Brazil’s Clean Companies Act — Executingy
By Gabriela Roitburd
A new frontier in the fight against bribery and corruption
Given the lack of enforcement to date, coupled with high levels of bureaucracy, Brazil presents a high level of compliance risk for most companies. Brazilian private investigators do not need a license in order to practice. However, they should always follow applicable laws with respect to how data is gathered and used. Third-party investigators should also pay close attention to cultural norms, and the nuances inherent in complex professional relationships.
Brazil does not have specific data privacy laws in place. However, this may change, as there is a project that addresses data privacy under development by the Civil House, which will ultimately end up before Brazil’s House of Representatives. Notwithstanding the lack of specific data privacy laws, gathering relevant data to conduct third-party due diligence still presents challenges.
According to Brazilian law, publicly traded companies must annually disclose their accounting information through the newspapers. However, companies not subject to this law, such as the limited liability companies (LLC), do not have the obligation to openly disclose such information. Consequently, it is difficult to gather financial information relating to an LLC, which may result in companies relying on the third parties themselves to provide information. In these cases, the company may receive altered or incomplete information from their third parties. Whenever possible, information provided by a third party during the due diligence process should be independently verified for accuracy and completeness.
The third-party vetting process
Each third party presents a unique risk, and approaches to due diligence may vary accordingly. The vetting process can include an on-site visit to validate the legitimacy of the company’s business operations, an examination of corporate records, including the investigation of previous corporate misconduct, and litigation. It may also include an in-depth analysis of the network of business partnerships, including the reputation of the company and its principals.
Analysis of the company’s financial performance is often appropriate, including an understanding of the current sources of funding and a list of significant clients. A review of English language and local press may also help uncover the third parties’ business reputation, major business activities, and other social and business relationships of interest.
When a US company enters into a business relationship, compliance managers should ensure that the parties involved understand the anti-corruption laws of the United States, as well as the newly signed Clean Companies Act. A written declaration of the third party’s intent to uphold anti-corruption and anti-bribery policies and codes of conduct is a fundamental component for due diligence. Some companies find it helpful to automate this process so that due diligence queries, warranties and representations are systematic and easy to track.
Learning from others
In Brazil, the country’s financial institutions were the first to implement programs to comply with international anti-money laundering laws. The companies that firstly implemented compliance programs have since benefitted from having the tools to detect potential issues prior to the authorities, and in most cases, they have avoided regulatory scrutiny. The Brazilian companies that have not implemented anti-bribery and corruption compliance programs yet should consider conducting benchmarking exercises with local banks and companies that are subject to foreign anti-bribery and anti-corruption laws, such as the FCPA.
The depth and scope of a third-party due diligence effort depends on a number of factors. Obviously, a field investigation is more costly and time consuming than a review of databases and news media. In order to determine the appropriate level of due diligence to employ, companies must assess their overall risk tolerance, and their ability to defend inaction if a problem arises.
An important component of a company’s compliance efforts includes written documentation that clearly details the methodology applied during each investigation. The contents of each investigation file should provide direct evidence of the company’s approach, including all documents relied upon during the process, the existence of “red flags,” how they came to light, and how they were resolved.
Using a customized software tool can help reduce the complexity associated with certain aspects of due diligence. Such a tool can help multinationals, as well as Brazilian-based companies, establish and aggregate their third-party network data globally. Regardless of the tools and tactics that companies apply, complying with the Clean Companies Act requires the creation of an effective third-party due diligence program. And with the Act scheduled to take effect in January 2014, it would be prudent to create that program sooner, rather than later.