14. The Advantages of a Robust Compliance Programme in the Event of an External Investigation

This is an Insight article, written by a selected partner as part of Latin Lawyer's co-published content.

In recent years, corruption scandals involving popular politicians have continued to make the headlines. Protests and mass demonstrations have taken over the main streets in various countries as people demand transparency and stronger approaches in the fight against corruption.

As this movement has reached new frontiers, more and more countries have adopted anti-corruption laws as a top policy priority. These laws have established corporate liability with significant penalties and non-monetary sanctions as well as significant incentives for creating preventive mechanisms.

In addition to new laws, several governments have been focusing on enforcement against companies and individuals. The United States still leads the overall numbers in enforcement of corruption matters, but Brazil has become a major player in launching complex cross-border investigations. Chile and Uruguay have also experienced an increasing number of enforcement actions, as has been the case across Latin America.

As a consequence, compliance has become a hot topic in the corporate world and an important item on the agendas of leadership meetings. More than legal or regulatory matters, boards and managements are considering compliance as a strategic element of sustainable business growth.

Various cases across the globe prove that a well-established compliance programme can certainly benefit companies in various situations, including external investigations.

Interactions with government authorities during external investigations, including the possibility of self-reporting and cooperating, are also attracting much attention and interest from companies. These types of interactions are complex and can involve authorities in multiple jurisdictions.

To provide more transparency and to be more consistent, enforcement authorities are relying on guidelines and specific legislation for objectively determining the penalties a company should bear, and whether a corporate monitorship is required. In these circumstances, a compliance programme can be an important mitigator of penalties, provided a company can demonstrate the programme’s effectiveness to the authorities.[2]

This chapter explains some of the advantages of having a robust and effective compliance programme in the event of an external investigation, and discusses how authorities have been evaluating compliance programmes in these circumstances, particularly in Latin America.

Advantages of a compliance programme in the event of an external investigation

Compliance programme as a line of defence: company and management

Authorities tend to seek strong enforcement against companies that do not have a compliance programme at all, or one that is ineffective. Being able to prove that a compliance programme not only exists but is also effective can help to reduce fines and penalties resulting from external investigations.

In that sense, many jurisdictions have followed the United States’ lead and implemented measures to offer important benefits for companies that have implemented effective compliance programmes. In Brazil, a compliance programme structured under parameters provided by law can help to reduce fines arising from corruption violations by between 1 per cent and 4 per cent of the company’s gross revenue. Similarly, other relevant laws in Latin America, such as those in Argentina[3] and Colombia,[4] provide for a possible sanction mitigation and even an affirmative defence if a company demonstrates the existence and effectiveness of its compliance programme.

The last column of the chart below[5] indicates that anti-corruption laws in many Latin American countries provide benefits for companies with compliance programmes in the event of violations:

Summary of anti-corruption legislation in Latin America

| Country | Signatory to the OECD Anti-Bribery Convention | Criminal corporate liability | Corporate civil liability for foreign bribery | Compliance programme: requirement, affirmative defence or mitigating circumstance |
|---|---|---|---|---|
| Argentina | Yes | Yes | Yes | Mitigating circumstance |
| Brazil | Yes | No | Yes | Mitigating circumstance |
| Chile | Yes | Yes | Yes | Affirmative defence |
| Colombia | Yes | No | Yes | Affirmative defence |
| Costa Rica | Yes | No | Yes | N/A |
| Dominican Republic | No | Yes | Yes | N/A |
| El Salvador | No | No | Yes | N/A |
| Guatemala | No | Yes | Yes | Affirmative defence |
| Mexico | Yes | Yes | Yes | Mitigating circumstance |
| Peru | No | Yes | Yes | Affirmative defence |

*A bribe payment to a foreign government official is a violation of the Criminal Code, which punishes conduct only of individuals. There may be ‘accessory consequences’ to an entity, however, including dissolution of the company.

Possibly in the wake of the Yates Memorandum,[6] the United States and other jurisdictions started a sweeping wave of enforcement actions against individuals who have been involved in violations, whether directly or indirectly. While analysing a compliance programme, enforcement authorities have been asking various questions: Does it hold individuals accountable for their acts? Who approved the particular contracts? Who approved potentially problematic payments? Why did no one notice the specific risks?

People tend to look for a rogue employee in the event of a violation or in the context of an external investigation, but in fact members of top management can also be blamed for failing to put in place control structures that could have prevented the violation.[7]

The imperative of implementing a compliance programme has been shifting from being only a protection tool for companies, to also being a protection tool for executives and directors. In the event of an external investigation, executives must now justify to authorities why the proper controls were not implemented and, even if they were, why they were ineffective.

Reducing the impact of an external investigation

A robust compliance programme provides better tools to react and respond to authorities’ requests for documents and information during an external investigation, helping companies to reduce the impact of external investigations. Building strong internal controls is part of having an effective compliance programme and this encompasses implementing a system to ensure retention of relevant documents and payments control, including keeping files for agreements, purchase orders and invoices. Thus, maintaining proper internal controls usually means that a company has control over and organises its documents and information, which allows a company to be more prompt and able to assist the government in the event of an external investigation. Regardless of the company’s willingness to cooperate, external investigations also mean that the government will request or seize relevant information. If a company has control over its documents and information, it is less likely to be caught off guard and will have a better sense of what has been rendered or taken by the authorities. This is crucial for analysing exposure and defining the best course of action.

Moreover, companies with compliance programmes are more likely to conduct internal investigations when needed, or at least more than other companies that do not have a robust compliance programme. This may also benefit companies in the event of an external investigation, as it facilitates gathering relevant information about the matter and allows companies to have better control of their information. In common law countries, for example, knowing where key documents and information are facilitates and expedites the discovery process, making the whole external investigation experience go away much more quickly.

Whether a company has conducted a previous internal investigation or not, having a compliance programme enables a company to be aware of what its main flaws are. This may be a valuable tool for assessing what the authorities might be keen to investigate, or evaluating its exposure if documents and equipment are seized.

Training may also be given to employees on how to deal with certain investigative measures taken by government authorities (such as dawn raids and inspections), which may reduce the operational impact in the organisation and enable everyone to be better prepared to face this kind of situation. For example, having well-established and well-publicised policies about the use of social media or even regular media can lead to a more organised response to the public, avoiding aggravating a crisis with unnecessary multiple sources of information.

Strategic advantage while cooperating with authorities

Having a well-structured compliance programme is also beneficial when cooperating with authorities – whether voluntarily or not. In the context of an external investigation, should a company decide to cooperate, it will probably have to produce several documents relating to its business and finances, in addition to the documents relating to the investigation. Of course, the kinds of documents requested by authorities will vary depending on the jurisdiction, but the list of information requested under cooperation is likely to include documents from different areas of the company and detailed information about the business, such as the number of employees, use and identities of third parties, agreements and roles, among other things.

A perfect example that illustrates the importance of having quick access to documents and information is the data analytics system used by global brewer Anheuser-Busch InBev (AB InBev), which helps to identify transaction patterns presenting risks and mitigating those risks in an efficient manner. AB InBev’s Vice President of Ethics and Compliance, Matt Galvin, has explained its mechanics: ‘For example, if an investigation is launched by prosecutors in one jurisdiction, AB InBev’s team can go into its database to search for the names of those involved in the investigation to check whether it has any risk exposure.’[8] (See also Chapter 11, ‘Embracing Technology’.)

This is important in a globalised world, in which cross-border investigations and cooperation between authorities from different countries become increasingly common. ‘Because global standards are rapidly converging, the core elements of a compliance programme can be designed to effectively address the concerns of multiple enforcement authorities at the same time,’ according to Matt Galvin.[9] Setting out a worldwide compliance programme leads to faster interactions with different jurisdictions, reducing the need for cooperation between authorities and the risk of piling on, and increasing the chances of a global settlement.

If a company has a robust compliance programme in place, including some of the elements outlined below, the compliance officer, or the person in charge of compliance, will already have at least some of these documents and information at hand, which will ease the burden on the government investigation and lead to faster solutions in general. Not being able to deliver the documents and information to the authorities (which could happen should the company lack control and organisation regarding its documents) may be interpreted by authorities as an unwillingness to cooperate. When it comes to settlements, a company’s ability to provide crucial information in a timely fashion can influence the government’s view about a company’s cooperation and the strength of its compliance programme; both these factors usually have a considerable impact on authorities’ final decisions regarding penalties and monitorship.

Adding value to a future sale of an asset

Companies that participate in mergers and acquisitions (M&A) transactions know the importance of correctly assessing risks for establishing a fair price for the asset. For this reason, companies worldwide have been increasingly engaging in compliance due diligence before M&A transactions,[10] especially in risky locations, such as Latin America. Compliance due diligence usually goes beyond due diligence in other areas, which seeks materialised liabilities. Compliance due diligence seeks compliance risks inherent to the business in general and the target company’s exposure to those risks. (See also Chapter 13, ‘Assessing and Mitigating Compliance Risks in the Transactional Context’.)

In this situation, having a well-structured, risk-focused compliance programme helps to build value in a company’s assets and to mitigate potential risks, even if the risks are not strictly created by the selling party’s conduct.[11] This is particularly true for companies that have been subject to external investigations, after which their compliance liabilities are enhanced and usually confirmed, especially when an investigation is public. Showing potential buyers that a company has strengthened its compliance programme despite previous irregularities adds an additional layer of certainty to the transaction and, therefore, increases the company’s value in a sensitive area.

Moreover, some jurisdictions provide for buyers’ successor liability, even after M&A transactions. Therefore, implementing a strong compliance programme also mitigates buyers’ potential risks in the future and thus brings value to the selling side.

Ensuring that it will not happen again

Another evident benefit of having a robust compliance programme is potentially avoiding undergoing an external investigation, particularly after having already faced one. Implementing a strong compliance programme and internal controls is no guarantee that a violation will not happen again. Companies are always subject to the action of rogue employees or third parties that do not play by the rules, even if the rules are clear and broadly communicated. However, there have been many cases in which a company has created or improved its programme after a government investigation and has been successful in avoiding new enforcement actions. Siemens is a good example. In 2008, authorities called Siemens’ compliance programme a ‘paper programme’.[12] A few years and a US$800 million penalty later, Siemens implemented an award-winning programme that serves as an example for other companies both within and beyond its sector.

Paying for the settlement is perhaps the least of the problems in these circumstances. There is no limit for the potential reputational damage caused by external investigations, especially for repeat offenders. Companies spend much more than the settlement amounts trying to rebuild their image and reputation, not to mention lawyers’ fees and the costs of internal investigations, which can reach the hundreds of millions.[13] Moreover, negotiating with authorities can interfere with business operations. The company’s leadership may wait for a resolution to make new investments, to assess the financial impact and, sometimes, executives are even insecure about signing an agreement or taking a next step.

Having an effective compliance programme in place eases these burdens and, in the event of a new violation, shows the authorities that the company was diligent and is now working to fix the gaps in its programme or to discipline a rogue employee or third party.

Another challenge that a company may face while undergoing an external investigation is the possibility of market restrictions on its products. Investigations can sometimes take years to resolve and, in the meantime, the company moves sideways and opens the door to its competitors. To illustrate, from 2017 to 2020, Brazilian authorities investigated corruption, regulatory and public procurement violations within some of the biggest companies in the country. Companies involved in the investigations had to deal with massive bans on multiple continents and are still fighting to rebuild their reputations.

Having to go through an external investigation for a second time may also suggest a significant lack of commitment from the top management. For all these reasons, the penalties imposed on repeat offenders are usually higher, especially if the company fails to demonstrate that it has taken reasonable and sizeable steps towards an effective compliance programme. If not for all the benefits that a compliance programme can bring to a company, implementing a robust programme after an external investigation is a smart business move that, if ignored, can cost the company its very existence.

Structuring a robust compliance programme

Having now identified some of the benefits and importance of having a robust and effective compliance programme, especially during external investigations, one question remains: what makes a compliance programme robust in the context of an external investigation? In other words, how will authorities assess and evaluate the elements of the compliance programme of a company facing investigation by the government?

The answer is not immediately clear as the key elements, and their interpretation by authorities, may vary from jurisdiction to jurisdiction and even among different authorities within the same jurisdiction. However, at a higher level, compliance seems to have been heading in the same direction everywhere. Generally, the key elements of compliance programmes follow similar standards around the world and the authorities seem to be aligned in adopting the same high-level patterns for assessing programmes. National and international organisations have been able to put together basic guidelines and definitions of main areas that must be addressed if a company wants to have its compliance programme deemed robust.

In essence, a programme’s content must be tailored to the particular needs of each company. This is especially important in the context of an external investigation. Guidelines establish the basic pillars but the best compliance programmes are built on each company’s specific risks and day-to-day business.

In the following sections, we address how some of the elements of a robust compliance programme are assessed by the authorities in the context of an external investigation. Of course, government authorities have the final word on whether they regard a particular programme as effective.

Tone at the top

If one were to rank all the elements of a robust compliance programme, tone at the top would certainly be one of the first and is therefore one on which the authorities focus when assessing a programme. When a company is going through an external investigation, the main factors explored by the authorities will include whether the leaders of the company were aware of the potential irregularities and whether they took any action to prevent those irregularities from taking place. For a compliance programme to be effective, a company’s leadership must endorse and enforce the programme among, at least, all its employees. If this is not the case when the compliance programme is assessed by authorities, it can prove very costly to the company, especially when trying to reduce the penalties.

A company’s ‘leadership’ can be defined as the higher hierarchical levels of a company, such as employees and executives holding positions with strategic decision-making powers and managerial roles. It may also include the board of directors, should the company have one.[14]

If the head of the company does not play by the rules of his or her own company, nor support and participate in the process of publicising the programme, employees will not be motivated to follow the rules.

Practical measures are typically what the authorities look for when assessing a compliance programme and there are many ways for a company’s leadership to demonstrate support for its programme. First, authorities will look for evidence that the leadership participated in its implementation, including mapping out the main risks and the process of creating a department responsible for compliance and providing it with resources and independence. The leadership should also be involved in reviewing and approving policies and procedures, participating in training sessions for other employees and sending supporting messages showing the importance of compliance and training. Keeping records of all these activities is of paramount importance, as these may have to be presented to the authorities.

One way for the leadership to effectively spread the compliance commitment throughout the company is by engaging middle management in broad support for the programme. This specific measure is important, and authorities take it into consideration when assessing a compliance programme, as it is directly linked to the effective application of rules applicable to day-to-day business. In this way, all employees will follow the same path, as middle management is responsible for overseeing the daily tasks and activities of employees. If the tone is not endorsed by middle management (such as managers and coordinators), employees may also feel that compliance is not particularly relevant to their own daily tasks, which is likely to be regarded negatively during an investigation.

The leadership also sets the tone for employees through oversight and effectively checking with employees, to ensure that internal rules are being followed. A feasible alternative is to establish a committee to be responsible for daily oversight; however, there must also be regular follow-up by the leadership, otherwise it may not be clear to the authorities that the leadership is showing its support for, or interest in, compliance matters. Creating an oversight committee and holding regular meetings will certainly be seen as a positive step, and these measures can easily be demonstrated to the authorities when they are assessing whether rules are being followed.

Department responsible for compliance

Having a department or individuals responsible for implementation and enforcement is also one of the backbones of a robust compliance programme and is one of the first things the authorities will address during an investigation. The leadership must provide sufficient independence and resources to the department or individuals by means of adequate materials, staff and budget.

The main responsibilities of the department responsible for compliance should include actively contributing to the programme’s development and communicating the internal rules to employees. In the same way as it communicates internal rules to employees, the department is responsible for receiving and dealing with reports coming from the hotline or any other source, always avoiding any potential conflict of interests. Furthermore, the department should be responsible for creating the company’s internal policies and procedures, which may be done with the assistance of other departments in the company.

To do this, the compliance department must be responsible for conducting a risk assessment at the company to identify the main risk areas and implement adequate rules and controls to deal with those risks.

The compliance officer is frequently the contact point, with external counsel, to provide information and interact with government authorities during an external investigation. For this reason, the compliance department should be aware and be updated on the company’s risks, business and risk mitigating factors. It is strongly advisable that potential misconduct is investigated and applicable corrective measures are taken. To that end, the department’s independence and autonomy are essential to foster prevention, detection and remediation activities.

Codes, policies and procedures

Having formal policies and procedures in place is an important and fundamental aspect that will be assessed by the authorities. This is also essential for a robust compliance programme. According to the OECD Anti-Bribery Convention,[15] companies should take measures to control specific areas that are particularly vulnerable when it comes to anti-corruption, such as:

  • gifts, hospitality, and entertainment;
  • third-party management;
  • political contributions;
  • donations and sponsorships;
  • facilitation payments;
  • solicitation and extortion; and
  • book-keeping.[16]

The authorities will also expect a company to have policies in place to cover specific risks in each location where it has operations. This can be evidenced by supplementary policies addressing local risks and legal frameworks. For instance, the Office of the Comptroller General (CGU) in Brazil recommends that companies also implement policies to guide their interactions with public officials.[17]

The type of protection necessary for each company will be different, as the risks will depend on variables such as the business sector, geographical location and regulation applied to the company’s activities. For example, companies conducting business in countries with a higher corruption risk need stricter rules and protection than those conducting business in locations with lower corruption risks.[18] Likewise, companies acting in regulated sectors that have historically presented corruption issues, such as the oil and gas or mining industries,[19] also need further protections. Moreover, companies that participate in public bids, such as selling to the government or public entities, should implement a specific policy setting out guidelines and limits for sensible interactions throughout this type of process.

Therefore, even though the OECD sets out guidelines for some of the most important areas that need to be addressed in a compliance programme, conducting a compliance-focused risk assessment is essential. This includes, at a later stage, building policies and procedures that make sense for the company’s specific activities. In other words, the policies and procedures should be drafted to target the results of the risk assessment.

Policies and procedures should be written in simple and straightforward language, so that everyone at the company can understand, and in a way that can effectively be put in practice. Otherwise, the policies may be detrimental to the effectiveness of the entire programme – this is another of the key factors that the authorities will investigate when evaluating a compliance programme. The inclusion of practical examples in training is a good way to facilitate understanding of the policies and how they apply to everyone, which, in turn, is essential for the compliance programme’s effectiveness.

Third-party management

Third parties are commonly involved in bribery scandals, which is why authorities tend to look specifically for this when assessing a compliance programme. If a company is going through an external investigation, its relationships with third parties will be scrutinised and the company is likely to be compelled to present information or evidence on the nature, scope, payments and deliverables in connection with these commercial relationships. To this end, having third-party management measures in place will facilitate interaction with the authorities and help in defending the company’s position before them.

Based on best practices, ‘third parties’ may be defined as individuals or entities with formal or informal representation powers, such as those granted power of attorney, suppliers, commercial partners, lawyers and consultants, among others.

Sham contracts and phantom vendors have been at the centre of many bribery cases in Latin America. Therefore, ensuring good third-party management is particularly relevant in this region,[20] and it is essential for companies operating in Latin America to implement (1) a third-parties policy, to make employees aware of how to behave and to mitigate risks while interacting with third parties, and (2) specific controls relating to third parties, to mitigate at least part of the risk related to their services.

The following are some of the best practices for managing and mitigating third parties’ compliance risks, based on what the authorities tend to look for.

Concerns regarding third-party risks begin before even signing the agreement. It is important to perform a due diligence before retaining or associating with a third party. Due diligence is helpful for checking whether there is any specific cause for concern in having a contractual relationship or any type of association with a third party. In this sense, it is recommended that due diligence is risk-based and has a level of complexity based on the risk evaluation. For example, high-risk third parties benefit from more complex due diligence than low-risk third parties. It is also important to have rules setting out the parameters for the risk evaluation and the way of treating each third party according to its evaluated risks. In doing so, the company will be addressing one of the main issues in third-party relationships, namely managing its risk, which is one of the main concerns for authorities when evaluating compliance programmes.

According to the International Chamber of Commerce,[21] third-party risk evaluation should consider country risk, industry risk, the size of the contract and whether the contract involves relationships with public officials. As such, high-risk third parties are usually entities or individuals that interact or have some kind of connection with public officials, have representation powers in business deals or work in high-risk jurisdictions.

Formalising a relationship with a third party is also important, not least in the eyes of the authorities. The mitigating steps in this process include signing an agreement with clear, specific and legitimate deliverables, fit for the purpose of the contract. While defining the payment method, success fees are not recommended and should be avoided, particularly if the service involves the generation of business or is in the context of interaction with the government. Inserting compliance clauses and obligations in the agreement is also recommended, as are compliance-focused damage clauses and the possibility of suspending payment and services.

Once a company has retained a third party, it should monitor the work that is being performed and the way the third party is performing it. This is particularly important when dealing with high-risk third parties. In the event of an external investigation relating to a third party’s action, authorities will be interested in how the company monitored it.

Monitoring also includes updating the third party’s due diligence, to ensure that the third party has not been involved in any irregularity or that there is no cause for concern in continuing to be associated with a specific third party.

Thus, companies should consider the following four key points while implementing controls on third parties: (1) perform risk-based due diligence, before associating with the third party; (2) formalise the relationship, establishing clear rules to which the third party must abide; (3) monitor the service being provided regularly and specifically check for non-compliance;[22] and (4) track the payments made to the third parties, to ensure that amounts are correctly recorded, in accordance with the contract and services rendered and follow necessary internal controls.[23]

Finally, periodic compliance training should also be extended to third parties, especially if they present a high risk, such as those that interact with the government. A company should ensure that third parties are fully aware of its ethical principles and compliance rules, as set out below. In this way, a company can extend the reach of its compliance programme, which will help to mitigate the potential risk and will be seen as a positive step when authorities are carrying out an evaluation.

Communication and training

Another relevant part of building a robust compliance programme entails establishing efficient measures to communicate with and train employees and third parties. This is key to ensuring that the compliance programme is effectively applied, through teaching employees and third parties and disseminating the company’s rules and principles. A company that does not properly communicate with its employees and inform them of its values will find it more difficult to explain or argue to authorities that a violation was an isolated case or that it was simply one bad employee that disrespected the rules. This is likely to be the case even if the company has all applicable codes and policies in place.

Therefore, it is important that the code of conduct, policies and procedures are easily accessible to any interested party. The language used in these documents must be easy for all individuals to understand. This could include having the policies and code of conduct translated into one or more other languages in which the document will be communicated and applied. It is equally important to communicate the existence of a hotline channel, so that all employees and third parties can report any misconduct or violation of the company’s policies. While it is hard to predict where or when a violation will take place, ensuring that all employees have access to and understand the expected conduct can significantly mitigate problems in the future.

Furthermore, providing training for employees and third parties on the company’s policies is essential to ensure that everyone is aware of how the company expects them to behave in relation to each subject matter. Should the company believe it is recommended, it may also be important to hold training sessions on how to act in situations where specific investigative measures may be taken by the government in the event of an external investigation (e.g., regarding dawn raids).

Additionally, as mentioned above, training of employees should be appropriately documented, including who specifically attends and, in appropriate circumstances, tests should be given after the training has been delivered, so the company can measure the level of understanding of the employees who have participated. Keeping good records of attendance lists, the information conveyed and even pictures of training sessions is very important. This material can help to prove to the authorities that a certain employee or department was given instructions about the company’s rules and that the company did its part in educating its employees. It also shows to the authorities that the company has an organised and efficient compliance department that takes its role seriously.

Normally, separate training sessions should be held to reflect different audiences and subjects. Certain subjects and policies are more important to a certain department or area than to others, which could require a more detailed form of training for some employees. This type of differentiation can also help to enhance the participants’ level of understanding. Another recommended measure is to have practical training, other than in the form of a lecture.

Interactive training tends to achieve a higher level of understanding by the audience, which helps to ensure its effectiveness. In other words, personalised training tends to be more effective, especially if the training includes examples common to the regular business, such as common requests from external parties, difficulties and gaps. The leadership should help the compliance department to map out these common situations while preparing the training.

Finally, follow-up training should also be given periodically, to ensure that all employees are constantly updated. Having online training available on a rolling basis between live training can be helpful to that end and even help to prepare employees further. The company may consider how to assess employees’ retention of the content after providing training. One way of doing that is analysing the overall results of the tests – including the wrong answers, which could indicate that employees do not understand a particular subject, for example. However, obtaining and analysing employees’ answers can be a double-edged sword during external investigations if the company does not take any follow-up action, as this would demonstrate to the authorities that the company failed to properly convey a subject to its employees. After receiving and analysing the answers, the company must strive to resolve any questions or misconceptions arising from the training.

Auditing and monitoring

Having constant auditing and monitoring is another important element of a robust compliance programme. This can be done in various ways and by different measures, according to the size and type of the company.

Auditing and monitoring are important for ensuring the effectiveness of a compliance programme and for ensuring that any flaws or risks are quickly identified and solved. Also, risks and flaws identified in previous auditing and monitoring processes should be tested subsequently, to ensure they have been effectively treated and fixed. Efficient monitoring can help to identify a problem before it happens or, if it happens, to discover it before the authorities do. This gives the company leverage to negotiate a settlement and the option to self-disclose, if appropriate.

Monitoring entails consistent analysis of reports and information regarding a company’s business and the effectiveness of the compliance programme. This information can be obtained as a result of an auditing procedure, which can be an effective way to identify whether the policies and procedures are in line and still appropriate to the company’s business and risks. It can also be obtained through the hotline reports, internal verifications and interviews with employees in key areas, among other measures.

The department responsible for implementing the compliance programme should be responsible for supervising its effectiveness and should do so independently and with all the adequate resources. The leadership has an important role in this, as explained above. Auditing, on the other hand, should be carried out by a different team, either in-house or external, to avoid conflicts of interest and to ensure the audit’s independence.

Investigation and reporting

Another important aspect that should be addressed as part of a company’s implementation of a robust compliance programme is internal investigation and reporting. Once a possible irregularity or misconduct is identified, the company should take appropriate measures to investigate and identify the details and source of the problem, including the individuals involved and potential flaws in the programme. This will ensure the company has the information and answers it needs should an external investigation be initiated. External investigations usually go beyond simply identifying a specific issue and the individuals involved. The authorities will also want to know whether there have been any similar issues in the past or if the same misconduct has been replicated in other units or branches. Conducting an internal investigation beforehand may provide some of these answers.

Moreover, a company should consider from the very beginning whether it is going to use the documents and information obtained during an internal investigation in the event of an external investigation. To this end, and as a matter of best practice, companies should have a specific policy setting out rules for conducting internal investigations, including document and information retention policies.

Once an internal investigation has been concluded, the company should take immediate measures to ensure that any potential irregularity has been stopped, apply disciplinary measures, if applicable, and use the lessons learned from the investigation to enhance and improve the compliance programme.

One possible decision, which can be linked to performing an internal investigation, is reporting the issue to the relevant authorities, even before the authorities are aware. This should be considered by the company and depends on several variables, including the level of information and documents the company was able to gather during the internal investigation. Local legislation in the countries in which the company operates should also be considered. This allows the company to check whether there is any law that makes reporting to authorities mandatory, or otherwise desirable. As an example, in some jurisdictions, financial institutions must report suspicious activities to prevent money laundering. Self-reporting can help to avoid a more extensive external investigation if the company has full understanding of what happened and has successfully obtained at least the most relevant answers. It can also demonstrate the company’s goodwill and cooperation.

In many cases, self-reporting and cooperating with the authorities is recommended to mitigate and reduce the fines and penalties a company would normally face for the particular irregularities. However, the decision to report to the authorities should be made after careful consideration of all variables, as previously explained.

In any event, having performed an internal investigation of potential issues will help should there be an external investigation.


The compliance area has evolved worldwide to establish consistent guidelines for what constitutes a robust and effective compliance programme. However, a truly effective programme must be tailored to a company’s specific risks, operations and needs. Having a strong compliance programme is invaluable to a modern and efficient corporation.

The advantages of having a good compliance programme surpass the need for a programme in the context of an external investigation. Still, there are immeasurable benefits in having a robust programme if a company faces situations such as those outlined in this chapter. The consequences for a company of not being properly prepared when facing the government range from reputational damage and reduced competitiveness to severe expense and penalties.


[1] Shin Jae Kim, Renata Muzzi Gomes de Almeida, Giovanni Paolo Falcetta and Karla Lini Maeji are partners, Fabio Rawet Heilberg is a senior associate and Laís Neme Cury Augusto Rezende is an associate at TozziniFreire Advogados.

[2] Though certainly the most frequent, external investigations are not the only circumstances in which an authority reviews a compliance programme. In Brazil, for example, the Office of the Federal Comptroller General (CGU) and the Ethos Institute created the Pro-Ethics Companies List, for companies with optimal compliance programmes. In its evaluation, the Pro-Ethics Companies List attributes points to the different areas of a company’s compliance programme, such as leadership commitment (important in the programme’s evaluation), codes and policies, hotlines, remediation and risk assessment. Guidelines such as the Pro-Ethics Companies List and guidance issued by US enforcement authorities must not be taken as compliance certifications, but are tools that companies can use to evaluate the state of compliance programmes, even before an external investigation is initiated.

[3] ‘New Argentine Law on Corporate Liability and Compliance Programs for Certain Corruption Cases’, FCPAméricas blog (December 2017) <http://fcpamericas.com/english/anti-corruption-compliance/argentine-law-corporate-liability-compliance-programs-corruption-cases/>.

[4] ‘The “TCA”: Colombia’s New Foreign Bribery Law’, FCPAméricas blog (April 2016) <http://fcpamericas.com/english/anti-corruption-compliance/tca-colombias-foreign-bribery-law>.

[5] ‘Anti-Corruption in Latin America’ in The Guide to Corporate Crisis Management (First Edition, 2018), Latin Lawyer <https://latinlawyer.com/chapter/1177364/anti-corruption-in-latin-america>.

[6] US Department of Justice, Memorandum dated 9 September 2015 from Sally Quillian Yates, Deputy Attorney General, re: Individual Accountability for Corporate Wrongdoing <https://www.justice.gov/archives/dag/file/769036/download>.

[7] Harmon, Douglas, ‘The Board’s Overlooked Role in Compliance’, Corporate Compliance Insights (August 2017) <https://www.corporatecomplianceinsights.com/boards-overlooked-role-compliance/>.

[8] Caswell, Emily, ‘Proactive compliance: predicting corrupt payments’ <https://globalinvestigationsreview.com/article/1197641/proactive-compliance-predicting-corrupt-payments>.

[9] id.

[10] ‘Taking Center Stage: The Rise of Compliance Due Diligence in Africa’, Baker McKenzie (September 2019) <https://www.bakermckenzie.com/en/insight/publications/2019/09/rise-of-compliance-due-diligence-africa>.

[11] Some businesses are subject to inherent compliance risks that can arise from different sources: a problematic location, a risky sector, regulated environment, high exposure and interaction with competitors (at class associations, for example), among others.

[12] Harrington, Jack, ‘How to Avoid a “Paper” Anti-Corruption Compliance Program’, The Suffolk Lawyer (September 2016) <https://cmmllp.com/avoid-paper-anti-corruption-compliance-program/>.

[13] ‘Approximately 7.5 Years After Disclosing FCPA Scrutiny, Walmart FINALLY Resolves FCPA Enforcement Action’, FCPA Professor (June 2019) <http://fcpaprofessor.com/approximately-7-5-years-disclosing-fcpa-scrutiny-walmart-finally-resolves-fcpa-enforcement-action/>.

[15] OECD, ‘Convention on Combating Bribery of Foreign Public Officials in International Business Transactions and Related Documents’ (2011) <http://www.oecd.org/daf/anti-bribery/ConvCombatBribery_ENG.pdf>.

[16] The areas identified and recommended by the OECD are historically the riskiest when it comes to anti-corruption.

[18] The Corruption Perceptions Index is prepared by Transparency International to measure the perceived levels of public sector corruption. The index was last updated in 2019 and ranks 180 countries and territories <https://www.transparency.org/cpi2019>.

[19] ‘Unearthing Corruption Risks in Mining Approvals’, Transparency International (December 2017) <https://www.transparency.org/news/feature/unearthing_corruption_risks_in_mining_approvals>.

[20] Ellis, Matteson, The FCPA in Latin America: Common Corruption Risks and Effective Compliance Strategies for the Region (2016), p. 114 <https://www.corporatecomplianceinsights.com/the-fcpa-in-latin-america-common-corruption-risks-and-effective-compliance-strategies-for-the-region/>.

[21] International Chamber of Commerce, ‘ICC Anti-Corruption Third Party Due Diligence: A Guide for Small and Medium Size Enterprises’ (May 2015), p. 13 <https://cdn.iccwbo.org/content/uploads/sites/3/2015/07/ICC-Anti-corruption-Third-Party-Due-Diligence-A-Guide-for-Small-and-Medium-sized-Enterprises.pdf>.

[22] id., at 23.
