Compliance in context
I recall vividly the first time I led a compliance seminar in Latin America. Although I received a warm welcome that day in São Paulo, many in the room seemed uncertain about the relevance locally of the US Foreign Corrupt Practices Act and, more generally, anti-corruption best practices. From a compliance perspective, that was a lifetime ago. So much has changed.
Back then, it seemed improbable that Brazil would soon adopt a sweeping anti-corruption law. Only a short time later, following riots in the streets, Brazil did precisely that, and the law dramatically took effect in January 2014. Those sceptical that Brazil ever would adopt such a law quickly shifted their scepticism, next doubting that Brazil ever would enforce this law. That assumption again proved faulty. A tsunami of enforcement followed soon after, making headlines around the globe. Companies have paid big penalties, and high-profile politicians and business executives have been charged, convicted and imprisoned. Even so, questions persist regarding some of these proceedings, and backlash continues in various forms.
In addition to spawning countless enforcement operations within Brazil, these developments have reverberated throughout Latin America, with further shockwaves felt around the world. Although Brazil has played an outsized role in Latin America’s anti-corruption narrative, other jurisdictions also have augmented their efforts to combat corruption. Numerous countries in the region (such as Argentina, Colombia, Mexico and Peru) have adopted new and expansive anti-corruption laws. More surprising to many, local authorities increasingly have enforced these laws, albeit to varying degrees and while grappling with an array of challenges. Anti-corruption contours vary throughout the region, but some of the basic ingredients persist, including highly relevant laws, locals fed up with corruption and scandals that abound.
Within this context, actual enforcement can serve as a powerful motivator of intensified corporate compliance efforts. For obvious reasons, the spectre of aggressive enforcement offers a highly persuasive justification for finding religion in this area and making the necessary adjustments and investments. Last year, along these lines, the US Deputy Attorney General warned that ‘[c]ompanies need to actively review their compliance programs to ensure they adequately monitor for and remediate misconduct – or else it’s going to cost them down the line’.
More broadly, enforcement risk remains acute in the United States and certain other jurisdictions. This is especially the case in the United States after the Biden administration in 2021 elevated fighting corruption to a national security priority and since has launched related initiatives. Unsurprisingly, a significant element of the resulting US anti-corruption strategy involves active engagement and close coordination with foreign partners, possibly foretelling greater collaboration between US authorities and Latin American counterparts.
An effective compliance programme
Companies and individuals often want to do the right thing, but an effective compliance programme entails more than just a pristine ethical mindset. Among other essential features discussed in this book, a compliance programme requires the commitment of management at all levels and sufficient resourcing to do the job well.
Indeed, much ink has been spilled over what constitutes an effective compliance programme, including in Latin America. Yet the main elements are relatively uncontroversial, with certain compliance truths remaining generally applicable. For example, as outlined in guidance issued in June 2020 by the US Department of Justice, proper evaluation of a corporate compliance programme necessarily involves assessing its design, implementation and effective functioning:
- Design: proper design begins with a thoughtful risk assessment. This includes evaluating a company’s compliance risk factors, such as its jurisdictions of operation, industry, government touchpoints and reliance on third parties. Just as no two companies are the same, a compliance programme cannot be one-size-fits-all but must be tailored to a company’s risk profile and integrated into its internal controls.
- Implementation: even the most brilliantly crafted programme can provide only limited comfort if it is not implemented effectively. This requires the commitment of management, autonomy, resourcing and empowerment of the compliance function, and both incentives for compliance and disincentives for non-compliance.
- Functioning: a compliance programme is only as good as it functions in practice. Adequate monitoring, testing and review are necessary to ensure that a programme is working as intended and is refined as needed. Proper functioning also requires the investigation of potential misconduct and remediation of any underlying issues.
It bears underscoring that risks posed by third parties, in particular, remain many companies’ most significant anti-corruption exposure. Countless examples of recent enforcement in Latin America illustrate this reality: third parties rather than company employees often pay the bribes later subjected to government investigations. Third-party management is therefore a core element of an effective compliance programme and should include risk-based due diligence, written contracts that enshrine compliance obligations and careful oversight of the third parties’ services.
In the end, no compliance programme is perfect or can prevent all wrongdoing, even with the best of intentions and good-faith efforts. For most companies, the question is not whether a compliance violation one day will occur but how severe and extensive it will be, how early and by what means it will be detected, and how the company ultimately will respond.
Companies and their stakeholders must accept this reality while making judicious use of sometimes limited compliance resources. This balancing act becomes particularly challenging amid a crisis, such as the covid-19 pandemic. However, it is predictably during a crisis when the cost of neglecting a compliance programme may be most acute. And, in the last year, economic challenges and political upheaval have both exacerbated the pandemic’s devastating impacts and disrupted some of the region’s anti-corruption momentum.
Prosecutors have a valuable role in helping to incentivise companies to implement and maintain effective compliance programmes. Authorities in the region can do even more to support the growing compliance culture, including by imposing lower penalties on companies that implement effective programmes or, better yet, by declining altogether, under appropriate circumstances, to penalise these companies when certain things go wrong. This is especially so when companies are plagued by isolated misconduct of a rogue employee or a small number of employees. While active enforcement undoubtedly breeds greater efforts to comply, enforcement decisions that respect such genuine compliance efforts arguably can do so even more.
Overview of the book
This project has been a true labour of love for many. It also has been an absolute delight to collaborate with such knowledgeable and thoughtful contributors. I thank them deeply for their regional insights, nuanced analysis, spirited advice and deep commitment to spreading the gospel of compliance.
The book proceeds in six parts and includes significant updates since the prior edition and several new chapters (6, 7, 17, 18 and 24). Part 1 sets the scene by surveying the broader Latin American compliance landscape:
- Chapter 1: Peter Spivack and Isabel Costa Carvalho of Hogan Lovells LLP examine the dramatic rise and evolution of compliance in Latin America over several decades, becoming the necessity that it is today. They illustrate the increasing importance of compliance in the region, bolstered in part by guidelines issued by authorities in Argentina, Brazil, Colombia, Mexico and Peru. At the same time, the authors acknowledge the ongoing challenges of promoting cultural change – while companies remain under expanding scrutiny – and ensuring appropriate enforcement of new laws.
- Chapter 2: Julie Bédard, Lauren A Eisenberg and Mayra Suárez of Skadden, Arps, Slate, Meagher & Flom LLP assess the current compliance climate in Latin America. They review legislative changes in the region and how data protection regimes may affect corporate investigations. The authors also explore recent enforcement trends, including the increasing coordination among regulators, the prioritisation of prosecuting individuals and increased enforcement involving particular industries.
Part 2 then addresses key considerations in building an effective compliance programme:
- Chapter 3: Reynaldo Manzanarez Radilla, a corporate attorney and compliance professional at Incode Technologies Inc, profiles a successful compliance department. While recognising that there is not a single formula for success, he analyses some of the fundamentals, including a strong tone at the top, core compliance policies, a true team of professionals and adequate resourcing. He explains how the compliance function must act as a trusted adviser to the business, operating cost-effectively and demonstrating its value.
- Chapter 4: Brendan P Cullen and Anthony J Lewis of Sullivan & Cromwell LLP elaborate on building a robust compliance programme in Latin America. They describe the elements of an effective programme, including those based on guidance issued by US regulators. Beyond anti-corruption compliance, the authors explain some nuances of sanctions and antitrust compliance and, more broadly, the treatment of whistle-blowers. Additionally, they recount best practices such as documenting programme changes and successes, broadcasting a culture of compliance, ensuring local input and buy-in, relying on local counsel and using data analytics.
- Chapter 5: Andrew Jánszky, a corporate governance and compliance consultant, turns to the pivotal role a company’s board of directors should play, suggesting that expectations of boards have risen and should continue to do so. Specifically, he calls on board members to engage substantively on risk assessment and compliance matters, actively complementing (but not supplanting) the essential role of management. While recognising the improbability that any company could achieve best practices in all respects, he extracts from various case studies cautionary lessons for boards and underscores the importance for a compliance function of independence, autonomy, and structural and cultural compatibility.
- Chapter 6: Daniel S Kahn, Tatiana R Martins and Jordan Leigh Smith of Davis Polk & Wardwell LLP next tackle conducting compliance risk assessments, the starting point for designing an effective compliance programme. As part of this process, they explain the elemental tasks of mapping compliance risks based on factors such as a company’s geographical and operational footprint and then ensuring that compliance resources and controls adequately address the identified risks. The authors also identify significant considerations regarding who conducts a compliance risk assessment, as well as the importance of refreshing an assessment, especially in the face of triggers that may alter a company’s intrinsic risk profile.
- Chapter 7: María González Calvet, Krystal Vazquez and Baldemar Conzalez of Ropes & Gray LLP next discuss best practices for building effective internal communications channels and the vital role of compliance training. They address the centrality of communications from the top and elsewhere regarding a deep commitment to compliance, the foundational role of compliance policies and procedures, and the imperative of an anonymous reporting mechanism. The authors elaborate on tailoring a compliance programme to relevant laws and cultures, including adapting a global policy to work in a given location and delivering training that is customised for local workforces and replete with real-world examples.
- Chapter 8: Palmina M Fava, Zachary Terwilliger and Natalie Cardenas of Vinson & Elkins LLP tackle the significant compliance risks and related challenges posed by third parties. The authors provide compelling enforcement examples and then recount best practices for mitigating potential exposures, including by conducting risk-based due diligence, documenting compliance expectations and appropriately training third parties and monitoring their activities.
- Chapter 9: Adrián Magallanes Pérez and Diego Sierra Laris of Von Wobeser y Sierra, SC review best practices for conducting internal investigations of alleged wrongdoing. After explaining why these investigations are vital, they detail the investigative life cycle, including conducting a preliminary assessment, determining whether to engage external counsel, developing an investigative plan, preserving evidence, taking steps to avoid any retaliation, reviewing documents, conducting interviews, preparing a final report and proposing any remedial steps.
- Chapter 10: Matt Galvin (a Research Fellow at Harvard Business School and previously of Anheuser-Busch InBev) and Jaime Muñoz and Dheeraj Thimmaiah (both of Anheuser-Busch InBev) articulate a provocative technological manifesto, accelerated in part by the pandemic, and illustrate in practical terms how a data-driven approach can and must revolutionise corporate compliance programmes. The authors espouse benefits for programmes that leverage data science and analytics, including across risk assessments, internal investigations, and improvement generally of business performance and profitability. While recognising that companies will proceed in varying ways, the authors note opportunities involving automation and process optimisation, identification and harmonisation of data sets, and the application of rule-based tests and both supervised and unsupervised machine learning.
Part 3 considers compliance as a business advantage. Although sometimes perceived solely as a cost centre, compliance undoubtedly can generate competitive advantages. The more businesses embrace this reality, the easier it sometimes becomes to change corporate culture and to convince management to invest accordingly:
- Chapter 11: Jussara Rocha Tibério of Camargo Corrêa Infra explores the concept of selling integrity. She discusses ways to turn compliance into a business strategy and to use it to benefit the company. The author details various measures of a compliance programme’s effectiveness – including corporate governance, prevention, detection and correction – and suggests ways to evaluate a programme’s functioning relative to key performance indicators involving processes, culture and leadership.
- Chapter 12: my Debevoise & Plimpton LLP colleague Erich O Grosz and I delve into assessing and mitigating compliance risks in the transactional context. While unknowingly buying a compliance problem can be disastrous, even assets tainted by corruption can sometimes be attractive targets. This chapter examines why and how compliance due diligence is essential for evaluating a potential transaction’s true value and appropriateness, offering practical steps for conducting due diligence and addressing related risks. In addition, the chapter explains how identifying any problematic conduct before an investment can be critical, both to avoid overpaying for an asset and to terminate and remediate any misconduct promptly after closing.
- Chapter 13: a team from TozziniFreire Advogados – Shin Jae Kim, Renata Muzzi Gomes de Almeida, Giovanni Paolo Falcetta, Karla Lini Maeji, Fabio Rawet Heilberg, Brunna Padovan Ortega de Almeida and Laís Neme Cury Augusto Rezende – illustrates how having a robust compliance programme can pay dividends for companies subjected to external investigations by government authorities. A compliance programme ultimately can reduce fines and penalties, serving as a mitigating circumstance or even an affirmative defence under various anti-corruption laws in Latin America. Additionally, having a robust compliance programme can help a company immeasurably in responding efficiently and effectively to requests from government authorities in the context of an external investigation.
Part 4 turns to specific legislative and regulatory pressure points:
- Chapter 14: a team from FerradaNehme Abogados – Rafael Collado González, Lucía Álvarez Galvez, Josefa Zamorano Quiroga and Camilo León Millones – analyses laws designed to combat money laundering and terrorist financing (close cousins of corruption), organised crime and drug trafficking. Although most jurisdictions in Latin America now have such laws, they differ throughout, heightening the related compliance challenges. After exploring relevant legal prohibitions, the authors then discuss best practices for mitigating these compliance risks, including recommendations of the Latin American Financial Action Group.
- Chapter 15: Lorena Pavic, José Pardo, Benjamín Torres and Raimundo Gálvez of Carey explore challenges in navigating competition rules, drawing in part on reforms in Argentina, Brazil, Chile, Mexico and Peru. The authors explore relevant legal landscapes, illustrating the increased anticompetition standards throughout the region. The chapter then examines related exposures, including cartel investigations, and proposes safeguards to mitigate competition risks, including avoiding, deterring and detecting collusive behaviour. As the authors note, close attention to competition law is imperative for effective corporate compliance in Latin America.
- Chapter 16: a team from Vinson & Elkins LLP – Devika Kornbacher, Palmina M Fava, Gabriel Silva and Chris James – discusses how data protection laws have proliferated throughout Latin America, more recently following the European Union’s model. The authors explore differences in the various legal regimes, including around breach notification requirements. Additionally, the authors underscore the value of an effective data compliance programme, subject to testing and updating, both to prevent violations and, if necessary, to defend a company against any related lawsuits or investigations.
- Chapter 17: relatedly, Antonio Gesteira, Jordan Rae Kelly and Adriana Prado of FTI Consulting explore strategies for reducing cybersecurity and data risk, focusing in particular on ensuring incident readiness and building a culture of compliance. The authors detail the perfect storm of growing risks involving data breaches and cyber incidents, compounded by increasing enforcement in Latin America regarding data protection. In particular, the authors underscore the importance of prevention, including careful attention to incident response planning, and best practices for confronting an incident and dealing with the aftermath.
- Chapter 18: Ryan Fayhee, Diego Durán de la Vega, Tyler Grove and Anna Hamati of Hughes Hubbard & Reed LLP explore risks in Latin America involving compliance with US sanctions, a topic of particular prominence given recent global events. After providing an overview of US economic sanctions and embargo programmes, including both primary and secondary sanctions, the authors focus on recent developments regarding Cuba, Venezuela and Nicaragua, and they detail sanctions that target human rights violations and narcotics trafficking. The authors conclude with recommendations for designing and implementing an effective sanctions compliance programme.
Part 5 addresses compliance challenges in certain higher-risk industries:
- Chapter 19: Anna Carolina Malta Spilborghs and José Guilherme Berman of Barbosa Müssnich Aragão Advogados analyse risks in working with the public sector in Brazil, focusing specifically on the oil and gas and the infrastructure industries. In both, government touchpoints are extensive, including with state-owned entities such as Petrobras. Particularly during times of economic transition, the authors advocate building a culture of compliance, ensuring transparency, implementing adequate compliance mechanisms and adopting a zero-tolerance approach to bribery.
- Chapter 20: Maximiliano D’Auro and Gustavo Papeschi of Beccar Varela provide an Argentine perspective on risk management in the financial services industry. Although financial services providers usually recognise their inherent exposure to anti-money laundering risk, the authors argue that these providers often insufficiently appreciate their anti-corruption exposure, notwithstanding the breadth of government touchpoints. Accordingly, the authors expound the elements of an integrity programme for financial services providers, especially in light of changes to Argentine law and associated compliance guidelines.
Last, Part 6 looks to the future, highlighting some compliance trends to watch:
- Chapter 21: Ben O’Neil and Elissa N Bauer of McGuire Woods LLP foretell the creep of legislation targeting private corruption. They review the corrosive effects of commercial bribery, which are increasingly borne by the public, and the differing regulatory regimes used to combat these types of corrupt practices. The authors also discuss strategies for identifying the telltale signs of kickback schemes and for preventing private corruption through appropriate compliance policies and internal controls.
- Chapter 22: Erica Sellin Sarubbi and Tomás Fezas Vital Mesquita of Maeda, Ayres & Sarubbi Advogados examine the growing prominence of external compliance monitorships, often viewed by companies as costly and undesirable. The authors provide a brief history of monitorships in the United States, exploring the process generally and associated compliance objectives. Additionally, the authors address monitorships recently imposed by Brazilian authorities, some of which involve external monitors and others monitoring by local authorities. By following certain best practices in dealings with monitors – including ensuring transparency and open communications – the authors suggest that companies can transform monitorships into beneficial experiences rather than burdensome ones.
- Chapter 23: Juliana Gomes Ramalho Monteiro, Thiago Jabor Pinheiro and Marcel Alberge Ribas of Mattos Filho, Veiga Filho, Marrey Jr. e Quiroga Advogados recount relevant environmental, social and governance (ESG) developments both globally and regionally. The authors then detail Brazil’s patchwork of laws and regulations with ESG resonance, notwithstanding Brazil’s comparatively nascent stage of ESG maturity. Significantly, the authors observe how traditional compliance infrastructure can provide a valuable foundation for ESG matters, including as to written policies, training, risk assessments, due diligence and monitoring.
- Chapter 24: relatedly, a team from Morrison & Foerster LLP – Ruti Smithline, Hayley Ichilcik, James M Koukios, Stephanie Pong and Lauren Navarro – delves deeply into ESG’s social pillar (the ‘S’), broadly encompassing companies’ relationships with stakeholders including employees, suppliers, customers and others. The authors review several frameworks for measuring associated progress, such as the UN Sustainable Development Goals, and then explore relevant legal developments in Brazil, Chile, Colombia, Mexico and Peru. In addition, the authors highlight important considerations for companies in addressing the social pillar, concluding that those doing so effectively may enjoy a competitive advantage, especially as new ESG-related legal regimes emerge.
Companies throughout the region (and world) naturally find themselves in different places in their compliance journeys. There is understandably a learning curve when it comes to compliance programmes, and companies often are learning in real time, as are prosecutors.
As this book illustrates, compliance is a continuing process of assessing risks in a dynamic environment amid ever-increasing regulatory expectations, and then crafting, implementing and refining strategies to mitigate these risks. Building effective compliance programmes and respecting the relevant laws help us to reach the desired destination, but these programmes and laws are the means and not the end.
On behalf of all the contributors, we sincerely hope that this book can serve as a valuable resource to the many compliance professionals, lawyers, business executives, board members, advisers, investors and others making this essential journey.
Andrew M Levine
Debevoise & Plimpton LLP
 Andrew M Levine is a partner at Debevoise & Plimpton LLP.
 US Department of Justice, ‘Deputy Attorney General Lisa O. Monaco Gives Keynote Address at ABA’s 36th National Institute on White Collar Crime’ (28 October 2021), https://www.justice.gov/opa/speech/deputy-attorney-general-lisa-o-monaco-gives-keynote-address-abas-36th-national-institute.
 US Department of Justice, Criminal Division, ‘Evaluation of Corporate Compliance Programs’ (June 2020), https://www.justice.gov/criminal-fraud/page/file/937501/download.