5. Developing a Robust Compliance Programme in Latin America

This is an Insight article, written by a selected partner as part of Latin Lawyer's co-published content. Read more on Insight

For several years, there has been an ever-increasing focus on corruption in Latin America.^[2] In the wake of major corruption scandals,^[3] protests and calls for change have swept the region.^[4] In response, governments in Argentina, Brazil, Mexico, Peru and elsewhere have added to or enhanced anti-corruption provisions in their corporate liability schemes.^[5] Companies in turn should increase focus on internal compliance programmes to brace themselves for closer scrutiny and a more active enforcement environment.^[6] For multinational companies with operations that span the region, this can be a significant challenge, since an effective compliance programme should meet the requirements promulgated by authorities in every jurisdiction in which a company operates. This is especially true when countries’ corruption or criminal enforcement legal regimes apply extraterritorially. But the risks presented by operations in a given country vary throughout Latin America and, to be effective, a compliance programme must be tailored to those risks – based on geography, industry and any other relevant factors.^[7]

This chapter gives a snapshot of some of the key risks and challenges a multinational corporation’s compliance programme in Latin America must confront, particularly as it relates to the need for tailoring a compliance programme to fit the needs of each relevant jurisdiction, and also with respect to guidance issued by the US Department of Justice (DOJ), which is one of the most active anti-corruption enforcement authorities in Latin America.^[8] There is then discussion about the practices companies can adopt to maintain an effectively tailored compliance programme.

Background

To understand the variability of the control environments throughout Latin America, we begin with the baseline prevalence of corruption, which is itself highly variable.^[9] As the magnitude of the risk varies dramatically from country to country, so do the types of risks.^[10]

Local enforcement regimes must also be considered in establishing an effective compliance programme. Many countries in Latin America have recently enacted substantially tougher anti-corruption measures.^[11] Still, the variances among them can be significant.^[12] A good example of this is the laws regulating ‘facilitating payments’. Some regimes permit them in limited circumstances (as does the US Foreign Corrupt Practices Act (FCPA)), but they are prohibited under local law in many countries, such as Brazil and Mexico.^[13]

While the principal objective of a compliance programme is to ensure a company is avoiding risk and complying with the law, one of the significant benefits of an effective compliance programme is detecting illicit conduct, if and when it does occur. Most countries seek to incentivise and credit companies that maintain compliance programmes and self-report conduct to anti-corruption regulators.^[14]

In Argentina, for example, some of the necessary conditions for corporations to be eligible for exemption from penalties and administrative liability include: that a system of internal controls and supervision be in place; that circumventing the system required deliberate effort by the wrongdoers; and that the company self-report and disgorge undue benefits.^[15] In Chile, companies might be either exempted from liability or have their penalty reduced as a result of implementing an effective compliance programme.^[16]

With this backdrop of the importance of a compliance programme, we move on to address the essential elements of an effective one.

Components of an effective compliance programme

Not all countries require compliance programmes. This is true for the United States and many countries in Latin America such as Argentina (except for entities that are parties to certain federal government contracts). However, the US DOJ and SEC have used their broad extraterritorial jurisdiction through the FCPA to bring enforcement actions against companies headquartered in Latin America, for conduct that occurred principally in Latin America and was carried out by nationals of countries in Latin America.^[17]

Thus, compliance programmes by major companies in Latin American should take account of the anti-corruption guidance from US agencies.^[18]

This was especially true in 2020, when, despite the covid-19 pandemic, the US SEC brought more than 700 enforcement cases, pulling in US$4.7 billion in civil penalties and ‘a record-setting nearly $3.6 billion in disgorgement’.^[19] Previously, the US DOJ had structured its guidance for evaluating compliance programmes into 11 compliance topics (also referred to as ‘hallmarks’) and 46 sub-topics. In a major revision to that guidance promulgated in April 2019, updated again in June 2020 as discussed below, the US DOJ guidance asks three core questions:

First, is the corporation’s compliance programme well designed?
Second, is the programme being applied earnestly and in good faith? In other words, is the programme being implemented effectively?
Third, does the corporation’s compliance programme work in practice?^[20]

While no formula will fit all companies, below are some of the key elements, drawn from the US DOJ’s guidance and the compliance requirements in several Latin American countries to consider for any compliance programme.

Tone at the top

Both senior and middle management should be sending out a clear message that misconduct is not tolerated, and that management endorses – and will enforce – the policies and procedures designed to drive ethical conduct. Every opportunity should be taken to show in concrete steps and clear terms management’s commitment to compliance, and to show that misconduct or significant risks will not be tacitly or otherwise tolerated in pursuit of business goals. For example, companies developing training materials may use anonymised descriptions of the type of misconduct that triggered discipline. Any signalling that the company or its leadership is compromising on adhering to its compliance values and rules may be read by more aggressive employees as condoning prohibited conduct.

Risk assessment

In any compliance programme, great emphasis should be placed on the degree to which a programme is tailored to the risks that are presented by a particular company’s business. Risks should be assessed based on a company’s geography, its industry, its competitive and regulatory environments, who its actual or potential clients or business partners are, and what types of transactions, payments or donations might be made to government officials, charities or other third parties.^[21] Companies should expect not only to show that they have identified and assessed the risks they face, but will be expected to be able to defend the way in which they have done so.

Resource allocation and autonomy

A compliance function must not only be adequately staffed and funded, it must have sufficient authority to perform its role. Leadership of the compliance function must have seniority in the organisation, as well as autonomy and independence from management.

There are several ways to address these challenges. Ideally, the head of compliance has access to the company’s board, the board’s audit committee, or the chief executive office (or more than one of these), and the job performance of compliance personnel is reviewed by very senior managers, the board’s compensation committee, or other components of the company that are sufficiently independent from the business operations that the compliance function reviews. Consideration should be given to whether the compliance function will be housed in its own department, within the legal department, or splintered and subordinated to various business units. Companies also should consider whether compliance personnel’s responsibilities will be purely compliance-related or if they will wear two hats and have a role in the business they may be reviewing, which may detract from their independence.

Several Latin American countries already require resource allocation and autonomy for the compliance function. In Chile, the compliance officer or body ‘must have autonomy’; in Brazil, compliance programmes must have ‘independence and authority’; and in Colombia, programmes should have ‘autonomy and the human, technological and economic resources required’ for effectiveness.^[22]

Policies and procedures

A code of conduct is one of the threshold matters that should be in place, reinforced by management, and should be readily available and broadcast to all employees in the languages those employees speak at work. There should be resources in place – which also are broadly communicated – that allow employees to seek guidance on issues relating to the company’s code of conduct or other policies or procedures. In addition to a written code of conduct, controls should be in place to avoid opportunistic bribe-seeking by state officials. If a mistake is made (for example, in completing a customs form for importing a company’s products, which a customs official could ‘overlook’ in exchange for a bribe), the company should have in place controls to make sure that the mistake is corrected through proper channels, even if there are negative business consequences for the company.

Training programmes

Training is a must – for directors and officers, for relevant employees, and in many cases for business partners, agents and other third parties. It should take account of the audience’s size, sophistication and experience with the subject matter. Of particular importance is training for gatekeepers: supervisors or control personnel, or other persons with approval authority or certification responsibilities.

Overall, a company should have a methodology for developing its training curriculum for different personnel up front, and on the back end should have ways to measure the effectiveness of its training programme – for example, documenting the completion rate, testing employees on what they have learned, addressing employees who fail to pass those tests, and tracking which personnel receive which training. Training, like all other aspects of an effective compliance programme, must be tailored to the specific business risks employees are likely to face. Most employees may well understand they cannot pay cash to a procurement official, for example, but may not appreciate, without specific training, that they also cannot offer him or her free or discounted company products.

Audit function

One of the core components of a compliance programme is its internal audit function, or comparable systems designed to test and monitor compliance, which should be directly mapped onto the results of periodic risks assessments and should place greater emphasis on high-risk areas. The documented results of those audits should periodically reach management and, depending on the scope or significance, the board should take actions in response to audit findings.

Third-party management

One of the areas of highest risk for companies is their agents, consultants, distributors or other vendors. It is widely recognised that third parties are a common vehicle to conceal illicit payments. The prevalence of this risk is vividly illustrated by a recent US$282 million combined fine that Walmart paid to the US SEC and US DOJ for failure of various subsidiaries to effectively investigate and mitigate third-party risk, including in Brazil and Mexico.^[23]

Thorough vetting or due diligence, and applicable controls, should include an assessment of each third party’s qualifications and reputation; the particular business need for their services; a specific description of the services they will be providing that can be objectively verified; a method to determine that compensation was at a fair market price for that industry and geographical region; and verification that the services were actually performed. Other enhancements might include updating due diligence, training personnel at those third parties, negotiating and exercising audit rights, or compliance certifications.

A process should be in place for documenting when red flags are discovered and how they are addressed, and for retaining that information to use in assessing future opportunities involving that third party. Failure to do so can result in substantial penalties. For example, in 2017, Zimmer Biomet Holdings Inc paid a criminal penalty of more than US$17 million, in part for continuing to use a Brazilian distributor that Zimmer knew had previously paid bribes on behalf of the company.^[24]

Confidential reporting structure

Confidential reporting, or whistle-blowing, allows employees to report possible misconduct when they either feel they have been unsuccessful in reporting it through ordinary supervisory channels or fear they will be unsuccessful in (or will suffer negative consequences for) doing so. Whistle-blowers often report misconduct or policy violations at significant personal and professional risk. Therefore, companies should widely broadcast their reporting mechanisms and consider proactive ways to foster an understanding that confidential reporting will remain as confidential as is legally permissible, that retaliation will not be permitted, and that processes are in place to protect whistle-blowers.

Consider the example of a recent US SEC enforcement action alleging a scheme to bribe Peruvian officials to obtain government contracts. The SEC Order describes how, as the scheme progressed and ‘the volume of improper payments increased, [a] Senior Finance Manager became increasingly concerned about authorizing them’.^[25] He ‘was brushed aside’ when he reported his concerns to another manager. The senior finance manager then raised the issue with a financial executive responsible for Latin America, who also failed to act. Had the senior finance manager used a confidential reporting structure, the scheme might have been uncovered, but instead it went on for years more and the company ultimately paid nearly US$10 million in fines.

Several countries are focusing on guidance changes designed to reinforce protections for whistle-blowing, including Argentina, Brazil, Colombia, Mexico and Peru. These changes have increased awareness of anonymous reporting mechanisms and encouraged their use. To illustrate, a survey tracking employees’ awareness and understanding of the compliance policies and procedures implemented at their companies showed significant increases in the percentage of employees who were aware that their companies offered anonymous reporting mechanisms — in Argentina employee awareness rose from 48 per cent in 2016 to 70 per cent in 2020, and in Peru it rose from 38 per cent in 2016 to 67 per cent in 2020.^[26]

Investigation process

Although handling internal investigations is treated in detail elsewhere in this publication, a basic measure of an effective compliance programme is its process for investigating complaints that do arise. The compliance programme should require the timely completion of investigations and appropriate follow-up and, where and as appropriate, the consequences for persons involved in any actual misconduct. When staffing investigations, it is important to select personnel who will be independent and objective. Some investigations may require external investigators, as in cases where the conduct appears widespread or may involve senior management. In those instances, the investigation should be managed by independent members of the board and by using external counsel. When the investigations are concluded, the investigators’ conclusions and outcome should be documented, and the company should engage in a candid and thorough root cause analysis to determine whether the misconduct involved any failures in controls, and whether those controls could be improved or any other weaknesses in the controls could be improved. A plan for remediation should be developed, documented and executed.

Incentives and discipline

While policies can set forth the rules, a compliance programme must recognise that employees’ behaviour must be incentivised to follow them, and there must be both positive and negative consequences for compliance or violations. Thought should be given to how the company can ensure that there is consistency in how discipline or incentives are applied throughout the company – laterally through different lines of business and vertically through different layers of management.

Promotions, rewards or bonuses for participation in compliance functions can all encourage employees to adhere to the company’s policies and the law.

Conversely, managers under whose supervision misconduct occurred may need to be disciplined if they did not exercise meaningful supervision or were put on inquiry notice related to the conduct at issue but failed to take appropriate action (and in that regard, the scope of an investigation should often include the management component or components overseeing the conduct at issue).

Updating

Even the best-designed compliance programme still requires periodic review and updating.^[27] Those revisions begin with an assessment of the risks presented (including previously unidentified or insignificant risks) and should also map other changes in the company – such as structural changes to the organisation or its components, changes in the company’s geographical markets or industries, and legal or regulatory changes.

Mining the lessons learned from prior incidents into a compliance programme (including future training programmes, in particular) is an effective way to show that a company is learning and adapting its compliance programme overall. Compliance programmes should evolve over time, just as the companies for which they have been designed evolve.^[28]

Mergers and acquisitions

Somewhat distinct from the compliance programme in the ordinary course is having a due diligence process in place for mergers and acquisitions activity (see also Chapter 11 on Assessing and Mitigating Compliance Risks in the Transactional Context). Subjecting a target company to adequate due diligence is not only important so that the successor or acquiror does not unwittingly inherit risk it should have found or pay a price for a target that fails to reflect the target’s actual risk level; it has also been flagged by the US DOJ as ‘indicative of whether [a company’s] compliance programme is, as implemented, able to effectively enforce its internal controls and remediate misconduct at all levels of the organisation’.^[29] Critically, a process also should be in place to track and address any post-acquisition risks or actual misconduct identified during pre-acquisition due diligence.

Summary

The US DOJ’s guidance is detailed, but a company’s compliance programme must take account of all the jurisdictions in which it operates, some of which may conflict with one another. In some instances, Latin American countries may have particular compliance requirements that that go beyond the US DOJ’s core, general topics.^[30] For example, in Brazil, while many elements are consistent with the topics treated above, an effective compliance programme should specifically include transparency regarding any donations made by a company to any political party.^[31] In Chile, companies can choose to have their compliance programme certified by the accredited organisations registered with the Financial Market Commission.^[32]

Sanctions compliance

The US Department of the Treasury’s Office of Foreign Assets Control (OFAC) also issued guidance in 2020 on evaluating compliance programmes, known as the Framework for OFAC Compliance Commitments. OFAC administers sanctions regulations under US law (for example, sanctions prohibiting US companies from doing business with Iran or with certain designated individuals). While the US DOJ has authority to investigate criminal offences, including criminal sanctions violations, OFAC has authority to pursue civil penalties and administrative remedies for sanctions violations.^[33]

The focus of OFAC’s framework is overall the same as the US DOJ’s guidance. Instead of three main questions, OFAC’s framework calls for ‘five essential components of a compliance programme: (1) management commitment; (2) risk assessment; (3) internal controls; (4) testing and auditing; and (5) training’^[34] In many ways it is a different cross-section of the same landscape of an effective compliance programme. It also emphasises the favourable consideration a company will receive, when resolving a violation, for having had an effective compliance programme at the time of a violation, as well as for remedial steps taken since.

Some aspects, however, are particular to the sanctions environment and illustrate why any compliance programme must be customised to a company’s particular situation. For example, OFAC’s framework specifically looks to whether compliance staff have experience with OFAC’s regulations, processes and actions, and whether they have the ability to understand complex financial and commercial activities and to apply their knowledge of OFAC to them. Information technology software and systems are called out, in particular because sanctions compliance often depends on screening a company’s transactions, payments, customers and other counterparties against OFAC’s list of sanctioned persons and entities, as well as geographical regions. OFAC’s framework emphasises the importance of implementing compensating controls once a possible violation is discovered until a root cause is identified and remediated, and the importance of record-keeping as it relates to activities that may be prohibited by OFAC’s regulations.

A sanctions compliance programme must also be able to adjust quickly to the fluid regulatory environment and changes in multiple jurisdictions. Mexico, for example, is implementing the ability to blacklist individuals suspected of money laundering and other financial crimes.^[35]

There are two other salient issues particular to sanctions that are worth noting. First, a sanctions compliance programme requires companies to acknowledge and navigate the sanctions imposed by one jurisdiction (such as the United States) and blocking statutes enacted by certain other jurisdictions (such as the European Union) that prevent companies from complying with those sanctions.^[36] Experienced legal counsel in each jurisdiction should help the company address how it will treat conflicting legal obligations like these.

Second, mergers and acquisitions can present heightened challenges in complying with sanctions. An acquisition target may operate in a jurisdiction that has a blocking statute in place (prohibiting the target from complying with sanctions issued by another jurisdiction, such as the acquiror’s) that does not recognise US sanctions, or that is in or proximate to high-risk sanctions regions.

Antitrust compliance

In evaluating a company’s antitrust compliance programme, which generally occurs in the context of a criminal violation such as price fixing, bid rigging, or market allocation, the US DOJ’s Antitrust Division’s guidance asks three principal questions:^[37]

First, does the programme address and prohibit criminal antitrust violations?
Second, did the programme detect and facilitate prompt reporting of the violation?
Third, to what extent was a company’s senior management involved in the violation?

Many of the topics covered in the Antitrust Division’s guidance cover the same ground as the US DOJ’s general guidance referenced earlier, but many points are specific to the antitrust context.

By contrast, although not particular to antitrust, the Antitrust Division’s guidance also specifically called for guidance to employees regarding document destruction and obstruction of justice.

Treatment of whistle-blowers

As noted earlier, whistle-blowing channels are a critical element of a compliance programme. This is also an area where local attitudes can affect both the whistle-blower and the behaviour of the persons receiving a whistle-blower report. In this way, cultural factors can substantially alter the risk profile of a given country. The diverse array of cultures and customs throughout Latin America is a major challenge when establishing a compliance programme that spans the region.^[38] For instance, in certain Latin American countries, notably Brazil, there is a history of hostility towards whistle-blowers and a concomitant reluctance for them to come forward.^[39] In other countries (Mexico for instance), employees may place a lesser value on confidentiality.^[40] Marrying that cultural reality to the various legal requirements can be challenging for multinational companies.

Various countries in Latin America have particular legal provisions that cover whistle-blowers, but they do not all afford the same – and some do not provide any – protection. Argentina recently passed legislation that permits the government to provide economic awards to whistle-blowers as a special investigative technique and recommends that a compliance programme should contain a policy that protects whistle-blowers from retaliation.^[41] In Brazil, benefits can be used to encourage whistle-blowers, but whistle-blowers enjoy no legal protections.^[42] Similarly, in Chile, there are no legal protections for whistle-blowers in the private sector, although increasingly larger companies are implementing compliance programmes that adopt protections as a matter of policy.^[43]

While multiple Latin American government offices have created channels for witnesses to provide information to regulators, given the considerable risks that whistle-blowers often perceive in reporting misconduct, it may take time – and probably some widely reported success stories – before their use begins to be engrained in corporate culture.^[44] By contrast, the European Union has adopted a new Directive^[45] that imposes specific requirements on corporate whistle-blowing channels. This Directive protects a broader set of people from a broader range of retaliatory conduct than US or many Latin American whistle-blower provisions. Companies with operations in both Latin America and the European Union will need to ensure that they meet the EU’s enhanced requirements.

Best practices

As we expect has now been made clear, managing a multinational company’s compliance programme in a variety of environments to meet the factors described herein is a substantial and ongoing challenge. We therefore outline some practices that companies can use to help create a compliance programme that is up to the task.

Documenting changes and successes

Not only is it important to have a documented compliance policy, but to document and record the processes called for by that policy and any changes made to the compliance programme.

If a violation of law is discovered by (or reported to) regulators and any resulting investigation or prosecution is being resolved, a company’s compliance programme will be evaluated both at the time the resolution is negotiated and also as of the time the offence occurred. Compliance programmes, designed to prevent and detect misconduct, are thus often viewed through a lens looking back to when the misconduct occurred but was not detected. The ‘adequacy and effectiveness of the corporation’s compliance programme at the time of the offense’ must be evaluated, but as the US DOJ guidance puts it: ‘Due to the backward-looking nature of the . . . inquiry, one of the most difficult questions prosecutors must answer in evaluating a compliance program following misconduct is whether the program was working effectively at the time of the offense, especially where the misconduct was not immediately detected.’^[46] Similarly, it is difficult for the company itself to look back in time to measure its compliance programme. But the US DOJ has emphasised that it is committed to credit companies for investing in an effective compliance programme even when misconduct was not prevented or detected.^[47] This makes clear the importance of documentation, tracking and institutional memory. A company may make adjustments to its compliance programme diligently and in earnest, but if the process for doing so and the basis for doing so are not tracked and housed in an accessible system, the value of those good measures may be lost when they are forgotten or when the memory of them leaves with the employees who implemented them. It may be difficult to reconstruct changes to compliance programmes from an oral history of employees, particularly with personnel turnover or changes to record-keeping systems without a centralised process to record the steps in the evolution of the programme.

Not only should instances of misconduct be identified or tracked, but companies can consider a procedure to document success stories. It might be populated with unilateral changes it has made to its compliance programmes; strategic adjustments made to respond to compliance concerns; specific disciplinary actions taken, such as declining promotions or awards for persons found to have engaged in misconduct; transactions that were modified or halted; or third parties whose services were declined. A company is generally not going to know when its compliance programme will be evaluated in the future, so having a system to track an effective compliance programme is an important way to derive the benefits of having one.

When potential misconduct is brought to a company’s attention, it is incumbent on the company to examine its procedures and compliance programme to determine whether improvements can be made. In some instances, a company might fear that making changes to a compliance programme, and documenting them, would concede that deficiencies exist. But making changes to a programme indicates both (1) effective remediation of potential misconduct and (2) revisiting and updating the programme, both of which are important factors in demonstrating an effective compliance programme. Remediation is not only a factor when evaluating the form of a possible criminal resolution and the amount of a fine, but also in determining whether a monitor will be considered or other ongoing reporting obligations will be imposed.^[48]

Broadcasting a culture of compliance

It is vital that a multinational corporation has a healthy culture of compliance and ensures that it is disseminated across the globe. As an organisation grows, cultural, linguistic and geographical barriers can hamper its effectiveness.^[49] Effective communication begins with ensuring compliance materials are translated into the local language or dialect, but it is not only a matter of translation.^[50] The subtleties of these issues can result in miscommunication and confusion when a compliance programme is exported wholesale from a home office.^[51] Inappropriate cultural references should be removed and replaced with more suitable ones. These recommendations may seem obvious, but companies fail to follow them with surprising frequency. In 2012, for example, after the multinational company Orthofix NV acquired a Mexican subsidiary, it promulgated its own anti-corruption policy but failed either to translate it into Spanish or to assure it was implemented in Mexico.^[52] Orthofix ultimately paid more than US$2 million in fines over corrupt payments to secure purchase orders.

Local input and buy-in

Relatedly, local stakeholders, including local managers and employees, should be consulted and given a voice in the crafting of a compliance programme for their region. Compliance materials should, whenever possible, be tailored to account for each country’s culture, customs and compliance environment.^[53] Cultural practices can often present a compliance risk. Gift-giving is traditional and routine in some places and can present obvious compliance risks that an effective policy must anticipate and account for.^[54] Similarly, requests for charitable donations from local officials, though unexceptional on their face, may well constitute an unmistakable demand for an illegal payment in a particular location.^[55]

As an example, in 2013 and 2014, Telefônica Brasil SA hosted a hospitality programme in connection with the 2013 Confederations Cup and 2014 World Cup association football tournaments.^[56] Through the programme, the company provided tickets and hospitality services to government officials who were directly involved with or could influence legislative actions, regulatory approvals, and business dealings involving the company. For failure to devise and maintain sufficient internal accounting controls surrounding this incident, the company was fined more than US$4 million. Understanding the form that hospitality may take, for example, and gaining a detailed picture of how a business is operating at a local level is necessary to the successful implementation of a compliance programme. Adapting a compliance programme to the local culture is also vital,^[57] and local management is often the most knowledgeable about the particular compliance risks facing its operations.

Involving local stakeholders has the added benefit of increasing buy-in to the programme. A top-down imposition of strict rules can create a sense of resentment in branch offices that are given no ownership over their operations.^[58] This insight is confirmed by recent behavioural scientific research on the risks of overbearing enforcement strategies, which shows this type of extrinsic imposition can alienate local employees and create ‘compliance fatigue’ while crowding out employees’ intrinsic motivation to do the right thing, such as actively reporting compliance risks.^[59] Incorporating input from local managers, who will often be the people actually charged with implementing the programme, will increase their commitment to the programme and therefore help in implementing it.^[60]

Involvement of local managers should not translate into complete delegation, however, or detract from corporate management’s commitment and ownership of the compliance programme. Ultimately, multinational corporations must incorporate local input while still retaining a focus on carefully overseeing the programme. Resistance from a local manager that aspects of a policy are ‘not the way we do things here’ is not the end of the discussion but the beginning of one about how best to implement a particular policy in that office’s context.

Relying on local counsel

Consulting high-quality local counsel is essential to meet the challenges of a particular legal environment in a given country. Local counsel can provide insights into how a company’s compliance programme should be modified to meet particular aspects of local laws.^[61]

For instance, Mexico’s newly enacted anti-corruption law has a relatively specific list of components that must be included in a compliance programme to justify a sentence reduction.^[62] Local counsel will also very often have a valuable – and external – perspective on cultural issues, or other issues peculiar to a given locale, and counsel should be taken into account alongside the voice of the company’s own local personnel.^[63] Any statement by a local manager that ‘everybody does’ something that would otherwise violate a compliance policy can be tested with local counsel, who can also help in communicating to that manager that his or her perception of how widespread a practice is does not comport with counsel’s experience.

Using data analytics

There has been an increased emphasis on data analytics, which can take many forms, from off-the-shelf software suites to artificial intelligence. Indeed, the US DOJ’s 2020 update to its compliance guidance provides new language already incorporated into at least three deferred prosecution agreements requiring companies to integrate data analyses in compliance programmes.^[64] The Commodity Futures Trading Commission (CFTC) has used data analytics in its own enforcement efforts.^[65]

The CFTC has issued its own compliance guidance in 2020 that calls for enforcement staff to look to the adequacy of a company’s “internal surveillance and monitoring efforts.”^[66]

Data analytics can assist companies in enhancing compliance and demonstrating to regulators that their compliance programmes are robust, assess appropriate risks, and shape an audit programme. In one example, American company Lockheed Martin developed a human resources-based algorithm and web-based application to track high-risk worksites where employees were less likely to report ethics concerns due to the sites being smaller, more remote and thus more difficult to monitor.^[67],[68]

Adapting to evolving legal regimes

Even after a programme is established, the task is not complete. It is especially true in Latin America today that firms must monitor and update their programmes continually to adapt to changes in the compliance environment.^[69] Updating a compliance programme is always important, especially given substantial uncertainty surrounding how newly enacted legislation in different countries in the region will be interpreted and applied. Nowhere is this truer than with respect to enforcement authorities’ treatment of corporate compliance programmes, which will have to be updated continually as the regulatory landscape changes.^[70]

Conclusion

In summary, an effective compliance programme can save a company from considerable adverse consequences later on. It can prevent illicit conduct in the first place, it can detect it at the earliest possible stage if it does arise, and it can lessen or avoid many of the consequences that come with an enforcement action – not least of which could be a compliance monitor to help devise and implement a programme that should have been established in the first place.

Footnotes

^[1]Brendan P Cullen is a litigation partner and Anthony J Lewis is special counsel at Sullivan & Cromwell LLP. The authors thank Noah P Stern and Kelly H Yin, associates at Sullivan & Cromwell LLP, for their valuable assistance in researching this chapter.

^[2]Congressional Research Service, ‘Combating Corruption in Latin America: Congressional Consideration’, p. 7 (2019) <https://crsreports.congress.gov/product/pdf/R/R45733>.

^[3]Miller, Ben; Uriegas, Fernanda, ‘Latin America’s Biggest Corruption Cases: A Retrospective’, Americas Quarterly (22 July 2019) <https://www.americasquarterly.org/content/decades-most-iconic-corruption-cases> (describing high-profile corruption cases across the region); Congressional Research Service (footnote 2, above) Appendix C.

^[4]Sheridan, Mary Beth, ‘Why political turmoil Is erupting across Latin America’, The Washington Post (10 October 2019) <https://www.washingtonpost.com/world/the_americas/why-political-turmoil-is-erupting-across-latin-america/2019/10/10/a459cc96-eab9-11e9-a329-7378fbfa1b63_story.html> (describing protests in part against corruption across the region, including Brazil, Peru, Guatemala, Haiti and Honduras); Daugaard, Andreas, ‘Honduras: How a surge of corruption scandals has fuelled political crisis’, Voices for Transparency (22 September 2019) <https://voices.transparency.org/honduras-how-a-surge-of-corruption-scandals-has-fueled-political-crisis-85af16ceac85> (linking corruption scandals In Honduras with mass protests there).

^[5]Corres, Luis Dantón Martínez; et al., ‘Mexico: At a Turning Point in Anti-Corruption Investigations and Enforcement’ in Americas Investigations Review 2020, at 135, 137 to 144; Fava, Pamina; et al., ‘How to Mitigate Corruption Risk When Investing in Latin America’, Anti-Corruption Report (25 July 2018) <https://www.anti-corruption.com/2619631/
how-to-mitigate-corruption-risk-when-investing-in-latin-america.thtml>.

^[6]Americas Society/Council of the Americas, ‘Latin America’s Battle Against Corruption: A Path Forward’, 7 (2018) <https://www.as-coa.org/sites/default/files/CorruptionReport2018_ASCOA.pdf>; Newbery, Charles, ‘Compliance Is Taking Off in Latin America. Is It Effective?’, Americas Quarterly (22 July 2019) <https://www.americasquarterly.org/content/compliance-takes-latin-americ-it-working>; Hamilton-Martin, Roger, ‘Investigator’s Guide to Brazil’, Global Investigations Review (8 December 2017) <https://globalinvestigationsreview.com/article/1151271/investigators-guide-to-brazil>.

^[7]Transparency International, ‘Business Principles for Countering Bribery’, at 7 (2013); Sureda, Aixa; González Soldo, Evangelina, ‘Argentina’, Americas Investigations Review 2020, Global Investigations Review (19 August 2019)
<https://globalinvestigationsreview.com/benchmarking/americas-investigations-review-2020/1196467/argentina>.

^[8]US Dep’t of Justice [US DOJ], Criminal Division, ‘Evaluation of Corporate Compliance Programs’ (29 April 2019) [US DOJ Guidance] <https://www.justice.gov/criminal-fraud/page/file/937501/download>.

^[9]Koukios, James M; et al., ‘Anti-Corruption in Latin America’ in The Guide to Corporate Crisis Management, at 68 (discussing the prevalence of regional variations in corruption risk).

^[10]See Tillen, James; Bates, Gregory, Miller & Chevalier, ‘Managing Corruption in Latin America’s Police Forces’, Anti-Corruption Report (16 September 2020) <https://www.anti-corruption.com/7543846/managing-corruption-in-latin-americas-police-forces.thtml> (noting that the nature and extent of police corruption, for example, is not consistent across Latin America and that risks in general evolve over time).

^[11]See Portella, Renato Tastardi, ‘Managing Multi-jurisdictional Investigations in Latin America’ in Americas Investigations Review 2020, at 53 to 57 (reviewing the newly enacted anti-corruption laws of Brazil, Mexico, Chile, Colombia and Argentina).

^[12]See Koukios (footnote 9, above), at 70 and 71 (providing a comparison of the local anti-corruption laws in Latin America).

^[13]Corres (footnote 5, above), at 139 (‘The prohibitions in the GLAR are rather broad and there is no facilitating payments exception.’); see also Fava (footnote 5, above).

^[14]See Chapter 14, 'The Advantages of a Robust Compliance Programme in the Event of an External Investigation'.

^[15]Basch, Fernando Felipe; Cargnel, Maria Emilia, ‘Argentina’ in The International Investigations Review, 41, 45, 46 (Law Business Research, Nicolas Bourtin ed., 9th ed. 2019).

^[16]Bofill, Jorge; Praetorius, Daniel, ‘Chile’, in The International Investigations Review (Law Business Research, Nicolas Bourtin ed., 9th ed. 2019), at 103.

^[17]Sheehan, Evelyn; Short, Jason, Kobre & Kim, ‘DOJ’s Long Arm Over Latin America: Recent Trends and Future Risks From Extraterritorial Application of U.S. Laws’, Anti-Corruption Report (30 September 2020) <https://www.anti-corruption.com/7640641/dojs-long-arm-over-latin-america-recent-trends-and-future-risks-from-extraterritorial-application-of-us-laws.thtml>.

^[18]See Tillen, James; Bates, Gregory, Miller & Chevalier, ‘Managing Corruption in Latin America’s Police Forces’, Anti-Corruption Report (16 September 2020) <https://www.anti-corruption.com/7543846/managing-corruption-in-latin-americas-police-forces.thtml> (noting that the nature and extent of police corruption, for example, is not consistent across Latin America and that risks in general evolve over time).

^[19]Barbarino, Al, ‘2020 Marked By Blockbuster Compliance Cases, Milestones’, Law360 (15 December 2020) <https://www.law360.com/articles/1338010/2020-marked-by-blockbuster-compliance-cases-milestones>.

^[20]US DOJ Guidance (footnote 8, above).

^[21]id., at 3; e.g., US DOJ, Justice Manual 9-28.800 [Justice Manual] <https://www.justice.gov/jm/jm-9-28000-principles-federal-prosecution-business-organizations#9-28.800>.

^[22]Tillen, James; Montenegro Almonte, Alejandra; Hollinger, Abi; Miller & Chevalier, ‘A Comparative Look at Anti-Corruption Compliance Program Expectations in Latin America’, Anti-Corruption Report (28 October 2020) <https://www.anti-corruption.com/7831636/a-comparative-look-at-anticorruption-compliance-program-expectations-in-latin-america.thtml>.

^[23]Press release, US SEC, ‘Walmart Charged with FCPA Violations’ (20 June 2019) <http://fcpa.stanford.edu/fcpac/documents/5000/003871.pdf>.

^[24]See, e.g., Press release, US DOJ, ‘Zimmer Biomet Holdings Inc. Agrees to Pay $17.4 Million to Resolve Foreign Corrupt Practices Act Charges’ (12 January 2017) <http://fcpa.stanford.edu/fcpac/documents/4000/003434.pdf>. In 2017, Zimmer Biomet Holdings Inc paid a criminal penalty of more than US$17 million, in part for continuing to use a Brazilian distributor that Zimmer knew had previously paid bribes on behalf of the company. The US parent was also faulted for failing ‘to implement an adequate system of internal accounting controls at the company’s subsidiary in Mexico, despite employees and executives having been made aware of red flags suggesting that bribes were being paid’.

^[25]Justice Manual (footnote 22, above), at 9-28.800; US Sentencing Guidelines Manual, § 8B2.1(b)(5)(C) (US Sentencing Commission, 2018) [Sentencing Guidelines] <https://guidelines.ussc.gov/gl/%C2%A78B2.1>.

^[26]Tillen, Montenegro Almonte, & Hollinger (footnote 21, above).

^[27]US DOJ Guidance (footnote 8, above), at 3; Sentencing Guidelines (footnote 26, above), at § 8B2.1(c).

^[28]US DOJ Guidance (footnote 8, above), at 13.

^[29]id., at 8.

^[30]Tillen, Montenegro Almonte, & Hollinger (footnote 21, above).

^[31]Rassi, João Daniel; Labate, Victor, ‘Brazil’ in The International Investigations Review (Law Business Research, Nicolas Bourtin ed., 9th ed. 2019), at 91.

^[32]Bofill and Praetorius (footnote 15, above), at 99.

^[33]Griffiths, Michael, ‘Companies face stricter conditions to throw off US sanctions’, Global Investigations Review (16 October 2020) <https://globalinvestigationsreview.com/just-sanctions/companies-face-stricter-conditions-throw-us-sanctions>.

^[34]US Dep’t of the Treasury, Office of Foreign Asset Controls, ‘A Framework for OFAC Compliance Commitments’ (2 May 2019) <https://www.treasury.gov/resource-center/sanctions/Documents/framework_ofac_cc.pdf>.

^[35]Neal, Will, ‘Mexican Parliament votes to expand powers of finance ministry’, Global Investigations Review (7 November 2019) <https://globalinvestigationsreview.com/article/1210714/mexican-parliament-votes-to-expand-powers-of-finance-ministry>.

^[36]European Council Regulation No. 2271/96 (22 November 1996).

^[37]US DOJ, Antitrust Division, ‘Evaluation of Corporate Compliance Programs in Criminal Antitrust Investigations’ (July 2019) <https://www.justice.gov/atr/page/file/1182001/download>

^[38]KPMG International, ‘Cross-border investigations: Are you prepared for the challenge?’ (2013) <https://assets.kpmg/content/dam/kpmg/pdf/2013/12/cross-border-investigations.pdf>.

^[39]See Fundação Getúlio Vargas, ‘Speak Now or Forever Hold Your Peace: An Empirical Investigation of Whistleblowing in Brazilian Organizations’ (2012) <https://pdfs.semanticscholar.org/492a/47ac593f21b7b20bc1861b50390186bcc8f8.pdf> (reporting results of survey, which confirms that ‘Brazilian organizations seem to consider whistleblowing a taboo or a deviant behavior and to persecute and retaliate those who blow the whistle as [if] they, rather than the wrongdoing, were the problem’); McLeod, Frances; Voss, Jenna, ‘Moving Forward After an Investigation’ in Americas Investigations Review 2020, at 86 [Moving Forward After an Investigation] (‘While retaliation is very much a cross-cultural phenomenon, it can be more pronounced in certain countries. Historical factors such as the local law enforcement culture, role of the military in law enforcement, confidentiality around investigations and the effect of prior autocratic government structures, may contribute to a heightened culture of retaliation. A whistleblower in such a society may be viewed as a traitor.’).

^[40]Sierra, Diego, ‘Mexico’, in The Practitioner’s Guide to Global Investigations, Part II, 205 (Law Business Research, Judith Seddon, et al. eds., 3rd ed. 2019) (citing as a ‘principle challenge that arise[s] in cross-border investigations’ the ‘maintaining confidentiality of what comes to light during interviews with employees. This is often an issue as there is a weak confidentiality culture in Mexico.’).

^[41]Basch and Cargnel (footnote 14, above).

^[42]Rassi and Labate (footnote 30, above), at 89.

^[43]id., at 99.

^[44]Bofill and Praetorius (footnote 15, above), at 99.

^[45]Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law.

^[46]US DOJ Guidance (footnote 8, above), at 13.

^[47]Zwiebel, Megan, ‘AAG Benczkowski Wants Prosecutors to Be Compliance Sophisticates’, Anti-Corruption Report (8 January 2020) <https://www.anti-corruption.com/4230152/aag-benczkowski-wants-prosecutors-to-be-compliance-sophisticates.thtml?utm_source=emailArticle&utm_medium=email&utm_campaign=emailArticle>.

^[48]Memorandum from Brian A Benczkowski (US Assistant Attorney General) to US DOJ Criminal Division Personnel, ‘Selection of Monitors in Criminal Division Matters’ (18 October 2018) <https://www.justice.gov/opa/speech/file/1100531/download>.

^[49]See OECD, Corporate Governance and Business Integrity: A Stocktaking of Corporate Practices 56 (2015) <http://www.oecd.org/daf/ca/Corporate-Governance-Business-Integrity-2015.pdf>; Sureda and González Soldo (footnote 7, above).

^[50]See US DOJ and US Securities and Exchange Commission, ‘FCPA: A Resource Guide to the U.S. Foreign Corrupt Practices Act’ (2012) <https://www.sec.gov/spotlight/fcpa/fcpa-resource-guide.pdf>; KPMG (footnote 38, above), at 17.

^[51]Tillen, James G; Delman, Sonia M, ‘Lost in Translation: The Language of Bribery’, The Corporate Governance Advisor (1 August 2010).

^[52]Deferred Prosecution Agreement, United States of America v. Orthofix International, N.V., 12-cr-0015 (2012) <http://fcpa.stanford.edu/fcpac/documents/3000/002056.pdf>.

^[53]See Transparency International (footnote 7, above), at 7; Sureda and González Soldo (footnote 7, above).

^[54]United Nations Global Compact, ‘A Guide for Anti-Corruption Risk Assessment’, 23 (2013) [UN Global Compact Report]; Tillen and Delman (footnote 49, above).

^[55]Baker McKenzie, ‘Latin America Corporate Compliance Report: Seven Compliance Challenges and How to Overcome Them’, 31 (2015) <https://www.bakermckenzie.com/-/media/files/insight/publications/2015/12/spotlight-on-latin-america/la_compliancereport_english.pdf>.

^[56]Press release, US SEC, ‘SEC Charges Telefônica Brasil S.A with Violating Books and Records and Internal Accounting Controls Provisions of the FCPA’ (9 May 2019) <http://fcpa.stanford.edu/fcpac/documents/5000/003861.pdf>.

^[57]ibid.

^[58]See Costa Carvalho, Isabel; et al., ‘Brazil’ in The Practitioner’s Guide to Global Investigations, Part II (Judith Seddon, et al., eds., 3d ed. 2019); Moving Forward After an Investigation, at 86.

^[59]See OECD, Behavioral Insights for Public Integrity: Harnessing the Human Factor to Counter Corruption, at 33 (2018) [OECD, Behavioral Insights] <https://dx.doi.org/10.1787/9789264297067-en>; Graf Lambsdorff, Johann, ‘Preventing corruption by promoting trust: Insights from behavioral science’, at 4 to 5 (Passauer Diskussionspapiere - Volkswirtschaftliche Reihe, No. V-69-15, 2015) <http://hdl.handle.net/10419/125558>.

^[60]See UN Global Compact Report (footnote 54, above), at 15 to 16; cf. OECD, Behavioral Insights (footnote 59, above), at 35.

^[61]See Portella and Tastardi (footnote 11, above), at 55 (reviewing the newly enacted anti-corruption laws of Brazil, Mexico, Chile, Colombia and Argentina).

^[62]See Corres (footnote 5, above) at 140; Portella and Tastardi (footnote 11, above), at 55 to 56.

^[63]Warin, F Joseph; et al, ‘Co-operating with the Authorities: The US Perspective’ in The Practitioner’s Guide to Global Investigations, Part I (Judith Seddon et al. eds., 3d ed. 2019); Lehtman, Jeffrey A; Laporte, Margot, ‘Individuals in Cross-Border Investigations or Proceedings: The US Perspective’, in The Practitioner’s Guide to Global Investigation, Part I.

^[64]Kagubare Ines, ‘Latest DPAs increase focus on compliance data’, Global Investigations Review (1 October 2020) <https://globalinvestigationsreview.com/just-anti-corruption/spoofing/latest-dpas-increase-focus-compliance-data>.

^[65]See Commodity Futures Trading Commission, ‘FY2020 Division of Enforcement Annual Report’ 8 (2020) https://www.cftc.gov/media/5321/DOE_FY2020_AnnualReport_120120/download>.

^[66]Memorandum from James M McDonald (Director, Division of Enforcement) to Commodity Futures Trading Commission, Division of Enforcement Staff, ‘Guidance on Evaluating Compliance Programs in Connection with Enforcement Matters’ (10 September 2020) <https://www.cftc.gov/media/4626/EnfGuidanceEvaluatingCompliancePrograms091020/download>.

^[67]Pitaro, Vincent, Cybersecurity Law Report, ‘How Lockheed Uses Big Data to Evaluate Risk at Small Worksites’, Cybersecurity Law Report (21 October 2020) <https://www.cslawreport.com/7737416/how-lockheed-uses-big-data-to-evaluate-risk-at-small-worksites.thtml>.

^[68]See Chapter 11, 'Embracing Technology'.

^[69]US DOJ Guidance (footnote 8, above), at 7, 14.

^[70]See OECD, Integrity for Good Governance in Latin America and the Caribbean: From Commitments to Action, at 68 (2018) <https://doi.org/10.1787/9789264201866-en>; Fonseca, André; Lima, Marina, ‘Brazil’ in The International Comparative Legal Guide to: Corporate Investigations (Keith D Krakaur and Ryan Junck, eds., 2018) <https://www.acc.com/sites/default/files/resources/vl/membersonly/Article/1475099_1.pdf>; Corres (footnote 5, above), at 137 to 144.