How to build a compliance program in Brazil?

A compliance program is important for mitigating risk. In Brazil, as in other countries, companies must comply with the law to mitigate risk and secure their position in the market.


By Laura Mallet and Layon Lopes*

A Compliance Program aims to establish procedures to prevent the occurrence of illicit acts committed by the company or by its customers as users of its services, through the definition of internal rules and processes. It also aims to establish internal norms and rules for observing legislation or the requirements of a regulatory body, in a way that demonstrates that the company acts properly with respect to the obligations imposed on it by law or the risks of its segment.

Implementation of a Compliance Program in Brazil

The implementation of a compliance program becomes more important as each company evolves and as the market grows more concerned about the investments to be made and the commercial deals to be closed.

For the compliance program to be effective and bring benefits to the company which is implementing it, the same steps usually carried out all around the world must be considered. It is necessary to diagnose the company scenario through the analysis of its risk exposure regarding the market in which it is inserted, its commercial strategies, its size and contingency history, among other things. With that information collected, the compliance program must be structured in a way that protects the company and mitigates its risks.

In Brazil, the needs and goals of a compliance program are the same as anywhere else. Even though the process of implementing a compliance program is similar to that in other jurisdictions, it still has its peculiarities relating to Brazilian culture, environment, and laws.

For the compliance program to be effective and bring benefits to the company that is implementing it, some steps must be considered:

  1. Analysis and Identification of the Company’s Scenario 

The first step for an effective compliance program is understanding and identifying the potential risks and weaknesses of the operation, which must be carried out taking into account:

  • the size of the company;
  • the complexity of its business;
  • corporate governance;
  • the market in which it operates; 
  • the company’s purpose and values;
  • the business strategy;
  • the history of contingencies; and,
  • regulatory requirements.

With this and other information, it will be possible to perform the analysis and measure the company’s risk exposure, which enables the definition of the scope that should be addressed in the compliance program.

Given its purpose and position in the corporate structure, we recommend that the internal legal department join with risk management professionals, who should be responsible for leading this step.

  2. Planning the Compliance Organizational Structure

The compliance structure to be implemented in a company depends on the result of the analysis previously carried out, the risk appetite, and the identification of the main risks inherent to the company’s business. These determine the number and complexity of the demands that will need to be handled once it is implemented; there is no predetermined or model structure.

Those responsible for the implementation should, based on the result of the analysis, identify an appropriate compliance structure that is sufficient to meet the company’s needs.

For regulated companies, which need to comply with the requirements imposed by regulatory bodies for their operation, as well as for startups, which have expansive growth and seek a competitive advantage to receive investments, it is recommended to structure compliance through a specific internal area.

As for other types of companies, depending on their size, the values identified, the segment of activity, the commercial and operational strategy, as well as the complexity of the activity and the market in which they operate, the compliance structure may range from the strategic involvement of professionals in the areas of greater risk to the company to a compliance committee linked to the board of directors, acting independently.

We emphasize that, for compliance to be effective and fulfill its role of ensuring the compliance and security of companies’ processes, regardless of the defined structure, it must be implemented autonomously from other areas, including with respect to any type of remuneration linked to the achievement of goals or otherwise intended to encourage the compliance area to fulfill its duties. This is because the implementation of compliance measures, the definition of the rules of conduct, and the identification and reporting of any deviations must all be handled independently, without any kind of partiality or conflict of interest.

  3. Planning the Compliance Program

The risk analysis performed also makes it possible to define which rules and procedures should be part of the compliance program to be implemented within the company. In addition, if the company carries out a regulated activity, the regulatory bodies and the resolutions and requirements applicable to the company’s activity should be identified.

The best market practices show that the most efficient way to start implementing the compliance program is by drafting and publishing compliance policies on topics related to the company’s operation and risks. These policies define the principles, guidelines and procedures to be followed, and implement, demonstrate and disclose the measures taken to mitigate any related risks.

Before the compliance policies are drafted, the support of Senior Management should be sought and obtained, in order to encourage adherence to the compliance program by the other employees of the company, who are the ones who will actually put the program into practice and must respect it.

The Code of Ethics and Conduct must also be prepared and implemented. This document will serve as a basis for the conduct of all stakeholders and others involved in the company’s activity, and for the construction of other compliance documents, since it sets out, in broad terms, the general measures related to the conduct of the company and its employees, so that the company can address the specific risks through other policies.

  4. Effectiveness of the Compliance Program

As part of the structuring and planning of the compliance program, procedures, controls and channels aimed at the effectiveness of the program should be implemented, with the main purpose of establishing a culture of compliance in the company. The aim is to make the added value of the compliance program transparent to all involved, so that it is not seen as a bureaucratic structure of mere paperwork that formalizes procedures which are not observed or executed in practice.

To this end, the compliance area, together with the company’s management, must ensure:

  • the commitment of top management to the rules of conduct and procedures defined, through their observance, support and encouragement to other employees – if there is no commitment from top management, why would the hierarchical levels below commit?;
  • the possibility of involving other employees in the implementation of procedures, through the identification and reporting of weaknesses, combined with suggestions for structuring new procedural routines;
  • the engagement of all employees of the company, so that they absorb the determined procedures and follow the defined rules of conduct, passing on the instructions to new employees who will join the company, identifying failures and reporting violations; and,
  • the supervision of its implementation, not only by the compliance area, but by all employees of the company, who should supervise their peers, in addition to their subordinates.

The above can be achieved through both continuous training of employees and implemented routines, either through internal communication that encourages their adoption or through external training on specific topics, such as the prevention of money laundering.

It is also worth mentioning that it is essential to implement an anonymous reporting channel, which allows the company’s own employees, as well as its suppliers and customers, to submit reports of violations and complaints without feeling compelled to identify themselves. This creates an incentive for internal oversight and supports continuous monitoring by the compliance area of adherence to the implemented routines. For the correct treatment of the complaints and vulnerabilities identified, it is essential to have formal internal investigation procedures, ensuring assertiveness in the application of sanctions to violators, in order to demonstrate the strength, importance and applicability of the compliance program implemented.


Important laws and regulations in Brazil

Next, we outline some of the legislation that compliance programs at companies in Brazil must follow and observe.

The only Brazilian law that explicitly mentions the development of a compliance program is Brazil’s Clean Company Act 2014 (Law Nº 12.846), which aims to prevent acts of corruption by imposing strict liability on companies that engage in domestic or foreign bribery. In this case, the compliance program is taken into account in determining the sanction to be applied, and can reduce that sanction.

The Act is clear in stating that the company must have internal compliance procedures that encourage whistleblowing by employees, and an effective Code of Ethics and Conduct, policies, and rules aimed at identifying fraud, irregularities and illicit acts against the public administration. That is, the compliance program must follow the rules indicated in Brazil’s Clean Company Act 2014 to be considered sufficient to justify a sanction reduction.

Moreover, labor law must be considered in a compliance program for companies in Brazil. Employment rights are strict and each profession has its own trade union, which means that it is not enough to follow the rules of the labor law; the company must also follow the trade union norms, which can even prevail over Brazilian labor law.

That means that the non-observance of the trade union norms can also lead to a litigation risk. Also, depending on the size of the company, there will be more than one trade union, each one with different norms that the company must comply with.

Lastly, attention must be paid to regulatory norms for fintech companies and financial institutions. Depending on the activity of the company, it can be regulated by BCB – Banco Central do Brasil (Brazil’s Central Bank) or CVM – Comissão de Valores Mobiliários (Brazil’s Securities and Exchange Commission), for example.

A company whose activities are regulated by any of these regulatory bodies must have authorization to operate in Brazil. The authorization process imposes many requirements regarding the implementation of a compliance program, to ensure that the company will follow the law related to the security of its activity. As an example, the main internal compliance policies that must be presented to the regulatory bodies concern money laundering prevention, data privacy, and cyber security, among other things.

Besides the legislation mentioned above, Brazilian law imposes several other requirements that companies must comply with to mitigate their risks.


*Layon Lopes is the CEO of Silva | Lopes and Laura Mallet is a member of the Silva | Lopes team.