What the Brazilian authorities expect of an effective compliance programme
July 2016 | EXPERT BRIEFING | FRAUD & CORRUPTION
Law n. 12,846/2013, known as the Brazilian Clean Company Act (BCCA), entered into force in early 2014. It is a landmark for the development of corporate compliance in the country and brings relevant incentives to the adoption of integrity rules. Under the BCCA, the existence of an effective compliance programme can be considered a factor for reducing fines to be paid by companies that violate its provisions.
The new legal framework is still in a formative stage and therefore Brazil’s controlling bodies do not have a sound track record on the evaluation of compliance programmes. But major companies are running to put their own programmes in place in order to benefit from the BCCA. While some of them can adapt and use the policies and procedures of their headquarters abroad, where compliance concerns started to be addressed much earlier than in Brazil, others must begin their programme from scratch. In both cases, however, understanding the criteria to be used by Brazilian public bodies while assessing their programmes is important.
The parameters for assessing compliance programmes were recently detailed by presidential decree n. 8,420/2015, which regulates the BCCA. Neither the BCCA nor the decree makes it a legal requirement for companies to have a programme. While the BCCA brings the possibility of a reduction to applicable penalties if the company has an effective programme in place, the decree sets forth the criteria to be considered by authorities to evaluate it.
Following that, the Brazilian Office of the Comptroller General (CGU), the former body in charge of internal control of the federal public administration (recently replaced by the ministry of transparency, inspection and control), released its ‘Guidelines for Integrity Programmes of Legal Entities’, containing relevant information on how companies should build their policies and procedures. Another important initiative by the federal government was the pró-ética (for ethics seal) database, where companies that demonstrate high ethical standards are accredited and allowed to use the seal of the programme. Although they do not have a legal character, both initiatives by the federal government represent a relevant indication of the grounds on which it will assess the existence and efficiency of integrity programmes.
The decree, the guidelines and the pró-ética standards are the main reference for companies when it comes to understanding what Brazilian authorities expect to find in their compliance programmes. The parameters contained in such documents are well summarised in the seven pillars of the pró-ética, as detailed below.
Top management commitment
The engagement of top level managers is essential for every relevant project and the same is true for compliance programmes. Those held responsible for managing the organisation must constantly reinforce the message that the programme is here to stay. The pró-ética guidelines list some different ways of demonstrating top management commitment to the programme, such as including the subject in their speeches, showing they are aware of the company’s ethical values and policies, discussing the effectiveness of integrity actions as a permanent agenda in meetings between top management and with other middle managers, and adopting applicable corrective measures if there are signs of irregularities.
It is important, however, for senior management to emphasise and demonstrate by means of examples and actions that any breach of the company’s principles and existing anti-corruption legislation will not be tolerated, even if it results in the company missing out on business opportunities.
Compliance internal body
The decree lists the independence, structure and authority of the internal body in charge of implementing and managing the integrity programme as paramount for its success. Such a body must be independent and have enough material, human and financial resources for its effective operation. Besides, access to the company’s highest decision-making officers and bodies must be guaranteed. It is also important that employees of the compliance body are protected against arbitrary punishment for the regular performance of their duties.
Policies and procedures
An effective compliance programme depends heavily on the existence of express rules that are binding on all employees. Such rules are essential to support decisions by managers and to demand ethical behaviour from everyone in the company and also from third parties acting on its behalf.
Such policies and procedures must be preceded by a thorough risk assessment that will show which are the most sensitive areas demanding express rules. The creation of a code of conduct is essential, where the company’s values and ethical principles are inserted. Further, the company must cascade down such principles into the most suitable policies and procedures in practice.
The guidelines list the following examples of policies to mitigate compliance risks: a policy for interacting with the public sector; a policy on offering hospitality and gifts to national or foreign public officials; a policy on accounting controls; a policy on contracts with third parties; and a policy on donations and sponsorship, among others. However, the convenience of implementing one or more of these policies will be better assessed after a risk analysis is conducted.
Communication and training
Once there is a programme in place, the company must make sure that all employees, board members and third parties are aware of its content. Every individual in the company must be trained on the guidelines of the integrity programme.
The communication can be made through messages from senior management, as well as face-to-face or online training sessions. Such sessions should be tailored according to the specificities and risks presented by each department. For example, those in charge of public bids should receive training about the policy on interaction with public authorities, and those in charge of procurement must have specific training about the policy on contracts with third parties. Training must be periodic so employees are constantly updated. Mandatory participation should also be considered by companies.
Carrying out a detailed risk assessment is one of the first steps when designing an effective compliance programme. Understanding the business, the regulatory aspects and the market where the company operates is crucial to map its main interactions and therefore the areas to be tackled. Periodic risk assessments will help the compliance department keep track of new risks.
Monitoring and improvement
A compliance programme is likely to erode if it does not include constant monitoring of its actual application. It must also be periodically monitored to guarantee that all the main risks arising out of the company’s activities are being duly covered. If any gaps in the application of policies and procedures are identified, they must be promptly remedied. Otherwise, their effectiveness will be at risk.
Transparency and social responsibility
It is fairly common to see companies suffer reputational damage as a result of bad choices and a lack of transparency when choosing beneficiaries for donations and sponsorships in Brazil. In many situations the company is well intentioned, but fails to take due care while checking the background of the organisation or individual receiving the resources. The adoption of transparency, background checks and accountability tools is necessary to avoid undesirable involvement with irregular entities or initiatives.
In sum, while providing indications on what an effective compliance programme is, Brazilian federal authorities also add that there is not a single formula for success. In other words, there is no ‘one size fits all’ format. During its elaboration, the company must constantly evaluate the characteristics of its business and its market and then make appropriate adjustments whenever conditions or risks change. In the case of multinational companies, where the use of global policies is common practice, it is recommended that any Brazilian business units consider local legal and cultural aspects in order to guarantee the effectiveness and legality of their programme in Brazil.
Shin Jae Kim, Renata Muzzi and Giovanni Falcetta are partners at TozziniFreire Advogados. Ms Kim can be contacted on +55 11 5086 5276 or by email: email@example.com. Ms Muzzi can be contacted on +55 11 5086 5441 or by email: firstname.lastname@example.org. Mr Falcetta can be contacted on +55 11 5086 5279 or by email: email@example.com.
© Financier Worldwide