Brazilian anti-corruption authority updates its Corporate Compliance Program Guidelines

New guidance includes implementing proactive risk management and defining management and control practices with an emphasis on ESG.

It has been 10 years since the Brazilian Law N.º 12,846/2013 (Brazilian Anti-Corruption Law or BACL) came into force, establishing the strict liability of companies for corrupt acts against national and foreign government officials.

At the time, there were many doubts about whether the BACL would be highly enforced in Brazil. The outcome of Operation Car Wash solidified the law’s authority by raising over BRL 20 billion ($4.1 billion) and resulting in the arrest of high-level executives and significant Brazilian public figures.

Proactive approach to fighting corruption

The Brazilian General Comptroller’s Office (Controladoria-Geral da União, CGU), as the internal control body of the Brazilian Federal Government, coordinated actions against corruption alongside domestic authorities and adopted a proactive approach to fighting corruption, enhancing its collaboration with foreign law enforcement agencies.

As part of its proactive approach, in 2015, CGU launched the Compliance Program: Guidelines to Private Entities (Programa de Integridade, Diretrizes para Empresas Privadas), providing valuable information on the concept of a compliance program in accordance with the Brazilian Anti-Corruption Law and its regulations, specifically at that time: Federal Decree No. 8,420/2015. The CGU guidelines were issued as non-binding and did not create any rights or guarantees in potential legal proceedings.

Initially, CGU established five essential pillars for an effective corporate compliance program under the parameters of the Brazilian Anti-Corruption Law:

  • (i) commitment from senior management;
  • (ii) an independent compliance department;
  • (iii) periodic risk assessments;
  • (iv) specific policies and procedures; and
  • (v) continuous monitoring.

Additionally, CGU emphasized the organization’s commitment to providing regular training and communication of relevant compliance policies and procedures to its stakeholders. Furthermore, an independent compliance reporting channel with a reliable procedure for enforcing the program was considered fundamental to ensuring its effectiveness.

CGU kept its proactive approach by issuing the Practical Guide to Evaluating Compliance Programs (Manual Prático de Avaliação de Programa de Integridade em PAR) in 2018. CGU recognized that while Federal Decree No. 8,420/2015 established parameters for evaluating compliance programs, it did not provide detailed guidance on how to conduct these assessments.

Also, CGU acknowledged that the BACL grants each body and entity of the executive, legislative, and judicial branches the authority to enforce the law, resulting in a significant number of potential individual evaluators. Thus, CGU aimed to bring objectiveness and minimize discrepancies among the compliance program assessments conducted by different government authorities.

New guidance for effective compliance programs

In the past 10 years, significant changes have occurred in the Brazilian anticorruption framework, mainly the enactment of Federal Decree No. 11,129/2022, replacing the former Federal Decree No. 8,420/2015 in July 2022; and, the regulation of Law No. 14,133/2021 (known as Brazilian New Procurement Law), which encourages companies doing business with public administration to implement compliance programs since April 2021. (For more information, please see our previous article, Ten years of the Brazilian Anti-Corruption Law).

New ESG considerations

Considering these significant changes in the Brazilian anti-corruption framework and the growing consensus that compliance programs should encompass environmental, social, and governance (ESG) topics, CGU has recently released an updated version of its guidelines for private entities, titled Compliance Program: Guidelines for Private Entities Vol. II. (Programa de Integridade, Diretrizes para Empresas Privadas Vol. II). Although dated from August 2024, CGU only published it on October 15, 2024.

Essential pillars of compliance

The new guide highlights the well-known reasons for implementing an effective compliance program, such as the reduction of monetary penalties in case of violations, proactive risk management, reduction of operational costs, and lower likelihood of fraud and corruption.

Regarding the essential pillars of a compliance program, in addition to the support of senior management through the adequate allocation of resources to the compliance program as determined in the Federal Decree No. 11,129/2022, CGU emphasizes the importance for every company, regardless of its size and complexity, to have a clearly defined management and control structure, with roles and responsibilities that are well defined and available to stakeholders.

CGU stressed that well-structured corporate governance ensures integrity within the organization by specifying each role and the individual’s responsibilities. Likewise, CGU establishes that all legal entities, regardless of their size and complexity, must have accurate books and records.

While the CGU is not introducing a new concept regarding the importance of corporate governance and precise books and records, it does impose a heightened level of compliance scrutiny on non-publicly traded companies in Brazil, as the BACL applies to all types of legal entities. According to official Brazilian government data, as of September 2024, there are over 21 million legally registered entities in the country. The vast majority, nearly 14 million, are sole proprietorships, followed by approximately 7 million limited liability companies (LLCs).

Publicly traded companies account for only about 200,000 of the active legal entities registered in Brazil. Although the CGU guidelines are non-binding and do not create any rights or guarantees in potential legal proceedings, their emphasis on corporate governance and books and records can enhance transparency and security when conducting business with sole proprietorships and LLCs in the country.

In comparison to the previous guide, CGU not only emphasizes the importance of conducting regular compliance risk assessments but also highlights the need for a structured approach to risk management. Moreover, CGU provides a range of practical examples of violations of the Brazilian anti-corruption framework that go beyond the payment of undue advantages. Among these examples are ;

  • (i) the purchase of reports containing confidential information extracted from the Brazilian Federal Revenue’s internal systems;
  • (ii) obstructing oversight activities through the alteration of product formulas and labels, as well as fraud in laboratory testing; and
  • (iii) irregularities in guarantees offered in credit operations with state-owned banks.

Policies and procedures

In relation to policies and procedures, the CGU emphasizes the necessity of conducting a preliminary risk assessment to implement a tailored program. Additionally, the CGU incorporates ESG concerns into the scope of compliance policies and procedures, along with issues of moral and sexual harassment—topics that have primarily been addressed by HR departments in the past.

Furthermore, aligned with Federal Decree No. 11,129/2022, CGU provides detailed information on how to conduct adequate due diligence for hiring risky third parties (brokers, consultants, and sales representatives), politically exposed persons, and granting donations and sponsorships. The new guide provided information on databases maintained by the Brazilian government to provide public access to records of companies that have been subject to legal sanctions or are in violation of regulations.

KPIs

Lastly, the CGU recommends key performance indicators (KPIs) for compliance to support the requirement for continuous monitoring. For example;

  • (i) the number of employees trained on the company’s compliance policies during the year;
  • (ii) the average time (in days) taken to conduct internal investigations;
  • (iii) the percentage of business partners hired without following the compliance due diligence process; and
  • (iv) the percentage of action plans defined by internal and/or external audit that have been completed.

Brazil has been facing criticism from international organizations to demonstrate that what happened in the last decade, particularly Operation Car Wash, was not in vain. However, CGU’s proactive approach to enforcing proceedings against foreign bribes has been appreciated in the international community. (For more information, please see previous article, Past positives no guarantee of a better future as Brazil battles bribery).

As the country tries to move forward, the implementation of these guidelines may reflect a significant step toward fostering a compliance culture within both public and private sectors.

Cláudia Massaia has significant experience in corporate compliance with recognition in Chambers Brazil 2022 and Chambers Global 2023. She holds a dual Master’s degree (LLM) in Corporate Compliance and Banking, Corporate, and Finance from Fordham University.