In a globalized context where the world is fully interconnected and information flows with a speed never seen before, the impact that a breach of the rules by a company can generate, makes it essential to become familiar with certain concepts related to “Compliance”.

In this very brief report, we would like to share some preliminary ideas on this novel matter that, from Vouga Abogados, we understand will be applied by many organizations in Paraguay.

1) What is Compliance?

The term “compliance” refers to “compliance”. That is to say that the subject matter surrounding this concept is related to compliance with the legislation applicable to a company, as well as to the entire internal regulatory scheme that, whether the company is a local company or a subsidiary of a multinational, has established for self-regulation.

Although there are specific references to the origin of the subject, it is true that it is often linked to other issues surrounding business life, such as “Sustainability”, “Corporate Social Responsibility”, “Corporate Values and Ethics”, “Integrity” at the time of doing business, etc. All these concepts, although each with its own specificity and characteristics, have a common denominator in the companies that develop them: they start from the initial assumption of a “culture of compliance” within the organization, which is the cornerstone for the construction of a company aligned with “Compliance”. This is a permanent challenge, since it is not only an issue that requires a legal approach, but also -and mainly- from the commitment of the top management, the work of the human resources, control and audit areas, etc., requires a permanent level of involvement in training, control, communication and prevention of risky situations that may place the company in an episode of non-compliance.

2) What is Compliance for?

Corporate reputation is one of the most difficult intangible assets to achieve and also one of the easiest to lose in an instant, if the company faces a situation of non-compliance that may affect it.

For this reason, the central objectives of any compliance program include:

a) Caring for the reputation of the organization.

b) Ensure compliance with all regulations applicable to the business (including public regulations and those arising from “self-regulation”).

c) To add value to the business, providing a long-term, integral and sustainable vision.

d) Add competitive advantage, since not all organizations are actively working on compliance programs.

e) Create and strengthen a culture of compliance. This also plays a fundamental role in attracting and retaining talent.

3) What should a Compliance Program contain?

There is no single recipe, since in general the program is tailor-made for each organization, mainly taking into account the risks faced by the business being developed. However, there are some elements that are present in the vast majority of programs. Among them, we can find the following:

a) Code of Conduct: in general, this document serves to determine the fundamental axes that, in terms of values and conduct, the company will assume for the development of its business. Of course, compliance with the law is the starting point of any of these documents, although from there, an internal regulatory scaffolding is built that can become very complex, establishing very clear parameters of the behaviors that the company encourages, and those that it emphatically rejects. In multinational corporations, the tenor of these guidelines is adjusted to the regulations applicable to the parent companies (e.g. the “Foreign Corrupt Practices Act” of the United States, the “Anti Bribery Act” of the United Kingdom, among others).

b) Corporate policies: based on the Code of Conduct, companies usually work on drafting a wide range of corporate policies (e.g., environmental protection, anti-bribery, anti-trust, diversity, gifts and entertainment, information management, use of technological resources and social networks, protection of personal data, etc.).

c) Special policies: certain special policies -many of them related to human resources management- can also be worked with, such as the allocation of company vehicles, the use of corporate credit cards, clothing, travel, etc.).

d) Guidelines on how to deal with a “Conflict of Interest”: the role that some officers must play in their functions may place them -in many cases- in situations where there is or may become a conflict of interest. These occur when a person may lose objectivity in the decision making process, due to a conflict of interest with the person, the company, the business, with whom he/she is managing. For this reason, and as it is extremely difficult to establish parameters of general behavior, Compliance Programs usually incorporate prior consultation mechanisms, so that officials who face this type of situation can obtain a corporate validation that endorses the action they are taking on behalf of the company.

e) Ethical compass: beyond the effort that companies devote to the formalization of corporate policies, there are countless situations that may remain in a space of “doubts” as to whether the conduct in question is allowed or not allowed. To work on these situations, companies usually develop certain general parameters that help employees to resolve these “ethical dilemmas”, and in the event that they cannot yet be resolved, establish contact mechanisms with the necessary support areas to analyze the situation accordingly.

f) Anonymous whistle-blowing channel: whether by telephone, e-mail or through an on-line platform, these channels are very often available so that everyone who interacts with an organization -employees, customers, suppliers- can report situations that they consider are not in line with corporate policies. The investigation of each report must be carried out with great seriousness and professionalism (it is important to be able to determine whether the report has legitimacy or not), the anonymity of the whistleblower must be protected to the last possible consequence, very clear policies must be established to protect against retaliation against whistleblowers, as long as it can be determined that the report has been made in good faith.

g) Integrity checks (key employees, customers, suppliers, partners): in order for a company to be able to boast of working within the framework of a compliance culture, it is essential to be able to establish some mechanisms that allow knowing some preliminary information about the people or organizations with which it will relate at the time of developing its business activity. In this sense, integrity checks (also known as “know your client” or “know your client”) are extremely valuable tools for this purpose.

4) How to implement an effective Compliance Program?

In many countries, which is not the case of Paraguay at the moment, having a Compliance Program for the prevention of non-compliance with regulations, particularly those derived from acts of corruption, operates as a mitigating factor and even an exemption from the sanction by the authorities, to the extent that it can be proven that it is “effective”. Although this term may be somewhat vague, there are some guidelines -mainly those provided by the U.S. Department of Justice- that facilitate this task.

Among the most significant are the following:

a) Risk matrix: in order for the Program to be effective, i.e. to help prevent the detection of possible non-compliance, it must be constructed taking into consideration the main risks faced by the business operations of the company in question (commonly known as “risk matrix”). This matrix should not only identify the risks faced by the organization, but also classify them (reputational, legal, operational, financial, etc.) and establish control mechanisms for their early detection.

b) Top management commitment: in order for the Compliance Program to be considered effective, it will undoubtedly require the maximum commitment from the entire organization, but particularly from those who are responsible for decision making. This is usually called “Tone of the top”, and must be materialized with a clear communication from these officials, as well as -and mainly- with facts that can demonstrate this commitment in practice.

c) Accessible information on the regulations to be complied with: it is essential that all the organization's employees can have access to and fully understand the obligations to be complied with on a daily basis. The rules may have a poor legislative technique, be difficult to understand, confusing, ambiguous and vague. For this reason, there must be a sector of the organization (or several, as the case may be) whose challenge is to make available to everyone the regulatory scheme to be complied with - including, as mentioned above, both the legislative rules and those internal rules that have been drafted as a self-regulatory mechanism (corporate policies) - in plain, clear language and linked to the task to be performed by each employee.

d) Ongoing training and advice: in addition to what was mentioned in the previous point, the communication of the rules to be complied with must be accompanied by ongoing training instances (either in person or through technological tools), where people with a deep knowledge of this subject can share with people not only the technical contents of the rules and policies, but also concrete experiences that allow the visualization of the risk situations that the company tries to avoid. Likewise, in certain cases it is more than advisable to have an awareness-raising event when the organization is facing or may face very important risk situations that may damage its reputation.

e) Tailor-made program: since the risks faced by organizations differ in each case, it is impossible for a Compliance Program to be applied identically in two situations. Therefore, it is not advisable to start from standard models, but rather the construction of a Compliance Program should arise from an internal process of the company, where the risks to which it is exposed are identified, the corresponding controls are established to avoid non-compliance, the corresponding internal rules are drafted, and work is done on the axes of Communication, Training and Control, with the aim of consolidating a Compliance Culture within the organization, which allows the Program to be qualified as “efficient”.

f) Effective controls and adequate investigation and eventual sanction protocols: even if all the officers of an organization are fully aware of the obligations they are responsible for, it is prudent, in order to have an effective program, to implement controls over the most critical processes (linked to the risk matrix that has been prepared), which allow for an early detection of a deviation. Likewise, and as a last resort, certain procedures must be defined that -in the event of a complaint or detection of non-compliance- allow an investigation to be carried out based on objective, impartial and efficient parameters, to confirm or reject the complaint. If appropriate, the corresponding sanctions must be applied, which must be consistent with the internal regulatory framework and the facts effectively demonstrated in the investigation.

5) Who is the Compliance Officer?

Taking into consideration the size of the organization, the risks to which it is exposed, the volume of business, among other factors, it is increasingly common that the responsibility of leading internally everything related to the Compliance Program is headed by an official who is called “Compliance Officer” or “Compliance Officer”.

The requirements that are usually demanded for the performance of this function are:

a) Knowledge. Not only must he/she have a solid understanding of the business developed by the organization, but also -from a professional training point of view- it is expected that he/she has knowledge of rules, processes, communication, negotiation, leadership, among others. Although training in law is very common, there are also very good professionals in the field, who have a degree in Administration or Accounting. At the same time, postgraduate training programs specifically oriented to Compliance are beginning to be created.

b) Experience. Knowing the organization and its employees is a great advantage to perform this function. There are daily situations that require their intervention, so having the confidence of their peers is a very important differential.

c) Independence of judgment. Due to the responsibility of this function, it cannot be relegated to a hierarchical position within the organizational chart, which prevents it from making the right decisions. They usually report either directly to the highest authority of the company, or to the Board of Directors or Executive Committee.

d) Sufficient resources. To pretend to develop and implement an effective Compliance Program within a company without having sufficient economic, material and human resources, makes it very difficult to classify it as effective. The challenge in the management of these areas is to be able to defend their internal budget, not from the point of view of a “cost center”, but from a “benefit center”, understanding that risk prevention can avoid much higher economic costs.

Author: Gonzalo Ruiz Díaz (compliance of counsel)