Compliance is nowadays a common and indispensable term in business affairs. It started out as a subject of the Administrative Sciences, but experts in the legal field are increasingly giving it importance as well. Law No. 13.303/2016, recently enacted in Brazil, establishes specific rules that must be added to the bylaws of state-owned enterprises (including publicly held companies, joint ventures and their subsidiaries). This shows that the tendency can be observed not only in corporate law, where compliance evolved as a strategy to protect the institutional interests of a company, primarily with regard to its managers and to employees dealing with third-party associates, but also in public law: the bylaws of state-owned enterprises must include "rules of corporate governance, transparency and structuring, risk management and internal control practices, composition of the management and, in case the company has shareholders, mechanisms for their protection" (Art. 6). Law No. 13.303/2016 thus recognizes the need to manage state-owned enterprises and goes beyond the traditional instruments of government control (such as constitutional writs, administrative misconduct actions, audit processes carried out by the Audit Courts, etc.).

The subject is a complex one. Whatever choices Law No. 13.303/2016 leaves open, the borrowing of the concept of compliance from the Administrative Sciences into legal science has turned it into a confusing topic that is constantly being redefined. In business management, compliance is an area that belongs solely to the company's management, generally combined with the governance and risk management functions (this integration is meant to prevent corporate crises and is known by the acronym GRC: governance, risk management and compliance). In the field of law, however, compliance was originally separated from corporate governance and risk management and was used primarily in the prosecution of financial crimes (especially in money laundering cases, under Law No. 9.613/1998). From there on, the uses and the scope of compliance have gradually expanded, from practices that improve a company's reputation by implementing anti-corruption measures (under Law No. 12.846/2013) up to the point where compliance becomes a comprehensive legal tool to promote corporate transparency and integrity.

From this holistic point of view, compliance implies internal organizational work involving the following activities: (i) identifying and consolidating the legal rules (statutory, regulatory and contractual) and non-legal rules (corporate policies and strategies, standards of conduct, practices and procedures) that the departments, areas, managers, representatives and agents of the company must comply with, and setting these out, as far as possible, in a code of ethics and integrity; (ii) organizing a compliance area responsible for (ii.a) training staff on the code of conduct and integrity, (ii.b) monitoring breaches of the code of conduct and integrity, including the provision of anonymous reporting channels, and (ii.c) supporting the resolution of identified problems, creating mechanisms to prevent new occurrences, and applying disciplinary measures; and, finally, (iii) integrating the duties of the compliance area into the company's organization and corporate governance while ensuring its autonomy.

Law No. 13.303/2016 translated this conception of compliance into legal terms, which becomes especially evident in its Article 9, regulating the statutory structure of compliance within state-owned enterprises. In the first paragraph of this article, the law requires the drafting and dissemination of a code of conduct and integrity, which must include (i) the principles, values and mission of the state-owned enterprise, together with guidance on preventing conflicts of interest and a prohibition of acts of corruption and fraud; (ii) internal bodies responsible for continuously updating and enforcing the code; (iii) a reporting channel that can receive internal and external complaints concerning breaches of the code and of other rules not included in it; (iv) protection mechanisms that prevent any kind of retaliation against persons who use the reporting channel; (v) the penalties applicable in case of non-compliance with the code; and (vi) training on the code for employees and directors, held at least annually, as well as training on risk management for those in leadership positions.

The difficulties come to light, however, when it comes to organizing the compliance area as an instrument of internal control within state-owned enterprises, not to be confused with the internal audit area. From the outset the law is inconsistent in its terminology: the term "compliance area" appears only in § 4 of Article 9, while section II and § 2 of the same article speak of an "area responsible for the monitoring of the fulfillment of obligations and risk management". Nevertheless, applying these rules poses no major challenge, given that § 2 establishes that the compliance area reports to the CEO of the state-owned enterprise, while § 4 provides a single exception to this rule: when there is reason to suspect that the CEO personally is involved in irregularities or illegal activity, the compliance area must report directly to the Board of Directors of the state-owned enterprise. The fact that the internal audit department reports to the Board of Directors, directly or through the Statutory Audit Committee (Article 9, § 3, I), also confirms that § 2 and § 4 of Article 9 refer to the same compliance area under different names.

However, in the distribution of duties between the compliance department and the internal audit department, the problems in the drafting of Law No. 13.303/2016 become more evident. One reading of Article 9, § 3, II, could suggest that the internal audit department also has responsibilities with respect to internal control, risk management and governance processes, and not exclusively for the collection, measurement, classification, recording and dissemination of events and transactions. The issue becomes further complicated when it comes to the duties of the Statutory Audit Committee, because, according to Article 24, § 4, that committee is responsible, among other duties, for (i) supervising the activities carried out in the areas of internal control, internal audit and preparation of the financial statements of the state-owned enterprise (Art. 24, § 4, III); (ii) monitoring the quality and integrity of the internal control mechanisms, of the financial statements and of the information and measurements published by the state-owned enterprise (Art. 24, § 4, IV); (iii) assessing and monitoring the risk exposures of the state-owned enterprise and, if required, providing detailed information on the policies and procedures related to management remuneration, the use of the assets of the state-owned enterprise and expenses incurred on its behalf (Art. 24, § 4, V); and (iv) evaluating and monitoring, together with the management and the internal audit department, the adequacy of related-party transactions (Art. 24, § 4, VI).

It is well known that these activities are usually assigned to the compliance department, not to the internal audit area that the Statutory Audit Committee coordinates. In order to harmonize these rules, the interpreter of Law No. 13.303/2016 seems to have no other choice than (i) to treat the Statutory Audit Committee as a supervisory body for both the internal audit department and the compliance department, something the law does not state explicitly, or alternatively (ii) to emphasize the final part of Article 9, § 3, II, which limits the activities of the internal audit department to the "preparation of financial statements". On that reading, the internal audit department's duties concerning internal control, risk management and governance processes would be confined to that scope, and compliance efforts would remain under the responsibility of the risk management department.

Although companies are most likely to choose the second alternative, especially in light of established business management practice concerning GRC, one question remains unanswered: the means for receiving complaints, including confidential complaints, from inside and outside the state-owned enterprise. According to Article 24, § 2, the Statutory Audit Committee is responsible for this, although such channels are generally the responsibility of the compliance department and, unless the code of conduct and integrity provides otherwise, the law does not explicitly assign them to any department. Should state-owned enterprises therefore operate two anonymous reporting channels, one in the compliance department and one in the Statutory Audit Committee? If so, how can the leakage of sensitive information be avoided, and how can complainants who use such channels be protected from retaliation?

Legal professionals will gradually work through these and many other complexities. Even though definitive answers are still lacking, the notable progress achieved through Law No. 13.303/2016 cannot be denied, not only as a regulatory milestone for compliance as a legal instrument to promote corporate transparency and integrity, but also as a new way of controlling the public management of state-owned enterprises.
