18] Moreover, even if a company is charged with a criminal violation of the FCPA, the Organizational Guidelines, which have considerable influence on the ultimate penalty imposed, provide for a mitigation of penalties if a company can demonstrate that the violation occurred in spite of an effective compliance programme.[19] These Guidelines apply to all corporate criminal conduct and not just FCPA violations.[20]

In January 2023, US DOJ revised its Corporate Enforcement Policy (CEP) seeking to increase the incentives to corporations to voluntarily self-disclose misconduct and cooperate with government investigations. Under the revised policy, even companies with aggravating circumstances may be eligible for a declination under the CEP and reduced penalties if they satisfy three factors:

  • the voluntary self-disclosure was made immediately upon the company becoming aware of the allegation of misconduct;
  • at the time of the misconduct and the disclosure, the company had an effective compliance programme and system of internal accounting controls that enabled the identification of the misconduct and led to the company’s voluntary self-disclosure; and
  • the company provided extraordinary cooperation with the Department’s investigation and likewise undertook extraordinary remediation.[21]

Under specified circumstances, the revised CEP allows companies to avoid the most serious consequences – a corporate guilty plea and an external compliance monitor – even if aggravating factors such as a prior criminal enforcement action or pervasive misconduct are present.[22]

US DOJ compliance guidance

Corporations have been rewarded for effective compliance programmes for decades, and the US DOJ expects that corporations ensure their compliance programmes are strong. As announced in 2020, there is a focus on individual responsibility and accountability. The US DOJ takes a wider view of companies’ past wrongdoing, requires more detailed information on individuals related to actions in question and allows for the broader use of corporate compliance monitorships. Companies will need to be able to demonstrate their internal efforts to detect, prevent and mitigate fraud should an issue come to light.

The US DOJ’s updated compliance programme guidance announced in March 2023[23] focuses on the company’s policies and procedures governing the use of personal devices, communications platforms and messaging applications (including ephemeral messaging applications), and whether such policies are tailored to the company’s risk profile, specific business needs, and ensures that to the greatest extent possible, business-related data and communications are accessible and amenable to preservation by the company. US DOJ also looks to how these policies are communicated to employees, as well as whether they are enforced on a consistent and regular basis. [24]

US DOJ’s recent changes also include the creation of a three-year pilot programme (the Programme), beginning in March 2023, meant to reward corporations with compliance-promoting bonus and compensation programmes.[25] The Programme notes three non-exclusive criteria that may be required to receive credit, including: (1) a prohibition on bonuses for employees who fail to satisfy compliance requirements; (2) disciplinary measures for employees who violate applicable law, as well as for knowing or willfully blind supervisors of these employees; and (3) incentives for employees fully committed to the compliance process. In requiring such criteria as part of a corporate resolution, federal prosecutors have discretion to consider applicable foreign and domestic laws. The Programme offers potential fine reductions to corporations that attempt to clawback money from employees who committed the wrongdoing.[26] US DOJ also has discretion to provide a 25 per cent reduction in the fine if the corporation made a good faith but unsuccessful attempt to recoup the compensation. Time will tell how this Programme plays out, but corporations must now account for this new framework in their compliance programmes.

Harnessing big data: the rise of data analytics in compliance programmes

Compliance is a top priority for corporations today, and they are now harnessing internal data to monitor employees and increase the effectiveness of compliance programmes.[27] Data analytics help compliance personnel within corporations to identify patterns that human beings cannot recognise, improve the way risk is managed and respond quickly to developing compliance issues. Of course, data analytics are only as effective as the data inputs and analytical outputs. Although this technique is a useful tool, it is not a replacement for a well-integrated compliance programme.

Soft skills and integrity

This new decade ushers in an approach that considers not only traditional aspects of effective compliance programmes but must also incorporate social responsibility and societal benefits. The new approach requires corporations to move beyond the letter of the law or actions within corporate policy, and view compliance as a benefit for society.

Environmental, social and corporate governance factors

A corporation’s financial performance drives its business decisions. Corporate officers focus on hard numbers to determine success. The new approach asks these officers to look beyond the data and to environmental, social and corporate governance (ESG) factors to strengthen financial performance and compliance. ESG factors, such as how a corporation responds to climate change, how effective health and safety policies are at preventing accidents, and how good the corporation is at building trust and fostering innovation, are not traditionally calculated in a financial analysis, but adherents are advocating that they have relevance and financial impact.

ESG is different from the movement to motivate corporations to be more socially responsible. Unlike social responsibility, which examines what corporations will not do (such as sell firearms), investors evaluate a corporation’s ESG to understand its purpose and value. Using this information, investors make decisions about where to invest. For this reason, the financial effects of ESG factors can be significant.

Renewed focus on anti-corruption and coordination among national enforcement authorities

In 2021, the Biden administration conveyed its focus on anti-corruption efforts, established that anti-corruption is a national security interest, and issued the first ever US Strategy on Countering Corruption (the Strategy). The Strategy is a five-pillar framework:

  • modernising, coordinating and resourcing US government efforts to fight corruption;
  • curbing illicit finance;
  • holding corrupt actors accountable;
  • preserving and strengthening multilateral anti-corruption architecture; and
  • improving diplomatic engagement and leveraging foreign assistance resources to advance policy objectives.

This framework reflects the government’s broader-lens approach to understand and stop corrupt activity and signals increased scrutiny for corporations.[28]

Shortly after the Strategy was issued, the OECD adopted a comprehensive series of recommendations for Member States and for OECD Anti-Bribery Convention signatories to integrate into their legal frameworks to combat foreign bribery of public officials. The recommendations include strengthening enforcement of foreign bribery laws, addressing the demand side of foreign bribery, enhancing international cooperation, introducing principles on the use of non-trial resolutions in foreign bribery cases, incentivising anti-corruption compliance by companies, and providing comprehensive and effective protection for reporting persons.[29]

One trend that the pandemic has reinforced is the cooperation among national enforcement authorities and across borders.[30] Multinational corporations must be prepared for investigation by jurisdictional authorities as well as coordination among other enforcement officials as parallel inquiries proceed.

Compliance in Latin America

As has been noted, until the beginning of 2010s, compliance was merely a secondary concern for companies in Latin America, seen as a superfluous investment with uncertain incomes. Without effective enforcement at the local level combined with a high level of legal uncertainty – and even a degree of impunity – companies were less likely to invest in compliance as they did not view it as a priority or were concerned about the potential consequences of non-compliance. Even for companies subject to international anti-corruption laws, such as the FCPA and UK Bribery Act, compliance was often in place just as a paper programme without sufficient human and financial resources.

However, this situation began to change at the end of 2014 with the launch of Operation Car Wash. Although Brazil passed its anti-corruption law (the Clean Company Act) in late 2013, Operation Car Wash was the decisive turning point that transformed the fight against corruption in Brazil and across Latin America. This massive anti-corruption investigation was responsible for 295 arrests, 1,450 dawn raids, and 4.3 billion reais in ill-gotten gains being returned to the Brazilian state.[31] As a result, the perception of the need for compliance policies also changed.

Operation Car Wash is the most extensive anti-corruption investigation in Latin America, focused on bribery schemes surrounding infrastructure projects and involving a series of construction companies, public officials and politicians. It is a cross-border investigation that exposed the corruption of public officials from several Latin American countries in addition to Brazil, including Argentina, Chile, Colombia, Dominican Republic, Ecuador, Mexico, Panama, Peru and Venezuela.

The compliance notions in Latin America were modified by two main elements of Operation Car Wash. The first was the fact that media attention put a red flag on investments in the region, which required a change of approach, especially by Latin American companies, to recover market confidence. The second was the international cooperation in investigations, resulting in multilateral agreements with rigid clauses, promoting the ‘regulation by enforcement’ in compliance rules.

With Operation Car Wash, several cross-border violations became public and resulted in close cooperation between Brazilian and foreign authorities. As the investigation by US authorities into Latin American companies continued, the companies were forced to seek agreements with their own local authorities as well. Three leading cases that led to cooperation between the US DOJ, the SEC and Brazilian authorities were Petróleo Brasileiro SA (Petrobras), Eletrobras – Centrais Elétricas Brasileiras SA (Eletrobras) and Construtora Norberto Odebrecht SA (Odebrecht). In all three cases, companies were subject to FCPA regulations as well as Brazil’s Clean Company Act since they are public entities listed on the New York Stock Exchange or had conducted business in the United States.

In addition to strengthening dialogue and cooperation between countries to build a global anti-corruption environment, these cases introduced new preventive, mitigation and disciplinary measures, creating a cross-regulation by enforcement. The imposition of corporate monitors is a clear example of innovation gained from this cooperation. A dual monitorship (i.e., the appointment of monitors from the United States and Brazil) was included in the settlement agreed between the US authorities and Odebrecht. Although it was not provided as a sanction in most Latin American compliance legislation, this alternative is currently on the radar of the local authorities[32]. Since then, corporate monitors have been increasingly utilised by Latin American authorities in both transnational and local investigations. The main challenge of using such monitors in this region arises from the prevalence of family-owned businesses, legal uncertainty and spread out corruption, which create unique complexities. As a result, government authorities must consider the local particularities to incentivise companies to embrace corporate monitors.[33]

On 1 February 2021, after 79 action plans (or their so-called phases with their hand-picked names), Operation Car Wash was formally dissolved as a task force in Brazil. However, the remaining and related, and upcoming corruption cases continued to be closely investigated under the leadership of the permanent team called Special Group for the Fight Against the Organized Crime of the Federal Public Prosecutor’s Office. Some members of the former group, including its head, have transitioned to the special group.

Ultimately, Operation Car Wash put a spotlight on the weakness of compliance regulation and enforcement in Latin America, which resulted in a call for change. The response was the disruption of the current schemes and a movement to establish control measures. In Brazil, for example, participation in public tenders requires having a robust compliance programme addressing non-interference of the competitive nature of public tenders. Anti-corruption laws enacted in Mexico in 2016 (General Law of Administrative Responsibility) and Argentina (Corporate Criminal Liability Law) in 2018 followed the Brazilian Clean Company Act in including similar requirements regarding undue non-interference in public bids. In fact, bid rigging has become a hot topic in Latin America. Many countries in the region have large public sectors and rely heavily on government contracts for procuring goods and services, making them particularly vulnerable to bid rigging.

Compliance guidelines in Brazil

Although inspired by the FCPA, Brazil’s Clean Company Act is broader in certain respects than the US requirements, extending to local officials and conduct against public administration, such as fraud in the public tender process and bid rigging.

The Clean Company Act forbids direct and indirect, active and passive bribery of local and foreign public officials, including the concealment and the use of intermediaries to engage in bribery. It also forbids fraud in public bids and obstruction of government investigations. It imposes civil and administrative strict liability for violations by an entity’s directors, officers, employees and agents when acting on behalf of the entity.

While the Clean Company Act outlines specific corruption violations, it was its supplementary law (Decree No. 8,420), issued in 2015, that initially provided details about corporate liability, penalties and mitigating measures – including fines, public disclosure of violation and debarment from contracting with government entities for violations. Besides setting benefits relating to collaboration in investigations through leniency agreements, Decree No. 8420 provided for the existence of an effective compliance programme as the primary defence and mitigating measure.

Decree No. 8,420 defined a compliance programme as a set of internal integrity and audit mechanisms, policies and guidelines to detect and remedy deviations, fraud, irregularities and unlawful acts committed against national or foreign public administration, and procedures for reporting irregularities and effectively enforcing codes of ethics and conduct. According to Decree No. 8420, a compliance programme must be tailored, implemented and updated following the peculiarities and risks of the entity, and to ensure its continuous improvement and effectiveness.

To be considered as a defence, a compliance programme would be evaluated according to several parameters, as outlined by Decree No. 8,420:

  • Tone at the top: the commitment of senior management, including board members, who must show unequivocal and public support for the compliance programme.
  • Implementation of internal policies: standards of conduct, codes of ethics, integrity policies and procedures shall apply to all employees and managers regardless of their position or function.
  • Third-party policies: policies for hiring, selecting and monitoring of third parties, due diligence procedures and risk matrix. In addition, third parties must be provided with the code of ethics and other applicable standards of conduct in force at the company.
  • Training: periodic training that is tailored to the target audience.
  • Periodic risk assessment: regular risk analysis to identify risks and to implement improvements.
  • Internal control: accurate and precise accounting records and information, and maintaining effective internal controls for financial reports and statements.
  • Specific policies concerning interaction with public officials: specific policies and procedures to prevent fraud and illicit conduct relating to bidding processes, execution of contracts with public entities, obtaining licences, and other interaction with public officials, including interactions intermediated by third parties.
  • Responsible officer: independence, sufficient powers and adequate human and financial resources available to the internal body responsible for the implementation and enforcement of the compliance programme.
  • Reporting channels: effective channels for reporting violations, based on non-retaliation and confidentiality, which shall be clearly and widely disclosed to employees and third parties.
  • Disciplinary measures: policies on internal investigations and enforcement of disciplinary measures for violations.
  • Remediation and mitigation: procedures that ensure the prompt interruption of violations when they are detected and the timely remediation of the damage generated.

On 12 July 2022, the Brazilian federal government enacted Decree No. 11,129/2022, which revoked Decree No. 8,420/2015. Decree No. 11,129/2022 outlines relevant changes in parameters that were included in the former Decree No. 8,420/2015, as well as incorporates numerous provisions that have already been included in resolutions, normative acts and internal guidelines of the Office of the Comptroller General in Brazil (CGU) and the Brazilian Federal Attorney’s General Office (AGU), in addition to new provisions.

In relation to the parameters for assessing the effectiveness of integrity programmes, in addition to the parameters provided under Decree No. 8,420/2015, the new Decree No. 11,129/2022 outlines the:

  • inclusion of a provision to ‘foster and maintain a culture of integrity within a company’s environment’;
  • proper resource allocation so that an integrity programme demonstrates the tone at the top;
  • implementation of periodical communication actions by companies in addition to training;
  • in addition to a commitment to undertake risk analysis, companies should implement ‘adequate risk management, including its analysis and periodic reassessment’ to enable ‘necessary adaptations to its integrity program and efficient allocation of resources’;
  • inclusion of agents, consultants, commercial representatives and associates within the description of third parties for the purpose of conducting appropriate due diligence upon their hiring and supervision;
  • inclusion of politically exposed persons and their family members, close collaborators and companies that they are part of, for the purposes of conducting appropriate due diligence upon their hiring and supervision;
  • need to conduct due diligence and implementation of mechanisms for sponsorships and donations supervision;
  • implementation of procedures for the treatment of complaints originating from hotlines
  • inclusion as a parameter for evaluating the adequacy of an integrity programme, in addition to the number of employees (i.e., size of the company): (1) revenues to be taken into consideration whether the company is a micro or small business; and (2) the corporate governance structure (number of departments, structure and governing bodies, etc.); and
  • simplified evaluation for micro and small companies.

In October 2015, the CGU published its Integrity Programme: Guidelines for Private Legal Entities (the CGU Guidelines). These Guidelines summarised the ‘five pillars’ of a strong Integrity Programme according to CGU:

  • the commitment of senior management;
  • an internal department responsible for the Integrity Programme;
  • profile and risk analysis;
  • the structuring of rules and instruments; and
  • continuous monitoring strategies.

Besides the Brazilian legislation, the CGU Guidelines reference the UK’s Bribery Act Guidance, the OECD’s Good Practice Guidance on Internal Controls, Ethics and Compliance, the UN’s An Anticorruption Ethics and Compliance Programme for Business: A Practical Guide, the US Sentencing Commission’s Guidelines Manual and The Complete Compliance and Ethics Manual published by the Society of Corporate Compliance and Ethics.

Compliance guidelines in Colombia

Following the enactment of Brazil’s Decree No. 8,420, Colombia, Mexico, Peru and Argentina also provided specific compliance standards. In general, those provisions are very similar to the FCPA and Brazil’s Clean Company Act, but with particular nuances concerning the extension of requirements, enforcement and gradation of mitigation for liability.

On 2 February 2016, Colombia enacted Law No. 1,778 (the Transnational Corruption Act), in which anti-corruption mechanisms are set as relevant criteria for calculating penalties for violations. According to the Transnational Corruption Act, private companies that maintain transnational businesses and act under the supervision of the Colombian Superintendence of Corporations shall adopt compliance programmes, which shall provide internal anti-corruption mechanisms, audit policies and preventive measures, and promote transparency.

Similar to Decree No. 8420, Colombia enacted Resolution No. 100-000003 (the Transnational Corruption Act Compliance Guidelines), on 26 July 2016, to guide the implementation of compliance programmes, based on three basic principles:

The compliance programme shall be tailored based on the particular risks of each entity. Accordingly, risk assessment must be undertaken based on (1) transparency risks from the country involved in the transnational operation, (2) the specific sector – taking into consideration that energy, infrastructure and healthcare require stronger controls – and (3) the level of interaction with third parties.

Senior management shall endorse a commitment to a culture of ethical behaviour and lead measures to avoid transnational bribery and other corrupt violations.

Control mechanisms, due diligence procedures and periodic audits should be established to ensure the effective detection of violations and undertaking of mitigation actions.

Following these principles, the compliance programme shall:

  • provide written compliance policies, and the code of conduct shall summarise and detail all relevant standards of conduct provided in those policies. The policies shall be translated into the language of the countries with which the company maintains transnational transactions;
  • ensure wide disclosure of the compliance programme and clear communication of its requirements;
  • conduct robust and periodic risk assessment concerning the hiring of third parties (due diligence) and performance of the compliance programme;
  • train employees and assign responsibility, including members of senior management and boards, to detect, prevent and mitigate violations;
  • implement internal control mechanisms and audit procedures to ensure precise accounting records and information; and
  • require specific formal commitments concerning ethics, audit rights and termination from high-risk third parties.

To expand compliance guidelines beyond transnational operations, Colombia’s Secretary of Transparency introduced a Register of Active Companies in Anti-Corruption (EAA) to promote internal best practice and prevent corruption. The EAA uses nine categories to assess the compliance programmes of private entities:

  • risk assessment;
  • corporate organisation and responsibilities;
  • policies tailored to specific high-risk areas;
  • the programme’s implementation;
  • financial and internal controls;
  • communication and training;
  • human resources policies;
  • reporting of policy procedures; and
  • compliance programme audit system.

Recently, following OECD guidelines,[34] Colombia has enacted two new provisions to enhance monitoring and enforcement. First, on 16 October 2020, Colombia Enacted Decree No. 1,358, which determines the debarment from public procurement procedures and public finance sources companies convicted for corruption. In addition, on 26 June 2021, Colombia enacted Decree No. 830, which includes specific guidelines related to public exposed persons (PEPs), and certain reporting obligations for and the establishment of a public registry of PEPs.

Colombia enacted its Anti-Corruption Statute in 2011 focusing on punishing individuals for corruption. In 2013, Colombia joined the OECD Anti-Bribery Convention. After some years, Colombia accepted OECD’s recommendations and enacted, in 2016, a law that included corporate responsibility and effective prosecution against legal entities, leniency programmes and the obligation to adopt compliance programmes.

Compliance guidelines in Mexico

The wave of change to Mexico’s legal framework against corruption started with the Constitutional Reform of 7 February 2014, which introduced transparency obligations relating to the access of information. Then, the launch of the National Anticorruption System on 27 May 2015 resulted in the enactment of a series of anti-corruption provisions.

In addition, on 18 July 2016, the General Law of Administrative Responsibility (GLAR) was enacted with the purpose of outlining compliance obligations. GLAR is very similar to Brazil’s Clean Company Act and prohibits the payment of bribes to public officials, bid rigging, improper interference in public procurement processes and contracts, and other corruption violations.

Similarly, to the Brazilian and Colombian legislation, GLAR establishes that a compliance programme may be a mitigating factor of liability, provided it meets the following minimum requirements:

  • to provide clear information about the organisational structure and reporting lines;
  • to establish and widely discloses a code of conduct, which shall include and detail standards of ethics and procedures;
  • to provide adequate control, compliance and audit systems to support regular and periodic reviews of the performance of the compliance programme;
  • to maintain robust hotline channels, both internally and outside the entity, and policies on investigation proceedings and disciplinary measures;
  • to conduct periodic training;
  • to provide human resources staff with policies and training to prevent the hiring of high-risk individuals; and
  • to provide mechanisms to enhance transparency within the entity.

On 1 July 2020, the United States–Mexico–Canada Agreement (USMCA) entered into force, replacing the North America Free Trade Agreement (NAFTA) and creating a new landmark in the regional fight against corruption. Unlike NAFTA, USMCA has a chapter establishing obligations on anti-corruption efforts to benefit the three parties alike, entitled ‘Transparency and anti-corruption’, whose primary drive is to fight international trade and investment corruption. In addition, it provides a detailed framework for preventing and combating corruption and internal controls by requiring the countries to adopt, maintain and enforce anti-corruption measures aimed to criminalise failures regarding books and records accounting provisions and other corporate governance aspects and determining proper whistleblower protections to be put in place.[35]

Compliance guidelines in Peru

The Peruvian anti-corruption legislation (the Corporate Administrative Liability Law) was enacted on 1 April 2016 as a corporate liability extension of the crime of corruption provided in the Criminal Code. Later, in 2017, Law No. 30,424 was amended, extending such liability to other crimes, including active bribery of domestic public officials.

Under the Corporate Administrative Liability Law, the existence of an effective compliance programme can exempt an entity of penalties for a corruption violation. An effective compliance programme as outlined by the Law is significantly more straightforward than those required by legislation in other Latin American countries.

According to the Corporate Administrative Liability Law, to be regarded as ‘an effective preventive mechanism’, the compliance programme shall:

  • properly map and identify an entity’s activities and procedures concerning risks of corruption, money laundering and terrorism, and other violations provided in the Criminal Code;
  • establish preventive policies and procedures;
  • identify management, audit and accounting policies and procedures that may prevent corruption violations; and
  • provide reporting mechanisms, investigative protocols and disciplinary measures.

Another milestone in the fight of the Peruvian government against corruption was the criminalisation of private corruption – approved in 2018 – that also had a great impact on the business environment.

Compliance guidelines in Argentina

Law No. 27401 (the Corporate Criminal Liability Law) was enacted on 2 March 2018 to join Latin America’s efforts against corruption. It provides for local and transnational corruption violations, including bribery of public officials, fraudulent negotiations of public contracts, and fraudulent accounting reports and statements.

Under the Corporate Criminal Liability Law, an investigated entity that is proven to have an effective and appropriate compliance programme may be exempt from penalties. To qualify for the waiver, the compliance programme shall provide

  • periodic risk assessment and policy review;
  • support from senior management;
  • hotline mechanisms;
  • whistleblower protection policies;
  • internal investigation protocols;
  • third-party due diligence process and procedures;
  • due diligence policies and procedures for corporate transactions;
  • periodic and continuous monitoring; and
  • assignment of a responsible officer to take charge of implementation and supervision.

The National Anti-Corruption Office also issued non-mandatory ‘Guidelines for the Implementation of Integrity Programs’, stating that a robust compliance programme should include internal investigation protocols. Most notably, these guidelines point towards balancing the employer’s right to control and supervise its activity with the employees´ legitimate expectation of privacy.

Compliance guidelines in Chile

On 2 January 2009, Chile enacted Law No. 20,393 (the Criminal Responsibility of Legal Entities Law), which broadly sets out provisions against money laundering, terrorism financing and bribery.

The Criminal Responsibility of Legal Entities Law sets a ‘crime preventive model’, which must be led by a responsible officer or department (a ‘preventive commissioner’) with an independent reporting line and adequate human and financial resources.

The preventive commissioner will be responsible for identifying risks, setting internal policies and controls, implementing accounting controls and enforcing disciplinary measures.

Other Latin American compliance provisions

Providing adequate treatment of the anti-corruption laws of the 20 countries and six dependencies that comprise Latin America would require a separate book. However, it is noteworthy that Panama and, recently, Costa Rica have also enacted laws providing compliance guidelines. Other countries, such as Guatemala and Uruguay, define corruption violations in their criminal codes but do not provide details on compliance requirements. However, most countries follow international compliance guidelines, such as the OECD’s Good Practice Guidance on Internal Controls, Ethics and Compliance.

Another step forward to corporate integrity in Latin America was the OECD decision, disclosed on 25 January 2022, to open the discussions with Argentina, Brazil and Peru regarding their access to OECD membership.

The fact that accession was also opened to three key Latin American countries may have a significant impact on the region’s economic growth, as it can result in a gigantic legislative advance for the entire area and attract investors. However, the process will be tough, and it is seen as a long road ahead to be concluded. An individual roadmap for the detailed assessment process will now be prepared, provided the countries confirm their adherence to the values, vision, and priorities reflected in the OECD’s 60th Anniversary Vision Statement and the Ministerial Council Statement (the OECD Statement) adopted last year. The OECD Statement includes the organisation’s primary values, such as individual liberty, democracy, rule of law preservation and protection of human rights, and the value of open trading, competitive, sustainable and transparent market economies. OECD members also have to commit to promoting sustainable and inclusive economic growth and their goals to tackle climate change, including halting and reversing biodiversity loss and deforestation.

The process will include a rigorous and in-depth evaluation by more than 20 technical committees of the candidate country’s alignment with OECD standards, policies and practices. As a result of these technical reviews, changes to the candidate countries’ legislation, policy and practices will be required to align with OECD standards and best practices, thus serving as a powerful catalyst for reform. Therefore, it is expected that Latin America will start adopting several legislative reforms to comply with the requirements.

Future in sight

The closure of Operation Car Wash is emblematic for Latin America by representing what the last decade meant for the fight against corruption in the region. However, the number of new corruption investigations involving Latin America demonstrates that mere existence of a new legal panorama is not enough to prevent violations from arising, particularly in scenarios of large-scale and urgent public procurement procedures. Unfortunately, in 2022, Brazil remained the most frequently cited Latin American country in connection with ongoing FCPA-related investigations. Brazil also claimed the top spot as the country most commonly implicated in FCPA-related bribery schemes resulting in enforcement actions. Inquiries into corrupt businesses are likely to increase in Latin America.[36] Therefore, while the 2010s outlined the new legal framework for the fight against corruption in Latin America, the new decade will stake a claim for effectiveness, public governance, social responsibility and sustainability.

In Brazil, according to data released by the Federal Police in early January 2021, between April and December 2020, a total of 65 Federal Police operations (20 per cent of the 315 operations carried out in 2020) were launched to investigate the misuse of public funds to restrain the covid-19 pandemic’s effects – in particular, concerning the acquisition of health-related provisions, such as personal protective equipment and ventilators and other necessary supplies. Since then, several other operations have been launched by local authorities, including the recent Operation ‘Last Acts’ (Últimos Atos, in Portuguese) that gave rise to dawn raids conducted in April 2023 to investigate diversion of funds to fight the pandemic.

Likewise, other Latin American countries have launched investigations concerning the misappropriation of covid-19 funds involving high-level public officials, such as the Colombian Minister of Agriculture, the Bolivian Health Minister, the Ecuadorian Health Ministry, the Peruvian Anti-corruption Prosecution Offices and the Honduras’ Public Prosecutor’s Office.

Aside from all the challenges it has presented, the covid-19 pandemic showed there were easy-to-implement alternatives to increase transparency and public spending controls, especially technological tools. The use of solutions based on open data and fraud analytics has brought positive experiences both as a remote solution for negotiations during the pandemic and as a definitive accountability solution.

A significant example was the increase in e-procurement platforms and open contracting to facilitate bidding processes and increase compliance. The adhesion of initiatives such as the Open Contracting Data Standard (OCDS) – created by the global advocacy network Open Contracting Partnership – demonstrates that technological tools can increase transparency and decrease bureaucracy in public procurement processes. The OCDS creates clear and detailed standards for monitoring procurement processes, allowing a careful oversight of these procedures’ compliance and transparency. In Latin America, OCDS has already been adopted by Chile, Colombia and Paraguay.

Brazil and Colombia have developed fraud analytics platforms to leverage various datasets from multiple sources to flag corruption risks in government contracting. In Brazil, the Tender and Bidding Analyzer (Alice) is a Federal Audit Court tool to mine public procurement documents and identify inconsistencies. It captures the information from public bidding notices available on the federal government’s system to screen vulnerabilities and red flags. Similarly, the Colombian Comptroller General’s Office has implemented a contractual data centre platform named Océano, an analytics tool to cross-check information from public procurement online databases and detect possible irregularities. Through Océano, the Colombian Comptroller General’s Office has identified suspicious transactions led by certain city councils on health emergency-related contracts, which resulted in fraud investigations.

Although Latin America certainly has structural issues that make the fight against corruption challenging, including dealing with the effects of the covid-19 pandemic, it is clear that the region has been taking steps to ensure that the past decade’s progress is not lost. Still, the region demonstrates room for implementing disruptive solutions, which can help Latin America drive cultural transformation in public and corporate integrity and transparency.

The re-election of President Luiz Inácio Lula da Silva in 2022, despite his arrest for corruption some years before, is an unexpected and intriguing development in Brazil. Numerous major corruption scandals, such as the Operation Car Wash, have tarnished Lula’s administration, yet the Brazilian population chose to vote for him rather than President Bolsonaro, who also has been accused of several crimes. A new head of the CGU has been appointed and is a well-respected professional who expressed his willingness to continue the fight against corruption.

Currently, the leading hot topic from a compliance perspective is the evolution from compliance programmes into ESG (environmental, social and corporate governance) structures that will likely lead debates about corporate integrity in the following years.[37]

In Latin America, the introduction of ESG as a requirement is being driven by international private companies and financial institutions concerned with reputation, ethical endeavours and the impact of their transactions. Although legislative development in this regard is still in debate in certain countries and agencies and began implementation in others, the discussion on the OECD accession may expedite the countries to adopt straightforward ESG directives.

Latin America has very protective legislation in place that favours employees, which makes it challenging for companies to implement clawback provisions and collect data from personal devices when this is necessary for an internal or government investigation.


In the United States and Latin America, compliance began with a focus on rules-based systems and employee training. Over time, government agencies have required, and corporations have realised, that compliance programmes serve as proactive measures to detect and prevent corruption. The evolution of compliance has gone from a poster on the wall to a dynamic programme that involves all members of an organisation and its investors, as well as advanced technology to preserve, process and analyse relevant data. Compliance is no longer about simply following the letter of the law. The bar is being raised ever higher and, in addition to government agencies watching over misbehaviour and cooperating across the region, media, investors, potential business partners and other stakeholders are ever-more watchful. Compliance is now evolving beyond simple legal compliance to a consideration of societal benefits and a holistic ESG approach.


[1] Peter Spivack and Isabel Costa Carvalho are partners at Hogan Lovells. The authors gratefully acknowledge the considerable assistance of Rafael Szmid and Jessica Bigby, senior associates at Hogan Lovells.

[2] See Chapter 4, ‘Developing a Robust Compliance Programme in Latin America’ by Brendan P Cullen and Anthony J Lewis.

[3] 212 US 481 (1909).

[4] 467 F.2d 1000 (9th Cir. 1973).

[5] US Sentencing Commission, Guidelines Manual, § 8 (November 2018),

[6] The following is an example of an industry-specific compliance programme. The Office of Inspector General (OIG) for the US Department of Health and Human Services issued a series of voluntary compliance programme guidance documents specifically tailored to the healthcare industry. The initial guidance, issued in 1997, applied to clinical laboratories, seeking to safeguard them from fraud and abuse. A year later, the OIG issued guidance aimed at hospitals, nursing homes, durable medical equipment suppliers and third-party billers. The 1998 guidance supports the development and use of internal controls to promote compliance with applicable US federal and state law, federal and state programme requirements, and private health plans. The model compliance programme should, as a minimum, include: written policies and procedures that emphasise a commitment to compliance; designation of an officer charged with the development and monitoring of compliance programme training for all employees; a hotline to receive complaints; policies and procedures to ensure the anonymity of complainants and to protect whistleblowers from retaliation; audits or a similar mechanism to monitor compliance and to detect and prevent crime; and disciplinary policies to address potentially criminal misconduct. See Federal Register, Vol 63, No. 35, February 23, 1998,

[7] 698 A.2d 959 (Del. Ch. 1996).

[8] id., at 982.

[9] McCall v. Scott, 239 F.3d 808, 819 (6th Cir. 2001).

[10] id., at 817 (‘unconsidered inaction can be the basis for [officer] liability because . . . ordinary business decisions . . . can significantly injure the corporation and make it subject to criminal sanctions’); but see Dellastatious v. Williams, 242 F.3d. 191, 196 (4th Cir. 2001) (holding that officers can avoid liability by making a good-faith effort to have a reporting system).

[11] SEC Issues Report of Investigation and Statement Setting Forth Framework for Evaluating Cooperation in Exercising Prosecutorial Discretion’ (2001),

[12] This system is similar to that used in the Federal False Claims Act since its modernisation in 1986, with the express intent of increasing the incentives to report violative conduct to the US government.

[13] In fiscal year 2019, approximately 480 whistleblower tips came from outside the United States, including Latin America, US SEC, 2019 Annual Report to Congress on the Dodd-Frank Whistleblower Program, Appendix C,

[14] See United States v. Siemens Aktiengesellschaft, Case No. 08-CR-367-RJL (D.D.C. 2008).

[15] ‘Good Practice Guidance on Internal Controls, Ethics, and Compliance’,

[16] A Resource Guide to the US Foreign Corrupt Practices Act’, (Key updates in 2020 guidance include a new definition of ‘instrumentality of a foreign government’ and a non-exhaustive list of factors to determine (1) whether an entity is controlled by the government, and (2) whether the entity performs a function that the government treats as its own, that the court articulated in United States v. Esquenazi, which involved a state-owned enterprise when designing its compliance programmes; further limits to FCPA’s ‘local laws defence’; and a clarification that the statute of limitations is five years for violations of anti-bribery provisions, but six years for violations of the accounting provisions. There are also revisions that are not changes but rather indications that DOJ and SEC continue to emphasise the importance of companies conducting pre-acquisition due diligence. DOJ and SEC also are still taking an expansive view of their jurisdiction over foreign companies and individuals for conspiracy and aiding and abetting offences, and companies’ compliance efforts must reflect this.

[17] The updated Guide also incorporates new principles and resources that inform DOJ’s corporate enforcement decisions. DOJ continues to follow the department long-standing Principles of Federal Prosecution of Business Organizations, which provide factors to be ‘considered in conducting an investigation, determining whether to charge a corporation, and negotiating plea or other agreements’. New to those factors is ‘the adequacy and effectiveness of the corporation’s compliance program at the time of the offense, as well as at the time of a charging or resolution decision’. In addition, the updated Guide includes the Anti-Piling On Policy, which influences how DOJ and SEC ‘strive to avoid imposing duplicative penalties, forfeiture, and disgorgement for the same conduct’,

[18] The costs of compliance failures have continued to ratchet up. In 2020, DOJ and SEC announced record-breaking penalties for FCPA violations. In January 2020, a major aerospace defence contractor agreed to pay US$3.9 billion in global penalties for foreign bribery and International Traffic In Arms Regulations (ITAR) violations. Nine months later, in November 2020, a major investment bank was charged with a US$2.9 billion joint DOJ and SEC enforcement action for FCPA violations including conspiracy to violate the FCPA anti-bribery provisions, internal accounting controls, and books and records provisions of federal securities laws. The investment bank allegedly engaged in a conspiracy to pay more than US$1.5 billion to multiple high-level officials. Notably, although the investment bank had a comprehensive anti-corruption and compliance programme, the DOJ and SEC found its internal controls to be deficient because both high- and low-level employees were able to circumvent the controls and engage in corrupt activities.

[19] US Sentencing Commission, Guidelines Manual, § 8 (November 2018),

[20] For Latin American countries and other countries that wish to do business with the US government, the Federal Acquisition Regulation (FAR) establishes other requirements. The FAR prioritises ethics and compliance throughout the federal procurement process, from solicitation to execution of the awarded contract, and embodies the US government’s policy of dealing with only ‘presently responsible’ contractors. Government contractors must develop and maintain a compliance programme within 30 days of award. The programme must be in writing, available to all employees on the contract, and contain mechanisms to report violations; further, violations must be reported in writing to the contracting officer or the Office of Inspector General for the US Department of Health and Human Services in a timely manner. Solicitations and contracts expected to exceed US$5.5 million in value and 120 days in performance are required to include the Contractor Code of Business Ethics and Conduct clause in the documentation. To be compliant with the FAR, it is not enough to conduct only due diligence. The FAR views compliance programmes as a good judge of a government contractor’s character and an effective compliance programme may lead to contract awards. There is also no excuse for omitting a required clause in contracting documents. The Christian Doctrine states that if the FAR requires a clause to be in a contract, it is considered a requirement regardless of whether it is actually in the contract. In 2015, seven years after mandating compliance programmes, the FAR added a human trafficking requirement relevant to government contracting overseas. Supplies acquired and services performed overseas in excess of US$500,000 require that contractors certify compliance and monitoring of human trafficking issues. Importantly, government contractors may be liable for the actions of all contractors, subcontractors and agents

[21] United States Department of Justice, Assistant Attorney General Kenneth A Polite Jr Delivers Remarks on Revisions to the Criminal Division’s Corporate Enforcement Policy (17 January 2023),; United States Department of Justice, Criminal Division Corporate Enforcement and Voluntary Self-Disclosure Policy (January 2023),

[22] id., in cases where a criminal resolution is still warranted, a corporation that voluntarily self-discloses can receive up to a 75 per cent reduction in penalties (up from a maximum of 50 per cent). Absent particularly egregious circumstances and an ineffective compliance programme, a corporate guilty plea and corporate monitorship is not required. For corporations that do not voluntarily self-disclose but still cooperate and remediate, prosecutors can recommend up to a 50 per cent reduction in penalties (up from a maximum of 25 per cent).

[25] Deputy Attorney General Lisa Monaco Delivers Remarks at American Bar Association National Institute on White Collar Crime, https: // (March 2023)

[27] See Chapter 11, ‘Why Fresh Perspectives on Tech Solutions Are Key to Evolving Data-Driven Compliance Monitoring’ by Martín Sánchez, Gabriel Calvillo, Adriana Morales and Paula Pérez Benítez.

[28] The Biden administration also committed to rooting out anti-corruption in Latin America by forming the Northern Triangle Anticorruption Task Force. This task force investigates and prosecutes asset recovery related to corruption through FCPA enforcement, counter-narcotics prosecutions, and the Kleptocracy Asset Recovery Initiative, which focuses on recovering assets gained from foreign corruption and prosecuting money laundering.

[30] ‘Since the covid-19 outbreak, different jurisdictions have constructively enacted and promulgated laws, regulations, acts and orders to ensure that they are sufficient to strengthen supervision over the implementation of compliance on enterprises and individuals within each jurisdiction . . . the promulgation of these laws and regulations also provides guidance to companies while encountering cross-border investigations and responding to the law enforcement movement from other jurisdictions from different perspectives.’

[32] See ‘SZMID. Rafael. Monitores Corporativos Anticorrupção no Brasil: Um Guia para sua Utilização no Processo Administrativo e Judicial,’ Quartier Latin, 2021.’

[34] See the Phase 3 Two-Year Follow-up Report: Colombia, which assesses the progress made by the country concerning the implementation of the OECD anti-bribery convention and the actions it needs to be adopted to comply with it fully (

[35] See Agreement between the United States of America, the United Mexican States, and Canada, Chapter 27, Article 27.3.

[36] 2022 FCPA Year in Review - Foreign Corrupt Practices Act Clearinghouse (FCPAC).

[37] See Chapters 19 (‘The Rise of ESG as a Social Pillar in Latin America’) and 20 (‘Compliance as a Foundation for ESG Oversight’) of this guide.

Unlock unlimited access to all Latin Lawyer content