On August 30, the National Monetary Council (CMN) published Resolution No. 4,595, which governs the compliance policy of financial institutions and other institutions authorized to operate by the Central Bank of Brazil (BACEN). The new rules do not apply to (i) administrators of consortia and (ii) payment institutions, which shall observe specific regulations issued by BACEN.
The rule is an addition to the new regulatory framework established by the CMN for risk management (Resolution No. 4,557/17) and internal audit (Resolution No. 4,588/17), which seeks to strengthen and modernize the compliance structures of financial institutions and other authorized institutions. In line with the proportionality provided for the risk management and internal audit rules contained in the resolutions mentioned above, Resolution No. 4,595/17 establishes that the institutions covered by the rule shall implement and maintain a compliance policy compatible with the nature, size, complexity, structure, risk profile, and business model of the institution in order to ensure effective management of its compliance risk.
The resolution sets out some minimum parameters that the compliance policy should define, such as the purpose and scope of the compliance function, clear division of responsibilities of the persons involved, in order to avoid possible conflicts of interest (especially with the business areas of the institutions), and procedures for coordinating the activities of the compliance function with the risk management and internal audit functions. The compliance policy must be approved by the board of directors of the institution (or by the board of officers, if the institution does not have a board of directors), which will also have various responsibilities related to the management and implementation of the compliance policy.
The unit responsible for the compliance function, when established, should be fully segregated from the internal audit activity.
The institutions subject to the resolution shall maintain at BACEN's disposal: (i) documentation related to the compliance policy approved by the board of directors (or by the board of officers, if no board of directors is established); and, for a minimum period of 5 years, (ii) reports containing a summary of the results of activities related to the compliance function, its main conclusions, recommendations, and actions taken by the institution's management.
Although it does not expressly mention Law No. 12,846/2013 (Anti-corruption Law) and has a broader understanding of the concept of compliance within its scope (such as preventing failures to comply with all laws and regulations applicable to such institutions), the resolution ended up touching on points that coincide with the rules that address prevention of ethical integrity breaches in companies.
Thus, there is at least a partial overlap of the new obligations with various elements established in anti-corruption laws, such as recommendations that companies adopt an integrity program.
The resolution expressly authorizes institutions to hire specialists to carry out activities related to compliance policy (while the board of directors fully maintains its duties and responsibilities). This opens up an opportunity to align fulfillment of the obligations set out in the resolution with implementation of aspects of anti-corruption integrity programs, which, although optional, can bring relevant benefits to institutions (reduced risks of sanctions and reputational risks, for example) and their directors and officers (who are less exposed to criminal and civil risks).
With rapid adaptation, compliance with the resolution may also imply compliance with various aspects stipulated by Decree No. 8,420/15, which regulates the Anti-corruption Law, such as: training and education of relevant employees and third parties; periodic analysis of compliance risks and compliance program monitoring; dissemination of integrity standards and ethical conduct as part of the institution's culture; and assurance of the adoption of corrective measures in the event of failures.
Institutions subject to the resolution must implement a compliance policy by December 31, 2017.