By Laura Mallet and Layon Lopes*
A compliance program aims to establish procedures, through the definition of internal rules and processes, that prevent illicit acts from being committed by the company or by its customers as users of its services. It also aims to establish internal norms and rules for observing legislation or the requirements of a regulatory body, in a way that demonstrates that the company acts properly with regard to the obligations imposed on it by law or the risks of its segment.
The implementation of a compliance program becomes more important as each company evolves and as the market grows more concerned about the investments to be made and the commercial deals to be closed.
To be effective and bring benefits to the company which is implementing it, a compliance program in Brazil must follow the same steps usually carried out all around the world. It is necessary to diagnose the company scenario through the analysis of its risk exposure regarding the market in which it is inserted, its commercial strategies, its size and contingency history, among other things. With that information collected, the compliance program must be structured in a way that protects the company and mitigates its risks.
In Brazil, the needs and goals of a compliance program are the same as anywhere else, following global best practices. Even though the process of implementing a compliance program is similar to that in other jurisdictions, it still has its peculiarities regarding Brazilian culture, environment, and laws.
Therefore, this paper will demonstrate the process for implementation of a compliance program in a company and some legislation that must be followed and observed in compliance programs in companies in Brazil.
Compliance Program Implementation
- Analysis and Identification of the Company’s Scenario
Due to its goal and position in the corporate structure, the compliance department or, if it does not exist, the internal legal department must be responsible for leading the implementation by identifying potential risks and weaknesses, taking into consideration:
- the size of the company;
- the complexity of its business;
- the corporate governance;
- the market where it operates;
- the company’s purpose and values;
- the commercial strategy;
- the history of contingencies; and
- regulatory requirements, if applicable.
Based on this and other information, it will be possible to perform the analysis and measure the company’s exposure to risk, which enables the definition of the scope that must be addressed in the compliance program.
- Planning of the Compliance Organizational Structure
The definition of the compliance structure to be implemented within a company depends on the result of the analysis previously performed, the risk appetite, and the identification of the main risks inherent to the company’s business. This information makes it possible to identify the number and complexity of the demands that will need to be handled during the implementation of the compliance program.
The compliance department must, considering the result of the analysis, identify the compliance structure that is suitable and sufficient to meet the company’s needs.
For regulated companies, which need to follow the requirements imposed by regulatory agencies for their operation, as well as for startups, which have expansive growth and seek a competitive differential to receive investments, the structuring of compliance through a specific internal area is also recommended.
As to the other types of companies, depending on their size and values, their operating segment, their commercial and operational strategies, and the complexity of the activity and of the market in which they operate, compliance may be structured by strategic professionals from the areas of higher risk for the company or through a compliance committee linked to the board of directors, acting independently of the company’s other departments.
We emphasize that for compliance to be effective and fulfill its role of ensuring the compliance and safety of the companies’ processes, regardless of the defined structure, it must be implemented as a department autonomous from the other departments of the company. This includes any type of compensation linked to the achievement of goals by the compliance department or any other manner that has the purpose of encouraging the compliance department to fulfill its attributions. This is because the implementation of the adequacy measures, as well as the definition of the rules of conduct and the identification and reporting of any deviations, must be defined independently, without any type of partiality or conflict of interest.
- Planning the Compliance Program
Also, based on the risk analysis performed, it will be possible to define which rules and procedures must be part of the compliance program to be implemented within the company. In addition, if the company performs a regulated activity, the regulatory agencies and their norms and requirements applicable to the company’s activity must be identified.
Market best practices show that the most efficient way to start implementing a compliance program is to issue and publish compliance policies on themes related to the operation and risks of the company, defining principles, guidelines and procedures to be followed, and implementing, demonstrating and disclosing the measures taken to mitigate any related risks.
Prior to the preparation of the compliance policies, the C-levels must be made aware of the program and their support obtained, with the purpose of encouraging compliance with the program by the other employees of the company, who are the ones that will, in fact, put the program into practice and must respect it.
The Code of Ethics and Conduct must be prepared and implemented as a document that will serve as a basis for the conduct of all those interested and involved in the company’s activity. The guidelines stipulated in the Code of Ethics and Conduct must be considered in the development of other compliance documents, since those guidelines indicate the general rules related to the conduct of the company and its employees.
- Effectiveness of the Compliance Program
As part of the structuring and planning of the compliance program, implementation procedures must be applied, such as controls and channels aimed at the effectiveness of the program, with the main purpose of establishing a compliance culture in the company. This seeks to establish, in a manner transparent to all those involved, the added value of the compliance program, preventing it from being seen as a bureaucratic structure of mere papers with formalized procedures that are not observed or executed in practice.
To do so, the compliance area, together with the company’s management, must ensure:
- the commitment of the C-levels to the defined rules of conduct and procedures, through their observance, support and encouragement of the other employees – if there is no commitment of the C-levels, why would the hierarchical levels below commit themselves?
- the possibility of involvement of the company’s employees in the implementation of the procedures, through the identification and reporting of weaknesses, combined with suggestions for the structuring of new procedure routines;
- the engagement of all the company’s employees, so that they absorb the determined procedures and follow the defined rules of conduct, passing on the instructions to the new employees that will join the company, identifying flaws and reporting violations; and
- the supervision of its implementation, not only by the compliance area, but by all the company’s employees, who must supervise their peers, besides their subordinates.
The above may be achieved through continuous training of the employees and routines implemented through internal communication that encourages their adoption, or through external training on specific themes, such as the prevention of money laundering.
It is also worth mentioning that it is essential to implement an anonymous channel for denunciations and whistleblowers, which allows violations and complaints to be reported by the company’s employees, as well as by suppliers and clients, without their feeling compelled to identify themselves, generating an incentive for internal inspection alongside the continuous monitoring of the compliance routine by the compliance department. For the correct treatment of the identified complaints and vulnerabilities, formal procedures of internal investigation are essential, ensuring assertiveness in the application of the sanctions due to the violators, to demonstrate the strength, importance and applicability of the compliance program implemented.
Brazilian Legislation that you must know if your company is coming to Brazil
- Brazil’s Clean Company Act 2014 – Anticorruption
The only Brazilian law that explicitly mentions the development of a compliance program is Brazil’s Clean Company Act 2014 (Law Nº 12.846), which has the goal of preventing acts of corruption by imposing strict liability on companies that engage in domestic or foreign bribery. In this case, the compliance program is taken into account in the sanction that will be applied and is able to reduce that sanction.
The Act is clear when it states that the company must have internal compliance procedures that encourage whistleblowing by employees, as well as an effective Code of Ethics and Conduct, policies, and rules with the goal of identifying fraud, irregularities and illicit acts against the public administration. That is, the compliance program must follow the rules indicated in Brazil’s Clean Company Act 2014 to be considered sufficient to justify a sanction reduction.
- Labor Law and Trade Union
Moreover, labor law must be considered in a compliance program for companies in Brazil. That is because employment rights are strict and each profession has its own trade union attached to it, which means that it is not enough to follow the rules laid down by labor law; the company must also follow the trade union norms, which can even prevail over Brazilian labor law.
That means that the non-observance of the trade union norms can also lead to a litigation risk. Also, depending on the size of the company, there will be more than one trade union, each one with different norms that the company must comply with.
- Regulatory Norms
Lastly, attention must be paid to regulatory norms for fintech companies and financial institutions. Depending on the activity of the company, it can be regulated by BCB – Banco Central do Brasil (Central Bank of Brazil) or CVM – Comissão de Valores Mobiliários (Securities and Exchange Commission of Brazil), for example.
A company whose activities are regulated by any of these regulatory bodies must have authorization to act in Brazil. The authorization process imposes many requirements regarding the implementation of a compliance program, to ensure and guarantee that the company will follow the law related to the security of its activity. As an example, the main internal compliance policies required to be presented to the regulatory bodies concern money laundering prevention, data privacy and cyber security, among other things.
Besides the legislation mentioned above, there are several other requirements imposed by Brazilian law that companies must comply with to mitigate their risks.
If your company is starting its operations in Brazil and intends, from the beginning, to implement a compliance program to mitigate risks, contact us at Silva Lopes Advogados.
* Layon Lopes is the CEO of Silva | Lopes and Laura Mallet is a member of the Silva | Lopes team.