Compliance in context
I recall vividly the first time that I led a compliance seminar in Latin America. Although I received a warm welcome that day in São Paulo, many in the room seemed uncertain about the relevance locally of the US Foreign Corrupt Practices Act and, more generally, anti-corruption best practices. From a compliance perspective, that was a lifetime ago. So much has changed.
Back then, it seemed improbable that Brazil would soon adopt a sweeping anti-corruption law. Only a short time later, following riots in the streets, Brazil did precisely that, and the law dramatically took effect in January 2014. Those sceptical that Brazil ever would adopt such a law quickly transitioned their scepticism, next doubting that Brazil ever would enforce this law. That assumption again proved faulty. A tsunami of enforcement followed soon after, making headlines around the globe. Companies have paid big penalties, and high-profile politicians and business executives have been charged, convicted and imprisoned, though questions persist regarding some of these proceedings.
In addition to spawning countless enforcement operations within Brazil, these developments have reverberated throughout Latin America, with further shockwaves felt around the world. Brazil is not alone in fighting the scourge of corruption, even though it plays an outsized role in Latin America’s anti-corruption narrative. In recent years, numerous countries in the region (such as Argentina, Colombia, Mexico and Peru) have adopted new and expansive anti-corruption laws. More surprising to many, local authorities increasingly have enforced these laws, albeit to varying degrees and while grappling with an array of challenges. Although anti-corruption contours vary throughout the region, some of the basic ingredients persist, including highly relevant laws, locals fed up with corruption and scandals that abound.
As demonstrated within this context, actual enforcement can serve as a powerful motivator of intensified corporate compliance efforts. Companies and individuals often want to do the right thing, but an effective compliance programme entails more than just a pristine ethical mindset. Among other elements discussed in this book, a compliance programme requires the commitment of management at all levels and sufficient resourcing to do the job well. For obvious reasons, the spectre of aggressive enforcement offers a highly persuasive justification for finding religion in this area and making the necessary adjustments and investments.
An effective compliance programme
Much ink has been spilled over what constitutes an effective compliance programme, including in Latin America. Yet the main elements are relatively uncontroversial, with certain compliance truths remaining generally applicable. For example, as outlined in guidance issued in June 2020 by the US Department of Justice, proper evaluation of a corporate compliance programme necessarily involves assessing its design, implementation and effective functioning:
- Design: proper design begins with a thoughtful risk assessment. This includes evaluating a company’s compliance risk factors, such as its jurisdictions of operation, industry, government touchpoints and reliance on third parties. Just as no two companies are the same, a compliance programme cannot be one-size-fits-all but must be tailored to a company’s risk profile and integrated into its internal controls.
- Implementation: even the most brilliantly crafted programme can provide only limited comfort if it is not implemented effectively. This requires the commitment of management, autonomy, resourcing and empowerment of the compliance function, and both incentives for compliance and disincentives for non-compliance.
- Functioning: a compliance programme is only as good as it functions in practice. Adequate monitoring, testing and review are necessary to ensure that a programme is working as intended and is refined as needed. Proper functioning also requires the investigation of potential misconduct and remediation of any underlying issues.
It bears underscoring that risks posed by third parties, in particular, remain many companies’ most significant anti-corruption exposure. Countless examples of recent enforcement in Latin America illustrate this reality: third parties rather than company employees often pay the bribes later subjected to government investigations. Third-party management is therefore a core element of an effective compliance programme and should include risk-based due diligence, written contracts that enshrine compliance obligations and careful oversight of the third parties’ services.
In the end, no compliance programme is perfect or can prevent all wrongdoing, even with the best of intentions and efforts. For most companies, the question is not whether a compliance violation one day will occur but how severe and extensive it will be, how early and by what means it will be detected, and how the company ultimately will respond.
Companies and their stakeholders must accept this reality while also making judicious use of sometimes limited compliance resources. This balancing act becomes particularly challenging amid a crisis, such as the covid-19 pandemic. However, it is predictably during a crisis when the cost of neglecting a compliance programme may be most acute.
Prosecutors also have a valuable role in helping to incentivise companies to implement and maintain effective compliance programmes. Authorities in the region can do even more to support the growing compliance culture, including by imposing lower penalties on companies that implement effective programmes or, better yet, by declining altogether under appropriate circumstances from penalising these companies when certain things go wrong. This is especially so when companies are plagued by isolated misconduct of a rogue employee or a small number of employees. While active enforcement undoubtedly breeds greater efforts to comply, enforcement decisions that respect such genuine compliance efforts arguably can do so even more.
Overview of the book
This project has been a true labour of love for many. It also has been an absolute delight to collaborate with such knowledgeable and thoughtful contributors. I thank them deeply for their regional insights, nuanced analysis, spirited advice and deep commitment to spreading the gospel of compliance.
The book proceeds in six parts. Part 1 sets the scene by surveying the broader Latin American compliance landscape:
- Chapter 1: Peter Spivack and Isabel Costa Carvalho of Hogan Lovells examine the dramatic rise and evolution of compliance in Latin America over several decades, becoming the necessity that it is today. They illustrate the increasing importance of compliance in the region, bolstered in part by guidelines issued by authorities in Argentina, Brazil, Colombia, Mexico and Peru. At the same time, the authors acknowledge the ongoing challenges of promoting cultural change – while companies remain under expanding scrutiny – and ensuring appropriate enforcement of new laws.
- Chapter 2: A team from Skadden, Arps, Slate, Meagher & Flom LLP – Jocelyn E Strauber, Julie Bédard, Lauren A Eisenberg and Mayra Suárez – assesses the current compliance climate in Latin America. They review legislative changes in the region and how data protection regimes may affect corporate investigations. The authors also explore recent enforcement trends, including the increasing coordination among regulators, the prioritisation of prosecuting individuals, and increased enforcement involving particular industries.
- Chapter 3: Eloy Rizzo, Andre Leme, Victoria Arcos and Gustavo Chimure Jacomassi of Demarest Advogados explore the considerable impact of inter-agency cooperation on anti-corruption enforcement. Both internationally and nationally, such coordination has raised the compliance stakes and posed new challenges for companies and individuals understandingly seeking finality when negotiating resolutions with authorities. In addition to capturing the impacts of this phenomenon across borders, the authors focus in particular on difficulties and opportunities in improving coordination among various Brazilian authorities.
Part 2 then addresses key considerations in building an effective compliance programme:
- Chapter 4: Reynaldo Manzanarez Radilla, a corporate attorney and compliance professional at Incode Technologies Inc, profiles a successful compliance department. While recognising that there is not a single formula for success, he analyses some of the fundamentals, including a strong tone at the top, a true team of professionals and adequate resourcing. He also explains how the compliance function must act as a trusted adviser to the business, operating cost-effectively and demonstrating its value.
- Chapter 5: Brendan P Cullen and Anthony J Lewis of Sullivan & Cromwell LLP elaborate on building a robust compliance programme in Latin America. They describe the elements of an effective programme, including those based on guidance issued by US regulators. Beyond anti-corruption compliance, the authors explain some nuances of sanctions and antitrust compliance and, more broadly, the treatment of whistle-blowers. Additionally, they recount best practices such as documenting programme changes and successes, broadcasting a culture of compliance, ensuring local input and buy-in, relying on local counsel and using data analytics.
- Chapter 6: Andrew Jánszky, a corporate governance and compliance consultant, turns to the pivotal role a company’s board of directors should play, suggesting that expectations of boards have risen and should continue to do so. Specifically, he calls on board members to engage substantively on risk assessment and compliance matters, actively complementing (but not supplanting) the essential role of management. While recognising the improbability that any company could achieve best practices in all respects, he underscores the importance for a compliance function of independence, autonomy, and structural and cultural compatibility.
- Chapter 7: A team from Buckley LLP – Daniel R Alonso, Andrew P Pennacchia, Benjamin W Hutten and Norma Ramirez-Marin – discusses best practices for building effective internal communications channels. They construe expansively this imperative, addressing communications from the top and elsewhere, dissemination of policies and procedures, and effective training programmes. In addition, the authors consider critical aspects of employee feedback, reporting of compliance issues, and communications regarding compliance testing and internal audits.
- Chapter 8: Luis A García Campuzano of Villarreal-VGF recounts the vital role of compliance training, which multinational companies should adapt for their local workforces. The author elaborates on adjusting a compliance programme to local laws and culture, including tailoring a global policy to work in a given location. Additionally, the author discusses incorporating compliance considerations into recruitment and hiring, as well as providing incentives to encourage desired conduct and disincentives to discourage the contrary.
- Chapter 9: A team from Vinson & Elkins LLP – Palmina M Fava, Zachary Terwilliger, Michael Ward, Jose Sanchez and Natalie Cardenas – tackles the significant compliance risks and related challenges posed by third parties. The authors provide compelling enforcement examples and then detail best practices for mitigating potential exposures, including by conducting risk-based due diligence and appropriately monitoring third parties’ activities.
- Chapter 10: Adrián Magallanes Pérez and Diego Sierra Laris of Von Wobeser y Sierra, SC review best practices for conducting internal investigations of alleged wrongdoing. After explaining why these investigations are vital, they detail the investigative life cycle, including conducting a preliminary assessment, determining whether to engage external counsel, developing an investigative plan, preserving evidence, taking steps to avoid any retaliation, reviewing documents, conducting interviews, preparing a final report and proposing any remedial steps.
- Chapter 11: Matt Galvin, Jaime Muñoz and Dheeraj Thimmaiah of Anheuser-Busch InBev articulate a provocative technological manifesto, accelerated in part by the pandemic, and illustrate in practical terms how a data-driven approach can and must revolutionise corporate compliance programmes. The authors espouse benefits for programmes that leverage data science and analytics, including across risk assessments, internal investigations, and improvement generally of business performance and profitability. While recognising that companies will proceed in varying ways, the authors note opportunities involving automation and process optimisation, identification and harmonisation of data sets, and the application of rule-based tests and both supervised and unsupervised machine learning.
Part 3 considers compliance as a business advantage. Although sometimes perceived solely as a cost centre, compliance undoubtedly can generate competitive advantages. The more businesses embrace this reality, the easier it sometimes becomes to change corporate culture and to convince management to invest accordingly. In particular:
- Chapter 12: Maria Ximena Garcia Roche and Jussara Rocha Tibério of Camargo Corrêa Infra explore the concept of selling integrity. They discuss ways to turn compliance into business strategy and use it to benefit the company. The authors detail various measures of a compliance programme’s effectiveness – including corporate governance, prevention, detection and correction – and suggest ways to evaluate a programme’s functioning relative to key performance indicators involving processes, culture and leadership.
- Chapter 13: My Debevoise & Plimpton LLP colleague Erich O Grosz and I delve into assessing and mitigating compliance risks in the transactional context. While unknowingly buying a compliance problem can be disastrous, even assets tainted by corruption can sometimes be attractive targets. This chapter examines why and how compliance due diligence is essential for evaluating a potential transaction’s true value and appropriateness, offering practical steps for conducting due diligence and addressing related risks. In addition, the chapter explains how identifying any problematic conduct before an investment can be critical, both to avoid overpaying for an asset and to terminate and remediate any misconduct promptly after closing.
- Chapter 14: A team from TozziniFreire Advogados – Shin Jae Kim, Renata Muzzi Gomes de Almeida, Giovanni Paolo Falcetta, Karla Lini Maeji, Fabio Rawet Heilberg and Laís Neme Cury Augusto Rezende – illustrates how having a robust compliance programme can pay dividends for companies subjected to external investigations by government authorities. A compliance programme ultimately can reduce fines and penalties, serving as a mitigating circumstance or even an affirmative defence under various anti-corruption laws in Latin America. Additionally, having a robust compliance programme can help a company immeasurably in responding efficiently and effectively to requests from government authorities in the context of an external investigation.
- Chapter 15: A team from QIL+4 Abogados – José Quiñones, Evelyn Rebuli, Ignacio Grazioso, Javier Castellan and Luis Pedro Martínez – addresses the timely question of whether it is worthwhile to obtain an ethics certification. As the authors explain, a certification cannot guarantee that any particular conduct will or will not occur, but can validate the implementation of systems, policies and controls that seek to encourage or discourage such behaviours. The authors also review different types of certifications, the process for obtaining them and potential benefits.
- Chapter 16: Juliana Gomes Ramalho Monteiro, Thiago Jabor Pinheiro and Marcel Alberge Ribas of Mattos Filho, Veiga Filho, Marrey Jr. e Quiroga Advogados recount relevant environmental, social and governance (ESG) developments both globally and regionally. The authors then detail Brazil’s patchwork of laws and regulations with environmental, social and governmental resonance, notwithstanding Brazil’s comparatively nascent stage of ESG maturity. Significantly, the authors observe how traditional compliance infrastructure can provide a valuable foundation for ESG matters, including as to written policies, training, risk assessments, due diligence and monitoring.
Part 4 turns to specific legislative and regulatory pressure points:
- Chapter 17: A team from FerradaNehme – Rafael Collado González, Lucía Álvarez Galvez, Josefa Zamorano Quiroga and Camilo León Millones – analyses laws designed to combat money laundering and terrorist financing, close cousins of corruption, organised crime and drug trafficking. Although most jurisdictions in Latin America now have such laws, they differ throughout, heightening the related compliance challenges. After exploring relevant legal prohibitions, the authors then discuss best practices for mitigating these compliance risks, including recommendations of the Latin American Financial Action Group.
- Chapter 18: Luis Luis Fernando Macías Gómez, Carolina Porras and Alexander Acosta Jurado of Philippi Prietocarrizosa Ferrero DU & Uría address environmental and health and safety compliance. The authors share their perspective from Colombia, but also include examples from elsewhere in the region. Throughout the chapter, the authors outline why and how companies should carefully monitor changes in legislation, noting potential liabilities from failing to do so and how demonstrating such compliance can help companies to win both public and private contracts.
- Chapter 19: Lorena Pavic, José Pardo and Benjamín Torres of Carey y Cía explore challenges in navigating competition rules, drawing principally on the Chilean experience. The authors dissect associated legal reforms in Chile and elsewhere, explaining how they have raised competition standards throughout the region. The chapter then examines related legal exposures, including cartel investigations, and proposes safeguards to mitigate competition risks, including avoiding, deterring and detecting collusive behaviour. As the authors note, close attention to competition law is imperative for effective corporate compliance in Latin America.
- Chapter 20: Carolina Rozo Gutiérrez and Pamela Alarcón Arias of Phillipi Prietocarrizosa Ferrero DU & Uría then outline best practices for avoiding tax evasion fines, focusing in particular on differing examples from Colombia, Peru and Spain. The authors explain anti-abuse rules and the significance of identifying accurately beneficial owners. Given criminal and other potential adverse consequences, the chapter then recounts compliance measures to mitigate related risks, including policies, procedures and reporting.
- Chapter 21: A team from Vinson & Elkins LLP – Devika Kornbacher, Palmina M Fava, Jessica Heim and Gabriel Silva – discusses how data protection laws have proliferated throughout Latin America, more recently following the European Union’s model. The authors explore differences in the various legal regimes, including around breach notification requirements. Additionally, the authors underscore the value of an effective data compliance programme, subject to testing and updating, both to prevent violations and, if necessary, to defend a company against any related lawsuits or investigations.
Part 5 addresses compliance challenges in certain higher-risk industries:
- Chapter 22: Anna Carolina Malta Spilborghs and José Guilherme Berman of Barbosa Müssnich Aragão analyse risks in working with the public sector in Brazil, focusing specifically on the oil and gas and the infrastructure industries. In both, government touchpoints are extensive, including with state-owned entities such as Petrobras. Particularly during this period of economic transition, the authors advocate building a culture of compliance, ensuring transparency, implementing adequate compliance mechanisms and ultimately adopting a zero-tolerance approach to bribery.
- Chapter 23: Maximiliano D’Auro and Gustavo Papeschi of Beccar Varela provide an Argentine perspective on risk management in the financial services industry. Although financial services providers usually recognise their inherent exposure to anti-money laundering risk, the authors argue that these providers often underappreciate their anti-corruption exposure, notwithstanding the breadth of government touchpoints. Accordingly, the authors expound on elements of an integrity programme for financial services providers, especially in light of recent changes to Argentine law and associated compliance guidelines.
- Chapter 24: Fabio Alonso Vieira and Carolina Barbosa Cunha Costa of Kestener, Granja & Vieira Advogados dissect compliance challenges involving data privacy, particularly in the healthcare industry. Within this evolving field, the authors explain relevant legal developments in Europe, the United States and, more recently, Brazil. They also reflect on natural tensions in balancing privacy and innovation, particularly with cross-border transfers of sensitive data that have the potential to save lives.
Last, Part 6 looks to the future, highlighting some compliance trends to watch. In particular:
- Chapter 25: A team from Quinn Emanuel Urquhart & Sullivan LLP – Ben O’Neil, Alexander J Merton, Avi Panth and Isabelle Sun – foretells the creep of legislation targeting private corruption. They review the corrosive effects of commercial bribery, which are increasingly borne by the public, and the differing regulatory regimes used to combat these types of corrupt practices. The authors also discuss strategies for identifying the tell-tale signs of kickback schemes and for preventing private corruption through appropriate compliance policies and internal controls.
- Chapter 26: Erica Sellin Sarubbi and Tomás Fezas Vital Mesquita of Maeda, Ayres & Sarubbi Advogados examine the growing prominence of external compliance monitorships, often viewed by companies as costly and undesirable. The authors provide a brief history of monitorships in the United States, exploring the process generally and associated compliance objectives. Additionally, the authors address monitorships recently imposed by Brazilian authorities, some of which involve external monitors and others monitoring by local authorities. By following certain best practices in dealings with monitors – including ensuring transparency and open communications – the authors suggest that companies can transform monitorships into beneficial experiences rather than burdensome ones.
Companies throughout the region (and world) naturally find themselves in different places in their compliance journeys. There is understandably a learning curve when it comes to compliance programmes, and companies often are learning in real time, as are prosecutors.
As this book illustrates, compliance is a continuing process of assessing risks in a dynamic environment amid ever-increasing regulatory expectations, and then crafting, implementing and refining strategies to mitigate these risks. Building effective compliance programmes and respecting the relevant laws help us to reach the desired destination, but these programmes and laws are the means and not the end.
On behalf of all the contributors, we sincerely hope that this book can serve as a valuable resource to the many compliance professionals, lawyers, business executives, board members, advisers, investors and others making this essential journey.
Andrew M Levine
Debevoise & Plimpton LLP
 Andrew M Levine is a litigation partner at Debevoise & Plimpton LLP.
 US Department of Justice, Criminal Division, ‘Evaluation of Corporate Compliance Programs’ (June 2020) <https://www.justice.gov/criminal-fraud/page/file/937501/download>;.