the guide to corporate compliance...quinn emanuel urquhart & sullivan llp 26 external compliance...

THE GUIDE TO CORPORATE COMPLIANCE

SECOND EDITION

EditorsAndrew M Levine, Reynaldo Manzanarez Radilla, Valeria Plastino and Fabio Selhorst

© Law Business Research 2021

The Guide to Corporate Compliance

Second Edition

Editors

Andrew M Levine, Reynaldo Manzanarez Radilla, Valeria Plastino and Fabio Selhorst

Reproduced with permission from Law Business Research LtdThis article was first published in July 2021

For further information please contact [email protected]


PublisherClare Bolton

Deputy PublisherRosie Creswell

Senior Account ManagerMonica Fuertes

Senior Content CoordinatorPawel Frydrych

Head of ProductionAdam Myers

Production EditorSimon Tyrie

SubeditorMartin Roach

Chief Executive OfficerNick Brailey

Published in the United Kingdomby Law Business Research Ltd, LondonMeridian House, 34-35 Farringdon Street, London, EC4A 4HL, UK© 2021 Law Business Research Ltdwww.latinlawyer.com

No photocopying: copyright licences do not apply.

The information provided in this publication is general and may not apply in a specific situation, nor does it necessarily represent the views of authors’ firms or their clients. Legal advice should always be sought before taking any legal action based on the information provided. The publishers accept no responsibility for any acts or omissions contained herein. Although the information provided is accurate as at June 2021, be advised that this is a developing area.

Enquiries concerning reproduction should be sent to Law Business Research, at the address above. Enquiries concerning editorial content should be directed to the Publisher – [email protected]

ISBN 978-1-83862-750-8

Printed in Great Britain byEncompass Print Solutions, DerbyshireTel: 0844 2480 112


v

Acknowledgements

The publisher acknowledges and thanks the following for their assistance throughout the preparation of this book:

Alvarez & Marsal LLP

Andrew Jánszky

Anheuser-Busch InBev

Barbosa Müssnich Aragão

Beccar Varela

Buckley LLP

Camargo Corrêa Infra

Carey y Cía

Debevoise & Plimpton LLP

Demarest Advogados

FerradaNehme

Hapvida

Hogan Lovells

Incode Technologies Inc

Kestener, Granja & Vieira Advogados


Acknowledgements

vi

Lumen Technologies

Maeda, Ayres & Sarubbi Advogados

Mattos Filho, Veiga Filho, Marrey Jr e Quiroga Advogados

Philippi Prietocarrizosa Ferrero DU & Uría

QIL+4 Abogados

Quinn Emanuel Urquhart & Sullivan LLP

Skadden, Arps, Slate, Meagher & Flom LLP

Sullivan & Cromwell LLP

TozziniFreire Advogados

Villarreal-VGF

Vinson & Elkins LLP

Von Wobeser y Sierra, SC


vii

Publisher’s Note

Latin Lawyer and LACCA are delighted to publish the second edition of The Guide to Corporate Compliance.

Edited by Andrew M Levine, a litigation partner at Debevoise & Plimpton LLP, Reynaldo Manzanarez Radilla, a corporate attorney and compliance profes-sional at Incode Technologies Inc, Valeria Plastino, vice president, general counsel and regional compliance officer at Lumen Technologies, and Fabio Selhorst, general counsel, chief integrity officer and chief communications officer at Hapvida, this new guide brings together the knowledge and experience of leading practitioners from a variety of disciplines and provides guidance that will benefit all practitioners.

We are delighted to have worked with so many leading individuals to produce The Guide to Corporate Compliance. If you find it useful, you may also like the other books in the Latin Lawyer series, including The Guide to Infrastructure and Energy Investment and The Guide to Corporate Crisis Management, as well as our jurisdictional references and our new tool providing overviews of regulators in Latin America.

My thanks to the editors for their vision and energy in pursuing this project and to my colleagues in production for achieving such a polished work.


ix

Contents

Introduction ��1Andrew M LevineDebevoise & Plimpton LLP

PART 1: SETTING THE SCENE

1 The Evolution of Compliance: How Did We Get Here? �� 13Peter Spivack and Isabel Costa CarvalhoHogan Lovells

2 Latin America's Compliance Climate Today �� 34Jocelyn E Strauber, Julie Bédard, Lauren A Eisenberg and Mayra SuárezSkadden, Arps, Slate, Meagher & Flom LLP

3 The Implications of Greater Inter-Agency Cooperation �� 70Eloy Rizzo, André Leme, Victoria Arcos and Gustavo Chimure JacomassiDemarest Advogados

PART 2: BUILDING AN EFFECTIVE COMPLIANCE PROGRAMME

4 The Profile of a Successful Compliance Department �� 81Reynaldo Manzanarez RadillaIncode Technologies Inc

5 Developing a Robust Compliance Programme in Latin America �� 93Brendan P Cullen and Anthony J LewisSullivan & Cromwell LLP


Contents

x

6 The Board’s Role in Compliance �� 114Andrew JánszkyAndrew Jánszky

7 Building Effective Internal Communication Channels �� 136 Daniel R Alonso, Andrew P Pennacchia, Benjamin W Hutten and Norma Ramirez-MarinBuckley LLP

8 Employee Compliance Training: Adapting Programmes to Local Laws and Customs �� 155Luis A García CampuzanoVillarreal-VGF

9 Third-Party Due Diligence: Expanding a Compliance Programme to Suppliers and Clients �� 171Palmina M Fava, Zachary Terwilliger, Michael Ward, Jose Sanchez and Natalie CardenasVinson & Elkins LLP

10 How to Conduct Internal Investigations of Alleged Wrongdoing �� 186Adrián Magallanes Pérez and Diego Sierra LarisVon Wobeser y Sierra, SC

11 Embracing Technology �� 202Matt Galvin, Jaime Muñoz and Dheeraj ThimmaiahAnheuser-Busch InBev

PART 3: COMPLIANCE AS A BUSINESS ADVANTAGE

12 Selling Integrity �� 221Maria Ximena Garcia Roche and Jussara Rocha TibérioCamargo Corrêa Infra


Contents

xi

13 Assessing and Mitigating Compliance Risks in the Transactional Context �� 233Andrew M Levine and Erich O GroszDebevoise & Plimpton LLP

14 The Advantages of a Robust Compliance Programme in the Event of an External Investigation �� 247Shin Jae Kim, Renata Muzzi Gomes de Almeida, Giovanni Paolo Falcetta, Karla Lini Maeji, Fabio Rawet Heilberg and Laís Neme Cury Augusto RezendeTozziniFreire Advogados

15 Certification of Ethics: Are They Worth It? �� 266José Quiñones, Evelyn Rebuli, Ignacio Grazioso, Javier Castellan and Luis Pedro MartínezQIL+4 Abogados

16 Compliance as a Foundation for ESG Oversight �� 287Juliana Gomes Ramalho Monteiro, Thiago Jabor Pinheiro and Marcel Alberge RibasMattos Filho, Veiga Filho, Marrey Jr e Quiroga Advogados

PART 4: LEGISLATIVE AND REGULATORY PRESSURE POINTS

17 Anti-Money Laundering and Counter-Terrorist Financing in Latin America �� 301Rafael Collado González, Lucía Álvarez Galvez, Josefa Zamorano Quiroga and Camilo León MillonesFerradaNehme

18 Environmental and Health and Safety Compliance: Avoiding Costly Penalties �� 312Luis Fernando Macías Gómez, Carolina Porras and Alexander Acosta JuradoPhilippi Prietocarrizosa Ferrero DU & Uría

19 Navigating Competition Rules From a Chile Perspective �� 326Lorena Pavic, José Pardo and Benjamín TorresCarey y Cía


Contents

xii

20 Compliance Checks for Avoiding Tax Evasion Fines �� 345Carolina Rozo Gutiérrez and Pamela Alarcón AriasPhillipi Prietocarrizosa Ferrero DU & Uría

21 Demonstrating Compliance with Data Privacy Legislation �� 365Devika Kornbacher, Palmina M Fava, Jessica Heim and Gabriel SilvaVinson & Elkins LLP

PART 5: STAYING COMPLIANT IN HIGHER-RISK INDUSTRIES

22 Working with the Public Sector: How to Say ‘No’ to Bribery in the Oil and Gas and Infrastructure Industries in Brazil �� 381Anna Carolina Malta Spilborghs and José Guilherme BermanBarbosa Müssnich Aragão

23 Risk Management in the Financial Services Industry in Argentina and the Changes Being Adopted �� 392Maximiliano D’Auro and Gustavo PapeschiBeccar Varela

24 Data Privacy and Protection Relating to Healthcare in Europe, the United States and Brazil �� 409Fabio Alonso Vieira and Carolina Barbosa Cunha CostaKestener, Granja & Vieira Advogados

PART 6: TRENDS TO WATCH

25 The Creep of Legislation Targeting Private Corruption �� 427Ben O’Neil, Alexander J Merton, Avi Panth and Isabelle SunQuinn Emanuel Urquhart & Sullivan LLP

26 External Compliance Monitorships �� 444Erica Sellin Sarubbi and Tomás Fezas Vital MesquitaMaeda, Ayres & Sarubbi Advogados

About the Authors �� 459Contributing Firms �� 491


Part 2Building an Effective Compliance Programme


171

CHAPTER 9

Third-Party Due Diligence: Expanding a Compliance Programme to Suppliers and Clients

Palmina M Fava, Zachary Terwilliger, Michael Ward, Jose Sanchez and Natalie Cardenas1

The use of third parties in a company’s efforts to expand its business, whether internationally, domestically or locally, is not only inevitable but necessary. From manufacturing to supply chain to distribution and product services and support – and including many other key functions of a business previously handled inter-nally (e.g., human resources, information technology, finance and audit) – there is a fast-growing outsourced business model that relies on third parties. Often, using third parties is cheaper, faster and more effective, rendering it a competi-tive necessity. Third parties can take the form of a company’s agent, intermediary, supplier, consultant or joint venture partner and can provide the company with invaluable and critical services, ranging from product design or delivery to legal or tax advice to sales opportunities. For example, a third party could provide crucial transportation of goods without which a company could not bring its product to market. In 2021, we see just such an instance with the highly particular cold storage requirements for certain covid-19 vaccines.

1 Palmina M Fava, Zachary Terwilliger and Michael Ward are partners, Jose Sanchez is a counsel, and Natalie Cardenas is an associate at Vinson & Elkins LLP.



172

The modern approach of disaggregating business functions necessarily means that doing business through a number of third parties is the norm and not the exception, resulting in a growing volume and diversity of third parties, which brings inherent corruption risks. Companies must be cognisant of and prepared to mitigate such risks to maximise the third parties’ utility.

Pursuant to the strictures of the Foreign Corrupt Practices Act (FCPA), companies are prohibited from either directly or indirectly bribing non-US govern-ment officials to obtain business.2 Indirect bribes expressly include payments made by third parties acting on behalf, at the direction, or with the knowledge of the company.3 To be liable under the FCPA, a company need not explicitly authorise the payment. So long as the company had a reasonable belief that the conduct was likely to occur, it can be held liable for the third party’s conduct. Knowledge of improper payments – or even the offer of anything of value – can be inferred from circumstances demonstrating a reasonable probability of illicit conduct.4 Thus, companies cannot avoid liability by consciously disregarding or ignoring red flags suggesting that a bribe has been or will be offered, promised or made.

Walmart’s recent settlement with the Securities and Exchange Commission (SEC) and the Department of Justice (DOJ) is a perfect example of the FCPA’s unforgiving nature towards alleged deliberate ignorance.5 In 2019, the SEC charged Walmart with violating the FCPA by failing to implement and operate a sufficient compliance programme nearly two decades earlier. According to the SEC, Walmart ignored red flags and corruption allegations when it expanded its business internationally, allowing its subsidiaries in Brazil, Mexico, China and India to use third-party intermediaries to make payments to foreign govern-ment officials. This prompted investigations in the United States and Mexico.6

2 The Foreign Corrupt Practices Act of 1977, 15 U.S.C. § 78dd-1.3 See Dep’t of Justice & Sec. and Exch. Comm’n, A Resource Guide to the U.S. Foreign

Corrupt Practices Act, at 22 (July 2020), https://www.justice.gov/criminal-fraud/file/1292051/download.

4 id.5 Press Release, Sec. and Exch. Comm’n, Walmart Charged With FCPA Violations (June 20,

2019), https://www.sec.gov/news/press-release/2019-102; Press Release, Dep’t of Justice, Walmart Inc. and Brazil-Based Subsidiary Agree to Pay $137 Million to Resolve Foreign Corrupt Practices Act Case (June 20, 2019), https://www.justice.gov/opa/pr/walmart-inc-and-brazil-based-subsidiary-agree-pay-137-million-resolve-foreign-corrupt.

6 See Press Release, SFP Verifica Permisos Federales Para la Apertura y Operacion de las Tiendas de la Empresa Walmart de Mexico, Secretaria de la Funcion Publica (SFP) (25 April 2012).]



173

According to the SEC’s order, Walmart allegedly failed to investigate and miti-gate the risks as it expanded its operations, particularly in Latin America, and paid more than US$282 million in penalties and fines.7

A company’s exposure to liability for third-party actions is not unique to the FCPA. Anti-corruption laws in most countries hold companies culpable for third-party conduct.8 Latin American countries are no exception. For example, Mexico has enacted a number of anti-corruption laws as part of its National Anti-Corruption System.9 Under these laws, a company can be held liable for the actions of individuals who engage in corrupt offences on behalf of the company.10 Brazil’s Clean Company Act takes this a step further. Under the Act, companies are held strictly liable for the corrupt conduct of their employees and agents.11 Take Keppel Offshore & Marine Ltd (KOM) as an example. KOM allegedly paid roughly US$55 million in bribes to Brazilian officials through the use of third-party intermediaries.12 In 2017, KOM agreed to pay a combined total of US$422 million to resolve charges brought by anti-corruption authorities in the United States, Brazil and Singapore.

7 See also, Press Release, Dep’t of Justice, SBM Offshore N.V. and United States-Based Subsidiary Resolve Foreign Corrupt Practices Act Cases Involving Bribes in Five Countries (Nov. 29, 2017), https://www.justice.gov/opa/pr/sbm-offshore-nv-and-united-states-based-subsidiary-resolve-foreign-corrupt-practices-act-case. On 29 November 2017, SBM Offshore NV (SBM) was assessed a criminal penalty from the DOJ in the amount of US$238 million for an alleged bribery scheme in violation of the FCPA. For approximately 16 years, SBM allegedly paid third-party intermediaries US$180 million in commissions that were then used to bribe government officials in Brazil, Angola, Equatorial Guinea, Kazakhstan and Iraq. The order found that SBM was liable because it knew that a portion of the commission payments would be used to pay these bribes for the purposes of obtaining business with state-owned oil companies.

8 For example, the United Kingdom’s Bribery Act states that an organisation or company is liable for the corrupt actions taken by a person ‘associated’ with the company and on the company’s behalf. The Act defines an associated person as one who performs services for the company, such as an employee or agent. See, Bribery Act, 2010, c.23, § 7(1) (U.K.); Ministry of Justice, The Bribery Act 2010, at 16 (March 2011).

9 See Ley General Del Sistema Nacional Anticorrupción [LGSNA], Diario Oficial de la Federación [DOF], July 18, 2016.

10 id.11 See Brazil Clean Company Act (Law No. 12.846/2013).12 Press Release, Dep’t of Justice, Keppel Offshore & Marine Ltd. And U.S. Based Subsidiary

Agree to Pay $422 Million in Global Penalties to Resolve Foreign Bribery Case (Oct. 22, 2020), https://www.justice.gov/opa/pr/keppel-offshore-marine-ltd-and-us-based-subsidiary-agree-pay-422-million-global-penalties.



174

Liability exposure presents issues for companies that lack significant control and oversight over their business partners and agents, including suppliers and, in certain circumstances, clients. Companies must take the necessary steps to expand their compliance programmes to mitigate the risks that arise from their busi-ness dealings. Among the steps used by many companies and expected by many regulators are: conducting thorough background checks or due diligence prior to engaging a third party, educating a third party on the applicable anti-bribery and anti-corruption laws, contractually mandating a third party’s compliance with the same, and monitoring the third party’s actions throughout the life of the contract.13 The level of due diligence, compliance training and monitoring to be performed by the company on the third party depends on the scope of work provided by the third party, the inherent risk of the work or the transaction, the geographic loca-tion of the services, the industry and the compensation to be paid.14 A company’s vendor of office supplies, for example, will not be subject to the same scrutiny as the company’s customs broker or freight forwarder interacting with government officials on behalf of the company.

How to assess third partiesRisk-tiered due diligenceBefore engaging a third party or entering into a transaction with a customer, companies must learn about the entity on the other end of the deal to fully evaluate the potential liability risks triggered by that entity and to ensure that the internal controls built into the company’s compliance programme are deployed appropri-ately to mitigate the risk. For example, a company may employ certain internal controls when contracting with a public sector entity, but those controls are only initiated if the entity is identified properly as public sector. If the personnel entering the information are unaware of the proper designation because no diligence is conducted, then the mechanisms to mitigate the risk of liability are not utilised.

Similarly, when engaging third-party suppliers or other agents, it is critical to conduct sufficient due diligence to understand the third party’s experience, benefi-cial owners and reputation. These efforts often take the form of risk management

13 See Dep’t of Justice & Sec. and Exch. Comm’n, A Resource Guide to the U.S. Foreign Corrupt Practices Act, at 60-61 (July 2020), https://www.justice.gov/criminal-fraud/file/1292051/download.

14 id.; see also ICC, ICC Anti-Corruption Third Party Due Diligence: A Guide for Small and Medium Size Enterprises, at 14–21, https://iccwbo.org/content/uploads/sites/3/2015/07/ICC-Anti-corruption-Third-Party-Due-Diligence-A-Guide-for-Small-and-Medium-sized-Enterprises.pdf.



175

programmes and analysis designed to understand multiple aspects, including the entity’s reputation for corrupt practices. Ultimately, the results of this analysis will help companies better understand, assess and mitigate any risk that may arise over the course of the contractual relationship. For example, due diligence efforts could help uncover whether a third party has any connections to government officials or whether the third party has been accused of engaging in corrupt practices in the past. Likewise, due diligence may identify a financial institution as a publicly funded bank, thus triggering internal compliance safeguards. Uncovering these red flags early in the engagement can help inform further business dealings and save the company from future liability.

Eliminating all potential corruption risks that a third party could pose is neither possible nor required. For example, many companies distribute their product through a network of thousands of distributors and resellers, rely on dozens of manufacturers of component parts, employ consultants to provide market-relevant information, hire tax and legal advisers, use consultants with specialised technical skills, and outsource a host of other functions. Not all of these third parties presents the same level and type of risk. Resources – both time and money – are limited, so vetting all third parties to the same degree is unrealistic. It is vital that any company considering its due diligence obligations intelligently allocates its resources to maximise the overall return of those investments.

Risk-tiered due diligence helps companies focus their finite resources on those parties that present the most significant risks to the company. The extent of corruption risks vary from one third party to another, so the proportionality of the due diligence efforts applied also vary. This type of due diligence not only helps to prioritise risk monitoring, but also demonstrates that the company is taking an active and committed role to detecting and preventing corrupt practices should an investigation arise.

Risk-tiered due diligence factors to considerAllocating risks among various third parties can often be difficult to establish and is not subject to a one-size-fits-all approach. However, there are certain factors that a company should consider when determining a third party’s risk-level:15

15 See Dep’t of Justice & Sec. and Exch. Comm’n, A Resource Guide to the U.S. Foreign Corrupt Practices Act, at 60-62 (July 2020), https://www.justice.gov/criminal-fraud/file/1292051/.download; OECD, OECD Due Diligence Guidance for Responsible Business Conduct (2018); ICC, ICC Anti-Corruption Third Party Due Diligence: A Guide for Small and Medium Size Enterprises, at 8-12, https://iccwbo.org/content/uploads/sites/3/2015/07/ICC-Anti-corruption-Third-Party-Due-Diligence-A-Guide-for-Small-and-Medium-sized-Enterprises.pdf.



176

Interactions with government entities or public officialsSituations where the third party is either a government entity or works closely with a public official will give rise to increased anti-corruption enforcement scru-tiny. Companies should note that a mere association with a foreign public official could lead to scrutiny and warrants heightened due diligence and internal controls around the third party’s activities. While most countries impose criminal liability for all forms of bribery in a commercial context and not just bribes to public officials, the vast majority of the corruption enforcement actions that impose significant financial and business consequences involve public sector contracts. Accordingly, it is critical to understand whether a third-party supplier is benefi-cially owned by a current or former government official or his or her close family members. If so, it is important to closely monitor the performance of services by that entity should the company engage it. Similarly, third parties engaged to interact with government officials must be subject to increased diligence and monitoring throughout the life of the contract to deter and detect potential illicit conduct. Additionally, interactions with customers beneficially owned or controlled by government entities merit enhanced scrutiny and the imposition of internal controls to mitigate risk, including the evaluation and pre-approval of entertainment, marketing, charitable or travel expenses involving those customers.

The jurisdictionWhere the third party is located and where the services are to be performed can help a company determine the level of potential risk that a third party might pose and thus, the commensurate level of due diligence required. The Corruption Perceptions Index published by Transparency International ranks the corruption levels of various countries, ranging from ‘highly corrupt’ to ‘very clean’.16 If the country where the third party is primarily working or in which the transaction occurs ranks as highly corrupt, then the level of due diligence applied to that third party or to that transaction should be consistent with the heightened risk presented. Moreover, if the jurisdiction is one with active enforcement of anti-corruption laws, a company would be well advised to invest more resources in ensuring that its business dealings do not invite scrutiny. A decade ago, many companies accepted excuses from third parties or customers reluctant to partici-pate in due diligence who pointed to the differences in business customs across jurisdictions as justification for sharing limited or no information in diligence

16 Transparency Int’l, Corruption Perceptions Index (2020), https://www.transparency.org/en/cpi/2020/index/nzl.



177

exercises. Today, with a greater focus on the deleterious consequences of unchecked corruption, many countries across the world, and particularly in Latin America, are engaged in enforcement measures to decrease fraudulent and corrupt prac-tices, thus reducing the reliability of a ‘customs’ excuse.

The nature of the services that the third party will provideSome services may be more susceptible to corruption risks than others. For example, agreements where a third party is to provide a service to a public offi-cial create more of a risk than agreements in which the third party is supplying the company with furniture or IT services. While the latter may present conflict of interest or kickback concerns that merit examination, they typically do not result in large-scale investigations that distract personnel and divert resources for months. To help mitigate potential risks, companies should ensure that the scope of the services expected is clearly defined, that all expenses are itemised and supported by documentation, and that the third party is sufficiently aware of the conduct in which he or she cannot engage.

Third-party compensation and the value of the contract Companies should consider compensation and the overall value of the contract when allocating risk. Compensation may raise a red flag if it is disproportionate to the typical compensation received for similar services. Higher-than-normal compensation may suggest that excess payments will be used for bribes or kick-backs. As part of due diligence, companies often examine the fair market value of a transaction to evaluate whether the supplier has experience pricing similar contracts, may be padding the cost to allow for improper payments, or is offering an unfair rate. Similarly, in contracts with a customer, examine the request for proposal or any tender documentation to substantiate discount requests or the need for third-party sales or services intermediaries. For example, sales agents often request non-standard discounts on the basis of a customer’s budgetary restrictions or competitive pressures. To the extent the company has access to requests for proposal or other tender documentation, the due diligence process should include reviewing such documents to verify the veracity of the discount requests. Such documents, for example, may indicate that a tender is sole source, rendering a competitive pressure excuse invalid.

The overall value of the contract also could lead to potential risks. Higher valued contracts may tempt a third party to engage in corrupt conduct to obtain the benefits provided in the agreement. Similarly, a transaction with a percentage of the final sale as the commission payment may afford the supplier with signifi-cant funds to make improper payments, absent heightened scrutiny of the



178

supplier’s experience, reputation, and compliance standards. Accordingly, higher value contracts should be subject to greater internal controls and diligence to mitigate such risks.

The company’s pre-existing relationship with the third party A company’s long-standing experience or pre-existing relationship with a third party may mitigate the risk of impropriety or it may make a company compla-cent. Certainly, the presence of an existing business relationship presents relevant information about the entity’s experience and reputation, but if heightened risk factors are present in the transaction, companies would be well served to conduct some measure of due diligence to identify red flags and to mitigate risks should they arise. Companies also should monitor the third party throughout the life of the contract to ensure continued compliance. A long-standing relationship may make the supplier overly dependent on its business with the company such that it could be compromised by improper requests from a company sales manager, for example. Effective diligence and monitoring serves to protect both parties in the transaction.

General due diligence factors to considerWhile the level and severity of due diligence can vary, companies should seek certain background information on the following topics when conducting due diligence analysis.17

Beneficial ownershipCompanies must know the actual identity of those with whom they are contracting. Companies should identify the third party’s principal shareholders to determine who has actual control and ownership of the business. This information can be established through the third party’s official company registration documents, but, in many cases, should not be limited to a review of the incorporation certifi-cates. For example, someone seeking to disguise the true beneficial owners may list family members or individuals whose business is to incorporate entities under local law.

17 See Dep’t of Justice & Sec. and Exch. Comm’n, A Resource Guide to the U.S. Foreign Corrupt Practices Act, at 60-62 (July 2020), https://www.justice.gov/criminal-fraud/file/1292051/download; OECD; OECD Due Diligence Guidance for Responsible Business Conduct (2018); ICC, ICC Anti-Corruption Third Party Due Diligence: A Guide for Small and Medium Size Enterprises, at 14-21, https://iccwbo.org/content/uploads/sites/3/2015/07/ICC-Anti-corruption-Third-Party-Due-Diligence-A-Guide-for-Small-and-Medium-sized-Enterprises.pdf.



179

In January 2021, the United States passed the Corporate Transparency Act as part of the National Defense Authorization Act.18 This new law creates a beneficial ownership registry within the Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) in an effort to curtail corrupt practices. However, not all companies are required to report their beneficial ownership to the FinCEN under the Act. Accordingly, requiring potential third parties to complete a due diligence questionnaire identifying their beneficial owners is a better prac-tice than relying simply on company registration documents. Understanding the true ownership structure will help companies avoid liability for the corrupt prac-tices of hidden owners.

Financial background Asking third parties to submit financial reports or statements is critical to under-standing the financial health of the third party, not simply for credit worthiness purposes, but also for exposure to legal risk. Financial reports can alert the company to those entities who may be compromised or unduly influenced by improper overtures to secure business. Additionally, financial reports often reflect whether the entity maintains its books and records in a manner that provides transparency and reliability – a key factor in anti-corruption analysis and one that can create liability or serve as a useful monitoring tool. Companies should endeavour to ensure that the information in the disclosed financial reports is accurate and detailed enough to allow the company to spot discrepancies or unusual payments. Moreover, the financial reports or statements may offer insight as to whether the third party is sufficiently experienced and reputable to perform the services anticipated for the company and can serve to verify the third party’s declarations of prior experience in the industry. Depending on the significance and risk of the third party’s activities on behalf of the company, the company’s diligence may include researching, and, if possible, independently verifying the third party’s financial activities to evaluate the potential sources of revenue. This independent corroboration would help guard against potential negative media narratives that unnecessarily could imperil the company’s good will and repu-tation if, for example, the third party’s revenue partially derives from criminal activities or has been laundered.

18 See, National Defense Authorization Act for Fiscal Year 2021, H.R. 6395, 116th Cong. (2020) § 6403, https://www.congress.gov/bill/116th-congress/house-bill/6395/text.



180

Third-party competencyCompanies must be on alert for red flags that indicate a third party has offered to provide services in an area where it seems to lack competence. This is especially true when the services offered involve interactions with government officials. Companies should ensure the third party has the actual expertise and experience required by checking references, researching the third party’s history, probing the third party’s knowledge of the industry and market, and examining the third party’s website for details that substantiate its declarations of experience. To avoid actual or perceived corrupt conduct, a company also should ensure that it has a legitimate business justification for entering into the agreement with the third party. A proper business justification will help mitigate the company’s potential risk in the future, provided there is no readily available information which the company failed to evaluate or collect that discredits the third party’s competency.

Third-party historyAnother measure to assess potential risks is to run an internet search to identify any available reputational information regarding the third party. Adverse news alleging that the third party or its officers, directors or employees have engaged in corrupt, fraudulent or unethical practices in the past is a clear red flag that the company should consider before entering into further business dealings. Such adverse news also may offer insight on the third party’s competency. The company can conduct this research using the information provided by the third party or from information located in the public domain and behind relatively minor paywalls. In certain markets, this information may not be as readily avail-able or reliable as in other jurisdictions, but, depending on the risk presented by the third party’s anticipated activities, it may be worth the effort to uncover. For example, a sales intermediary responsible for negotiating with potential public sector customers should be subject to greater due diligence scrutiny than a manu-facturing supplier of component parts.

Third-party reputationA third party’s reputation often can be discerned through researching its history and any adverse news through internet searches. But in higher-risk cases, due diligence efforts also should involve other means. For example, companies should seek out references who personally know or have worked with the third party in question and can speak towards the party’s character, experience, and past engage-ments. This can help establish whether the third party has engaged in corrupt practices in the past, has a propensity for behaviour that skirts the law, or has a close relationship with a public official that may raise a red flag.



181

The third party’s approach to ethics and complianceFinally, companies should examine the ethics and compliance policies that the third party has in place for its own business. The third party’s overall tone and attitude toward compliance efforts should be noted as potential risk factors. This analysis includes inquiring whether the third party engages in its own due diligence of business partners, suppliers, contractors and, in particular, any sub-contractors it may use in connection with the work to be performed for the company. In many cases, this analysis includes understanding the financial and other controls in place by the third party to mitigate risks of misconduct and to monitor its employees’ and agents’ compliance. With respect to customers, this inquiry may inform whether the company has an obligation to complete certain compliance certifications or to advise the customer of certain benefits offered or provided to its personnel in connection with the negotiation or performance of the contract. For example, certain public sector entities prohibit their employees from engaging in any events or accepting any benefits, even if nominal, absent pre-approval; understanding whether such prohibitions exist is critical to ensuring the success of the customer relationship and to mitigating liability for failure to abide by these requirements.

In recent years, more Latin American countries have enhanced and enforced anti-corruption laws. Anti-corruption legislation in most countries emphasises the importance of corporate compliance programmes, consistent with the mandates of the OECD Anti-Bribery Convention, the United Nations Convention Against Corruption and the Inter-American Convention Against Corruption. Certain countries, such as Brazil, Mexico and Peru, have adopted guidelines for calculating fines and considering leniency premised on the adoption of corporate compliance programmes, and in Peru’s case, providing safe harbour from liability if an adequate compliance programme was in place prior to the corrupt activity.19

Accordingly, whether an entity has failed to adopt internal controls consistent with its risk profile and the applicable legal requirements is a key factor to consider in due diligence.

Due diligence does more than just mitigate potential risk. A robust and effective programme promotes ethical conduct among the various parties to an agreement. For example, conducting third-party due diligence may require that the third party itself examine and redefine its own compliance and anti-corruption

19 Controladoria-Geral De Uniao – CGU, Programa de Integridade: Diretrizes para Empresas Privadas (22 September 2015); Mexico General Law of Administrative Responsibilities (GLAR or the Ley 3 de 3) (18 July 2016); Peru: Corruption Report, GAN Business Anti-Corruption Portal (last updated: September 2016).]



182

efforts to avoid risk and to better position itself to build future business relation-ships. Thus, taking the time to expand due diligence efforts that encompass all third-party relationships will be beneficial for both parties to the transaction.

Approaching due diligence when negotiating and dealing with counterpartiesContracts with third-party suppliers or clients should clearly state the respon-sibilities of all of the parties and their compliance expectations. These contracts should reference the company’s due diligence efforts to ensure that the third party abides by all applicable anti-corruption laws. Third parties should be aware of the types of risks that would give rise to enforcement scrutiny so as to help mitigate the company’s potential liability should corrupt conduct occur. In most cases, the following representations and warranties should be considered in the contract:• agrees to comply with all applicable laws and policies and certifies compliance

for at least the prior five years;• certifies that no actions have been proposed or taken, directly or indirectly,

that would cause a government official to benefit improperly;• agrees to adopt (or certifies adoption of ) adequate and effective compliance

policies and internal controls, which include training on those policies and controls to employees;

• agrees to provide prompt notice to the company if it plans to retain other agents or representatives to assist in providing services under the contract;

• agrees to provide immediate notice to the company if it becomes aware of an allegation of a potential or actual violation of an anti-corruption or anti-bribery law;

• certifies that it maintains accurate, detailed, transparent, and up-to-date books and records setting forth the financial transactions related to any work conducted on behalf of the company, together with supporting documentation;

• agrees to allow the company to audit its books and records related to the contract; and

• permits the company to terminate rights under the contract in the event of a compliance breach, including a provision requiring the third party to forfeit any compensation agreed upon in the contract.

Means of mitigating potential exposureRed flags that arise from due diligence efforts do not automatically mean that a company cannot contract with a third party. Certain risks can be mitigated to limit potential exposure to anti-corruption enforcement scrutiny.



183

Training third partiesBefore contracting, companies should ensure that the third party is aware of the relevant anti-corruption laws that affect the transaction and that it is aware of its customer’s anti-corruption policies and practices. One method of ensuring adequate knowledge of the applicable laws and compliance policies is through substantive training. When investigating corrupt practices, regulators around the world consider a company’s efforts to communicate its policies effectively through trainings and certifications.20 An effective training process takes into account the target audience.21 For example, the information and hypotheticals should revolve around situations that the third party would likely encounter, and training materials should be provided in the local language, if applicable. The more targeted and thorough the training, the more likely a company can mitigate potential liability risks should they arise.

Implementing a third-party code of conductAll companies should implement a general code of conduct as a foundation for their overall compliance programmes. These codes should be clear and concise, and companies should ensure that they are made available to all employees and third-party agents working on behalf of the company. This includes providing the material in the local language, if necessary. Effective codes of conduct outline the company’s policies and procedures, as well as the expectations the company has in terms of compliance. When investigating corrupt practices and imposing liability, regulators consider the effectiveness of a company’s code of conduct and whether the company has provided the code to its third parties and updated the code to account for current risks.

Continued monitoring Due diligence efforts do not cease once the third party has been officially retained. Companies should continue to monitor the third party’s conduct throughout the business relationship to identify and follow up on potential red flags. This may include updating due diligence practices, providing additional training, periodi-cally auditing the third party’s practices and compliance protocols, and requesting updated compliance certifications.

20 See Dep’t of Justice & Sec. and Exch. Comm’n, A Resource Guide to the U.S. Foreign Corrupt Practices Act, at 60-61 (July 2020), https://www.justice.gov/criminal-fraud/file/1292051/download.

21 id.



184

As an additional monitoring tool, ensure that the third party's invoices and supporting documentation are examined and their work verified prior to approving payments.

Enforcing contractual audit clauses As stated above, companies should seek to ensure that they include a contractual provision requiring compliance with applicable anti-corruption laws. However, merely stating that a third party must follow the applicable laws is not enough to fully mitigate the risks. Companies bear the responsibility to continue monitoring third parties throughout the life of the contract to better detect any potential issues that might arise. This can be achieved through periodic audits of the third party’s activities and invoices, as well as audits of the third party’s own compliance policies. In the context of a contract with a customer, the company can review the request for proposal, any tender documents, and the deal booking documents to ensure that applicable laws are being satisfied. This continued monitoring, like due diligence, is tiered based on the risks presented by the third party.

The World Acceptance Corporation’s (WAC) case illustrates the conse-quences that a failure to implement the necessary auditing control can have. In that case, WAC’s Mexican subsidiary allegedly used third-party intermediaries to pay over US$4 million in bribes to Mexican officials for almost a decade. The SEC found that WAC lacked the necessary internal auditing controls to detect and prevent the payments, subjecting itself to the risk of liability. WAC agreed to pay US$21.7 million to resolve the charges.22

Using data analyticsAnti-corruption enforcement agencies have increasingly focused on data analytics when evaluating corporate compliance programmes. The June 2020 revision to the DOJ compliance guidelines requires prosecutors to investigate how a company is tracking the functionality of its operations and compliance efforts.23 Part of this determination is done by looking at the company’s use of data analytics. Data analytics allows a company to continuously and remotely gather data, monitor

22 Press Release, Sec. and Exch. Comm’n, SEC Charges Consumer Loan Company With FCPA Violations (Aug 6, 2020), https://www.sec.gov/news/press-release/2020-177.

23 Dep’t of Justice, Evaluation of Corporate Compliance Programs, at 3 (Updated June 2020), https://www.justice.gov/criminal-fraud/page/file/937501/download.



185

transactions and analyse risks, including those presented by third parties. It provides the company with a method of analysing the effectiveness of its policies and controls to better address new concerns.

Using data analytics could help continuously monitor and ensure third-party compliance by identifying risks as they emerge. This gives companies more time to evaluate and determine the best course of action to mitigate potential liability.

ConclusionThe use of third parties is both beneficial and necessary for most companies. Maximising the utility of such relationships, however, requires a deliberate and focused approach to due diligence to mitigate the inherent risks. Companies should take the necessary steps to identify potential risk factors before entering into a business relationship but need not terminate a relationship if risks arise. Implementing a robust and effective compliance programme that incorporates risk-tiered due diligence and monitoring efforts will help mitigate the risks of corruption and allow the companies to retain the benefit of third-party services.


459

APPENDIX 1

About the Authors

Palmina M FavaVinson & Elkins LLPPalmina M Fava is a partner at Vinson & Elkins LLP’s New York office, who has over 20 years of experience. She represents clients in internal and government investigations, litigation, and corporate governance counselling, with a principal focus on matters involving the Foreign Corrupt Practices Act (FCPA), interna-tional anti-corruption, anti-money laundering and anti-bribery laws, accounting irregularities, bid rigging and unfair trade practices, off-label pharmaceutical marketing, misappropriation of trade secrets, fraud, cybersecurity and data privacy.

Palmina regularly represents companies in matters before the United States Department of Justice, the Securities and Exchange Commission, other federal and state agencies, and international regulatory bodies. She leads teams in investi-gations in Latin America, throughout Western and Eastern Europe, Asia, Africa, and the Middle East. Relying on her extensive language skills, she is capable of assisting clients in Spanish, Portuguese, Italian and English.

She also designs and implements comprehensive, practical and user-friendly corporate compliance programmes tailored to a client’s particular risks and growth strategies. She provides employee and third-party training; conducts proactive reviews of a client’s high-risk business areas; structures commercial arrangements to protect against compliance risks; and handles due diligence of agents, joint venture partners, and targets in mergers and acquisitions or other investment transactions.

Palmina’s litigation practice focuses on commercial, business tort, and intel-lectual property disputes. She has served as lead litigation and trial counsel in matters involving breaches of fiduciary duty, breaches of contract, fraud, negli-gence, misappropriation of trade secrets and insurance coverage. She has tried and defended cases in federal and state courts, and before arbitration panels, and represented clients in appellate arguments, mediations and negotiations.


About the Authors

460

Zachary TerwilligerVinson & Elkins LLPG Zachary ‘Zach’ Terwilliger is a partner at Vinson & Elkins LLP, based in Washington, DC. Zach advises corporate clients and individuals who are subject to criminal investigations and civil enforcement actions. Additionally, he handles uniquely Washington problems related to congressional inquiries and interfacing with leadership at the highest levels of the Department of Justice. Prior to joining Vinson and Elkins, Zach served for 14 years at the Department of Justice. His most recent position was as the presidentially appointed and Senate confirmed United States Attorney for the Eastern District of Virginia – home to some of the most complex and high-profile cases in the country. Zach also served as an Associate Deputy Attorney General in the Office of the Deputy Attorney General with responsibility for criminal matters. Zach also spent over a decade as an Assistant United States Attorney in the Eastern District of Virginia. Just prior to becoming an AUSA, Zach served as law clerk to the Hon. K. Michael Moore, who serves as the Chief Judge of the United States District Court for the Southern District of Florida. Zach graduated with highest honours from William & Mary School of Law. He obtained his undergraduate degree at the University of Virginia.

Michael WardVinson & Elkins LLPMichael Ward is a partner at Vinson & Elkins LLP, based in the San Francisco office. His practice focuses on defending companies under investigation for suspected compliance lapses. As both a former federal prosecutor and an expe-rienced chief compliance officer who has designed and implemented award winning compliance programmes at leading companies like Target, McKesson, Adobe, Cisco, and Juniper Networks, Mike focuses on advising management and boards on practical and effective compliance solutions.

Jose F SanchezVinson & Elkins LLPJose F Sanchez, counsel in Vinson & Elkins LLP’s New York office, handles international arbitration matters in English, Spanish and Portuguese, under the laws of numerous jurisdictions across the globe, with emphasis in New York and Latin America, under the ICC, ICSID, ICDR, LCIA, UNCITRAL, and the Brazil–Canada Chamber of Commerce Rules. Jose’s practice focuses mostly on infrastructure, energy, investor-state relationships, and post-acquisition disputes. In addition to acting as counsel, Jose has also served as arbitrator in cases handled by several institutions.


About the Authors

461

Jose also handles cross-border litigation issues related to arbitration, mostly in the Second and Fifth Circuits, such as enforcement of arbitration and forum selection clauses, choice of law clauses, foreign judgments, and arbitration awards. Additionally, Jose works on internal and government investigations in Latin America, particularly in the infrastructure and energy industries.

Natalie CardenasVinson & Elkins LLPNatalie is an attorney in V&E’s Washington, DC office. Her principal practice area is complex commercial litigation.

Vinson & Elkins, LLP1114 Avenue of the Americas32nd FloorNew York, New York 10036United StatesTel: +1 212 237 [email protected]@[email protected]@[email protected]@[email protected]@velaw.comwww.velaw.com


Published by Latin Lawyer and LACCA, edited by Andrew M Levine, a litigation partner at Debevoise & Plimpton LLP, Reynaldo Manzanarez Radilla, a corporate attorney and compliance professional, Valeria Plastino, vice president, general counsel and regional compliance officer at Lumen Technologies, and Fabio Selhorst, general counsel, chief integrity officer and chief communications officer at Hapvida, The Guide to Corporate Compliance is designed to assist key corporate decision-makers and their advisers in the effective handling of their compliance obligations in Latin America.

This guide delivers specialist insight to our readers – general counsel, compliance officers, government agencies and private practitioners –who must navigate the region’s complex, fast-changing framework of rules and regulations.

In preparing this guide, we have been working with practitioners from a variety of disciplines and geographies, who have contributed a wealth of knowledge and experience. We are grateful for their cooperation and insight.

Visit latinlawyer.comFollow @LatinLawyer on Twitter

Find us on LinkedIn

ISBN 978-1-83862-750-8


the guide to corporate compliance...quinn emanuel urquhart & sullivan llp 26 external compliance...

Documents