Managing anti-corruption compliance risks in Brazil

April 2022  |  EXPERT BRIEFING  | FRAUD & CORRUPTION

financierworldwide.com

 

Ten years ago, Brazil did not have a strong anti-corruption enforcement programme and corruption was an ever-present problem. Often, Foreign Corrupt Practices Act (FCPA) cases had a strong Brazilian element.

It was a scenario that would change in 2014, however, thanks to a massive anti-corruption probe dubbed ‘Operation Car Wash’ which revealed a major corruption scheme in Brazil. Over time it become the largest ever anti-corruption case in terms of fines, the number of people involved and the impact it has had upon other jurisdictions.

Yet the ongoing coronavirus (COVID-19) pandemic has curtailed enforcement efforts. Civil society could not support the cost of the investigation. The prosecutor in charge of Operation Car Wash suffered several setbacks, and the case was dissolved in 2021 during the pandemic.

Critics argue that Brazil has now regressed 10 years. In fact, according to the Corruption Perceptions Index, published by International Transparency, Brazil’s score has not dramatically changed since 1995. In the 2021 rankings, Brazil holds the 96th position out of 180 countries, with a score of 38 out of 100. These figures, while not very different from the other BRIC countries, place Brazil dangerously close to a score of 35 – a grade commonly used to determine whether a country is deemed to be high risk from an corruption perspective, and as a result requires enhanced due diligence with all the associated costs.

A more realistic view suggests that Operation Car Wash has left a legacy which has changed commercial practices and anti-corruption enforcement in Brazil. Today, being arrested for corruption and other white-collar offences is a possibility that did not exist 10 years ago. By itself, such a change in perception has lasting effects on corporate criminality. Moreover, legislation has increased the risk of sanctions for companies. In particular, Law. #12,846, known as the Anti-Corruption Law, passed in 2013, created civil and administrative liability for legal entities and implemented extraterritorial reach for corruption offences. In other words, Brazil adopted an FCPA-style legislation which does not depend on a single actor to be enforced. Among the innovations in the anti-corruption legislation, the compliance defence has incentive companies to implement compliance programmes – if a company has an effective compliance programme, it may qualify for reduced sanctions.

The first question that arises is: what should be considered an effective compliance programme? In this regard, some guidance is provided by Decree #8420/15, in which one of its main chapters provides parameters to assess a compliance programme. An integrity programme, as defined in the decree, is “the group of mechanisms and internal procedures of integrity, audit, and incentive for the report of irregularities, as well as the effective enforcement of the codes of ethics and conduct, policies, and directives with the purpose to detect and remedy deviations, frauds, irregularities, and illicit acts committed against national or foreign public administration”.

Article 42 of Decree 8 420 lists 16 criteria to assess the effectiveness of the integrity programme: (i) commitment of the legal entity’s senior management, including board members, demonstrated by clear and unequivocal support of the programme; (ii) standards of conduct, code of ethics, policies, and integrity procedures that are applied to all employees and administrators, regardless of their position or role; (iii) standards of conduct, code of ethics and integrity policies that are extended, when necessary, to third parties, such as suppliers, service providers, intermediaries and other associates; (iv) periodic training on the integrity programme; (v) periodic analysis of risks in order to implement necessary adjustments; (vi) accounting records that precisely and completely reflect the transactions of the legal entity; (vii) internal controls that assure that reports and financial statements of the legal entity are readily prepared and trustworthy; (viii) specific procedures to prevent fraud and illicit acts within tender processes, in the execution of administrative contracts or in any interaction with the public sector, even if intermediated by third parties, such as the payment of taxes, subjection to inspections or obtainment of authorisations, licences, permits and certificates; (ix) independence, in structure and authority, of the internal department that is responsible for enforcing the integrity programme and monitoring its compliance; (x) channels to report irregularities openly and broadly disseminated among employees and third parties, and mechanisms to protect good-faith whistleblowers; (xi) disciplinary measures enforced against those found to have violated the integrity programme; (xii) procedures that assure the immediate suspension of irregularities or detected infractions and the timely remediation of the damages caused; (xiii) proper due diligence conducted prior to engaging, and depending on the circumstances, to monitor third parties, such as suppliers, service providers, intermediaries and other associates; (xiv) verification, during a merger, acquisition or other corporate restructuring, of any irregularities or illicit acts, or the existence of vulnerabilities in the legal entities involved; (xv) continuous monitoring of the integrity programme to ensure it remains effective at preventing, detecting and otherwise addressing the wrongful acts set forth in article 5 of the Anti-Corruption Law; and (xiv) transparency surrounding donations to candidates and political parties made by the legal entity.

Even though the Anti-Corruption Law provides for an effective defence based on compliance programmes, it does not have a provision dedicated to accounting violations or to flaws in internal controls like the FCPA. The decree covers such aspects as parameters to evaluate compliance programmes. In view of that, companies must create policies and procedures to assure the accuracy of accounting records and internal controls, to be deemed as having an effective compliance programme.

Comptroller General of the Union (CGU) Ordinances #909/15 regulates the decree and clarifies in detail, not only the procedure for evaluating compliance programmes, but also the documents to be produced in an audit or investigation to prove the effectiveness of the programme. Briefly, the legal entity must present a profile report and a compliance report.

Although legal entities are not required to have a compliance programme or to register it, some companies may find it useful to register with the CGU to publicise their internal policy. As an example of the procedure, companies must fill in a questionnaire to help the government understand the compliance programme. After making certain internationally accepted checks, the CGU issues a Pro-Ethics Certificate, a ‘quality certificate’ that proves the company’s commitment to ethics. So far, several large companies have registered their compliance programmes, such as Siemens, Santander, EDP and Johnson Controls Building Efficiency.

Of course, the criteria set by Decree 8 420 must be carefully considered. Good sense is required to decide whether the compliance programme is effective or not. The number of employees, how they are hired, the number of departments, directorships or sectors in the company, the use of intermediaries like consultants or commercial representatives, the market, the state, the degree of interaction with the public sector and the importance of licences and government permits are some of the factors that must be considered.

The Decree also establishes that the integrity programme should be structured, implemented and updated according to the current characteristics and risks of the activities of each legal entity, which, in turn, should ensure continuous improvement and adaptation of the programme to guarantee its effectiveness. This is a relevant provision that emphasises the understanding that compliance programmes must be individualised: that there are no ‘off the shelf’ solutions. A risk assessment should be carried out to evaluate the company’s internal risks, so the compliance programme can be deemed effective.

In practice, depending on these factors, one or more requirements may be waived. Of course, the decision to waive a requirement must be done case by case – a risk assessment may be skipped for smaller companies, and a less thorough assessment may be acceptable for a medium-sized company. Such an assessment is performed by the CGU).

The first step to determine what is or is not needed is to perform an anti-corruption risk assessment. This is basically an exercise to understand the company and the risks to which it is exposed. There are several ways to perform a risk assessment, but most consist of reviewing documents and interviewing relevant people in the organisation.

For example, companies operating in the oil industry must consider the recent history of corruption in the sector in Brazil and assume that the risk is high. The same applies to companies located in geographically problematic regions, as they may be subject to greater political and governmental pressures. By contrast, the risks in the supermarket industry appear smaller, as most consumers are individuals. Even so, it does not mean that the risk of corruption is non-existent.

The risk assessment report must reflect the reality in which the company is operating. There is no ‘one size fits all’ option.

Once the risk assessment is complete, the company’s senior leaders must become involved and endorse the compliance programme, taking it under their wing. In past years, the Brazilian authorities have seen a great number of compliance programmes used to request an attenuation in fines, but they were ineffective in practice, mostly due to the lack of involvement and commitment by company’s leaders. As a result, these companies failed to have their fines reduced.

Once leadership support is secured, the company can move forward to implementing the compliance programme. Based on the findings of the risk assessment, adequate policies, procedures and controls must be written and put into practice. It is highly advisable for multinationals operating in Brazil to adapt their global compliance programme to local conditions. For instance, the definition of corruption may encompass fraud or collusion in public procurement.

The next step is to spread a culture of integrity throughout the organisation, by promoting the policies and the overall ethics. Again, the engagement of leadership is essential for the success of the communication strategy. Sometimes, the company has controls and policies in place, but no one knows them or how to assess them – it is not unheard of that some documents are not even translated into Portuguese, which decreases their effectiveness. That is why the educational aspect of anti-corruption is an important tool for developing corporate culture and spreading awareness.

Finally, companies must implement adequate monitoring mechanisms, as well as agile remediation tools. From a compliance perspective, monitoring consists of assessing whether the compliance programme is being properly implemented. It includes auditing the compliance programme, which applies only to large companies. Regarding remediation, this occurs only when there is a breach of company policy or legislation. Internal investigations are often considered remediation tools, but they also include the company’s response to information received through whistleblowing channels.

In Brazil, managing anti-corruption risks requires not only knowledge of local legislation, but also an understanding of the nuances of compliance in Brazil.

 

Leopoldo Pagotto is a partner at FreitasLeite Advogados. He can be contacted by email: pagotto@freitasleite.com.br.

© Financier Worldwide


BY

Leopoldo Pagotto

FreitasLeite Advogados


©2001-2024 Financier Worldwide Ltd. All rights reserved. Any statements expressed on this website are understood to be general opinions and should not be relied upon as legal, financial or any other form of professional advice. Opinions expressed do not necessarily represent the views of the authors’ current or previous employers, or clients. The publisher, authors and authors' firms are not responsible for any loss third parties may suffer in connection with information or materials presented on this website, or use of any such information or materials by any third parties.