July 17, 2020 / Compliance / by Samuel Rivero
The renewed approach against corruption and compliance laws and regulations has emphasized the importance of constructing and maintaining an effective compliance program within any company. There is no specific structure or program example that may be defined as the perfect one for all companies.
There are several responsibilities for each company. It is commonly believed that the responsibility is unique to criminal matters; however, there are other types of responsibility that are independent of one another. Therefore, knowing, preventing, and mitigating bad behavior of companies is a matter that can never be left aside. Due to the foregoing, we must generate instruments that help us mitigate bad behavior within the company.
In addition, we must have policies regarding this topic. Any program would have to correspond to the risk areas of the company, its size, resources, industry sector, commercial locations, etc.
Two responsibilities under which a company may be subject to penalties, and a general guide for the effective implementation of a program in companies to mitigate and prevent these behaviors, are presented below:
II. Corruption in Mexico
Corruption in Mexico has increased over the years, both in the public and private sector. In fact, most of the time, these 2 sectors are related in corruption acts. According to the Mexican Association of Ethics and Compliance Professionals, corruption in companies represents 9% (nine percent) of the GDP, which is a big impact on the economy of the country and an issue that must be addressed in a particular manner.
In Mexico, although the Ministry of State and the Ministry of Government Affairs fight against corruption, this fight is focused on public matters, in other words, on corruption actions performed by public officers. In addition, it is only involved in the public sector when an external person to the public administration is related to any corruption action where there is a relationship with a public officer; therefore, the private sector is not the main subject for the Ministry of State mentioned above. However, in the last decade, the Government and the Private Sector have noted an increase in corruption behaviors within the companies; therefore, laws, guidelines, manuals, and several instruments to mitigate such actions have been gradually issued.
III. Administrative Violations in the Private Sector
As mentioned above, the main purpose of the Ministry of Government Affairs is to design, plan, execute, and coordinate the public policies in internal control matters and assess the government administration, as well as regulate or establish the guidelines for this special sector derived from several legal instruments allowing individuals to act in government situations. Pursuant to the United Nations Convention against Corruption, Article 12, it is established that the countries must take measures to prevent corruption, improve the accounting, and audit regulations in the private sector, as well as to set forth penalties in case of breaches. Therefore, the General Law on Administrative Responsibilities (hereinafter, the LGRA) sets forth the penalties for the commission of flaws of individuals as well as the procedures for their application, and the competent authority powers for such purpose.
Derived from the aforementioned Law, Articles 21 and 25, the Ministry of Government Affairs issued the “Business Integrity Model Program”. This is a manual whose purpose is to guide the private sector with a series of actions and guidelines to be implemented according to the General Law on Administrative Responsibilities (LGRA), Article 25. The purpose of the aforementioned manual is to boost the adoption and respect for the internal regulations (Corporate Government), as well as the accountability of the company; to ensure the commitment of the directors and senior members of the company to prevent and inhibit corruption through “good practices”, codes of conduct, complaint systems, control systems, surveillance and auditing, training and several mechanisms to ensure transparency at all times.
As mentioned before, the purpose of the “Business Integrity Model Program” is to prevent corruption acts; however, LGRA establishes that there are administrative violations by individuals pursuant to the Law, Chapter III and IV.
Therefore, LGRA, Third Section, Chapter III established several penalties for individuals incurring any behavior against the law set forth in such law, which —for legal entities, pursuant to Article 81— are the following: a) Economic penalty that may reach up to two-thirds of the benefits obtained and, in case of having no benefits, it will be the equivalent of the amount of 1,000 (one thousand) up to 1,500,000 (one million five hundred) times the daily value of the Units of Measurement and Update; b) Temporal suspension for participations in sales, leasings, public services, or works for a period no shorter than 3 (three) months and no longer than 10 (ten) years; c) Activity suspension for a period no shorter than 3 (three) months and no longer than 3 (three) years, which will consist in temporarily stopping, delaying, or depriving individuals of their trading, economic, contractual, or business activities on account of their link to administrative violations; d) Dismantlement of the relevant corporation by judicial order and as a consequence of the commission, link, participation, and relation with a severe Administrative Violation; and e) Compensation for the damages and lost profits to the Federal Public Treasury, whether local or municipal, or to the assets of public entities.
As we can see, administrative violations are a responsibility a company may also have. We must remember that there are several responsibilities a private entity may have in criminal, administrative, and civil matters.
IV. Criminal Liability in the Companies
The Mexican criminal system already contemplated certain consequences that a judge may impose on a legal entity if it has been used as a means to commit a crime; however, currently, pursuant to the National Code of Criminal Procedures (CNPP), Article 421, the liability of the legal entity is independent of the liability that its representatives and administrators may incur.
Pursuant to the CNPP, Article 421, legal entities will be criminally liable for the crimes committed on their behalf, on their own account, to their benefit, or through the means granted by them when determined that there was also a breach of the due control in their organization. This breach refers to a lack of surveillance or supervision as well as the lack of a policy to prevent the aforementioned event.
It is important to clarify that the criminal liability determination of the legal entity does not require that the action is performed by the legal representatives, administrators, partners, shareholders, etc., but that the crime may be made by any colleague —regardless of the name or position they bear— since it is only necessary for the liability to apply that the crime is made through the means granted by such legal entity. The foregoing pursuant to the Federal Criminal Code, Article 11; therefore, it is important that all employees of the company are aware of the policies to mitigate these kinds of actions.
CNPP, Article 421 also establishes that the criminal liability of legal entities —when merging, transforming, absorbing, or splitting— will not be extinguished. In these cases, the penalty transfer may be regulated regarding the relationship with the legal entity that was originally responsible for the crime.
In addition, according to CNPP, Article 422, regarding the Federal Criminal Code (hereinafter, the “FCC”), Article 11 Bis, the applicable legal consequences for legal entities in this matter will be applied depending on whether they have their own legal capacity or not. If they have their own legal capacity, the penalties that may apply —whether one or more— are: a) Non-material fine or penalty; b) Confiscation of instruments, objects, or products of the crime; c) Sentence publication; d) Corporation dismantlement; and e) Any other determined in an express manner by the criminal laws. Regarding legal entities with or without their own legal capacity, the penalties will be: a) Activity suspension; b) Establishment or store closure; c) Prohibition of making future activities they have made or where they have participated in their commission; d) Temporary disablement by suspending the rights to participate in a direct or indirect manner, or through an intermediary, in contracting proceedings of the public sector; e) Legal intervention to protect the rights of employees or creditors; and f) Public reprimands.
On the other hand, FCC, Article 11 Bis, last paragraph establishes that the penalties may be alleviated up to one quarter if, before the act for which they are accused, the legal entities had a permanent control body responsible for verifying compliance with the applicable legal provisions to follow up the internal policies of crime prevention.
Therefore, it is important that there are policies and procedures to address, prevent, and mitigate the behaviors that may be deemed as corruption actions in order to prevent penalties mentioned above since we must remember that the criminal liability is independent of the administrative liability just as the penalties, which may lead us to several penalties legally imposed against the company.
V. Risk Evaluation
Successful compliance programs are based on successful risk evaluations. No internal policy, procedure, or control will accomplish much if these tools are including the incorrect risks in the incorrect manner. However, conducting risk evaluations may be a hard task to do, not only due to their risk variety but because a standard risk evaluation format cannot be applied for all the risks a company may face. Corporations face risks exclusive of their structure, in their particular industry, and that may be related to their business partners and/or the place in which they operate.
First, the function of the compliance risk evaluation must be defined. Then, all correct and necessary information must be gathered, since an effective compliance risk evaluation requires that the compliance officer (CO) examine all necessary information types in order to provide a correct measurement of the risk at issue and which parts of the corporation may help in such measurement.
Once the risks of the company have been identified, these must be measured. Basically, a risk evaluation measures how well the internal controls work in a corporation to mitigate the probability of the identified risk. It is important to close the findings with a written summary or report describing the most probable compliance failures; that mainly indicates why the internal controls are not sufficient (poor accountable controls, obsolete research procedures, unclear document retention policies, etc.); and which areas require more solid internal control mechanisms. Ideally, the report will also include action elements to be implemented.
VI. Policy and code of conduct
Being able to design effective policies is key for a successful compliance program. Compliance Officers must systematize the policy creation and adoption even when their content is more specific and detailed. It is important to use a methodic approach to design policies individually: Policies that may be understood, respected, and abided by the employees (and third parties). Regardless of the regulatory requirement or the commercial risk prompting the need for a specific policy, if such policy cannot comply with the 3 points mentioned above, it will not function properly to cover the needs of the company.
According to the “Business Integrity Model Program”, it is emphasized that the policies must be clear and limit functions and responsibilities of each colleague within the company depending on their area; and it must clearly specify the different chains of command and leadership within the structure.
Similarly, the policies and the code of conduct must be published and consulted by all members of the organization and have real application systems and mechanisms. It must include guidelines preventing conflicts of interest and these must promote the due and proper execution of commercial activities. To avoid such policies and the code of conduct being used only as examples, it is important to take applicability measures and penalty proceedings in case of a breach, as well as to refer severe cases to the relevant authorities.
The foregoing leads us to consider a proper complaint system, both within the corporation and to the relevant authorities, as well as specific consequences regarding those who act against the internal regulations and the applicable laws.
Another important element to include in the policies of the company is the exception request: each policy must explain how an employee may request an exemption or why an exception is not allowed. A policy must never completely ignore the exception requests for fear of employees simply deciding not to ask about an exception and breach the policy without informing it. Exception requests must include all necessary information so that the supervisors may handle the request in a proper manner; and so that the company may file the request as a future reference, if necessary.
It is important that our policies also include, within the human resources area, guidelines and guides tending to avoid the incorporation of people who may create a risk within the corporation.
VII. Managing policies and exception requests
Exception request patterns may lead to reviewing and finally readjusting the compliance program. But in order to obtain such knowledge, compliance programs need 2 things. First, they need exception request data; that is why it is important to have clear and sufficient documentation within the request itself regarding the applicant and the reason for the request. Secondly, the compliance program needs a system to gather all the information so it can be analyzed. As always, the more automatized and interconnected the data collection, the better.
VIII. Due diligence
Dishonest third parties represent the highest individual risk for a company. Therefore, it is essential that companies perform due diligence on third parties. As stated above, effective due diligence must be based on the risk; the processes must correspond with the needs of the company. On the other hand, the implementation framework may be based on a series of standard steps that may guide the process of creating due diligence workflows that are exclusive to the company. Specifying and particularizing the processes and systems for each company requires a comprehensive analysis of each case per provider, client, and even colleague of the company, which will provide certainty in the due diligence to be met by the business.
IX. Make an internal evaluation of the risk of third-parties
The relationship between the company and a third party must be submitted to a risk evaluation in an internal questionnaire format, which poses a series of questions of relationship or “alert” to the entity or area initiating the business (originator) which will generate additional information requests. These questions must include some key areas that indicate low, medium, or high corruption risks such as the prior experience with the third party; the purpose of the commercial relationship; the interaction with government officers; the nature of the activities to be performed; the compensation type and payment terms; the manner in which the third party was selected; and a risk classification of the country in which the third party operates.
In this stage, a third party must be examined against an Internet database or other available sources (lists of penalized parties, PEPs, etc.), through reviews of analysts for false positives. This provides a precise determination of which questionnaire must be completed instead of being based on a risk score calculated based only on the answers of the originator.
X. Conducting an external due diligence on the third party
A risk score must be calculated based on the results of the internal questionnaire and the background exam. The risk score of a third party determines the minimum scope required by the due diligence that must be made through a set of questions in the external due diligence questionnaire. In general, the higher the risk level, the deeper the research that must be made. Some questions included in the high-risk standard questionnaire include terms and conditions of the proposed commercial relationship; bank details and references; connections with government officers; current and past litigations; criminal researches and penalties, etc.
An external questionnaire must be assigned and sent to the third party. Once such questionnaire is completed, the risk score of the third party will be adjusted to reflect their answers. A compliance officer must determine if the third party will be approved or rejected after the review is completed. It must be ensured that the third parties classified as medium or high risk are evaluated by an area different from the commercial such as the compliance or legal area, or even an external evaluation entity to avoid any conflict of interests.
XI. Post-approval of third parties.
According to the identified risk level, the recertification of the third party must be automatically programmed in predefined periods. This can be done through automatized recertification reminders. Similarly, once the third party is approved, it is possible to request them to sign the policies and complete the relevant training. Ideally, these activities will have related notices and/or materials which are sent automatically once the company has been marked as a commercial relation.
Good training must reflect policies and proceedings showing the employees the connection between the compliance purposes the company intends to reach and the policies and systems the company uses to manage the daily operations.
It is important to know your audience since not all the employees need all the training in the same amount. The frequency with which the training material is sent may need to be adjusted according to the risk environment of the different employee groups. Employees or partners working in high-risk environments must receive training more often.
The training program effectiveness must also be evaluated when linking it to the intended results. For example, a higher coincidence among the employees may generate a higher complaint rate.
Trainings must contain topics such as: a) law compliance and penalties; b) general guidelines of the national and international regulations in anticorruption and antibribery matters; c) prevention and management of conflict of interests; and d) business ethics and integrity, among others.
Likewise, it will be important to regularly evaluate the employees regarding the knowledge acquired in the training since tangible values rating the learning level of the employee in anti-corruption matters will derive from there, as well as their capacity to detect corruption actions.
XIII. Case management
Compliance areas deal with a great variety of matters and the Compliance Officer must deal with several claims, queries, and investigations at the same time. Therefore, it is necessary to have a case management system in the compliance program since it is a fundamental tool not only to maintain the effectivity of the program but to maintain the effectivity of the Compliance Officer.
Any case management system must establish an effective admission system to allow the employees to submit a complaint. The more obvious example is a direct claim line. An efficient admission system allows the claims to arrive from any channel and gathers all the entries in a master system allowing the Compliance Officers to see all the complaint activity globally. It is very important that the claims or complaints remain anonymous so there is a higher confidence of the employee to report probable behaviors tending to corruption within any area of the corporation.
It is also necessary to classify these allegations as high or low risk to understand the severity of the allegation and the urgency of the response. A case management system should help the Compliance Officer to analyse the differences in a quick and correct manner.
Case management systems should also allow investigators to record any “trigger event” that may lead the case in a new direction. In fact, all evidence must be collected and documented in a central file. Ideally, the case management system should generate a report of the case stages, the activity history, and the result. The company must have a complete file of the case ready to be reviewed by any authority that may retrace if the original complainant brings the case to the regulators.
Once the necessary investigations are made, someone must recommend the required actions and then perform them. Taking any disciplinary measure following the recommendation state must depend on the policies established in the workplace, the due process for the accused employees, and which executives may make decisions on certain kinds of issues.
XIV. Reports and Monitoring
A comprehensive compliance program will not be efficient if it is not based on proper report and monitoring systems.
The biggest risk for Compliance Officers (and all the senior executives) is not comprehending what is really occurring in the business.
A solid report system must grant the Compliance Officer a complete activity image. A good compliance program will capture as much data as possible and will gather that information in a precise and useful manner.
Once the report material is created, it must be added and sent to the relevant executives for review. Once this data consolidation process is established, the broadest tendencies of the compliance activity may be monitored and the failures can be detected and resolved.
Similarly, the monitoring may be made in several manners. However, the challenge is to understand the identified risks (for example, risks from third parties) the company is facing and process the data that would describe or quantify that risk and then extend that exercise so that all the monitoring data may be added allowing the compliance team to spend more time analyzing data instead of preparing them.
A clear and proper escalation system is required so that a breach may be quickly reported. An efficient escalation proceeding routes the concerns to the Compliance Officer and other senior executives, as applicable. In other words, an efficient escalation proceeding leads a “risk event” (a bad behavior allegation, a worrying data tendency, a specific incident such as a data violation) to those in the company whose purpose is to respond to such an event.
We have noticed 2 liabilities that may affect the companies and the way in which they may be affected; therefore, nowadays, the company must abide by the applicable legislation and perform actions by itself to prevent and mitigate behaviors that may be attributable to the company. Hence, having an internal control through policies and codes of conduct is important for this matter.
As mentioned above, compliance programs are not a unique model for all companies. It is important to understand the critical component of a program and then adapt each aspect to the specific needs of the business. When the compliance team is able to reach a more strategic position, the compliance can be deemed less as a crisis intervention team and more as a critical commercial partner.
For more information related to the foregoing, please contact any of the following members of BGBG:
Miguel Gallardo Guerra
Samuel Uziel Rivero Prado
Mario Arturo Preciado Alonso
Ministry of Government Affairs (July 12, 2017). Business Integrity Model Program [PDF File]. Retrieved from https://www.gob.mx/cms/uploads/attachment/file/272749/Modelo_de_Programa_de_Integridad_Empresarial.pdf