The Evolution of Compliance: How Did We Get Here?
Corporate compliance is the focus of many corporations around the world these days, but compliance has not always been a priority. In the United States, compliance programmes have transformed during the past five decades from a passive, reactive approach to a proactive approach that seeks to harness big data to monitor and ensure compliance. This new decade favours an approach that considers not only traditional aspects of effective compliance programmes, but also incorporates new elements such as behavioural science, social responsibility and societal benefits.
The United Nations, the Organisation for Economic Co-operation and Development (OECD), the World Bank and other multilateral organisations have sought to promote compliance programmes as part of economic development. The United States and other nations have similarly incorporated law enforcement cooperation and compliance enhancement as part of their diplomatic strategies. These efforts have slowly taken hold. Prior to 2014, there was minimal awareness pertaining to corporate governance in Latin America. Operation Car Wash, the largest anti-corruption investigation in Brazil, which spread across the region, was a catalyst for Latin American countries to focus their attention on compliance and its effects.
This chapter reviews the evolution of compliance from the 1970s until today in the United States and Latin America. It traces how compliance programmes have evolved from being considered a luxury to becoming a necessity, especially for leniency in corporate prosecutions.
1970s and 1980s: accounting compliance and accountability
In the United States, the 1970s was a decade riddled with scandal. An investigation by the US Securities and Exchange Commission (SEC) revealed that hundreds of US companies – including some of the most widely known and respected – bribed foreign officials to further their business interests. Corporations across a wide range of industries chose to remediate mistakes internally instead of correcting and reporting the errors. In response, the Foreign Corrupt Practices Act (FCPA) was signed into law in December 1977.
In the 1980s, there was an emphasis on ethics, specifically in the defence and healthcare industries, that required government contractors to adhere to stringent rules. It was not until a decade later, as corporations began to be held liable and be prosecuted for the criminal acts of their employees and agents, that corporations paid greater attention to proactive compliance programmes. Before this, corporate compliance was largely addressed passively through codes of conduct and value statements that were provided to employees or hung on walls but carried little weight.
1990s: expansion of corporate liability
In the United States, corporate criminal liability can be traced back to respondeat superior, a legal doctrine commonly used in tort law. Respondeat superior requires that corporations take responsibility for the acts of their employees and agents if the acts occur within the scope of employment or agency, even if contrary to organisational policy and training. Under early case law, a corporation was considered to be a legally fictitious entity, incapable of forming the mens rea necessary to commit a criminal act. The Supreme Court ultimately rejected this notion in 1909 in New York Central & Hudson River Railroad v. United States. (Notably, this concept of a legal person not being subject to criminal liability was also recognised in most civil code countries. As discussed below, that legal doctrine is also changing in countries such as Brazil, Argentina and Colombia.)
The modern notion of corporate criminal liability was established in United States v. Hilton Hotels Corp. This case established that corporations can be liable for the criminal activity of their employees and agents even if the employee or agent acted contrary to the corporation’s policies or an officer’s direction, as long as the employee or agent acted within the scope of his or her apparent authority and with the intent – even if only in part – to benefit the corporation.
Despite a corporation’s best efforts to prevent criminal conduct within the organisation, corporate prosecution could bring forth financial and reputational ruin, as well as negatively affecting the morale of the corporation’s employees.
To address this institutional vulnerability and incentivise corporations to exemplify good corporate citizenship, as well as to provide a means to rehabilitate corporations that have engaged in criminal conduct, the United States Sentencing Commission developed the Federal Sentencing Guidelines for Organizations (the Organizational Guidelines). These Guidelines signalled to corporations that the corporate code of conduct and value statements established decades ago were no longer sufficient by themselves to reduce penalties. The Guidelines recognise that an effective compliance programme is necessary to prevent and deter corporate criminal activity.
Federal Sentencing Guidelines for Organizations
The Federal Sentencing Guidelines for Organizations apply to corporations, partnerships, non-profit entities, workforce unions, government units, pension funds and trusts. They address two key elements of sentencing: just punishment and deterrence. Just punishment intends to justly reflect the offender’s degree of blameworthiness; deterrence offers incentives for organisations to detect and prevent criminal acts. These Guidelines lay out the minimum criteria for an effective corporate compliance programme, under which an organisation must:
- establish standards and procedures to prevent and detect crime;
- provide oversight by high-level management, typically the board of directors;
- exercise due care in delegating substantial discretionary authority;
- establish effective communication and training for all employees;
- monitor, audit and report suspected wrongdoing, and periodically evaluate the effectiveness of the ethics and compliance programme;
- promote and consistently enforce the corporate compliance programme by incentivising use of the established mechanisms, and disciplining employees who commit crimes or fail to take reasonable steps to prevent or detect criminal conduct; and
- take reasonable steps to respond to criminal conduct once it has been detected and to prevent further criminal conduct.
Corporate compliance programmes
The most effective compliance programmes are those tailored for particular companies. However, a typical programme includes the key elements required by the Organizational Guidelines. In practical terms, the following are necessary: the endorsement and commitment of senior management, the appointment of a responsible officer to run the programme, risk assessment, relevant policies and procedures, training, certification of compliance with the rules and procedures of the programme, internal financial controls, due diligence of business partners, reporting mechanisms, investigation protocol, a progressive discipline policy, periodic auditing, monitoring, assessments of effectiveness and trend analysis. The Guidelines deliberately do not address the implementation of compliance programmes to provide organisations with the flexibility to design a programme that is best suited to their needs and particular industry.
Corporate compliance programmes are likewise important because of the liability a corporation and its officers can face. In re Caremark established a duty at the board of directors level to ensure companies had reporting systems in place to detect, prevent and mitigate violations of law. Courts view the Organizational Guidelines as powerful incentives for corporations ‘to have in place compliance programs to detect violations of law, promptly to report violations to appropriate public officials when discovered, and to make prompt, voluntary remedial efforts’. Officers can breach their fiduciary duty if they intentionally disregard red flags that should alert them to fraudulent activity within their corporation. Note, however, that officers can be civilly liable for unintentional actions as well.
2000s: reaction to financial scandals and economic crisis
The start of the millennium brought fraudulent accounting scandals that resulted in bankruptcy for corporate giants Enron and Worldcom, and Enron’s auditor, accountancy firm Arthur Andersen. Enron and Worldcom were prosecuted for falsifying balance sheets to inflate earnings. These acts eroded investors’ confidence and the Sarbanes-Oxley Act of 2002 (SOX) was enacted to provide investors with a slate of protections from future wrongdoings.
Securities and Exchange Commission
In October 2001, the SEC issued a Report of Investigation and Statement (known as the Seaboard Report) explaining its decision not to take enforcement action against a public company it had investigated for financial statement irregularities. In this Report, the SEC articulated an analytical framework for evaluating cooperation by companies. In respect of compliance programmes, the Report stressed the importance of ‘[s]elf-policing prior to the discovery of the misconduct, including establishing effective compliance procedures and an appropriate tone at the top’ and ‘[r]emediation, including dismissing or appropriately disciplining wrongdoers, modifying and improving internal controls and procedures to prevent recurrence of the misconduct, and appropriately compensating those adversely affected’.
Sarbanes-Oxley Act of 2002
The United States Congress soon saw an opportunity to include compliance measures in legislation born out of a series of financial crises. SOX is a federal law that addresses corporate fraud. Named after its sponsors, Senator Paul Sarbanes, D-Md and Congressman Michael Oxley, R-Ohio, SOX is primarily enforced by the SEC, and its main goal is to increase corporate responsibility and protect investors. Many companies in Latin America have sought access to the US capital markets and, as a result, have become familiar with SOX compliance.
SOX holds corporate officers responsible for transparent and accurate financial accounting and timely reporting of violations. The Act mandates that chief executive officers and chief financial officers acknowledge responsibility for the accuracy, documentation and submission of all financial reports to the SEC. Management is responsible for internal control of financial records and flaws within this reporting. SOX requires corporations to develop, communicate and enforce formal data security policies for all financial data that is stored and used. Corporations must document, continuously update and remain compliant with SOX requirements. SOX also mandates annual audits and requires external auditors to attest that a corporation’s internal controls regarding financial records are appropriate. Both results of annual audits and certification by management and attestation by external auditors must be made available to stakeholders.
SOX also includes a provision that protects whistle-blowers at publicly traded companies. The provision encourages internal reporting by prohibiting retaliation against a whistle-blower who provides information, causes information to be provided, or assists in an investigation of any conduct that the whistle-blower reasonably believes should be reported to the SEC.
Before the first decade was out, the United States suffered another financial crisis. In response, the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (Dodd-Frank) was enacted. A major goal of Dodd-Frank was to protect the US economy from the collapse of financial institutions, such as was experienced in 2007 and 2008.
Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010
Dodd-Frank significantly reformed regulatory schemes by improving accountability and transparency in corporate accounting in an effort to promote financial stability. The Act forced improvements in corporate governance, such as executive compensation review, clawback and other provisions.
This law also expanded on the whistle-blower protections created under SOX. Section 1057 of Dodd-Frank expanded the SOX protections to create a private cause of action for whistle-blowers in the financial industry, lowered the burden of proof to prevail on a claim, extended the statute of limitations and rewarded prospective whistle-blowers.
The most significant change in Dodd-Frank is that it amends the Securities Exchange Act of 1934 to provide a ‘bounty’ system for prospective whistle-blowers. The amended provisions financially reward whistle-blowers who voluntarily report to the SEC ‘original information’ that leads to a successful recovery by the SEC as it relates to a violation of securities law. A whistle-blower is eligible for an award of between 10 per cent and 30 per cent of the collected monetary sanctions in excess of US$1 million. The amended provision incentivises whistle-blowers to report directly to the SEC at the same time as they report to the company through internal channels.
The Dodd-Frank protections apply to publicly traded companies, subsidiaries and affiliates. Whistle-blowers are protected when providing information about, or refusing to participate in, activity reasonably believed to be a violation of law under the SEC’s jurisdiction. The burden of proof necessary to prevail is also reduced under Dodd-Frank. To prevail, the whistle-blower must show by a preponderance of the evidence that protected conduct contributed to retaliation against the whistle-blower. To defeat the action, the employer must demonstrate by clear and convincing evidence that the employer’s action against the whistle-blower would be the same even if the employee had not reported the activity. The provision also prohibits pre-dispute arbitration, except when it is set forth in collective bargaining agreements.
Whistle-blower provisions, as well as the prosecution of Arthur Andersen in the midst of the Enron scandal, moved the focus to the internal workings of an organisation. In part as a result of the collapse of Arthur Andersen following its prosecution, the corporate prosecutorial strategy of the US Department of Justice (US DOJ) shifted from the punishment of corporate conduct to the reform of corrupt corporate cultures. One way to assess a corporation from the inside out is through an external corporate monitor.
Corporate monitors are now relatively common, but the US DOJ required one for the first time in 2008. Corporate monitors are required in a particular case as part of a plea or deferred prosecution agreement, usually when the US DOJ or the SEC (or both) believe that the company’s compliance system is not adequately developed or mature. A corporate monitor is responsible for developing, maintaining and monitoring a corporation’s compliance programme. As part of its Principles of Federal Prosecution of Business Organizations, the US DOJ considers corporate compliance programmes when making charging decisions.
2010s: voluntary disclosure and government enforcement of compliance
The 2010s highlighted a concerted effort to export compliance through public and private enforcement. In the United States, regulatory agencies created policies to incentivise corporations to develop effective compliance programmes, and corporations have increasingly understood the benefit of compliance. In fact, corporations without effective compliance programmes may suffer significant penalties. Organisational and regulatory agency guidance assists companies in developing and monitoring the effectiveness of compliance programmes, which, in turn, assesses risks and increases the likelihood of voluntary disclosure of violations. A summary of some of the more significant guidance is below.
OECD Good Practice Guidance on Internal Controls, Ethics, and Compliance
In 2010, the OECD adopted good practice guidance to establish and ensure the effectiveness of compliance programmes and internal controls to detect and prevent foreign bribery in international business transactions. The guidance is similar to the components of effective compliance programmes in the United States and ‘recognises that to be effective, such programmes or measures should be interconnected with a company’s overall compliance framework’.
Guidance on compliance
In 2020, the US DOJ and SEC updated their jointly issued 2012 guidance that made clear that in exercising judgement, prosecutors will look to determine whether the company had a compliance programme in place and whether there was a commitment by the company to make effective use of such a programme. The US DOJ further elaborated on this guidance in its FCPA Corporate Enforcement Policy. A strong demonstration of a company’s compliance programme can help to change the structure of a resolution, moving it from a criminal charge to a deferred prosecution agreement, and can reduce the compliance obligations, such as for an external monitor. Moreover, even if a company is charged with a criminal violation of the FCPA, the Organizational Guidelines, which have considerable influence on the ultimate penalty imposed, provide for a mitigation of penalties if a company can demonstrate that the violation occurred in spite of an effective compliance programme. These Guidelines apply to all corporate criminal conduct and not just FCPA violations.
US DOJ compliance guidance
Corporations have been rewarded for effective compliance programmes for decades, but the US DOJ’s updated compliance programme guidance announced in November 2021 pressures corporations to ensure their compliance programmes are strong. The new guidance focuses on individual responsibility and accountability. The US DOJ takes a wider view of companies’ past wrongdoing, requires more detailed information on individuals related to actions in question and allows for the broader use of corporate compliance monitorships. Companies will need to be able to demonstrate their internal efforts to detect, prevent and mitigate fraud should an issue come to light.
Harnessing big data: the rise of data analytics in compliance programmes
Compliance is a top priority for corporations today, and they are now harnessing internal data to monitor employees and increase the effectiveness of compliance programmes. Data analytics help compliance personnel within corporations to identify patterns that human beings cannot recognise, improve the way risk is managed and respond quickly to developing compliance issues. Of course, data analytics are only as effective as the data inputs and analytical outputs, so although this technique is a useful tool, it is not a replacement for a well-integrated compliance programme.
Soft skills and integrity
This new decade ushers in an approach that considers not only traditional aspects of effective compliance programmes, but also incorporates social responsibility and societal benefits. The new approach requires corporations to move beyond the letter of the law or actions within corporate policy, and view compliance as a benefit for society.
Environmental, social and corporate governance factors
A corporation’s financial performance drives its business decisions. Corporate officers focus on hard numbers to determine success. The new approach asks these officers to look beyond the data and to environmental, social and corporate governance (ESG) factors to strengthen financial performance and compliance. ESG factors, such as how a corporation responds to climate change, how effective health and safety policies are at preventing accidents, and how good the corporation is at building trust and fostering innovation, are not traditionally calculated in a financial analysis, but adherents are advocating that they have relevance and financial impact.
ESG is different from the movement to motivate corporations to be more socially responsible. Unlike social responsibility, which examines what corporations will not do (such as sell firearms), investors evaluate a corporation’s ESG to understand its purpose and value. Using this information, investors make decisions about where to invest. For this reason, the financial effects of ESG factors can be significant.
Renewed focus on anti-corruption and coordination among national enforcement authorities
In 2021, the Biden administration conveyed its focus on anti-corruption efforts, established that anti-corruption is a national security interest, and issued the first ever US Strategy on Countering Corruption (the Strategy). The Strategy is a five-pillar framework:
- modernising, coordinating and resourcing US government efforts to fight corruption;
- curbing illicit finance;
- holding corrupt actors accountable;
- preserving and strengthening multilateral anti-corruption architecture; and
- improving diplomatic engagement and leveraging foreign assistance resources to advance policy objectives.
This framework reflects the government’s broader-lens approach to understand and stop corrupt activity and signals increased scrutiny for corporations.
Shortly after the Strategy was issued, the OECD adopted a comprehensive series of recommendations for Member States and for OECD Anti-Bribery Convention signatories to integrate into their legal frameworks to combat foreign bribery of public officials. The recommendations include strengthening enforcement of foreign bribery laws, addressing the demand side of foreign bribery, enhancing international cooperation, introducing principles on the use of non-trial resolutions in foreign bribery cases, incentivising anti-corruption compliance by companies, and providing comprehensive and effective protection for reporting persons.
One trend that the pandemic has reinforced is the cooperation among national enforcement authorities and across borders. Multinational corporations must be prepared for investigation by jurisdictional authorities as well as coordination among other enforcement officials as parallel inquiries proceed.
Compliance in Latin America
As has been noted, until the beginning of the 2010s, compliance was merely a secondary concern for companies in Latin America, seen as a superfluous investment with uncertain incomes. Even for companies subject to international anti-corruption laws, such as the FCPA and UK Bribery Act, compliance was often in place just as a paper programme without sufficient human and financial resources.
However, this situation began to change at the end of 2014 with the launch of Operation Car Wash. Although Brazil passed its anti-corruption law (the Clean Company Act) in late 2013, Operation Car Wash was the decisive turning point that transformed the fight against corruption in Brazil and across Latin America. As a result, the perception of the need for compliance policies also changed.
Operation Car Wash is the most extensive anti-corruption investigation in Latin America, focused on bribery schemes surrounding infrastructure projects and involving a series of construction companies, public officials and politicians. It is a cross-border investigation that exposed the corruption of public officials from several Latin American countries in addition to Brazil, including Argentina, Chile, Colombia, Dominican Republic, Ecuador, Mexico, Panama, Peru and Venezuela.
The compliance notions in Latin America were modified by two main elements of Operation Car Wash. The first was the fact that media attention put a red flag on investments in the region, which required a change of approach, especially by Latin American companies, to recover market confidence. The second was the international cooperation in investigations, resulting in multilateral agreements with rigid clauses, promoting the ‘regulation by enforcement’ in compliance rules.
With Operation Car Wash, several cross-border violations became public and resulted in close cooperation between Brazilian and foreign authorities. Three leading cases that led to cooperation between the US DOJ, the SEC and Brazilian authorities were Petróleo Brasileiro SA (Petrobras), Eletrobras – Centrais Elétricas Brasileiras SA (Eletrobras) and Construtora Norberto Odebrecht SA (Odebrecht). In all three cases, companies were subject to FCPA regulations as well as Brazil’s Clean Company Act since they are public entities listed on the New York Stock Exchange or had conducted business in the United States.
In addition to strengthening dialogue and cooperation between countries to build a global anti-corruption environment, these cases introduced new preventive, mitigation and disciplinary measures, creating a cross-regulation by enforcement. The imposition of corporate monitors is a clear example of innovation gained from this cooperation. A dual monitorship (i.e., the appointment of monitors from the United States and Brazil) was included in the settlement agreed between the US authorities and Odebrecht. Although it was not provided as a sanction in most Latin American compliance legislation, this alternative is currently on the radar of the local authorities.
On 1 February 2021, after 79 action plans (or their so-called phases with their hand-picked names), Operation Car Wash was formally dissolved as a task force. However, the remaining, related and upcoming corruption cases will continue to be closely investigated under the leadership of the permanent team called Special Group for the Fight Against the Organized Crime of the Federal Public Prosecutor’s Office. Some members of the former group, including its head, have transitioned to the special group.
Ultimately, Operation Car Wash put a spotlight on the weakness of compliance regulation and enforcement in Latin America, which resulted in a call for change. The response was the disruption of the current schemes and a movement to establish control measures. In Brazil, for example, participation in public tenders requires having a robust compliance programme addressing non-interference with the competitive nature of public tenders.
Through extensive enforcement, Brazilian legislation has become a reference in Latin America and the basis of newly enacted laws in the region, such as Mexico’s General Law of Administrative Responsibility of 2016 and Argentina’s Corporate Criminal Liability Law of 2018.
Compliance guidelines in Brazil
Although inspired by the FCPA, Brazil’s Clean Company Act is broader in certain respects than the US requirements, extending to local officials and conduct against public administration, such as fraud in the public tender process and bid rigging.
The Clean Company Act forbids direct and indirect, active and passive bribery of local and foreign public officials, including the concealment and the use of intermediaries to engage in bribery. It also forbids fraud in public bids and obstruction of government investigations. It imposes civil and administrative strict liability for violations by an entity’s directors, officers, employees and agents when acting on behalf of the entity.
While the Clean Company Act outlines specific corruption violations, it was its supplementary law (Decree No. 8420), issued in 2015, that provided details about corporate liability, penalties and mitigating measures – including fines, public disclosure of violation and debarment from contracting with government entities for violations. Besides setting benefits relating to collaboration in investigations through leniency agreements, Decree No. 8420 provides for the existence of an effective compliance programme as the primary defence and mitigating measure.
Decree No. 8420 defines a compliance programme as a set of internal integrity and audit mechanisms, policies and guidelines to detect and remedy deviations, fraud, irregularities and unlawful acts committed against national or foreign public administration, and procedures for reporting irregularities and effectively enforcing codes of ethics and conduct. According to Decree No. 8420, a compliance programme must be tailored, implemented and updated following the peculiarities and risks of the entity, and to ensure its continuous improvement and effectiveness.
To be considered as a defence, a compliance programme will be evaluated according to several parameters, as outlined by Decree No. 8420:
- Tone at the top: the commitment of senior management, including board members, who must show unequivocal and public support for the compliance programme.
- Implementation of internal policies: standards of conduct, codes of ethics, integrity policies and procedures shall apply to all employees and managers regardless of their position or function.
- Third-party policies: policies for hiring, selecting and monitoring of third parties, due diligence procedures and risk matrix. In addition, third parties must be provided with the code of ethics and other applicable standards of conduct in force at the company.
- Training: periodic training that is tailored to the target audience.
- Periodic risk assessment: regular risk analysis to identify risks and to implement improvements.
- Internal control: accurate and precise accounting records and information, and maintaining effective internal controls for financial reports and statements.
- Specific policies concerning interaction with public officials: specific policies and procedures to prevent fraud and illicit conduct relating to bidding processes, execution of contracts with public entities, obtaining licences, and other interaction with public officials, including interactions intermediated by third parties.
- Responsible officer: independence, sufficient powers and adequate human and financial resources available to the internal body responsible for the implementation and enforcement of the compliance programme.
- Reporting channels: effective channels for reporting violations, based on non-retaliation and confidentiality, which shall be clearly and widely disclosed to employees and third parties.
- Disciplinary measures: policies on internal investigations and enforcement of disciplinary measures for violations.
- Remediation and mitigation: procedures that ensure the prompt interruption of violations when they are detected and the timely remediation of the damage generated.
In October 2015, the Office of the Comptroller General in Brazil (CGU) – a leading enforcement agency of the Clean Company Act – published its Integrity Programme: Guidelines for Legal Entities (the CGU Guidelines). These Guidelines summarised the requirements from Decree No. 8420 in ‘five pillars’ of the Integrity Programme:
- the commitment of senior management;
- an internal department responsible for the Integrity Programme;
- profile and risk analysis;
- the structuring of rules and instruments; and
- continuous monitoring strategies.
Besides the Brazilian legislation, the CGU Guidelines reference the UK’s Bribery Act Guidance, the OECD’s Good Practice Guidance on Internal Controls, Ethics and Compliance, the UN’s An Anticorruption Ethics and Compliance Programme for Business: A Practical Guide, the US Sentencing Commission’s Guidelines Manual and The Complete Compliance and Ethics Manual published by the Society of Corporate Compliance and Ethics.
Compliance guidelines in Colombia
Following the enactment of Brazil’s Decree No. 8420, Colombia, Mexico, Peru and Argentina also provided specific compliance standards. In general, those provisions are very similar to the FCPA and Brazil’s Clean Company Act, but with particular nuances concerning the extension of requirements, enforcement and gradation of mitigation for liability.
On 2 February 2016, Colombia enacted Law 1778 (the Transnational Corruption Act), in which anti-corruption mechanisms are set as relevant criteria for calculating penalties for violations. According to the Transnational Corruption Act, private companies that maintain transnational businesses and act under the supervision of the Colombian Superintendence of Corporations shall adopt compliance programmes, which shall provide internal anti-corruption mechanisms, audit policies and preventive measures, and promote transparency.
Similar to Decree No. 8420, Colombia enacted Resolution No. 100-000003 (the Transnational Corruption Act Compliance Guidelines), on 26 July 2016, to guide the implementation of compliance programmes, based on three basic principles:
- The compliance programme shall be tailored based on the particular risks of each entity. Accordingly, risk assessment must be undertaken based on (1) transparency risks from the country involved in the transnational operation, (2) the specific sector – taking into consideration that energy, infrastructure and healthcare require stronger controls – and (3) the level of interaction with third parties.
- Senior management shall endorse a commitment to a culture of ethical behaviour and lead measures to avoid transnational bribery and other corrupt violations.
- Control mechanisms, due diligence procedures and periodic audits should be established to ensure the effective detection of violations and undertaking of mitigation actions.
Following these principles, the compliance programme shall:
- provide written compliance policies, and the code of conduct shall summarise and detail all relevant standards of conduct provided in those policies. The policies shall be translated into the language of the countries with which the company maintains transnational transactions;
- ensure wide disclosure of the compliance programme and clear communication of its requirements;
- conduct robust and periodic risk assessment concerning the hiring of third parties (due diligence) and performance of the compliance programme;
- train employees and assign responsibility, including members of senior management and boards, to detect, prevent and mitigate violations;
- implement internal control mechanisms and audit procedures to ensure precise accounting records and information; and
- require specific formal commitments concerning ethics, audit rights and termination from high-risk third parties.
To expand compliance guidelines beyond transnational operations, Colombia’s Secretary of Transparency introduced a Register of Active Companies in Anti-Corruption (EAA) to promote internal best practice and prevent corruption. The EAA uses nine categories to assess the compliance programmes of private entities:
- risk assessment;
- corporate organisation and responsibilities;
- policies tailored to specific high-risk areas;
- the programme’s implementation;
- financial and internal controls;
- communication and training;
- human resources policies;
- reporting of policy procedures; and
- compliance programme audit system.
Recently, following OECD guidelines, Colombia has enacted two new provisions to enhance monitoring and enforcement. First, on 16 October 2020, Colombia enacted Decree No. 1,358, which provides for the debarment of companies convicted of corruption from public procurement procedures and public finance sources. In addition, on 26 June 2021, Colombia enacted Decree No. 830, which includes specific guidelines related to politically exposed persons (PEPs), as well as certain reporting obligations for, and the establishment of, a public registry of PEPs.
Compliance guidelines in Mexico
The wave of change to Mexico’s legal framework against corruption started with the Constitutional Reform of 7 February 2014, which introduced transparency obligations relating to the access of information. Then, the launch of the National Anticorruption System on 27 May 2015 resulted in the enactment of a series of anti-corruption provisions.
In addition, on 18 July 2016, the General Law of Administrative Responsibility (GLAR) was enacted with the purpose of outlining compliance obligations. GLAR is very similar to Brazil’s Clean Company Act and prohibits the payment of bribes to public officials, bid rigging, improper interference in public procurement processes and contracts, and other corruption violations.
Similarly to the Brazilian and Colombian legislation, GLAR establishes that a compliance programme may be a mitigating factor of liability, provided it meets the following minimum requirements:
- to provide clear information about the organisational structure and reporting lines;
- to establish and widely disclose a code of conduct, which shall include and detail standards of ethics and procedures;
- to provide adequate control, compliance and audit systems to support regular and periodic reviews of the performance of the compliance programme;
- to maintain robust hotline channels, both internally and outside the entity, and policies on investigation proceedings and disciplinary measures;
- to conduct periodic training;
- to provide human resources staff with policies and training to prevent the hiring of high-risk individuals; and
- to provide mechanisms to enhance transparency within the entity.
On 1 July 2020, the United States–Mexico–Canada Agreement (USMCA) entered into force, replacing the North American Free Trade Agreement (NAFTA) and creating a new landmark in the regional fight against corruption. Unlike NAFTA, USMCA has a chapter establishing obligations on anti-corruption efforts to benefit the three parties alike, entitled ‘Transparency and anti-corruption’, whose primary drive is to fight corruption in international trade and investment. In addition, it provides a detailed framework for preventing and combating corruption and for internal controls. It requires the countries to adopt, maintain and enforce anti-corruption measures aimed at criminalising failures regarding books and records accounting provisions and other corporate governance aspects, and it determines proper whistle-blower protections to be put in place.
Compliance guidelines in Peru
The Peruvian anti-corruption legislation (the Corporate Administrative Liability Law) was enacted on 1 April 2016 as a corporate liability extension of the crime of corruption provided in the Criminal Code.
Under the Corporate Administrative Liability Law, the existence of an effective compliance programme can exempt an entity from penalties for a corruption violation. An effective compliance programme as outlined by the Law is significantly more straightforward than those required by legislation in other Latin American countries.
According to the Corporate Administrative Liability Law, to be regarded as ‘an effective preventive mechanism’, the compliance programme shall:
- properly map and identify an entity’s activities and procedures concerning risks of corruption, money laundering and terrorism, and other violations provided in the Criminal Code;
- establish preventive policies and procedures;
- identify management, audit and accounting policies and procedures that may prevent corruption violations; and
- provide reporting mechanisms, investigative protocols and disciplinary measures.
Compliance guidelines in Argentina
Law No. 27401 (the Corporate Criminal Liability Law) was enacted on 2 March 2018 to join Latin America’s efforts against corruption. It provides for local and transnational corruption violations, including bribery of public officials, fraudulent negotiations of public contracts, and fraudulent accounting reports and statements.
Under the Corporate Criminal Liability Law, an investigated entity that is proven to have an effective and appropriate compliance programme may be exempt from penalties. To qualify for the waiver, the compliance programme shall provide (1) periodic risk assessment and policy review, (2) support from senior management, (3) hotline mechanisms, (4) whistle-blower protection policies, (5) internal investigation protocols, (6) third-party due diligence process and procedures, (7) due diligence policies and procedures for corporate transactions, (8) periodic and continuous monitoring, and (9) assignment of a responsible officer to take charge of implementation and supervision.
Compliance guidelines in Chile
Unlike many Latin American countries affected by Operation Car Wash, Chile has chosen not to create a specific anti-corruption law. On 2 January 2009, Chile enacted Law No. 20393 (the Criminal Responsibility of Legal Entities Law), which broadly sets out provisions against money laundering, terrorism financing and bribery.
The Criminal Responsibility of Legal Entities Law sets a ‘crime preventive model’, which must be led by a responsible officer or department (a ‘preventive commissioner’) with an independent reporting line and adequate human and financial resources.
The preventive commissioner will be responsible for identifying risks, setting internal policies and controls, implementing accounting controls and enforcing disciplinary measures.
Other Latin American compliance provisions
Providing adequate treatment of the anti-corruption laws of the 20 countries and six dependencies that comprise Latin America would require a separate book. However, it is noteworthy that Panama and, recently, Costa Rica have also enacted laws providing compliance guidelines. Other countries, such as Guatemala and Uruguay, define corruption violations in their criminal codes but do not provide details on compliance requirements. However, most countries follow international compliance guidelines, such as the OECD’s Good Practice Guidance on Internal Controls, Ethics and Compliance.
Another step forward for corporate integrity in Latin America was the OECD decision, disclosed on 25 January 2022, to open discussions with Argentina, Brazil and Peru regarding their accession to OECD membership.
The fact that accession was also opened to three key Latin American countries may have a significant impact on the region’s economic growth, as it can result in a gigantic legislative advance for the entire area and attract investors. However, the process will be tough, and a long road lies ahead before it is concluded. An individual roadmap for the detailed assessment process will now be prepared, provided the countries confirm their adherence to the values, vision, and priorities reflected in the OECD’s 60th Anniversary Vision Statement and the Ministerial Council Statement (the OECD Statement) adopted last year. The OECD Statement includes the organisation’s primary values, such as individual liberty, democracy, rule of law preservation and protection of human rights, and the value of open trading, competitive, sustainable and transparent market economies. OECD members also have to commit to promoting sustainable and inclusive economic growth and their goals to tackle climate change, including halting and reversing biodiversity loss and deforestation.
The process will include a rigorous and in-depth evaluation by more than 20 technical committees of the candidate country’s alignment with OECD standards, policies and practices. As a result of these technical reviews, changes to the candidate countries’ legislation, policy and practices will be required to align with OECD standards and best practices, thus serving as a powerful catalyst for reform. Therefore, it is expected that Latin America will start adopting several legislative reforms to comply with the requirements.
Future in sight
The closure of Operation Car Wash is emblematic for Latin America by representing what the last decade meant for the fight against corruption in the region. However, the covid-19 pandemic evidenced that, although Latin America has undoubtedly made advances in the fight against corruption, the mere existence of a new legal panorama is not enough to prevent violations from arising, particularly in scenarios of large-scale and urgent public procurement procedures. Therefore, while the 2010s outlined the new legal framework for the fight against corruption in Latin America, the new decade will stake a claim for effectiveness, public governance, social responsibility and sustainability.
In Brazil, according to data released by the Federal Police in early January 2021, between April and December 2020, a total of 65 Federal Police operations (20 per cent of the 315 operations carried out in 2020) were launched to investigate the misuse of public funds intended to restrain the covid-19 pandemic’s effects – in particular, concerning the acquisition of health-related provisions, such as personal protective equipment, ventilators and other necessary supplies.
Likewise, other Latin American countries have launched investigations concerning the misappropriation of covid-19 funds involving high-level public officials, such as the Colombian Minister of Agriculture, the Bolivian Health Minister and the Ecuadorian Health Ministry.
Aside from all the challenges it has presented, the covid-19 pandemic showed there were easy-to-implement alternatives to increase transparency and public spending controls, especially technological tools. The use of solutions based on open data and fraud analytics has brought positive experiences both as a remote solution for negotiations during the pandemic and as a definitive accountability solution.
A significant example was the increase in e-procurement platforms and open contracting to facilitate bidding processes and increase compliance. The adoption of initiatives such as the Open Contracting Data Standard (OCDS) – created by the global advocacy network Open Contracting Partnership – demonstrates that technological tools can increase transparency and decrease bureaucracy in public procurement processes. The OCDS creates clear and detailed standards for monitoring procurement processes, allowing careful oversight of these procedures’ compliance and transparency. In Latin America, OCDS has already been adopted by Chile, Colombia and Paraguay.
Brazil and Colombia have developed fraud analytics platforms to leverage various datasets from multiple sources to flag corruption risks in government contracting. In Brazil, the Tender and Bidding Analyzer (Alice) is a Federal Audit Court tool to mine public procurement documents and identify inconsistencies. It captures the information from public bidding notices available on the federal government’s system to screen vulnerabilities and red flags. Similarly, the Colombian Comptroller General’s Office has implemented a contractual data centre platform named Océano, an analytics tool to cross-check information from public procurement online databases and detect possible irregularities. Through Océano, the Colombian Comptroller General’s Office has identified suspicious transactions led by certain city councils on health emergency-related contracts, which resulted in fraud investigations.
Although Latin America certainly has structural issues that make the fight against corruption challenging, including dealing with the effects of the covid-19 pandemic, it is clear that the region has been taking steps to ensure that the past decade’s progress is not lost. Still, the region demonstrates room for implementing disruptive solutions, which can help Latin America drive cultural transformation in public and corporate integrity and transparency.
Currently, the leading hot topic from a compliance perspective is the evolution from compliance programmes into ESG (environmental, social and corporate governance) structures that will likely lead debates about corporate integrity in the following years.
In Latin America, the introduction of ESG as a requirement is being driven by international private companies and financial institutions concerned with reputation, ethical endeavours and the impact of their transactions. Although legislative development in this regard is still under debate in certain countries and agencies and has begun to be implemented in others, the discussion on OECD accession may prompt the countries to adopt straightforward ESG directives more quickly.
In the United States and Latin America, compliance began with a focus on rules-based systems and employee training. Over time, government agencies have required, and corporations have realised, that compliance programmes serve as proactive measures to detect and prevent corruption. The evolution of compliance has gone from a poster on the wall to a dynamic programme that involves all members of an organisation and its investors. Compliance is no longer about simply following the letter of the law. The bar is being raised ever higher and, in addition to government agencies watching over misbehaviour and cooperating across the region, media, investors, potential business partners and other stakeholders are ever-more watchful. Compliance is now evolving beyond simple legal compliance to a consideration of societal benefits and a holistic ESG approach.
 Peter Spivack and Isabel Costa Carvalho are partners at Hogan Lovells. The authors gratefully acknowledge the considerable assistance of Cintia Rosa and Jessica Bigby, associates at Hogan Lovells.
 See Chapter 13, ‘The Advantages of a Robust Compliance Programme in the Event of an External Investigation’.
 212 US 481 (1909).
 467 F.2d 1000 (9th Cir. 1973).
 US Sentencing Commission, Guidelines Manual, § 8 (November 2018), https://www.ussc.gov/guidelines/2018-guidelines-manual.
 The following is an example of an industry-specific compliance programme. The Office of Inspector General (OIG) for the US Department of Health and Human Services issued a series of voluntary compliance programme guidance documents specifically tailored to the healthcare industry. The initial guidance, issued in 1997, applied to clinical laboratories, seeking to safeguard them from fraud and abuse. A year later, the OIG issued guidance aimed at hospitals, nursing homes, durable medical equipment suppliers and third-party billers. The 1998 guidance supports the development and use of internal controls to promote compliance with applicable US federal and state law, federal and state programme requirements, and private health plans. The model compliance programme should, as a minimum, include: written policies and procedures that emphasise a commitment to compliance; designation of an officer charged with the development and monitoring of compliance programme training for all employees; a hotline to receive complaints; policies and procedures to ensure the anonymity of complainants and to protect whistle-blowers from retaliation; audits or a similar mechanism to monitor compliance and to detect and prevent crime; and disciplinary policies to address potentially criminal misconduct. See Federal Register, Vol 63, No. 35, February 23, 1998, https://oig.hhs.gov/authorities/docs/cpghosp.pdf.
 698 A.2d 959 (Del. Ch. 1996).
 id., at 982.
 McCall v. Scott, 239 F.3d 808, 819 (6th Cir. 2001).
 id., at 817 (‘unconsidered inaction can be the basis for [officer] liability because . . . ordinary business decisions . . . can significantly injure the corporation and make it subject to criminal sanctions’); but see Dellastatious v. Williams, 242 F.3d 191, 196 (4th Cir. 2001) (holding that officers can avoid liability by making a good-faith effort to have a reporting system).
 ‘SEC Issues Report of Investigation and Statement Setting Forth Framework for Evaluating Cooperation in Exercising Prosecutorial Discretion’ (2001), https://www.sec.gov/news/headlines/prosdiscretion.htm.
 This system is similar to that used in the Federal False Claims Act since its modernisation in 1986, with the express intent of increasing the incentives to report violative conduct to the US government.
 In fiscal year 2019, approximately 480 whistle-blower tips came from outside the United States, including Latin America. US SEC, 2019 Annual Report to Congress on the Dodd-Frank Whistleblower Program, Appendix C, https://www.sec.gov/files/sec-2019-annual%20report-whistleblower%20program.pdf.
 See Chapter 22, ‘External Compliance Monitorships’.
 See United States v. Siemens Aktiengesellschaft, Case No. 08-CR-367-RJL (D.D.C. 2008).
 ‘A Resource Guide to the US Foreign Corrupt Practices Act’, https://www.justice.gov/criminal-fraud/file/1292051/download. (Key updates in 2020 guidance include a new definition of ‘instrumentality of a foreign government’ and a non-exhaustive list of factors to determine (1) whether an entity is controlled by the government, and (2) whether the entity performs a function that the government treats as its own, that the court articulated in United States v. Esquenazi, which involved a state-owned enterprise when designing its compliance programmes; further limits to FCPA’s ‘local laws defence’; and a clarification that the statute of limitations is five years for violations of anti-bribery provisions, but six years for violations of the accounting provisions. There are also revisions that are not changes but rather indications that DOJ and SEC continue to emphasise the importance of companies conducting pre-acquisition due diligence. DOJ and SEC also are still taking an expansive view of their jurisdiction over foreign companies and individuals for conspiracy and aiding and abetting offences, and companies’ compliance efforts must reflect this.)
 The updated Guide also incorporates new principles and resources that inform DOJ’s corporate enforcement decisions. DOJ continues to follow the department’s long-standing Principles of Federal Prosecution of Business Organizations, which provide factors to be ‘considered in conducting an investigation, determining whether to charge a corporation, and negotiating plea or other agreements’. New to those factors is ‘the adequacy and effectiveness of the corporation’s compliance program at the time of the offense, as well as at the time of a charging or resolution decision’. In addition, the updated Guide includes the Anti-Piling On Policy, which influences how DOJ and SEC ‘strive to avoid imposing duplicative penalties, forfeiture, and disgorgement for the same conduct’, https://www.justice.gov/criminal-fraud/page/file/937501/download.
 The costs of compliance failures have continued to ratchet up. In 2020, DOJ and SEC announced record-breaking penalties for FCPA violations. In January 2020, a major aerospace defence contractor agreed to pay US$3.9 billion in global penalties for foreign bribery and International Traffic In Arms Regulations (ITAR) violations. Nine months later, in November 2020, a major investment bank was charged with a US$2.9 billion joint DOJ and SEC enforcement action for FCPA violations including conspiracy to violate the FCPA anti-bribery provisions, internal accounting controls, and books and records provisions of federal securities laws. The investment bank allegedly engaged in a conspiracy to pay more than US$1.5 billion to multiple high-level officials. Notably, although the investment bank had a comprehensive anti-corruption and compliance programme, the DOJ and SEC found its internal controls to be deficient because both high- and low-level employees were able to circumvent the controls and engage in corrupt activities.
 US Sentencing Commission, Guidelines Manual, Section 8 (November 2018), https://www.ussc.gov/guidelines/2018-guidelines-manual.
 For Latin American countries and other countries that wish to do business with the US government, the Federal Acquisition Regulation (FAR) establishes other requirements. The FAR prioritises ethics and compliance throughout the federal procurement process, from solicitation to execution of the awarded contract, and embodies the US government’s policy of dealing with only ‘presently responsible’ contractors. Government contractors must develop and maintain a compliance programme within 30 days of award. The programme must be in writing, available to all employees on the contract, and contain mechanisms to report violations; further, violations must be reported in writing to the contracting officer or the Office of Inspector General for the US Department of Health and Human Services in a timely manner. Solicitations and contracts expected to exceed US$5.5 million in value and 120 days in performance are required to include the Contractor Code of Business Ethics and Conduct clause in the documentation. To be compliant with the FAR, it is not enough to conduct only due diligence. The FAR views compliance programmes as a good judge of a government contractor’s character and an effective compliance programme may lead to contract awards. There is also no excuse for omitting a required clause in contracting documents. The Christian Doctrine states that if the FAR requires a clause to be in a contract, it is considered a requirement regardless of whether it is actually in the contract. In 2015, seven years after mandating compliance programmes, the FAR added a human trafficking requirement relevant to government contracting overseas. Supplies acquired and services performed overseas in excess of US$500,000 require that contractors certify compliance and monitoring of human trafficking issues. Importantly, government contractors may be liable for the actions of all contractors, subcontractors and agents
 The Biden administration also committed to rooting out corruption in Latin America by forming the Northern Triangle Anticorruption Task Force. This task force investigates and prosecutes asset recovery related to corruption through FCPA enforcement, counter-narcotics prosecutions, and the Kleptocracy Asset Recovery Initiative, which focuses on recovering assets gained from foreign corruption and prosecuting money laundering.
 ‘Since the covid-19 outbreak, different jurisdictions have constructively enacted and promulgated laws, regulations, acts and orders to ensure that they are sufficient to strengthen supervision over the implementation of compliance on enterprises and individuals within each jurisdiction . . . the promulgation of these laws and regulations also provides guidance to companies while encountering cross-border investigations and responding to the law enforcement movement from other jurisdictions from different perspectives.’ https://globalinvestigationsreview.com/review/the-asia-pacific-investigations-review/2022/article/china-related-cross-border-government-investigation-after-the-covid-19-pandemic.
 See also Chapter 22, ‘External Compliance Monitorships’.
 See the Phase 3 Two-Year Follow-up Report: Colombia, which assesses the progress made by the country concerning the implementation of the OECD anti-bribery convention and the actions it needs to adopt to comply with it fully (https://www.oecd.org/daf/anti-bribery/Colombia-phase-3-follow-up-report-en.pdf).
 See Agreement between the United States of America, the United Mexican States, and Canada, Chapter 27, Article 27.3.
 See Chapters 23 (‘Compliance as a Foundation for ESG Oversight’) and 24 (‘ESG in Latin America and the Rise of the Social Pillar’) of this guide.